Adding an ImagePullSecret to a ServiceAccount in Tutor k8s

Hi Folks!

I’d like to follow up on a previous thread about using a private registry with tutor k8s.

We’d like to include attaching an ImagePullSecret to a ServiceAccount in the tutor deployment but so far I haven’t found a way to do that with the existing {{ patch(...) }} options within tutor.

Namely, we’d like to attach the secret to the default ServiceAccount in a given namespace. I guess it could work if there’d be a way to patch the namespace.yml template but at the moment it’s not possible.

I am wondering if anyone has run into this as well and/or has some ideas how to do this?

Thanks in advance! 🙂

Did you try to use the k8s-override patch? If yes, why didn’t it work?

Hi @regis! I tried, yes; the error was that the ServiceAccount was not found. Maybe my patch was missing something? I tried the following:

patches:
   k8s-override: |
     ---
     apiVersion: v1
     kind: ServiceAccount
     metadata:
       name: default
     imagePullSecrets:
       - name: registrykey

@mrtmm I think this is not going to work since the default ServiceAccount is not a resource generated by the Tutor Kustomization file. A patch can only be applied to resources that are generated by the kustomization.yaml that includes the patch. This ServiceAccount is automatically generated by Kubernetes.

There are still some alternatives:

  1. In case you require credentials for a few images, you can patch the corresponding deployments to override the imagePullSecrets parameter (spec.template.spec.imagePullSecrets).
  2. Patch the ServiceAccount once in the namespace (ugly in the sense it is not tracked via Tutor):

     kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "registrykey"}]}'

  3. This one can be more expensive: create a plugin to extend the Tutor K8S functionality in order to manage the private docker credentials. In my opinion, it should involve the secret creation and the attachment of the secret to ServiceAccount/deployments. I think the community would benefit from such a feature.

Hope this helps
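
Alternative 2 above as a repeatable script (an added example, not part of the original post or of Tutor): it waits for the default ServiceAccount that Kubernetes generates, keeps any pull secrets already attached, and does nothing when the secret is already listed. The function names and the `openedx` namespace in the usage line are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Repeatable version of the one-off
# "kubectl patch serviceaccount default" step; function names are made up here.

# The default ServiceAccount is generated by Kubernetes shortly after the
# namespace, so poll for it instead of assuming it is already there.
wait_for_default_sa() {
  sa_ns=$1
  tries=${2:-30}
  while [ "$tries" -gt 0 ]; do
    kubectl -n "$sa_ns" get serviceaccount default >/dev/null 2>&1 && return 0
    tries=$((tries - 1))
    sleep "${SA_POLL_SECONDS:-2}"
  done
  echo "default ServiceAccount not found in namespace $sa_ns" >&2
  return 1
}

# Print a patch body listing every already-attached name plus the new one,
# so an existing pull secret is never dropped. Kubernetes object names need
# no JSON escaping.
build_patch() {
  new=$1; shift
  json=""; seen=0
  for name in "$@"; do
    [ "$name" = "$new" ] && seen=1
    json="${json}{\"name\":\"${name}\"},"
  done
  [ "$seen" -eq 1 ] || json="${json}{\"name\":\"${new}\"},"
  printf '{"imagePullSecrets":[%s]}' "${json%,}"
}

attach_pull_secret() {
  ns=$1; secret=$2
  # Stop here if the secret is missing from the namespace.
  kubectl -n "$ns" get secret "$secret" >/dev/null || return 1
  wait_for_default_sa "$ns" || return 1
  current=$(kubectl -n "$ns" get serviceaccount default \
    -o jsonpath='{.imagePullSecrets[*].name}') || return 1
  case " $current " in
    *" $secret "*) echo "already attached"; return 0 ;;
  esac
  # $current is left unquoted on purpose: one argument per attached name.
  kubectl -n "$ns" patch serviceaccount default \
    -p "$(build_patch "$secret" $current)"
}

# Usage: ./attach-pull-secret.sh <namespace> <secret>, e.g. "openedx registrykey"
if [ $# -eq 2 ]; then attach_pull_secret "$1" "$2"; fi
```

Running it right after the namespace is created covers a fresh deployment, since pods started before the patch do not pick up the secret.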

Hi @jhony_avella, that is what I was thinking as well but I was hoping I missed something.

I tried this also, it works kind-of. Most pods get the secret attached and are able to pull the image but the deployments failed on jobs that also require an image from the private registry. If I understand correctly we cannot patch jobs with the secret. In any case we have more than a few images and for that this approach is not ideal in general.

The main issue with this is, in case we need to create/recreate the namespace, everything would fail from the start, wouldn’t it? This is why I was wondering if there’d be a way to patch the namespace.yml template, we could patch the default ServiceAccount for fresh deployments? What are your thoughts on that?

Thanks!

For anyone interested, I’ve put together something like this:

As the README also notes, there is room for improvement to handle fresh deployments when a namespace needs to be created also but other than that, it might be useful.

Thanks! 🙂