support image_pull_secrets for k8s SA in workload identity module

Eugene Malihins · Eugene Malihins · commit ec4f1a2e435a · 2025-02-11T19:11:15.000+02:00
diff --git a/modules/workload-identity/main.tf b/modules/workload-identity/main.tf
@@ -53,6 +53,15 @@ resource "kubernetes_service_account" "main" {
   count = var.use_existing_k8s_sa ? 0 : 1
 
   automount_service_account_token = var.automount_service_account_token
+
+  dynamic "image_pull_secret" {
+    for_each = var.image_pull_secrets
+
+    content {
+      name = image_pull_secret.value
+    }
+  }
+
   metadata {
     name      = local.k8s_given_name
     namespace = var.namespace
diff --git a/modules/workload-identity/variables.tf b/modules/workload-identity/variables.tf
@@ -84,6 +84,12 @@ variable "automount_service_account_token" {
   default     = false
 }
 
+variable "image_pull_secrets" {
+  description = "A list of references to secrets in the same namespace to use for pulling any images in pods that reference this Service Account"
+  type        = list(string)
+  default     = []
+}
+
 variable "roles" {
   description = "A list of roles to be added to the created service account"
   type        = list(string)
