feat(chart): added package and skyhook image pull secrets

Author: riceriley59

chart/templates/deployment.yaml

@@ -78,8 +78,10 @@ spec:
           value: {{ quote .Values.webhook.enable }}
         - name: NAMESPACE
           value: {{ .Release.Namespace }}
-        - name: IMAGE_PULL_SECRET
-          value: {{ quote .Values.imagePullSecret }}
+        - name: PACKAGE_IMAGE_PULL_SECRET
+          value: {{ quote .Values.packageImagePullSecret }}
+        - name: SKYHOOK_IMAGE_PULL_SECRET
+          value: {{ quote .Values.skyhookImagePullSecret }}
         - name: COPY_DIR_ROOT
           value: {{ quote .Values.controllerManager.manager.env.copyDirRoot }}
         - name: REAPPLY_ON_REBOOT
@@ -138,7 +140,7 @@ spec:
         securityContext: {{- toYaml .Values.controllerManager.kubeRbacProxy.containerSecurityContext
           | nindent 10 }}
       imagePullSecrets:
-        - name: {{ quote .Values.imagePullSecret }}
+        - name: {{ quote .Values.skyhookImagePullSecret }}
       securityContext:
         runAsNonRoot: true
       serviceAccountName: {{ include "chart.fullname" . }}-controller-manager

chart/values.yaml

@@ -130,8 +130,10 @@ webhookService:
 rbac:
   createSkyhookViewerRole: false
   createSkyhookEditorRole: false
-## imagePullSecret: is the secret used to pull the operator controller image, agent image, and package images.
-imagePullSecret: node-init-secret
+## skyhookImagePullSecret: is the secret used to pull the operator controller image, agent image.
+skyhookImagePullSecret: node-init-secret
+## packageImagePullSecret: is the secret used to pull the package images.
+packageImagePullSecret: node-init-secret
 ## useHostNetwork: Whether the Operator pods should use hostNetwork: true or false
 useHostNetwork: false
 ## estimatedPackageCount: estimated number of packages to be installed on the cluster

operator/config/manager/manager.yaml

@@ -97,7 +97,9 @@ spec:
             value: "true"
           - name: NAMESPACE
             value: skyhook-operator-system
-          - name: IMAGE_PULL_SECRET
+          - name: SKYHOOK_IMAGE_PULL_SECRET
+            value: node-init-secret
+          - name: PACKAGE_IMAGE_PULL_SECRET
             value: node-init-secret
           - name: COPY_DIR_ROOT
             value: /var/lib/skyhook

operator/internal/controller/skyhook_controller.go

@@ -72,15 +72,16 @@ const (
 )
 
 type SkyhookOperatorOptions struct {
-	Namespace            string        `env:"NAMESPACE, default=skyhook"`
-	MaxInterval          time.Duration `env:"DEFAULT_INTERVAL, default=10m"`
-	ImagePullSecret      string        `env:"IMAGE_PULL_SECRET, default=node-init-secret"` //TODO: should this be defaulted?
-	CopyDirRoot          string        `env:"COPY_DIR_ROOT, default=/var/lib/skyhook"`
-	ReapplyOnReboot      bool          `env:"REAPPLY_ON_REBOOT, default=false"`
-	RuntimeRequiredTaint string        `env:"RUNTIME_REQUIRED_TAINT, default=skyhook.nvidia.com=runtime-required:NoSchedule"`
-	PauseImage           string        `env:"PAUSE_IMAGE, default=registry.k8s.io/pause:3.10"`
-	AgentImage           string        `env:"AGENT_IMAGE, default=ghcr.io/nvidia/skyhook/agent:latest"` // TODO: this needs to be updated with a working default
-	AgentLogRoot         string        `env:"AGENT_LOG_ROOT, default=/var/log/skyhook"`
+	Namespace              string        `env:"NAMESPACE, default=skyhook"`
+	MaxInterval            time.Duration `env:"DEFAULT_INTERVAL, default=10m"`
+	PackageImagePullSecret string        `env:"PACKAGE_IMAGE_PULL_SECRET"`
+	SkyhookImagePullSecret string        `env:"SKYHOOK_IMAGE_PULL_SECRET"`
+	CopyDirRoot            string        `env:"COPY_DIR_ROOT, default=/var/lib/skyhook"`
+	ReapplyOnReboot        bool          `env:"REAPPLY_ON_REBOOT, default=false"`
+	RuntimeRequiredTaint   string        `env:"RUNTIME_REQUIRED_TAINT, default=skyhook.nvidia.com=runtime-required:NoSchedule"`
+	PauseImage             string        `env:"PAUSE_IMAGE, default=registry.k8s.io/pause:3.10"`
+	AgentImage             string        `env:"AGENT_IMAGE, default=ghcr.io/nvidia/skyhook/agent:latest"` // TODO: this needs to be updated with a working default
+	AgentLogRoot           string        `env:"AGENT_LOG_ROOT, default=/var/log/skyhook"`
 }
 
 func (o *SkyhookOperatorOptions) Validate() error {
@@ -1507,7 +1508,7 @@ func createInterruptPodForPackage(opts SkyhookOperatorOptions, _interrupt *v1alp
 			},
 			ImagePullSecrets: []corev1.LocalObjectReference{
 				{
-					Name: opts.ImagePullSecret,
+					Name: opts.SkyhookImagePullSecret,
 				},
 			},
 			HostPID:     true,
@@ -1714,7 +1715,10 @@ func createPodFromPackage(opts SkyhookOperatorOptions, _package *v1alpha1.Packag
 			},
 			ImagePullSecrets: []corev1.LocalObjectReference{
 				{
-					Name: opts.ImagePullSecret,
+					Name: opts.PackageImagePullSecret,
+				},
+				{
+					Name: opts.SkyhookImagePullSecret,
 				},
 			},
 			Volumes:     volumes,

operator/internal/controller/skyhook_controller_test.go

@@ -457,15 +457,16 @@ var _ = Describe("skyhook controller tests", func() {
 
 	It("Ensure all the config env vars are set", func() {
 		opts := SkyhookOperatorOptions{
-			Namespace:            "skyhook",
-			MaxInterval:          time.Second * 61,
-			ImagePullSecret:      "foo",
-			CopyDirRoot:          "/tmp",
-			ReapplyOnReboot:      true,
-			RuntimeRequiredTaint: "skyhook.nvidia.com=runtime-required:NoSchedule",
-			AgentImage:           "foo:bar",
-			PauseImage:           "foo:bar",
-			AgentLogRoot:         "/log",
+			Namespace:              "skyhook",
+			MaxInterval:            time.Second * 61,
+			PackageImagePullSecret: "foo",
+			SkyhookImagePullSecret: "foo",
+			CopyDirRoot:            "/tmp",
+			ReapplyOnReboot:        true,
+			RuntimeRequiredTaint:   "skyhook.nvidia.com=runtime-required:NoSchedule",
+			AgentImage:             "foo:bar",
+			PauseImage:             "foo:bar",
+			AgentLogRoot:           "/log",
 		}
 		Expect(opts.Validate()).To(BeNil())
 
@@ -558,14 +559,15 @@ var _ = Describe("skyhook controller tests", func() {
 	It("Check validations of skyhook options", func() {
 		// good options
 		opts := SkyhookOperatorOptions{
-			Namespace:            "skyhook",
-			MaxInterval:          time.Second * 61,
-			ImagePullSecret:      "foo",
-			CopyDirRoot:          "/tmp",
-			ReapplyOnReboot:      true,
-			RuntimeRequiredTaint: "skyhook.nvidia.com=runtime-required:NoSchedule",
-			AgentImage:           "foo:bar",
-			PauseImage:           "foo:bar",
+			Namespace:              "skyhook",
+			MaxInterval:            time.Second * 61,
+			PackageImagePullSecret: "foo",
+			SkyhookImagePullSecret: "foo",
+			CopyDirRoot:            "/tmp",
+			ReapplyOnReboot:        true,
+			RuntimeRequiredTaint:   "skyhook.nvidia.com=runtime-required:NoSchedule",
+			AgentImage:             "foo:bar",
+			PauseImage:             "foo:bar",
 		}
 		Expect(opts.Validate()).To(BeNil())