Namely, we’d like to attach the secret to the default ServiceAccount in a given namespace. I guess it could work if there were a way to patch the namespace.yml template, but at the moment it’s not possible.
I am wondering if anyone has run into this as well and/or has some ideas on how to do this?
@mrtmm I think this is not going to work since the default ServiceAccount is not a resource generated by the Tutor Kustomization file. A patch can only be applied to resources that are generated by the kustomization.yaml that includes the patch. This ServiceAccount is automatically generated by Kubernetes.
There are still some alternatives:
In case you require credentials for a few images, you can patch the corresponding deployments to override the imagePullSecrets parameter (spec.template.spec.imagePullSecrets)
Patch the ServiceAccount once in the namespace (ugly in the sense it is not tracked via Tutor):
This one can be more expensive: create a plugin to extend the Tutor K8S functionality in order to manage the private docker credentials. In my opinion, it should involve the secret creation and the attachment of the secret to ServiceAccount/deployments. I think the community would benefit from such a feature.
Hi @jhony_avella, that is what I was thinking as well but I was hoping I missed something.
I tried this also; it kind of works. Most pods get the secret attached and are able to pull the image, but the deployments failed on jobs that also require an image from the private registry. If I understand correctly, we cannot patch jobs with the secret. In any case, we have more than a few images, and for that this approach is not ideal in general.
The main issue with this is that, in case we need to create/recreate the namespace, everything would fail from the start, wouldn’t it? This is why I was wondering if there’d be a way to patch the namespace.yml template, so we could patch the default ServiceAccount for fresh deployments? What are your thoughts on that?
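Added example, not part of any post in this thread and not Tutor's own code: a re-runnable shell helper for the "patch the ServiceAccount once" alternative that also covers a freshly created or recreated namespace by waiting for the default ServiceAccount and skipping the patch when the secret is already attached. The namespace `openedx` and secret name `private-registry` in the usage comment are assumed, constructed values.

```shell
#!/bin/sh
# Added example (assumed names: namespace "openedx", secret "private-registry").
# Requires kubectl and an existing docker-registry secret in the namespace.

# Build the patch body that references the pull secret by name.
pull_secret_patch() {
  printf '{"imagePullSecrets":[{"name":"%s"}]}' "$1"
}

# Kubernetes creates the default ServiceAccount shortly after the namespace,
# so poll for it (about one second per try) before patching a fresh namespace.
wait_for_default_sa() {
  ns=$1
  tries=${2:-30}
  while [ "$tries" -gt 0 ]; do
    kubectl -n "$ns" get serviceaccount default >/dev/null 2>&1 && return 0
    tries=$((tries - 1))
    sleep 1
  done
  return 1
}

# Attach the secret to the default ServiceAccount; safe to run repeatedly.
# Prints "patched" or "unchanged"; returns non-zero on failure.
attach_pull_secret() {
  ns=$1
  secret=$2
  wait_for_default_sa "$ns" || {
    echo "default ServiceAccount not found in namespace $ns" >&2
    return 1
  }
  # Names of the pull secrets already attached, space separated.
  current=$(kubectl -n "$ns" get serviceaccount default \
    -o jsonpath='{.imagePullSecrets[*].name}')
  case " $current " in
    *" $secret "*) echo "unchanged"; return 0 ;;
  esac
  kubectl -n "$ns" patch serviceaccount default \
    -p "$(pull_secret_patch "$secret")" >/dev/null && echo "patched"
}

# Usage: attach_pull_secret openedx private-registry
```

Run it after the namespace exists and before the workloads are created: the ServiceAccount's imagePullSecrets are copied into pods only at pod creation, which includes pods started by jobs that use the default ServiceAccount.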