Imagepull secrets for extproc image

Signed-off-by: Johnu George <[email protected]>

Author: johnugeorge

cmd/controller/main.go

@@ -47,6 +47,7 @@ type flags struct {
 	spanRequestHeaderAttributes    string
 	rootPrefix                     string
 	extProcExtraEnvVars            string
+	extProcImagePullSecrets        string
 	// extProcMaxRecvMsgSize is the maximum message size in bytes that the gRPC server can receive.
 	extProcMaxRecvMsgSize int
 	// maxRecvMsgSize is the maximum message size in bytes that the gRPC extension server can receive.
@@ -143,6 +144,11 @@ func parseAndValidateFlags(args []string) (flags, error) {
 		"",
 		"Semicolon-separated key=value pairs for extra environment variables in extProc container. Format: OTEL_SERVICE_NAME=ai-gateway;OTEL_TRACES_EXPORTER=otlp",
 	)
+	extProcImagePullSecrets := fs.String(
+		"extProcImagePullSecrets",
+		"",
+		"Semicolon-separated list of image pull secret names for extProc container. Format: my-registry-secret;another-secret",
+	)
 	extProcMaxRecvMsgSize := fs.Int(
 		"extProcMaxRecvMsgSize",
 		512*1024*1024,
@@ -205,6 +211,14 @@ func parseAndValidateFlags(args []string) (flags, error) {
 		}
 	}
 
+	// Validate extProc image pull secrets if provided.
+	if *extProcImagePullSecrets != "" {
+		_, err := controller.ParseImagePullSecrets(*extProcImagePullSecrets)
+		if err != nil {
+			return flags{}, fmt.Errorf("invalid extProc image pull secrets: %w", err)
+		}
+	}
+
 	return flags{
 		extProcLogLevel:                *extProcLogLevelPtr,
 		extProcImage:                   *extProcImagePtr,
@@ -221,6 +235,7 @@ func parseAndValidateFlags(args []string) (flags, error) {
 		spanRequestHeaderAttributes:    *spanRequestHeaderAttributes,
 		rootPrefix:                     *rootPrefix,
 		extProcExtraEnvVars:            *extProcExtraEnvVars,
+		extProcImagePullSecrets:        *extProcImagePullSecrets,
 		extProcMaxRecvMsgSize:          *extProcMaxRecvMsgSize,
 		maxRecvMsgSize:                 *maxRecvMsgSize,
 	}, nil
@@ -304,6 +319,7 @@ func main() {
 		TracingRequestHeaderAttributes: flags.spanRequestHeaderAttributes,
 		RootPrefix:                     flags.rootPrefix,
 		ExtProcExtraEnvVars:            flags.extProcExtraEnvVars,
+		ExtProcImagePullSecrets:        flags.extProcImagePullSecrets,
 		ExtProcMaxRecvMsgSize:          flags.extProcMaxRecvMsgSize,
 	}); err != nil {
 		setupLog.Error(err, "failed to start controller")

internal/controller/controller.go

@@ -81,6 +81,8 @@ type Options struct {
 	RootPrefix string
 	// ExtProcExtraEnvVars is the semicolon-separated key=value pairs for extra environment variables in extProc container.
 	ExtProcExtraEnvVars string
+	// ExtProcImagePullSecrets is the semicolon-separated list of image pull secret names for extProc container.
+	ExtProcImagePullSecrets string
 	// ExtProcMaxRecvMsgSize is the maximum message size in bytes that the gRPC server can receive for extProc.
 	ExtProcMaxRecvMsgSize int
 }
@@ -211,6 +213,7 @@ func StartControllers(ctx context.Context, mgr manager.Manager, config *rest.Con
 			options.TracingRequestHeaderAttributes,
 			options.RootPrefix,
 			options.ExtProcExtraEnvVars,
+			options.ExtProcImagePullSecrets,
 			options.ExtProcMaxRecvMsgSize,
 			isKubernetes133OrLater(versionInfo, logger),
 		))

internal/controller/gateway_mutator.go

@@ -42,6 +42,7 @@ type gatewayMutator struct {
 	spanRequestHeaderAttributes    string
 	rootPrefix                     string
 	extProcExtraEnvVars            []corev1.EnvVar
+	extProcImagePullSecrets        []corev1.LocalObjectReference
 	extProcMaxRecvMsgSize          int
 
 	// Whether to run the extProc container as a sidecar (true) as a normal container (false).
@@ -51,7 +52,7 @@ type gatewayMutator struct {
 
 func newGatewayMutator(c client.Client, kube kubernetes.Interface, logger logr.Logger,
 	extProcImage string, extProcImagePullPolicy corev1.PullPolicy, extProcLogLevel,
-	udsPath, metricsRequestHeaderAttributes, spanRequestHeaderAttributes, rootPrefix, extProcExtraEnvVars string, extProcMaxRecvMsgSize int,
+	udsPath, metricsRequestHeaderAttributes, spanRequestHeaderAttributes, rootPrefix, extProcExtraEnvVars, extProcImagePullSecrets string, extProcMaxRecvMsgSize int,
 	extProcAsSideCar bool,
 ) *gatewayMutator {
 	var parsedEnvVars []corev1.EnvVar
@@ -63,6 +64,17 @@ func newGatewayMutator(c client.Client, kube kubernetes.Interface, logger logr.L
 				"envVars", extProcExtraEnvVars)
 		}
 	}
+
+	var parsedImagePullSecrets []corev1.LocalObjectReference
+	if extProcImagePullSecrets != "" {
+		var err error
+		parsedImagePullSecrets, err = ParseImagePullSecrets(extProcImagePullSecrets)
+		if err != nil {
+			logger.Error(err, "failed to parse extProc image pull secrets, skipping",
+				"imagePullSecrets", extProcImagePullSecrets)
+		}
+	}
+
 	return &gatewayMutator{
 		c: c, codec: serializer.NewCodecFactory(Scheme),
 		kube:                           kube,
@@ -75,6 +87,7 @@ func newGatewayMutator(c client.Client, kube kubernetes.Interface, logger logr.L
 		spanRequestHeaderAttributes:    spanRequestHeaderAttributes,
 		rootPrefix:                     rootPrefix,
 		extProcExtraEnvVars:            parsedEnvVars,
+		extProcImagePullSecrets:        parsedImagePullSecrets,
 		extProcMaxRecvMsgSize:          extProcMaxRecvMsgSize,
 		extProcAsSideCar:               extProcAsSideCar,
 	}
@@ -167,6 +180,31 @@ func ParseExtraEnvVars(s string) ([]corev1.EnvVar, error) {
 	return result, nil
 }
 
+// ParseImagePullSecrets parses semicolon-separated secret names into a list of
+// LocalObjectReference objects for image pull secrets.
+// Example: "my-registry-secret;another-secret".
+func ParseImagePullSecrets(s string) ([]corev1.LocalObjectReference, error) {
+	if s == "" {
+		return nil, nil
+	}
+
+	names := strings.Split(s, ";")
+	result := make([]corev1.LocalObjectReference, 0, len(names))
+	for _, name := range names {
+		name = strings.TrimSpace(name)
+		if name == "" {
+			continue // Skip empty names from trailing semicolons.
+		}
+		result = append(result, corev1.LocalObjectReference{Name: name})
+	}
+
+	if len(result) == 0 {
+		return nil, nil
+	}
+
+	return result, nil
+}
+
 func (g *gatewayMutator) mutatePod(ctx context.Context, pod *corev1.Pod, gatewayName, gatewayNamespace string) error {
 	var routes aigv1a1.AIGatewayRouteList
 	err := g.c.List(ctx, &routes, client.MatchingFields{
@@ -223,6 +261,11 @@ func (g *gatewayMutator) mutatePod(ctx context.Context, pod *corev1.Pod, gateway
 		},
 	)
 
+	// Add imagePullSecrets for extProc if configured
+	if len(g.extProcImagePullSecrets) > 0 {
+		podspec.ImagePullSecrets = append(podspec.ImagePullSecrets, g.extProcImagePullSecrets...)
+	}
+
 	// Currently, we have to set the resources for the extproc container at route level.
 	// We choose one of the routes to set the resources for the extproc container.
 	var resources corev1.ResourceRequirements

internal/controller/gateway_mutator_test.go

@@ -187,7 +187,7 @@ func newTestGatewayMutator(fakeClient client.Client, fakeKube *fake2.Clientset,
 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&zap.Options{Development: true, Level: zapcore.DebugLevel})))
 	return newGatewayMutator(
 		fakeClient, fakeKube, ctrl.Log, "docker.io/envoyproxy/ai-gateway-extproc:latest", corev1.PullIfNotPresent,
-		"info", "/tmp/extproc.sock", metricsRequestHeaderAttributes, spanRequestHeaderAttributes, "/v1", extProcExtraEnvVars, 512*1024*1024,
+		"info", "/tmp/extproc.sock", metricsRequestHeaderAttributes, spanRequestHeaderAttributes, "/v1", extProcExtraEnvVars, "", 512*1024*1024,
 		sidecar,
 	)
 }

manifests/charts/ai-gateway-helm/templates/_helpers.tpl

@@ -78,3 +78,14 @@ Convert extraEnvVars array to semicolon-separated string for extProc
 {{- end -}}
 {{- join ";" $envVars -}}
 {{- end }}
+
+{{/*
+Convert imagePullSecrets array to semicolon-separated string for extProc
+*/}}
+{{- define "ai-gateway-helm.extProc.imagePullSecretsString" -}}
+{{- $secrets := list -}}
+{{- range .Values.extProc.imagePullSecrets -}}
+  {{- $secrets = append $secrets .name -}}
+{{- end -}}
+{{- join ";" $secrets -}}
+{{- end }}

manifests/charts/ai-gateway-helm/templates/deployment.yaml

@@ -46,6 +46,9 @@ spec:
             - --extProcImage={{ .Values.extProc.image.repository }}:{{ .Values.extProc.image.tag | default .Chart.AppVersion }}
             - --extProcImagePullPolicy={{ .Values.extProc.imagePullPolicy }}
             - --extProcLogLevel={{ .Values.extProc.logLevel }}
+            {{- if .Values.extProc.imagePullSecrets }}
+            - --extProcImagePullSecrets={{ include "ai-gateway-helm.extProc.imagePullSecretsString" . }}
+            {{- end }}
             {{- if or .Values.controller.metricsRequestHeaderAttributes .Values.controller.metricsRequestHeaderLabels }}
             - --metricsRequestHeaderAttributes={{ .Values.controller.metricsRequestHeaderAttributes | default .Values.controller.metricsRequestHeaderLabels }}
             {{- end }}

manifests/charts/ai-gateway-helm/values.yaml

@@ -21,6 +21,7 @@ extProc:
     # Overrides the image tag whose default is the chart appVersion.
     tag: ""
   imagePullPolicy: IfNotPresent
+  imagePullSecrets: []
   # One of "info", "debug", "trace", "warn", "error", "fatal", "panic".
   logLevel: info