fix(helm): apply global.imagePullSecrets to Envoy Proxy deployments #7657
Conversation
Signed-off-by: Marco Bulgarini <[email protected]>
Signed-off-by: Marco Bulgarini <[email protected]>
| {{- if .Values.global.imagePullSecrets }} | ||
| envoyDeployment: | ||
| pod: | ||
| imagePullSecrets: | ||
| {{- toYaml .Values.global.imagePullSecrets | nindent 10 }} | ||
| {{- end }} |
There was a problem hiding this comment.
I'm pretty sure these get mapped to the EnvoyGateway CRD and configmap which doesn't support these fields - https://gateway.envoyproxy.io/docs/api/extension_types/#envoygatewaykubernetesprovider
There was a problem hiding this comment.
The image pull secrets defined in the helm chart get applied to the envoy-gateway controller deployment but this helm chart doesn't manage EnvoyProxy resources which is what you appear to be trying to inject into.
There was a problem hiding this comment.
Some options:
- Add the concept of a global EnvoyProxy as a field within kubernetesprovider and then the controller would default to this instead of empty. It would then follow an inheritance chain like other resources and values from separate EnvoyProxy resources would override
- If your only concern is imagePullSecrets, perhaps a new global field could be added under kubernetesprovider which then gets checked by the relevant resources during provisioning (rate limit, envoyproxy, etc)
There was a problem hiding this comment.
My immediately following concern would have been to address the distroless image that's not overridden with the global image selection.
Thanks for referencing the other issue; perhaps I can help moving that forward.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #7657 +/- ##
=======================================
Coverage 72.43% 72.43%
=======================================
Files 232 232
Lines 34307 34307
=======================================
+ Hits 24849 24851 +2
Misses 7682 7682
+ Partials 1776 1774 -2 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
3 participants
What type of PR is this?
Bug fix
What this PR does / why we need it:
This PR fixes an issue where the
global.imagePullSecretsconfiguration in the gateway-helm chart was not being applied to dynamically created Envoy Proxy deployments. While the global imagePullSecrets setting was correctly applied to the Envoy Gateway controller deployment and rate limit deployment, it was missing from the Envoy Proxy deployments that are created when Gateway resources are instantiated.Background:
The gateway-helm chart follows a consistent pattern where global configuration parameters (like
global.imagePullSecretsandglobal.imageRegistry) are propagated to all component deployments:global.imagePullSecretsordeployment.envoyGateway.imagePullSecretsorglobal.images.envoyGateway.pullSecretsglobal.imagePullSecretsorglobal.images.ratelimit.pullSecretsglobal.imagePullSecretsChanges:
eg.default-envoy-gateway-configtemplate to includeenvoyDeployment.pod.imagePullSecretsconfigurationImpact:
Users deploying Envoy Gateway in environments with private container registries can now set
global.imagePullSecretsonce, and it will be correctly applied to all components including the dynamically created Envoy Proxy deployments. This ensures consistent behavior across all chart-managed resources.Which issue(s) this PR fixes:
Fixes #
Release Notes: Yes