Support multiple ImagePullSecrets (#575)

* Support multiple ImagePullSecrets

* add length check

Author: chunter0

changelog/v0.40.5/image-pull-secrets.yaml

@@ -0,0 +1,6 @@
+changelog:
+  - type: FIX
+    issueLink: https://github.com/solo-io/skv2/issues/574
+    description: >
+      Add support for multiple ImagePullSecret references
+    skipCI: "false"

codegen/cmd_test.go

@@ -3,7 +3,9 @@ package codegen_test
 import (
 	"bytes"
 	"encoding/json"
+	"errors"
 	"fmt"
+	"io"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -41,6 +43,125 @@ var _ = Describe("Cmd", func() {
 	skv2Imports.External["github.com/solo-io/cue"] = []string{
 		"encoding/protobuf/cue/cue.proto",
 	}
+
+	Describe("image pull secrets", Ordered, func() {
+		BeforeAll(func() {
+			cmd := &Command{
+				Chart: &Chart{
+					Data: Data{
+						ApiVersion:  "v1",
+						Description: "",
+						Name:        "Painting Operator",
+						Version:     "v0.0.1",
+						Home:        "https://docs.solo.io/skv2/latest",
+						Sources: []string{
+							"https://github.com/solo-io/skv2",
+						},
+					},
+					Operators: []Operator{{
+						Name: "painter",
+						Deployment: Deployment{
+							Container: Container{
+								Image: Image{
+									Tag:        "v0.0.0",
+									Repository: "painter",
+									Registry:   "quay.io/solo-io",
+									PullPolicy: "IfNotPresent",
+								},
+							},
+						},
+						Values: map[string]any{
+							"imagePullSecrets": []v1.LocalObjectReference{},
+						},
+					}},
+				},
+				ManifestRoot: "codegen/test/chart/image-pull-secrets",
+			}
+			Expect(cmd.Execute()).NotTo(HaveOccurred(), "failed to execute command")
+		})
+		DescribeTable(
+			"using",
+			func(values any, shouldBeEmpty bool, expected ...v1.LocalObjectReference) {
+				manifests := helmTemplate("./test/chart/image-pull-secrets", values)
+
+				var (
+					renderedDeployment *appsv1.Deployment
+					decoder            = kubeyaml.NewYAMLOrJSONDecoder(bytes.NewBuffer(manifests), 4096)
+				)
+				for {
+					var deployment appsv1.Deployment
+					if err := decoder.Decode(&deployment); errors.Is(err, io.EOF) {
+						break
+					}
+
+					if deployment.GetName() == "painter" && deployment.Kind == "Deployment" {
+						renderedDeployment = &deployment
+						break
+					}
+				}
+				Expect(renderedDeployment).NotTo(BeNil())
+				if shouldBeEmpty {
+					Expect(renderedDeployment.Spec.Template.Spec.ImagePullSecrets).To(BeEmpty())
+					return
+				}
+
+				Expect(renderedDeployment.Spec.Template.Spec.ImagePullSecrets).To(ContainElements(expected))
+			},
+			Entry(
+				"empty",
+				map[string]any{
+					"painter": map[string]any{
+						"enabled": true,
+					},
+				},
+				true,
+				nil,
+			),
+			Entry(
+				"legacy pullSecret field",
+				map[string]any{
+					"painter": map[string]any{
+						"enabled": true,
+						"image": map[string]any{
+							"pullSecret": "a-registry",
+						},
+					},
+				},
+				false,
+				v1.LocalObjectReference{Name: "a-registry"},
+			),
+			Entry(
+				"imagePullSecrets field",
+				map[string]any{
+					"painter": map[string]any{
+						"enabled": true,
+						"imagePullSecrets": []v1.LocalObjectReference{{
+							Name: "b-registry",
+						}},
+					},
+				},
+				false,
+				v1.LocalObjectReference{Name: "b-registry"},
+			),
+			Entry(
+				"imagePullSecrets field with legacy",
+				map[string]any{
+					"painter": map[string]any{
+						"enabled": true,
+						"image": map[string]any{
+							"pullSecret": "a-registry",
+						},
+						"imagePullSecrets": []v1.LocalObjectReference{{
+							Name: "b-registry",
+						}},
+					},
+				},
+				false,
+				v1.LocalObjectReference{Name: "a-registry"}, v1.LocalObjectReference{Name: "b-registry"},
+			),
+		)
+	})
+
 	It("env variable priority", func() {
 		cmd := &Command{
 			Chart: &Chart{
@@ -58,7 +179,7 @@ var _ = Describe("Cmd", func() {
 					Name: "painter",
 					Deployment: Deployment{
 						Container: Container{
-							Image: Image{Repository: "painter", Tag: "v0.0.1"},
+							Image: Image{Repository: "painter", Registry: "gcr.io/painter", Tag: "v0.0.1"},
 							Env:   []v1.EnvVar{{Name: "ENV_VAR", Value: "default"}},
 							TemplateEnvVars: []TemplateEnvVar{
 								{
@@ -3156,18 +3277,19 @@ func helmTemplate(path string, values interface{}) []byte {
 
 	defer os.RemoveAll(helmValuesFile.Name())
 
-	cc := exec.Command("helm", "template",
+	args := []string{
+		"template",
 		path,
 		"--values", helmValuesFile.Name(),
-	)
-	out, err := cc.CombinedOutput()
-	defer func(e error) {
-		if e == nil {
-			return
-		}
-		fmt.Printf("[Cameron]: failed to run %s\n", cc.String())
-	}(err)
+	}
 
+	if os.Getenv("HELM_DEBUG") != "" {
+		args = append(args, "--debug")
+	}
+
+	cc := exec.Command("helm", args...)
+
+	out, err := cc.CombinedOutput()
 	ExpectWithOffset(0, err).NotTo(HaveOccurred(), string(out))
 	return out
 }

codegen/model/chart.go

@@ -123,6 +123,7 @@ type Deployment struct {
 	CustomPodAnnotations        map[string]string
 	CustomDeploymentLabels      map[string]string
 	CustomDeploymentAnnotations map[string]string
+	ImagePullSecrets            []corev1.LocalObjectReference
 }
 
 type ConditionalStrategy struct {

codegen/templates/chart/operator-deployment.yamltmpl

@@ -241,10 +241,16 @@ spec:
 {{- end }}
 [[- end ]]
 [[- end ]]
-      {{- if $[[ $operatorVar ]]Image.pullSecret }}
-      imagePullSecrets:
-        - name: {{ $[[ $operatorVar ]]Image.pullSecret }}
-      {{- end}}
+{{- $pullSecrets := (list) -}}
+{{- if $[[ $operatorVar ]]Image.pullSecret }}
+  {{- $pullSecrets = concat $pullSecrets (list (dict "name" $[[ $operatorVar ]]Image.pullSecret)) -}}
+{{- end }}
+{{- if $[[ $operatorVar ]].imagePullSecrets }}
+  {{- $pullSecrets = concat $pullSecrets $[[ $operatorVar ]].imagePullSecrets -}}
+{{- end }}
+{{- if gt (len $pullSecrets) 0 -}}
+  {{- (dict "imagePullSecrets" $pullSecrets) | toYaml | nindent 6 }}
+{{- end }}
 {{- end }} {{/* define "[[ $operator.Name ]].deploymentSpec" */}}
 
 {{/* Render [[ $operator.Name ]] deployment template with overrides from values*/}}

codegen/test/chart-conditional-deployment-strategy/templates/deployment.yaml

@@ -88,10 +88,16 @@ spec:
             drop:
             - ALL
 {{- end }}
-      {{- if $painterImage.pullSecret }}
-      imagePullSecrets:
-        - name: {{ $painterImage.pullSecret }}
-      {{- end}}
+{{- $pullSecrets := (list) -}}
+{{- if $painterImage.pullSecret }}
+  {{- $pullSecrets = concat $pullSecrets (list (dict "name" $painterImage.pullSecret)) -}}
+{{- end }}
+{{- if $painter.imagePullSecrets }}
+  {{- $pullSecrets = concat $pullSecrets $painter.imagePullSecrets -}}
+{{- end }}
+{{- if gt (len $pullSecrets) 0 -}}
+  {{- (dict "imagePullSecrets" $pullSecrets) | toYaml | nindent 6 }}
+{{- end }}
 {{- end }} {{/* define "painter.deploymentSpec" */}}
 
 {{/* Render painter deployment template with overrides from values*/}}

codegen/test/chart-deployment-strategy/templates/deployment.yaml

@@ -84,10 +84,16 @@ spec:
             drop:
             - ALL
 {{- end }}
-      {{- if $painterImage.pullSecret }}
-      imagePullSecrets:
-        - name: {{ $painterImage.pullSecret }}
-      {{- end}}
+{{- $pullSecrets := (list) -}}
+{{- if $painterImage.pullSecret }}
+  {{- $pullSecrets = concat $pullSecrets (list (dict "name" $painterImage.pullSecret)) -}}
+{{- end }}
+{{- if $painter.imagePullSecrets }}
+  {{- $pullSecrets = concat $pullSecrets $painter.imagePullSecrets -}}
+{{- end }}
+{{- if gt (len $pullSecrets) 0 -}}
+  {{- (dict "imagePullSecrets" $pullSecrets) | toYaml | nindent 6 }}
+{{- end }}
 {{- end }} {{/* define "painter.deploymentSpec" */}}
 
 {{/* Render painter deployment template with overrides from values*/}}

codegen/test/chart-envvars/templates/deployment.yaml

@@ -80,10 +80,16 @@ spec:
             drop:
             - ALL
 {{- end }}
-      {{- if $painterImage.pullSecret }}
-      imagePullSecrets:
-        - name: {{ $painterImage.pullSecret }}
-      {{- end}}
+{{- $pullSecrets := (list) -}}
+{{- if $painterImage.pullSecret }}
+  {{- $pullSecrets = concat $pullSecrets (list (dict "name" $painterImage.pullSecret)) -}}
+{{- end }}
+{{- if $painter.imagePullSecrets }}
+  {{- $pullSecrets = concat $pullSecrets $painter.imagePullSecrets -}}
+{{- end }}
+{{- if gt (len $pullSecrets) 0 -}}
+  {{- (dict "imagePullSecrets" $pullSecrets) | toYaml | nindent 6 }}
+{{- end }}
 {{- end }} {{/* define "painter.deploymentSpec" */}}
 
 {{/* Render painter deployment template with overrides from values*/}}

codegen/test/chart-no-desc/templates/deployment.yaml

@@ -152,10 +152,16 @@ spec:
             port: 8080
           initialDelaySeconds: 30
           periodSeconds: 60
-      {{- if $painterImage.pullSecret }}
-      imagePullSecrets:
-        - name: {{ $painterImage.pullSecret }}
-      {{- end}}
+{{- $pullSecrets := (list) -}}
+{{- if $painterImage.pullSecret }}
+  {{- $pullSecrets = concat $pullSecrets (list (dict "name" $painterImage.pullSecret)) -}}
+{{- end }}
+{{- if $painter.imagePullSecrets }}
+  {{- $pullSecrets = concat $pullSecrets $painter.imagePullSecrets -}}
+{{- end }}
+{{- if gt (len $pullSecrets) 0 -}}
+  {{- (dict "imagePullSecrets" $pullSecrets) | toYaml | nindent 6 }}
+{{- end }}
 {{- end }} {{/* define "painter.deploymentSpec" */}}
 
 {{/* Render painter deployment template with overrides from values*/}}

codegen/test/chart-pod-security-context/templates/deployment.yaml

@@ -83,10 +83,16 @@ spec:
             drop:
             - ALL
 {{- end }}
-      {{- if $painterImage.pullSecret }}
-      imagePullSecrets:
-        - name: {{ $painterImage.pullSecret }}
-      {{- end}}
+{{- $pullSecrets := (list) -}}
+{{- if $painterImage.pullSecret }}
+  {{- $pullSecrets = concat $pullSecrets (list (dict "name" $painterImage.pullSecret)) -}}
+{{- end }}
+{{- if $painter.imagePullSecrets }}
+  {{- $pullSecrets = concat $pullSecrets $painter.imagePullSecrets -}}
+{{- end }}
+{{- if gt (len $pullSecrets) 0 -}}
+  {{- (dict "imagePullSecrets" $pullSecrets) | toYaml | nindent 6 }}
+{{- end }}
 {{- end }} {{/* define "painter.deploymentSpec" */}}
 
 {{/* Render painter deployment template with overrides from values*/}}

codegen/test/chart-readiness/templates/deployment.yaml

@@ -87,10 +87,16 @@ spec:
             scheme: HTTPS
           initialDelaySeconds: 5
           periodSeconds: 10
-      {{- if $painterImage.pullSecret }}
-      imagePullSecrets:
-        - name: {{ $painterImage.pullSecret }}
-      {{- end}}
+{{- $pullSecrets := (list) -}}
+{{- if $painterImage.pullSecret }}
+  {{- $pullSecrets = concat $pullSecrets (list (dict "name" $painterImage.pullSecret)) -}}
+{{- end }}
+{{- if $painter.imagePullSecrets }}
+  {{- $pullSecrets = concat $pullSecrets $painter.imagePullSecrets -}}
+{{- end }}
+{{- if gt (len $pullSecrets) 0 -}}
+  {{- (dict "imagePullSecrets" $pullSecrets) | toYaml | nindent 6 }}
+{{- end }}
 {{- end }} {{/* define "painter.deploymentSpec" */}}
 
 {{/* Render painter deployment template with overrides from values*/}}