Enable setting a list of image_pull_secrets (#860)

When there are e.g. multiple authenticated container registries used we need to be able to add multiple imagePullSecrets to the k8s resource Co-authored-by: Maximilian Meister <maximilian.meister@pm.me>
2026-04-26 00:16:45 +00:00 · 2022-04-05 11:51:21 -04:00
parent 94c5c41a24
commit 5f76d4917e
7 changed files with 35 additions and 12 deletions
--- a/README.md
+++ b/README.md
@@ -480,7 +480,7 @@ There are a few variables that are customizable for awx the image management.
 | image               | Path of the image to pull |
 | image_version       | Image version to pull     |
 | image_pull_policy   | The pull policy to adopt  |
-| image_pull_secret   | The pull secret to use    |
+| image_pull_secrets  | The pull secrets to use   |
 | ee_images           | A list of EEs to register |
 | redis_image         | Path of the image to pull |
 | redis_image_version | Image version to pull     |
@@ -494,7 +494,8 @@ spec:
  image: myorg/my-custom-awx
  image_version: latest
  image_pull_policy: Always
-  image_pull_secret: pull_secret_name
+  image_pull_secrets:
+    - pull_secret_name
  ee_images:
    - name: my-custom-awx-ee
      image: myorg/my-custom-awx-ee
@@ -788,7 +789,7 @@ type: Opaque
 ```

 ##### Control plane ee from private registry
-The images listed in "ee_images" will be added as globally available Execution Environments. The "control_plane_ee_image" will be used to run project updates. In order to use a private image for any of these you'll need to use `image_pull_secret` to provide a k8s pull secret to access it. Currently the same secret is used for any of these images supplied at install time.
+The images listed in "ee_images" will be added as globally available Execution Environments. The "control_plane_ee_image" will be used to run project updates. In order to use a private image for any of these you'll need to use `image_pull_secrets` to provide a list of k8s pull secrets to access it. Currently the same secret is used for any of these images supplied at install time.

 You can create `image_pull_secret`
 ```
--- a/config/crd/bases/awx.ansible.com_awxs.yaml
+++ b/config/crd/bases/awx.ansible.com_awxs.yaml
@@ -179,9 +179,11 @@ spec:
                    - never
                    - IfNotPresent
                    - ifnotpresent
-                image_pull_secret:
-                  description: The image pull secret
-                  type: string
+                image_pull_secrets:
+                  description: The image pull secrets
+                  type: array
+                  items:
+                    type: string
                task_resource_requirements:
                  description: Resource requirements for the task container
                  properties:
--- a/config/manifests/bases/awx-operator.clusterserviceversion.yaml
+++ b/config/manifests/bases/awx-operator.clusterserviceversion.yaml
@@ -252,8 +252,8 @@ spec:
        x-descriptors:
        - urn:alm:descriptor:com.tectonic.ui:advanced
        - urn:alm:descriptor:com.tectonic.ui:imagePullPolicy
-      - displayName: Image Pull Secret
-        path: image_pull_secret
+      - displayName: Image Pull Secrets
+        path: image_pull_secrets
        x-descriptors:
        - urn:alm:descriptor:com.tectonic.ui:advanced
        - urn:alm:descriptor:io.kubernetes:Secret
--- a/roles/backup/tasks/secrets.yml
+++ b/roles/backup/tasks/secrets.yml
@@ -21,9 +21,19 @@
    - ingress_tls_secret
    - ldap_cacert_secret
    - bundle_cacert_secret
-    - image_pull_secret
    - ee_pull_credentials_secret

+# image_pull_secret is deprecated in favor of image_pull_secrets
+- name: Dump image_pull_secret into file
+  include_tasks: dump_secret.yml
+  loop:
+    - image_pull_secret
+  when: image_pull_secret is defined
+
+- name: Dump image_pull_secrets into file
+  include_tasks: dump_secret.yml
+  loop: "{{ awx_spec.spec[image_pull_secrets] }}"
+
 - name: Nest secrets under a single variable
  set_fact:
    secrets: {"secrets": '{{ secret_dict }}'}
--- a/roles/installer/defaults/main.yml
+++ b/roles/installer/defaults/main.yml
@@ -133,7 +133,7 @@ _postgres_image_version: 12
 _init_container_image: quay.io/centos/centos
 _init_container_image_version: stream8
 image_pull_policy: IfNotPresent
-image_pull_secret: ''
+image_pull_secrets: []

 # Extra commands which will be appended to the initContainer
 # Make sure that each command entered return an exit code 0
--- a/roles/installer/templates/deployment.yaml.j2
+++ b/roles/installer/templates/deployment.yaml.j2
@@ -33,9 +33,14 @@ spec:
 {% endif %}
    spec:
      serviceAccountName: '{{ ansible_operator_meta.name }}'
-{% if image_pull_secret %}
+{% if image_pull_secret is defined %}
      imagePullSecrets:
        - name: {{ image_pull_secret }}
+{% elif image_pull_secrets | length > 0 %}
+      imagePullSecrets:
+{% for secret in image_pull_secrets %}
+        - name: {{ secret }}
+{% endfor %}
 {% endif %}
      initContainers:
 {% if bundle_ca_crt or projects_persistence|bool or init_container_extra_commands %}
--- a/roles/installer/templates/postgres.yaml.j2
+++ b/roles/installer/templates/postgres.yaml.j2
@@ -33,9 +33,14 @@ spec:
        app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
        app.kubernetes.io/managed-by: '{{ deployment_type }}-operator' 
    spec:
-{% if image_pull_secret %}
+{% if image_pull_secret is defined %}
      imagePullSecrets:
        - name: {{ image_pull_secret }}
+{% elif image_pull_secrets | length > 0 %}
+      imagePullSecrets:
+{% for secret in image_pull_secrets %}
+        - name: {{ secret }}
+{% endfor %}
 {% endif %}
      initContainers:
        - name: database-check