feat: Add support for image pull secrets in deployments

.changeset/rotten-numbers-protect.md

@@ -0,0 +1,5 @@
+---
+"helm-charts": patch
+---
+
+feat: Add support for image pull secrets in deployments

charts/hdx-oss-v2/templates/clickhouse-deployment.yaml

@@ -26,6 +26,10 @@ spec:
       tolerations:
         {{- toYaml .Values.clickhouse.tolerations | nindent 8 }}
       {{- end }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml .Values.global.imagePullSecrets | nindent 8 }}
+      {{- end }}
       containers:
         - name: clickhouse
           image: "{{ .Values.clickhouse.image }}"

charts/hdx-oss-v2/templates/cronjobs/task-checkAlerts.yaml

@@ -17,6 +17,10 @@ spec:
             {{- include "hdx-oss.selectorLabels" . | nindent 12 }}
             app.kubernetes.io/component: task
         spec:
+          {{- if .Values.global.imagePullSecrets }}
+          imagePullSecrets:
+            {{- toYaml .Values.global.imagePullSecrets | nindent 12 }}
+          {{- end }}
           restartPolicy: OnFailure
           containers:
             - name: task

charts/hdx-oss-v2/templates/hyperdx-deployment.yaml

@@ -43,6 +43,10 @@ spec:
       {{- if .Values.hyperdx.priorityClassName }}
       priorityClassName: {{ .Values.hyperdx.priorityClassName | quote }}
       {{- end }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml .Values.global.imagePullSecrets | nindent 8 }}
+      {{- end }}
       {{- if .Values.mongodb.enabled }}
       initContainers:
         - name: wait-for-mongodb

charts/hdx-oss-v2/templates/mongodb-deployment.yaml

@@ -48,6 +48,10 @@ spec:
       tolerations:
         {{- toYaml .Values.mongodb.tolerations | nindent 8 }}
       {{- end }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml .Values.global.imagePullSecrets | nindent 8 }}
+      {{- end }}
       containers:
         - name: mongodb
           image: "{{ .Values.mongodb.image }}"

charts/hdx-oss-v2/templates/otel-collector-deployment.yaml

@@ -32,6 +32,10 @@ spec:
       tolerations:
         {{- toYaml .Values.otel.tolerations | nindent 8 }}
       {{- end }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml .Values.global.imagePullSecrets | nindent 8 }}
+      {{- end }}
       containers:
         - name: otel-collector
           image: "{{ .Values.otel.image.repository }}:{{ .Values.otel.image.tag | default .Chart.AppVersion }}"

charts/hdx-oss-v2/tests/clickhouse-deployment_test.yaml

@@ -338,4 +338,29 @@ tests:
           of: PersistentVolumeClaim
       - documentIndex: 5
         isNull:
-          path: metadata.annotations
+          path: metadata.annotations
+
+  - it: should not include imagePullSecrets when not configured
+    set:
+      clickhouse:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        isNull:
+          path: spec.template.spec.imagePullSecrets
+
+  - it: should include imagePullSecrets when configured
+    set:
+      clickhouse:
+        enabled: true
+      global:
+        imagePullSecrets:
+          - name: regcred
+    asserts:
+      - documentIndex: 0
+        isNotNull:
+          path: spec.template.spec.imagePullSecrets
+      - documentIndex: 0
+        equal:
+          path: spec.template.spec.imagePullSecrets[0].name
+          value: regcred

charts/hdx-oss-v2/tests/hyperdx-deployment_test.yaml

@@ -226,4 +226,47 @@ tests:
           value: 9000
       - equal:
           path: spec.template.spec.containers[0].readinessProbe.httpGet.port
-          value: 9000
+          value: 9000
+
+  - it: should not include imagePullSecrets when not configured
+    asserts:
+      - isNull:
+          path: spec.template.spec.imagePullSecrets
+
+  - it: should include imagePullSecrets when configured with single secret
+    set:
+      global:
+        imagePullSecrets:
+          - name: regcred
+    asserts:
+      - isNotNull:
+          path: spec.template.spec.imagePullSecrets
+      - equal:
+          path: spec.template.spec.imagePullSecrets[0].name
+          value: regcred
+      - lengthEqual:
+          path: spec.template.spec.imagePullSecrets
+          count: 1
+
+  - it: should include imagePullSecrets when configured with multiple secrets
+    set:
+      global:
+        imagePullSecrets:
+          - name: regcred
+          - name: docker-hub-secret
+          - name: private-registry-secret
+    asserts:
+      - isNotNull:
+          path: spec.template.spec.imagePullSecrets
+      - equal:
+          path: spec.template.spec.imagePullSecrets[0].name
+          value: regcred
+      - equal:
+          path: spec.template.spec.imagePullSecrets[1].name
+          value: docker-hub-secret
+      - equal:
+          path: spec.template.spec.imagePullSecrets[2].name
+          value: private-registry-secret
+      - lengthEqual:
+          path: spec.template.spec.imagePullSecrets
+          count: 3

charts/hdx-oss-v2/tests/mongodb-deployment_test.yaml

@@ -265,3 +265,28 @@ tests:
         equal:
           path: spec.storageClassName
           value: fast-ssd
+
+  - it: should not include imagePullSecrets when not configured
+    set:
+      mongodb:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        isNull:
+          path: spec.template.spec.imagePullSecrets
+
+  - it: should include imagePullSecrets when configured
+    set:
+      mongodb:
+        enabled: true
+      global:
+        imagePullSecrets:
+          - name: regcred
+    asserts:
+      - documentIndex: 1
+        isNotNull:
+          path: spec.template.spec.imagePullSecrets
+      - documentIndex: 1
+        equal:
+          path: spec.template.spec.imagePullSecrets[0].name
+          value: regcred

charts/hdx-oss-v2/tests/otel-collector_test.yaml

@@ -807,3 +807,28 @@ tests:
         equal:
           path: spec.template.spec.containers[0].readinessProbe.httpGet.port
           value: 13134
+
+  - it: should not include imagePullSecrets when not configured
+    set:
+      otel:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        isNull:
+          path: spec.template.spec.imagePullSecrets
+
+  - it: should include imagePullSecrets when configured
+    set:
+      otel:
+        enabled: true
+      global:
+        imagePullSecrets:
+          - name: regcred
+    asserts:
+      - documentIndex: 0
+        isNotNull:
+          path: spec.template.spec.imagePullSecrets
+      - documentIndex: 0
+        equal:
+          path: spec.template.spec.imagePullSecrets[0].name
+          value: regcred

charts/hdx-oss-v2/tests/task-checkAlerts_test.yaml

@@ -72,3 +72,25 @@ tests:
       - equal:
           path: spec.schedule
           value: "*/1 * * * *"
+
+  - it: should not include imagePullSecrets when not configured
+    set:
+      tasks:
+        enabled: true
+    asserts:
+      - isNull:
+          path: spec.jobTemplate.spec.template.spec.imagePullSecrets
+
+  - it: should include imagePullSecrets when configured
+    set:
+      tasks:
+        enabled: true
+      global:
+        imagePullSecrets:
+          - name: regcred
+    asserts:
+      - isNotNull:
+          path: spec.jobTemplate.spec.template.spec.imagePullSecrets
+      - equal:
+          path: spec.jobTemplate.spec.template.spec.imagePullSecrets[0].name
+          value: regcred

charts/hdx-oss-v2/values.yaml

@@ -1,5 +1,11 @@
 global:
   imageRegistry: ""
+  # List of image pull secrets to use for pulling images from private registries
+  # This helps avoid rate limiting (429 errors) when pulling from Docker Hub
+  # Example:
+  # imagePullSecrets:
+  #   - name: regcred
+  #   - name: docker-hub-secret
   imagePullSecrets: []
   storageClassName: "local-path"
   # Keep PVCs when uninstalling helm release to preserve data