feat: Add image pull secret propagation for agent run container

zion · zion · commit 4cd84a0972b7 · 2026-03-28T00:04:06.000+01:00
diff --git a/api/v1alpha1/agentrun_types.go b/api/v1alpha1/agentrun_types.go
@@ -1,6 +1,7 @@
 package v1alpha1
 
 import (
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -68,6 +69,10 @@ type AgentRunSpec struct {
 	// +kubebuilder:validation:Enum=task;server
 	// +optional
 	Mode string `json:"mode,omitempty"`
+
+	// ImagePullSecrets are secrets to use when pulling container images.
+	// +optional
+	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
 }
 
 // ParentRunRef links a sub-agent to its parent.
diff --git a/api/v1alpha1/sympoziuminstance_types.go b/api/v1alpha1/sympoziuminstance_types.go
@@ -48,6 +48,10 @@ type SympoziumInstanceSpec struct {
 	// When nil or Enabled is false, no web-proxy infrastructure is deployed.
 	// +optional
 	WebEndpoint *WebEndpointSpec `json:"webEndpoint,omitempty"`
+
+	// ImagePullSecrets are secrets to use when pulling container images.
+	// +optional
+	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
 }
 
 // MCPServerRef references a remote MCP server for tool integration.
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/sympozium/crds/sympozium.ai_agentruns.yaml b/charts/sympozium/crds/sympozium.ai_agentruns.yaml
@@ -109,6 +109,26 @@ spec:
                 description: Env defines custom environment variables to pass to the
                   agent container.
                 type: object
+              imagePullSecrets:
+                description: ImagePullSecrets are secrets to use when pulling container
+                  images.
+                items:
+                  description: |-
+                    LocalObjectReference contains enough information to let you locate the
+                    referenced object inside the same namespace.
+                  properties:
+                    name:
+                      default: ""
+                      description: |-
+                        Name of the referent.
+                        This field is effectively required, but due to backwards compatibility is
+                        allowed to be empty. Instances of this type with an empty value here are
+                        almost certainly wrong.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      type: string
+                  type: object
+                  x-kubernetes-map-type: atomic
+                type: array
               instanceRef:
                 description: InstanceRef is the name of the SympoziumInstance this
                   run belongs to.
diff --git a/charts/sympozium/crds/sympozium.ai_sympoziuminstances.yaml b/charts/sympozium/crds/sympozium.ai_sympoziuminstances.yaml
@@ -296,6 +296,26 @@ spec:
                   - type
                   type: object
                 type: array
+              imagePullSecrets:
+                description: ImagePullSecrets are secrets to use when pulling container
+                  images.
+                items:
+                  description: |-
+                    LocalObjectReference contains enough information to let you locate the
+                    referenced object inside the same namespace.
+                  properties:
+                    name:
+                      default: ""
+                      description: |-
+                        Name of the referent.
+                        This field is effectively required, but due to backwards compatibility is
+                        allowed to be empty. Instances of this type with an empty value here are
+                        almost certainly wrong.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      type: string
+                  type: object
+                  x-kubernetes-map-type: atomic
+                type: array
               mcpServers:
                 description: |-
                   MCPServers configures remote MCP (Model Context Protocol) servers
diff --git a/charts/sympozium/sympozium-0.4.5.tgz b/charts/sympozium/sympozium-0.4.5.tgz
diff --git a/cmd/sympozium/main.go b/cmd/sympozium/main.go
@@ -7675,6 +7675,7 @@ func tuiCreateRun(ns, instance, task string) (string, error) {
 			},
 			Skills:  inst.Spec.Skills,
 			Timeout: &metav1.Duration{Duration: 10 * time.Minute},
+			ImagePullSecrets: inst.Spec.ImagePullSecrets,
 		},
 	}
 	if err := k8sClient.Create(ctx, run); err != nil {
diff --git a/config/crd/bases/sympozium.ai_agentruns.yaml b/config/crd/bases/sympozium.ai_agentruns.yaml
@@ -109,6 +109,26 @@ spec:
                 description: Env defines custom environment variables to pass to the
                   agent container.
                 type: object
+              imagePullSecrets:
+                description: ImagePullSecrets are secrets to use when pulling container
+                  images.
+                items:
+                  description: |-
+                    LocalObjectReference contains enough information to let you locate the
+                    referenced object inside the same namespace.
+                  properties:
+                    name:
+                      default: ""
+                      description: |-
+                        Name of the referent.
+                        This field is effectively required, but due to backwards compatibility is
+                        allowed to be empty. Instances of this type with an empty value here are
+                        almost certainly wrong.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      type: string
+                  type: object
+                  x-kubernetes-map-type: atomic
+                type: array
               instanceRef:
                 description: InstanceRef is the name of the SympoziumInstance this
                   run belongs to.
diff --git a/config/crd/bases/sympozium.ai_sympoziuminstances.yaml b/config/crd/bases/sympozium.ai_sympoziuminstances.yaml
@@ -296,6 +296,26 @@ spec:
                   - type
                   type: object
                 type: array
+              imagePullSecrets:
+                description: ImagePullSecrets are secrets to use when pulling container
+                  images.
+                items:
+                  description: |-
+                    LocalObjectReference contains enough information to let you locate the
+                    referenced object inside the same namespace.
+                  properties:
+                    name:
+                      default: ""
+                      description: |-
+                        Name of the referent.
+                        This field is effectively required, but due to backwards compatibility is
+                        allowed to be empty. Instances of this type with an empty value here are
+                        almost certainly wrong.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      type: string
+                  type: object
+                  x-kubernetes-map-type: atomic
+                type: array
               mcpServers:
                 description: |-
                   MCPServers configures remote MCP (Model Context Protocol) servers
diff --git a/internal/apiserver/server.go b/internal/apiserver/server.go
@@ -825,6 +825,7 @@ func (s *Server) createRun(w http.ResponseWriter, r *http.Request) {
 				NodeSelector:  inst.Spec.Agents.Default.NodeSelector,
 			},
 			Skills: inst.Spec.Skills,
+			ImagePullSecrets: inst.Spec.ImagePullSecrets,
 		},
 	}
 
diff --git a/internal/controller/agentrun_controller.go b/internal/controller/agentrun_controller.go
@@ -807,6 +807,7 @@ func (r *AgentRunReconciler) reconcilePendingServer(ctx context.Context, log log
 				Spec: corev1.PodSpec{
 					RestartPolicy:      corev1.RestartPolicyAlways,
 					ServiceAccountName: "sympozium-agent",
+					ImagePullSecrets:   agentRun.Spec.ImagePullSecrets,
 					NodeSelector:       agentRun.Spec.Model.NodeSelector,
 					Containers: []corev1.Container{
 						{
@@ -1270,6 +1271,7 @@ func (r *AgentRunReconciler) buildJob(
 				Spec: corev1.PodSpec{
 					RestartPolicy:      corev1.RestartPolicyNever,
 					ServiceAccountName: "sympozium-agent",
+					ImagePullSecrets:   agentRun.Spec.ImagePullSecrets,
 					HostNetwork:        hostNetwork,
 					HostPID:            hostPID,
 					DNSPolicy:          dnsPolicy,
diff --git a/internal/controller/channel_router.go b/internal/controller/channel_router.go
@@ -207,6 +207,7 @@ func (cr *ChannelRouter) handleInbound(ctx context.Context, event *eventbus.Even
 			},
 			Skills:  inst.Spec.Skills,
 			Timeout: &metav1.Duration{Duration: 10 * time.Minute},
+			ImagePullSecrets: inst.Spec.ImagePullSecrets,
 		},
 	}
 
diff --git a/internal/controller/sympoziuminstance_controller.go b/internal/controller/sympoziuminstance_controller.go
@@ -749,6 +749,7 @@ func (r *SympoziumInstanceReconciler) ensureWebEndpointAgentRun(ctx context.Cont
 				AuthSecretRef: resolveAuthSecret(instance),
 			},
 			Skills: []sympoziumv1alpha1.SkillRef{webSkill},
+			ImagePullSecrets: instance.Spec.ImagePullSecrets,
 		},
 	}
 
diff --git a/internal/controller/sympoziumschedule_controller.go b/internal/controller/sympoziumschedule_controller.go
@@ -184,6 +184,7 @@ func (r *SympoziumScheduleReconciler) Reconcile(ctx context.Context, req ctrl.Re
 				Provider: resolveProvider(instance),
 				Model:    instance.Spec.Agents.Default.Model,
 			},
+			ImagePullSecrets: instance.Spec.ImagePullSecrets,
 		},
 	}
 
diff --git a/internal/controller/sympoziumschedule_controller_test.go b/internal/controller/sympoziumschedule_controller_test.go
@@ -216,6 +216,9 @@ func TestSympoziumScheduleReconcile_SkipsWhenServingRunExists(t *testing.T) {
 				Model:         "gpt-4o",
 				AuthSecretRef: "inst-serving-openai-key",
 			},
+			ImagePullSecrets: []v1.LocalObjectReference{
+				{Name: "inst-serving-secret"},
+			},
 		},
 		Status: sympoziumv1alpha1.AgentRunStatus{
 			Phase: sympoziumv1alpha1.AgentRunPhaseServing,
diff --git a/internal/orchestrator/spawner.go b/internal/orchestrator/spawner.go
@@ -11,6 +11,7 @@ import (
 	"go.opentelemetry.io/otel/codes"
 	"go.opentelemetry.io/otel/trace"
 
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -56,6 +57,8 @@ type SpawnRequest struct {
 
 	// Skills to mount.
 	Skills []sympoziumv1alpha1.SkillRef `json:"skills,omitempty"`
+
+	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
 }
 
 // SpawnResult is the result of a spawn operation.
@@ -115,6 +118,7 @@ func (s *Spawner) Spawn(ctx context.Context, req SpawnRequest) (*SpawnResult, er
 			Model:        req.Model,
 			Skills:       req.Skills,
 			Cleanup:      "delete",
+			ImagePullSecrets: req.ImagePullSecrets,
 		},
 	}
 
diff --git a/internal/webproxy/mcp.go b/internal/webproxy/mcp.go
@@ -250,6 +250,7 @@ func (p *Proxy) executeAgentTask(ctx context.Context, task string, session *mcpS
 			},
 			Skills:  inst.Spec.Skills,
 			Timeout: &metav1.Duration{Duration: 10 * time.Minute},
+			ImagePullSecrets: inst.Spec.ImagePullSecrets,
 		},
 	}
 
diff --git a/internal/webproxy/openai.go b/internal/webproxy/openai.go
@@ -171,6 +171,7 @@ func (p *Proxy) handleChatCompletions(w http.ResponseWriter, r *http.Request) {
 			},
 			Skills:  childSkills,
 			Timeout: &metav1.Duration{Duration: 10 * time.Minute},
+		  ImagePullSecrets: inst.Spec.ImagePullSecrets,
 		},
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -7675,6 +7675,7 @@ func tuiCreateRun(ns, instance, task string) (string, error) {`
`7675`	`7675`	`},`
`7676`	`7676`	`Skills: inst.Spec.Skills,`
`7677`	`7677`	`Timeout: &metav1.Duration{Duration: 10 * time.Minute},`
	`7678`	`+ ImagePullSecrets: inst.Spec.ImagePullSecrets,`
`7678`	`7679`	`},`
`7679`	`7680`	`}`
`7680`	`7681`	`if err := k8sClient.Create(ctx, run); err != nil {`
Original file line number	Diff line number	Diff line change
`@@ -825,6 +825,7 @@ func (s Server) createRun(w http.ResponseWriter, r http.Request) {`
`825`	`825`	`NodeSelector: inst.Spec.Agents.Default.NodeSelector,`
`826`	`826`	`},`
`827`	`827`	`Skills: inst.Spec.Skills,`
	`828`	`+ ImagePullSecrets: inst.Spec.ImagePullSecrets,`
`828`	`829`	`},`
`829`	`830`	`}`
`830`	`831`