Inject pull secret for Kserve components

pierDipi · pierDipi · commit e51d4b7297a3 · 2026-02-18T12:32:14.000+01:00
Signed-off-by: Pierangelo Di Pilato &lt;pierdipi@redhat.com&gt;
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+/.idea
diff --git a/charts/kserve/templates/resources.yaml b/charts/kserve/templates/resources.yaml
@@ -1 +1,39 @@
-{{ .Files.Get "files/resources.yaml" }}
+{{- $resourcesFile := .Files.Get "files/resources.yaml" }}
+{{- $pullSecretEmitted := dict }}
+{{- range $doc := regexSplit "(?m)^---$" $resourcesFile -1 }}
+{{- $resource := fromYaml $doc }}
+{{- if and $resource $resource.kind }}
+{{- if eq $resource.kind "ServiceAccount" }}
+{{- $ns := $resource.metadata.namespace }}
+{{- if and $.Values.pullSecret.dockerConfigJson (not (hasKey $pullSecretEmitted $ns)) }}
+{{- $_ := set $pullSecretEmitted $ns true }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $.Values.pullSecret.name }}
+  namespace: {{ $ns }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ $.Values.pullSecret.dockerConfigJson | b64enc }}
+{{- end }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  {{- with $resource.metadata.labels }}
+  labels:
+    {{- range $key, $value := . }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+  {{- end }}
+  name: {{ $resource.metadata.name }}
+  namespace: {{ $ns }}
+imagePullSecrets:
+  - name: {{ $.Values.pullSecret.name }}
+{{- else }}
+---
+{{ $doc }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/kserve/values.yaml b/charts/kserve/values.yaml
@@ -1,3 +1,9 @@
 # Default values for kserve-rhaii-xks
 # This chart uses pre-rendered Kustomize output with embedded Go templates
-# that are passed through unchanged to the cluster.
+# that are passed through unchanged to the cluster.
+
+# Pull secret for registry.redhat.io
+# Auth is configured in the root values.yaml and passed via helmfile
+pullSecret:
+  name: redhat-pull-secret
+  dockerConfigJson: ""  # Set automatically by helmfile from root auth config
diff --git a/helmfile.yaml.gotmpl b/helmfile.yaml.gotmpl
@@ -51,6 +51,14 @@ releases:
     version: {{ $kserveVersion }}
     namespace: opendatahub
     disableValidation: true
+    set:
+{{- if .Values.useSystemPodmanAuth }}
+      - name: pullSecret.dockerConfigJson
+        file: {{ env "HOME" }}/.config/containers/auth.json
+{{- else if .Values.pullSecretFile }}
+      - name: pullSecret.dockerConfigJson
+        file: {{ .Values.pullSecretFile }}
+{{- end }}
     # CRDs are applied separately via presync hook to avoid 1MB secret size limit
     hooks:
       # Apply CRDs before helm install via presync
