UNCLASSIFIED - NO CUI

allow disabling pullsecret, add helm unit tests, remove from schema as requirement

Christopher O'Connellrequested to merge
allow-disable-pullsecret into master

General MR

Summary

6 files changed for core logic:

File Change
chart/values.schema.json Removed registryCredentials from required[]; added {"type":"null"} to oneOf; removed required from registryCredential def
chart/values.yaml Changed default to registryCredentials: null with updated comment
chart/unittests/schema/registry-credentials_test.yaml Added two new test cases for null and omitted credentials

32 package template files updated — every hardcoded imagePullSecrets/pullSecrets/imagePullSecret/imagePullSecretName reference pointing to private-registry is now wrapped with {{- if ( include "imagePullSecret" . ) }}.

Behavior with registryCredentials: null (or omitted):

  • No private-registry Secret is created in any namespace
  • No imagePullSecrets stanza is emitted into any sub-chart values
  • Pods rely entirely on node-level ambient pull credentials (e.g., EKS node IAM role for ECR)

Backward compatible: Existing deployments with credentials set continue to work exactly as before.

Linked Issue

Closes #2393 (closed)

Testing ( michael )

Using a local image repo, I set it up so password/login is not required.

Testing involved installing all packages with and without setting registryCredentials. All serviceAccount and pods were parsed for any occurrences of private-registry.

Upgrade Notices

To better streamline and support deployments to CSP Kubernetes distros that support authentication with CSP registries, registry creds are no longer required. Users can provide registryCredentials: null and no private-registry secret is created in any namespace + imagePullSecrets stanza is emitted into any sub-chart values. Pods will rely entirely on external pull credentials.

Big Bang helm tests will still use imagePullSecrets -- we will look at removing imagePullSecrets from the helm tests in the future.

bigbang/base/flux/kustomization.yaml sets imagePullSecrets via a kustomize patch. We've left this in as a default. You can remove the following 2 lines from that file to remove imagePullSecrets from your flux-system deployments.

            imagePullSecrets:
            - name: private-registry

Several packages run a "wait job". These are run from our gluon package which invokes a package's wait.sh script. We have an open issue to remove the imagePullSecrets dependency from these jobs.

If you discover any Pods or Service Accounts that still set imagePullSecrets, please open up an issue or reach out to someone on the Big Bang Team.

Edited by Michael Martin

Merge request reports

UNCLASSIFIED - NO CUI