ImagePullSecrets not present on ARC deployment

[mkahnlein-caylent]

Checks

• [X] I've already read https://github.com/actions/actions-runner-controller/blob/master/TROUBLESHOOTING.md and I'm sure my issue is not covered in the troubleshooting guide.
• [X] I'm not using a custom entrypoint in my runner image

Controller Version

0.27.0

Helm Chart Version

0.27.0

CertManager Version

v1.8.1

Deployment Method

Helm

cert-manager installation

Was installed via Helm

Checks

• [X] This isn't a question or user support case (For Q&A and community support, go to Discussions. It might also be a good idea to contract with any of contributors and maintainers if your business is so critical and therefore you need priority support
• [X] I've read releasenotes before submitting this issue and I'm sure it's not due to any recently-introduced backward-incompatible changes
• [X] My actions-runner-controller version (v0.x.y) does support the feature
• [X] I've already upgraded ARC (including the CRDs, see charts/actions-runner-controller/docs/UPGRADING.md for details) to the latest and it didn't fix the issue
• [X] I've migrated to the workflow job webhook event (if you using webhook driven scaling)

Resource Definitions

Not applicable to this case

To Reproduce

Have imagePullSecrets on values file passed to Helm. 

# Default values for actions-runner-controller.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

labels: {}

replicaCount: 1

webhookPort: 9443
syncPeriod: 1m
defaultScaleDownDelay: 10m

namespace: actions-runner-system

enableLeaderElection: true
# Specifies the controller id for leader election.
# Must be unique if more than one controller installed onto the same namespace.
#leaderElectionId: "actions-runner-controller"

# DEPRECATED: This has been removed as unnecessary in #1192
# The controller tries its best not to repeat the duplicate GitHub API call
# within this duration.
# Defaults to syncPeriod - 10s.
#githubAPICacheDuration: 30s

# The URL of your GitHub Enterprise server, if you're using one.
#githubEnterpriseServerURL: https://github.example.com

# Override GitHub URLs in case of using proxy APIs
#githubURL: ""
#githubUploadURL: ""
#runnerGithubURL: ""

# Only 1 authentication method can be deployed at a time
# Uncomment the configuration you are applying and fill in the details
#
# If authSecret.enabled=true these values are inherited to actions-runner-controller's controller-manager container's env.
#
# Do set authSecret.enabled=false and set env if you want full control over
# the GitHub authn related envvars of the container.
# See https://github.com/actions-runner-controller/actions-runner-controller/pull/937 for more details.
authSecret:
  enabled: true
  create: false
  name: "controller-manager"
  annotations: {}
  ### GitHub Apps Configuration
  ## NOTE: IDs MUST be strings, use quotes
  #github_app_id: ""
  #github_app_installation_id: ""
  #github_app_private_key: |
  ### GitHub PAT Configuration
  #github_token: ""
  ### Basic auth for github API proxy
  #github_basicauth_username: ""
  #github_basicauth_password: ""

dockerRegistryMirror: ""
image:
  repository: "summerwind/actions-runner-controller"
  actionsRunnerRepositoryAndTag: "summerwind/actions-runner:v2.293.0-ubuntu-20.04"
  dindSidecarRepositoryAndTag: "docker:dind"
  pullPolicy: IfNotPresent
  # The default image-pull secrets name for self-hosted runner container.
  # It's added to spec.ImagePullSecrets of self-hosted runner pods.
  actionsRunnerImagePullSecrets: ["dockercfg"]

imagePullSecrets: ["dockercfg"]
nameOverride: ""
fullnameOverride: ""

serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

podAnnotations: {}

podLabels: {}

podSecurityContext:
  {}
  # fsGroup: 2000

securityContext:
  {}
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000

# Webhook service resource
service:
  type: ClusterIP
  port: 443
  annotations: {}

# Metrics service resource
metrics:
  serviceAnnotations: {}
  serviceMonitor: false
  serviceMonitorLabels: {}
  port: 8443
  proxy:
    enabled: true
    image:
      repository: quay.io/brancz/kube-rbac-proxy
      tag: v0.12.0

resources:
  requests:
    cpu: 500m
    memory: 512Mi
  limits:
    cpu: 500m
    memory: 512Mi
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.

nodeSelector: {}

tolerations: []

affinity: {}

# Only one of minAvailable or maxUnavailable can be set
podDisruptionBudget:
  enabled: false
  # minAvailable: 1
  # maxUnavailable: 3

# Leverage a PriorityClass to ensure your pods survive resource shortages
# ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
# PriorityClass: system-cluster-critical
priorityClassName: ""

env:
  {}
  # http_proxy: "proxy.com:8080"
  # https_proxy: "proxy.com:8080"
  # no_proxy: ""

## specify additional volumes to mount in the manager container, this can be used
## to specify additional storage of material or to inject files from ConfigMaps
## into the running container
additionalVolumes: []

## specify where the additional volumes are mounted in the manager container
additionalVolumeMounts: []

scope:
  # If true, the controller will only watch custom resources in a single namespace
  singleNamespace: false
  # If `scope.singleNamespace=true`, the controller will only watch custom resources in this namespace
  # The default value is "", which means the namespace of the controller
  watchNamespace: ""

certManagerEnabled: true

admissionWebHooks:
  {}
  #caBundle: "Ci0tLS0tQk...<base64-encoded PEM bundle containing the CA that signed the webhook's serving certificate>...tLS0K"

# There may be alternatives to setting `hostNetwork: true`, see
# https://github.com/actions-runner-controller/actions-runner-controller/issues/1005#issuecomment-993097155
#hostNetwork: true

githubWebhookServer:
  enabled: false
  replicaCount: 1
  syncPeriod: 10m
  useRunnerGroupsVisibility: false
  secret:
    enabled: false
    create: false
    name: "github-webhook-server"
    ### GitHub Webhook Configuration
    github_webhook_secret_token: ""
  imagePullSecrets: ["dockercfg"]
  nameOverride: ""
  fullnameOverride: ""
  serviceAccount:
    # Specifies whether a service account should be created
    create: true
    # Annotations to add to the service account
    annotations: {}
    # The name of the service account to use.
    # If not set and create is true, a name is generated using the fullname template
    name: ""
  podAnnotations: {}
  podLabels: {}
  podSecurityContext: {}
  # fsGroup: 2000
  securityContext: {}
  resources: {}
  nodeSelector: {}
  tolerations: []
  affinity: {}
  priorityClassName: ""
  service:
    type: ClusterIP
    annotations: {}
    ports:
      - port: 80
        targetPort: http
        protocol: TCP
        name: http
        #nodePort: someFixedPortForUseWithTerraformCdkCfnEtc
  ingress:
    enabled: false
    ingressClassName: ""
    annotations: {}
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"
    hosts:
      - host: chart-example.local
        paths: []
        #  - path: /*
        #    pathType: ImplementationSpecific
        # Extra paths that are not automatically connected to the server. This is useful when working with annotation based services.
        extraPaths: []
        # - path: /*
        #   backend:
        #     serviceName: ssl-redirect
        #     servicePort: use-annotation
        ## for Kubernetes >=1.19 (when "networking.k8s.io/v1" is used)
        # - path: /*
        #   pathType: Prefix
        #   backend:
        #     service:
        #       name: ssl-redirect
        #       port:
        #         name: use-annotation
    tls: []
    #  - secretName: chart-example-tls
    #    hosts:
    #      - chart-example.local

  # Only one of minAvailable or maxUnavailable can be set
  podDisruptionBudget:
    enabled: false
    # minAvailable: 1
    # maxUnavailable: 3

helm template -f values.yaml .

Describe the bug

imagePullSecrets are not being added into the controller deployment template.

Source: actions-runner-controller/charts/actions-runner-controller/templates/deployment.yaml

apiVersion: apps/v1 kind: Deployment metadata: name: release-name-actions-runner-controller namespace: default labels: helm.sh/chart: actions-runner-controller-0.22.0 app.kubernetes.io/name: actions-runner-controller app.kubernetes.io/instance: release-name app.kubernetes.io/version: "0.27.0" app.kubernetes.io/managed-by: Helm spec: replicas: 1 selector: matchLabels: app.kubernetes.io/name: actions-runner-controller app.kubernetes.io/instance: release-name template: metadata: labels: app.kubernetes.io/name: actions-runner-controller app.kubernetes.io/instance: release-name spec: serviceAccountName: release-name-actions-runner-controller securityContext: {} containers:

• args:
  • "--metrics-addr=127.0.0.1:8080"
  • "--enable-leader-election"
  • "--port=9443"
  • "--sync-period=1m"
  • "--default-scale-down-delay=10m"
  • "--docker-image=docker:dind"
  • "--runner-image=summerwind/actions-runner:latest"
  • "--log-format=text" command:
  • "/manager" env:
  • name: GITHUB_TOKEN valueFrom: secretKeyRef: key: github_token name: controller-manager optional: true
  • name: GITHUB_APP_ID valueFrom: secretKeyRef: key: github_app_id name: controller-manager optional: true
  • name: GITHUB_APP_INSTALLATION_ID valueFrom: secretKeyRef: key: github_app_installation_id name: controller-manager optional: true
  • name: GITHUB_APP_PRIVATE_KEY valueFrom: secretKeyRef: key: github_app_private_key name: controller-manager optional: true
  • name: GITHUB_BASICAUTH_PASSWORD valueFrom: secretKeyRef: key: github_basicauth_password name: controller-manager optional: true image: "summerwind/actions-runner-controller:v0.27.0" name: manager imagePullPolicy: IfNotPresent ports:
  • containerPort: 9443 name: webhook-server protocol: TCP resources: {} securityContext: {} volumeMounts:
  • mountPath: "/etc/actions-runner-controller" name: secret readOnly: true
  • mountPath: /tmp name: tmp
  • mountPath: /tmp/k8s-webhook-server/serving-certs name: cert readOnly: true
• args:
  • "--secure-listen-address=0.0.0.0:8443"
  • "--upstream=http://127.0.0.1:8080/"
  • "--logtostderr=true"
  • "--v=10" image: "quay.io/brancz/kube-rbac-proxy:v0.13.1" name: kube-rbac-proxy imagePullPolicy: IfNotPresent ports:
  • containerPort: 8443 name: metrics-port resources: {} securityContext: {} terminationGracePeriodSeconds: 10 volumes:
• name: secret secret: secretName: controller-manager
• name: cert secret: defaultMode: 420 secretName: release-name-actions-runner-controller-serving-cert
• name: tmp emptyDir: {}

Describe the expected behavior

imagePullSecrets present on deployment

Whole Controller Logs

N/A

Whole Runner Pod Logs

N/A

Additional Context

Using Argo as deployment tool

[github-actions[bot]]

Hello! Thank you for filing an issue.

The maintainers will triage your issue shortly.

In the meantime, please take a look at the troubleshooting guide for bug reports.

If this is a feature request, please review our contribution guidelines.

[gionn]

not well documented, but you need to specify imagePullSecrets as per standard kubernetes, while actionsRunnerImagePullSecrets is fine as you did (string in array).

Full working example:

imagePullSecrets:
 - name: dockercfg
image:
  actionsRunnerImagePullSecrets:
    - dockercfg