
Inject pull secret for Kserve components #15

Closed
pierDipi wants to merge 5 commits into opendatahub-io:main from pierDipi:kserve-image-pull-secret

Conversation

@pierDipi
Member

@pierDipi pierDipi commented Feb 18, 2026

Inject pull secret for Kserve components, in line with the other charts' configurations

Summary by CodeRabbit

  • New Features

    • Conditional injection of a Docker pull-secret value into the chart (system Podman auth or custom file).
  • Bug Fixes

    • Emit pull-secret once per namespace and attach it to ServiceAccounts to ensure reliable image pulls.
  • Chores

    • Added IDE and swap files to ignore rules.
    • Removed automatic cross-namespace copy/creation of the Red Hat pull secret during setup.
  • Documentation

    • Reordered and simplified gateway setup docs; removed copy-pull-secret step.

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
@openshift-ci

openshift-ci Bot commented Feb 18, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pierDipi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai
Contributor

coderabbitai Bot commented Feb 18, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: f1efa251-1f97-436a-b1ab-1473c2e21396

📥 Commits

Reviewing files that changed from the base of the PR and between ede1179 and f392945.

📒 Files selected for processing (4)
  • Makefile
  • docs/deploying-llm-d-on-managed-kubernetes.md
  • helmfile.yaml.gotmpl
  • scripts/setup-gateway.sh
💤 Files with no reviewable changes (3)
  • Makefile
  • docs/deploying-llm-d-on-managed-kubernetes.md
  • scripts/setup-gateway.sh
🚧 Files skipped from review as they are similar to previous changes (1)
  • helmfile.yaml.gotmpl

📝 Walkthrough

Adds pull-secret support by introducing a pullSecret value and wiring it from helmfile into the kserve chart, adds Helm template logic to parse combined resources, emit a dockerconfigjson Secret once per namespace and attach it to ServiceAccounts via imagePullSecrets, removes local copy/apply steps that duplicated the Istio redhat-pull-secret into the target namespace (in Makefile, docs, and scripts), and adds IDE and swapfile ignores to .gitignore.

Changes

| Cohort / File(s) | Summary |
|---|---|
| VCS ignore<br>`/.gitignore` | Adds `/\.idea` and `*.swo` entries to ignore IDE metadata and swap files. |
| Helm chart — templates<br>`charts/kserve/templates/resources.yaml` | Parses combined YAML docs, emits a dockerconfigjson Secret once per namespace when `pullSecret.dockerConfigJson` is set, ensures the Secret is emitted before the corresponding ServiceAccount, and attaches it via `imagePullSecrets`. Non-ServiceAccount docs are re-emitted unchanged. |
| Helm chart — values<br>`charts/kserve/values.yaml` | Adds `pullSecret` block with `dockerConfigJson` (empty by default) and related comments for helmfile-injected auth config. |
| Helmfile<br>`helmfile.yaml.gotmpl` | Adds conditional set for `pullSecret.dockerConfigJson`: uses `${HOME}/.config/containers/auth.json` when `.Values.useSystemPodmanAuth` is true, else uses `.Values.pullSecretFile` if provided. |
| Makefile & docs — removed copy/apply pipeline<br>`Makefile`, `docs/deploying-llm-d-on-managed-kubernetes.md`, `docs/gateway-setup-for-kserve.md`, `scripts/setup-gateway.sh` | Removes steps and helper that copied the `redhat-pull-secret` from `istio-system` into the target namespace (commands that fetched, transformed namespace, and applied that secret). Documentation and scripts were updated to remove that copy step and re-order guide steps accordingly. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
  participant User
  participant Helmfile
  participant Helm
  participant TemplateProcessor
  participant KubernetesAPI

  User->>Helmfile: deploy (values include pullSecret config)
  Helmfile->>Helm: render release with set pullSecret.dockerConfigJson
  Helm->>TemplateProcessor: render charts/kserve/templates/resources.yaml with values
  TemplateProcessor->>TemplateProcessor: split resources.yaml into documents
  alt doc is ServiceAccount and pullSecret provided
    TemplateProcessor->>KubernetesAPI: emit Secret (dockerconfigjson) [once per namespace]
    TemplateProcessor->>KubernetesAPI: emit ServiceAccount with imagePullSecrets referencing Secret
  else other doc
    TemplateProcessor->>KubernetesAPI: emit resource as-is
  end
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main objective: injecting pull secrets for Kserve components through chart configuration, which is the core change across helmfile, values.yaml, and the resources.yaml template. |


@pierDipi
Member Author

/cc @aneeshkp @zdtsw

@openshift-ci openshift-ci Bot requested review from aneeshkp and zdtsw February 18, 2026 11:38
Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (1)
charts/kserve/templates/resources.yaml (1)

22-31: ServiceAccount annotations are silently dropped during reconstruction.

The template only preserves labels, name, and namespace from the original ServiceAccount's metadata. annotations are not copied. On AKS (azure.workload.identity/client-id), EKS (eks.amazonaws.com/role-arn), and GKE (workload identity), ServiceAccount annotations are essential for cloud IAM integration. If files/resources.yaml ever carries such annotations — or if the file is extended in the future — they will be silently lost.

The same applies to automountServiceAccountToken and any pre-existing imagePullSecrets on the original ServiceAccount.

♻️ Proposed fix — forward metadata annotations and merge imagePullSecrets
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   {{- with $resource.metadata.labels }}
   labels:
     {{- range $key, $value := . }}
     {{ $key }}: {{ $value | quote }}
     {{- end }}
   {{- end }}
+  {{- with $resource.metadata.annotations }}
+  annotations:
+    {{- range $key, $value := . }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+  {{- end }}
   name: {{ $resource.metadata.name }}
   namespace: {{ $ns }}
+{{- if $resource.automountServiceAccountToken }}
+automountServiceAccountToken: {{ $resource.automountServiceAccountToken }}
+{{- end }}
+{{- $existingPullSecrets := $resource.imagePullSecrets | default list }}
+{{- if $.Values.pullSecret.dockerConfigJson }}
 imagePullSecrets:
   - name: {{ $.Values.pullSecret.name }}
+  {{- range $existingPullSecrets }}
+  - name: {{ .name }}
+  {{- end }}
+{{- else if $existingPullSecrets }}
+imagePullSecrets:
+  {{- range $existingPullSecrets }}
+  - name: {{ .name }}
+  {{- end }}
+{{- end }}
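Review bot: the `{{- if $resource.automountServiceAccountToken }}` guard forwards the field only when it is true, so a ServiceAccount that sets `automountServiceAccountToken: false` (the value that actually stops a token from being mounted) is re-emitted without it and falls back to the default of mounting one; test for presence instead, e.g. `{{- if hasKey $resource "automountServiceAccountToken" }}`. The merge also appends every entry of `$existingPullSecrets` after `- name: {{ $.Values.pullSecret.name }}` without checking for that name, so an input ServiceAccount that already lists it ends up with a duplicate entry.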
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@charts/kserve/templates/resources.yaml` around lines 22 - 31, The
ServiceAccount reconstruction in the template currently only preserves labels,
name, and namespace and drops annotations, automountServiceAccountToken, and
imagePullSecrets; update the ServiceAccount resource block to also forward {{
$resource.metadata.annotations }} into metadata.annotations, copy
automountServiceAccountToken from {{ $resource.automountServiceAccountToken }},
and merge existing imagePullSecrets by iterating/including {{
$resource.imagePullSecrets }} so pre-existing pull secrets are retained rather
than lost during template rendering.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@charts/kserve/templates/resources.yaml`:
- Around line 8-33: The ServiceAccount always receives imagePullSecrets even
when $.Values.pullSecret.dockerConfigJson is empty; wrap or move the
imagePullSecrets block so it is emitted only when the same condition that
creates the Secret is true (the if and set that reference
$.Values.pullSecret.dockerConfigJson and $pullSecretEmitted for $ns).
Specifically, ensure the imagePullSecrets: - name: {{ $.Values.pullSecret.name
}} line is inside the existing {{- if and $.Values.pullSecret.dockerConfigJson
(not (hasKey $pullSecretEmitted $ns)) }} ... {{- end }} guard (or duplicated
guarded with the same condition) so ServiceAccount (resource.metadata.name in
namespace $ns) only gets the pullSecret when the Secret is actually created.

In `@helmfile.yaml.gotmpl`:
- Around line 54-61: The condition checking for system Podman auth in
helmfile.yaml.gotmpl is using .Values.useSystemPodmanAuth directly and should
apply the same default as other releases; update the if/else test to use the
templating default (i.e., replace references to .Values.useSystemPodmanAuth in
the conditional around pullSecret.dockerConfigJson with
.Values.useSystemPodmanAuth | default true) so the kserve release follows the
same default-true behavior as the other child helmfiles.

---

Nitpick comments:
In `@charts/kserve/templates/resources.yaml`:
- Around line 22-31: The ServiceAccount reconstruction in the template currently
only preserves labels, name, and namespace and drops annotations,
automountServiceAccountToken, and imagePullSecrets; update the ServiceAccount
resource block to also forward {{ $resource.metadata.annotations }} into
metadata.annotations, copy automountServiceAccountToken from {{
$resource.automountServiceAccountToken }}, and merge existing imagePullSecrets
by iterating/including {{ $resource.imagePullSecrets }} so pre-existing pull
secrets are retained rather than lost during template rendering.

Comment thread charts/kserve/templates/resources.yaml Outdated
Comment thread helmfile.yaml.gotmpl
Contributor

@coderabbitai coderabbitai Bot left a comment


🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@charts/kserve/templates/resources.yaml`:
- Around line 41-52: Ensure the ServiceAccount template only injects
imagePullSecrets when appropriate: add the pull-secret name when
$.Values.pullSecret.dockerConfigJson is true, preserve any existing
$resource.imagePullSecrets, and avoid duplicate entries; update the logic around
imagePullSecrets, $.Values.pullSecret.dockerConfigJson,
$.Values.pullSecret.name, and $resource.imagePullSecrets to merge the
pull-secret and existing secrets deterministically (dedupe by .name) so the
final imagePullSecrets list contains each name exactly once.
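An added example (not the chart's template and not CodeRabbit's suggestion) of the injection logic that the walkthrough and the two review comments above describe, written in Python over already-parsed manifests: the Secret is emitted once per namespace ahead of the first ServiceAccount, `imagePullSecrets` is only attached under the same guard that creates the Secret, existing pull secrets are merged and deduplicated by name, and annotations and `automountServiceAccountToken` (including `false`) are forwarded. The function names and the sample documents are constructed for this example.

```python
import base64
from copy import deepcopy

# Constructed sample input: already-parsed documents in the shape of a files/resources.yaml
# bundle (a ConfigMap plus ServiceAccounts in two namespaces); not the chart's real bundle.
SAMPLE_DOCS = [
    {"apiVersion": "v1", "kind": "ConfigMap",
     "metadata": {"name": "cfg", "namespace": "opendatahub"}, "data": {"k": "v"}},
    {"apiVersion": "v1", "kind": "ServiceAccount",
     "metadata": {"name": "kserve-controller", "namespace": "opendatahub",
                  "labels": {"app": "kserve"},
                  "annotations": {"eks.amazonaws.com/role-arn": "arn:aws:iam::000000000000:role/PLACEHOLDER"}},
     "automountServiceAccountToken": False,
     "imagePullSecrets": [{"name": "redhat-pull-secret"}, {"name": "mirror-pull-secret"}]},
    {"apiVersion": "v1", "kind": "ServiceAccount",
     "metadata": {"name": "kserve-webhook", "namespace": "opendatahub"}},
    {"apiVersion": "v1", "kind": "ServiceAccount",
     "metadata": {"name": "gateway", "namespace": "istio-system"}},
]

def docker_config_secret(name, ns, docker_config_json):
    """kubernetes.io/dockerconfigjson Secret: the auth file goes base64-encoded under .dockerconfigjson."""
    return {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/dockerconfigjson",
            "metadata": {"name": name, "namespace": ns},
            "data": {".dockerconfigjson": base64.b64encode(docker_config_json.encode()).decode()}}

def rebuild_service_account(res, ns, secret_name, attach):
    """Re-emit a ServiceAccount field by field, as the template does, without dropping anything."""
    md = res["metadata"]
    sa = {"apiVersion": "v1", "kind": "ServiceAccount", "metadata": {"name": md["name"], "namespace": ns}}
    for key in ("labels", "annotations"):  # cloud IAM bindings (AKS/EKS/GKE) live in annotations
        if md.get(key):
            sa["metadata"][key] = dict(md[key])
    # presence check, not truthiness: automountServiceAccountToken: false must survive
    if "automountServiceAccountToken" in res:
        sa["automountServiceAccountToken"] = res["automountServiceAccountToken"]
    # injected secret first, then any existing ones, each name exactly once
    names = ([secret_name] if attach else []) + [s["name"] for s in res.get("imagePullSecrets", [])]
    if names:
        sa["imagePullSecrets"] = [{"name": n} for n in dict.fromkeys(names)]
    return sa

def render(docs, secret_name, docker_config_json, default_ns="default"):
    """Mirror of the template loop: one Secret per namespace, emitted before the first SA that uses it."""
    out, emitted = [], set()
    for doc in docs:
        if doc.get("kind") != "ServiceAccount":
            out.append(deepcopy(doc))  # every other document passes through unchanged
            continue
        ns = doc["metadata"].get("namespace", default_ns)
        attach = bool(docker_config_json)  # the same guard decides both the Secret and imagePullSecrets
        if attach and ns not in emitted:
            out.append(docker_config_secret(secret_name, ns, docker_config_json))
            emitted.add(ns)
        out.append(rebuild_service_account(doc, ns, secret_name, attach))
    return out
```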

Comment thread charts/kserve/values.yaml Outdated

```yaml
# Pull secret for registry.redhat.io
# Auth is configured in the root values.yaml and passed via helmfile
pullSecret:
  name: redhat-pull-secret
```
Member


any reason to have this name configurable?
can be just hardcoded in the template for 'secret', right?

Member Author


Removed

Comment thread helmfile.yaml.gotmpl
Comment on lines +55 to +57

```yaml
{{- if (.Values.useSystemPodmanAuth | default true) }}
- name: pullSecret.dockerConfigJson
  file: {{ env "HOME" }}/.config/containers/auth.json
```
Member


if we wanna default to true (when not set) maybe we do not need it in values.yaml
or have it as

```yaml
# uncomment below line if using dockerConfigJson
# useSystemPodmanAuth: false  # uncomment when using dockerConfigJson
```

Member Author


This is following the existing pattern in other charts

@aneeshkp
Contributor

@pierDipi Look at the lines in the Makefile under deploy-opendatahub-prerequisites:

```makefile
deploy-opendatahub-prerequisites: check-kubeconfig
	kubectl create namespace $(KSERVE_NAMESPACE) --dry-run=client -o yaml | kubectl apply -f -
	-kubectl get secret redhat-pull-secret -n istio-system -o yaml 2>/dev/null | \
		sed 's/namespace: istio-system/namespace: $(KSERVE_NAMESPACE)/' | \
		kubectl apply -f - 2>/dev/null || true
```

This copies the redhat-pull-secret from istio-system into the KServe namespace (opendatahub).

docs/deploying-llm-d-on-managed-kubernetes.md instructs users to manually copy the pull secret and patch ServiceAccounts with imagePullSecrets,
and so do a couple of other docs. Should I clean this up after this PR is merged?

@pierDipi
Member Author

@aneeshkp I will clean it up now in this PR

@aneeshkp
Contributor

Thanks, also look in the docs - two places.

@pierDipi pierDipi force-pushed the kserve-image-pull-secret branch from bf3b179 to ef76c90 Compare February 18, 2026 17:28
@aneeshkp
Contributor

@pierDipi the pull secret needs to be created in the opendatahub namespace for the gateway SA as well.

The Makefile used to copy redhat-pull-secret from istio-system to opendatahub, but the new chart template only injects pull secrets into ServiceAccounts defined in files/resources.yaml.
As a result, the gateway pod fails with ImagePullBackOff / 401 Unauthorized when pulling from registry.redhat.io:

The gateway SA still has imagePullSecrets: [{name: redhat-pull-secret}] but the secret doesn't exist in the namespace.

@pierDipi
Member Author

pierDipi commented Feb 19, 2026

are you installing Kserve chart before setting up the Gateway?

@pierDipi
Member Author

pierDipi commented Feb 19, 2026

Also note that the current helmfile uses the previous released Kserve chart and not the local chart (we will need a new release after merging + update helmfile)

@aneeshkp
Contributor

Yes, I am installing kserve before running script/setup-gateway.sh.

```shell
make deploy-all
./scripts/setup.gateway.sh
```

@pierDipi
Member Author

> Also note that the current helmfile uses the previous released Kserve chart and not the local chart (we will need a new release after merging + update helmfile)

This is the problem: make deploy-all deploys the previous helm chart, not the local one. Maybe I can add a local option to the helmfile.

@kwozyman
Contributor

@pierDipi I get the same as Aneesh while trying this out. What do you mean by "previous helm chart"?

@pierDipi
Member Author

I mean that helmfile points to the released dev chart

it doesn't use the local one because the local one uses unreleased images (registry.redhat.io) until 3.4 is out/released

@pierDipi
Member Author

pierDipi commented Feb 25, 2026

the current flow is:

  1. PR
  2. once merged, workflow builds and pushes the dev chart OCI image (+ image mirroring)
  3. we update the helmfile to use the released chart

Contributor

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
charts/kserve/templates/resources.yaml (1)

3-4: The regex split pattern is fragile but currently safe. All document separators in files/resources.yaml are properly placed at boundaries between complete YAML documents, and no bare --- lines exist inside block scalars or data fields. However, the approach remains vulnerable to future changes: if any resource adds content like a PEM certificate or multi-line configuration containing a bare ---, the split will fail. Consider adopting a proper YAML parser for more robust document separation.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@charts/kserve/templates/resources.yaml` around lines 3 - 4, The current
regexSplit("(?m)^---$",$resourcesFile) approach is fragile; replace the manual
split with the YAML-aware parser by using fromYamlAll to parse all documents at
once (e.g. range over $resource := fromYamlAll $resourcesFile) instead of
regexSplit + fromYaml so multi-document YAML with embedded '---' inside scalars
(PEM blocks, multi-line configs) is handled correctly.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@charts/kserve/templates/resources.yaml`:
- Around line 3-4: The current regexSplit("(?m)^---$",$resourcesFile) approach
is fragile; replace the manual split with the YAML-aware parser by using
fromYamlAll to parse all documents at once (e.g. range over $resource :=
fromYamlAll $resourcesFile) instead of regexSplit + fromYaml so multi-document
YAML with embedded '---' inside scalars (PEM blocks, multi-line configs) is
handled correctly.

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 9f947f7 and ede1179.

📒 Files selected for processing (7)
  • .gitignore
  • Makefile
  • charts/kserve/templates/resources.yaml
  • charts/kserve/values.yaml
  • docs/deploying-llm-d-on-managed-kubernetes.md
  • docs/gateway-setup-for-kserve.md
  • scripts/setup-gateway.sh
💤 Files with no reviewable changes (3)
  • Makefile
  • scripts/setup-gateway.sh
  • docs/deploying-llm-d-on-managed-kubernetes.md
✅ Files skipped from review due to trivial changes (1)
  • docs/gateway-setup-for-kserve.md

@openshift-ci

openshift-ci Bot commented Apr 12, 2026

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@pierDipi pierDipi closed this Apr 16, 2026