Skip to content

Commit

Permalink
Allows multiple imagePullSecrets in the helm chart. (#4656)
Browse files Browse the repository at this point in the history
  • Loading branch information
AlessioCasco authored Dec 1, 2023
1 parent 39f9fa3 commit 601f471
Show file tree
Hide file tree
Showing 7 changed files with 96 additions and 10 deletions.
6 changes: 4 additions & 2 deletions charts/nginx-ingress/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,8 +15,9 @@ This chart deploys the NGINX Ingress Controller in your Kubernetes cluster.
- If you’d like to use NGINX Plus:
- To pull from the F5 Container registry, configure a docker registry secret using your JWT token from the MyF5 portal
by following the instructions from
[here](https://docs.nginx.com/nginx-ingress-controller/installation/using-the-jwt-token-docker-secret). Make sure to
specify the secret using `controller.serviceAccount.imagePullSecretName` parameter.
[here](https://docs.nginx.com/nginx-ingress-controller/installation/using-the-jwt-token-docker-secret).
Make sure to specify the secret using one of the following parameters:
`controller.serviceAccount.imagePullSecretName` or `controller.serviceAccount.imagePullSecretsNames`.
- Alternatively, pull an Ingress Controller image with NGINX Plus and push it to your private registry by following
the instructions from
[here](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image).
Expand Down Expand Up @@ -416,6 +417,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
|`controller.serviceAccount.annotations` | The annotations of the Ingress Controller service account. | {} |
|`controller.serviceAccount.name` | The name of the service account of the Ingress Controller pods. Used for RBAC. | Autogenerated |
|`controller.serviceAccount.imagePullSecretName` | The name of the secret containing docker registry credentials. Secret must exist in the same namespace as the helm release. | "" |
|`controller.serviceAccount.imagePullSecretsNames` | The list of secret names containing docker registry credentials. Secret must exist in the same namespace as the helm release. | [] |
|`controller.serviceMonitor.name` | The name of the serviceMonitor. | Autogenerated |
|`controller.serviceMonitor.create` | Create a ServiceMonitor custom resource. | false |
|`controller.serviceMonitor.labels` | Kubernetes object labels to attach to the serviceMonitor object. | "" |
Expand Down
13 changes: 11 additions & 2 deletions charts/nginx-ingress/templates/controller-serviceaccount.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -9,8 +9,17 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
{{- include "nginx-ingress.labels" . | nindent 4 }}
{{- if .Values.controller.serviceAccount.imagePullSecretName }}
{{- if or .Values.controller.serviceAccount.imagePullSecretName .Values.controller.serviceAccount.imagePullSecretsNames }}
imagePullSecrets:
- name: {{ .Values.controller.serviceAccount.imagePullSecretName }}
{{- end }}

{{- if .Values.controller.serviceAccount.imagePullSecretName }}
- name: {{ .Values.controller.serviceAccount.imagePullSecretName}}
{{- end }}

{{- if .Values.controller.serviceAccount.imagePullSecretsNames }}
{{- range .Values.controller.serviceAccount.imagePullSecretsNames }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- end }}
75 changes: 72 additions & 3 deletions charts/nginx-ingress/values.schema.json
Original file line number Diff line number Diff line change
Expand Up @@ -1075,12 +1075,79 @@
"examples": [
""
]
},
"imagePullSecretsNames": {
"type": "array",
"default": [],
"title": "The imagePullSecretName list",
"examples": [
[]
]
}
},
"oneOf": [
{
"properties": {
"imagePullSecretName": {
"maxLength": 0
},
"imagePullSecretsNames": {
"minItems": 1
}
},
"required": [
"imagePullSecretsNames"
]
},
{
"properties": {
"imagePullSecretName": {
"minLength": 1
},
"imagePullSecretsNames": {
"maxItems": 0
}
},
"required": [
"imagePullSecretName"
]
},
{
"properties": {
"imagePullSecretName": {
"maxLength": 0
},
"imagePullSecretsNames": {
"maxItems": 0
}
},
"required": [
"imagePullSecretName",
"imagePullSecretsNames"
]
},
{
"properties": {
"imagePullSecretName": {
"maxLength": 0
},
"imagePullSecretsNames": {
"maxItems": 0
}
},
"not": {
"required": [
"imagePullSecretName",
"imagePullSecretsNames"
]
}
}
],
"examples": [
{
"name": "",
"imagePullSecretName": ""
"imagePullSecretName": "",
"imagePullSecretsNames": []
}
]
},
Expand Down Expand Up @@ -1412,7 +1479,8 @@
},
"serviceAccount": {
"name": "",
"imagePullSecretName": ""
"imagePullSecretName": "",
"imagePullSecretsNames": []
},
"serviceMonitor": {
"create": false,
Expand Down Expand Up @@ -1784,7 +1852,8 @@
},
"serviceAccount": {
"name": "",
"imagePullSecretName": ""
"imagePullSecretName": "",
"imagePullSecretsNames": []
},
"podDisruptionBudget": {
"enabled": false,
Expand Down
4 changes: 4 additions & 0 deletions charts/nginx-ingress/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -397,6 +397,10 @@ controller:
## Secret must exist in the same namespace as the helm release.
imagePullSecretName: ""

## A list of secret names containing docker registry credentials.
## Secrets must exist in the same namespace as the helm release.
imagePullSecretsNames: []

reportIngressStatus:
## Updates the address field in the status of Ingress resources with an external address of the Ingress Controller.
## You must also specify the source of the external address either through an external service via controller.reportIngressStatus.externalService,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ h2 {
- A [Kubernetes Version Supported by the Ingress Controller](https://docs.nginx.com/nginx-ingress-controller/technical-specifications/#supported-kubernetes-versions)
- Helm 3.0+.
- If you’d like to use NGINX Plus:
- To pull from the F5 Container registry, configure a docker registry secret using your JWT token from the MyF5 portal by following the instructions from [here](https://docs.nginx.com/nginx-ingress-controller/installation/nic-images/using-the-jwt-token-docker-secret). Make sure to specify the secret using `controller.serviceAccount.imagePullSecretName` parameter.
- To pull from the F5 Container registry, configure a docker registry secret using your JWT token from the MyF5 portal by following the instructions from [here](https://docs.nginx.com/nginx-ingress-controller/installation/nic-images/using-the-jwt-token-docker-secret). Make sure to specify the secret using `controller.serviceAccount.imagePullSecretName` or `controller.serviceAccount.imagePullSecretsNames` parameter.
- Alternatively, pull an Ingress Controller image with NGINX Plus and push it to your private registry by following the instructions from [here]({{< relref "installation/nic-images/pulling-ingress-controller-image" >}}).
- Alternatively, you can build an Ingress Controller image with NGINX Plus and push it to your private registry by following the instructions from [here]({{< relref "installation/building-nginx-ingress-controller.md" >}}).
- Update the `controller.image.repository` field of the `values-plus.yaml` accordingly.
Expand Down Expand Up @@ -380,6 +380,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
| **controller.serviceAccount.annotations** | The annotations of the Ingress Controller service account. | {} |
| **controller.serviceAccount.name** | The name of the service account of the Ingress Controller pods. Used for RBAC. | Autogenerated |
| **controller.serviceAccount.imagePullSecretName** | The name of the secret containing docker registry credentials. Secret must exist in the same namespace as the helm release. | "" |
| **controller.serviceAccount.imagePullSecretsNames** | The list of secret names containing docker registry credentials. Secret must exist in the same namespace as the helm release. | [] |
| **controller.serviceMonitor.name** | The name of the serviceMonitor. | Autogenerated |
| **controller.serviceMonitor.create** | Create a ServiceMonitor custom resource. | false |
| **controller.serviceMonitor.labels** | Kubernetes object labels to attach to the serviceMonitor object. | "" |
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@ spec:
imagePullSecretName: ""
```
{{<note>}}For NGINX Plus, change the `image.repository` and `image.tag` values and change `nginxPlus` to `True`. If required, set the `serviceAccount.imagePullSecretName` to the name of the pre-created docker config secret that should be associated with the ServiceAccount.{{</note>}}
{{<note>}}For NGINX Plus, change the `image.repository` and `image.tag` values and change `nginxPlus` to `True`. If required, set the `serviceAccount.imagePullSecretName` or `serviceAccount.imagePullSecretsNames` to the name of the pre-created docker config secret that should be associated with the ServiceAccount.{{</note>}}

## Deploy NGINX Ingress Controller

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -103,7 +103,7 @@ The [Installation with Helm ]({{< relref "installation/installing-nic/installati

1. Change the `nginxplus` argument to `true`.
1. Change the `repository` argument to the NGINX Ingress Controller image you intend to use.
1. Add an argument to `imagePullSecretName` to allow Docker to pull the image from the private registry.
2. Add an argument to `imagePullSecretName` or `imagePullSecretsNames` to allow Docker to pull the image from the private registry.

The following code block shows snippets of the parameters you will need to change, and an example of their contents:

Expand All @@ -130,6 +130,7 @@ The [Installation with Helm ]({{< relref "installation/installing-nic/installati
## The name of the secret containing docker registry credentials.
## Secret must exist in the same namespace as the helm release.
## Note that also imagePullSecretsNames can be used here if multiple secrets need to be set.
imagePullSecretName: regcred
```

Expand Down

0 comments on commit 601f471

Please sign in to comment.