carvel-dev / secretgen-controller

secretgen-controller provides CRDs to specify what secrets need to be on Kubernetes cluster (to be generated or not)
Apache License 2.0

Better document how the secret could be used by a pod, deployment using imagePullSecrets #58

Open cmoulliard opened 2 years ago

cmoulliard commented 2 years ago

Question

Is it possible to better document how we can, once the Secret, SecretExport and placeholder Secret are created, consume the secret using the property imagePullSecrets within a Pod or Deployment?

Example of resources to be created

cat <<EOF | kubectl apply -f -
---
apiVersion: v1
kind: Secret
metadata:
  name: reg-creds-docker
  namespace: demo
type: kubernetes.io/dockerconfigjson
stringData:
  .dockerconfigjson: |
    {
      "auths": {
        "index.docker.io": {
          "username": "xxxxxx",
          "password": "user",
          "auth": ""
        }
      }
    }
---
apiVersion: secretgen.carvel.dev/v1alpha1
kind: SecretExport
metadata:
  name: reg-creds-docker
  namespace: demo
spec:
  toNamespaces:
  - "*"
---
apiVersion: v1
kind: Secret
metadata:
  name: my-reg-creds
  namespace: demo
  annotations:
    secretgen.carvel.dev/image-pull-secret: ""
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: e30K
EOF

Next, we must patch the service account to set "imagePullSecrets": [{"name":"my-reg-creds"}], but apparently this is not enough, as no secret is copied into the namespace demo1

kc create ns demo1
kubectl patch serviceaccount default -n demo1 -p '{"imagePullSecrets": [{"name":"my-reg-creds"}]}'
kc get sa,secret -n demo1
NAME                     SECRETS   AGE
serviceaccount/default   1         100s

NAME                         TYPE                                  DATA   AGE
secret/default-token-h8cvt   kubernetes.io/service-account-token   3      100s

Question: Could the patch step be done automatically? How?

benmoss commented 2 years ago

Hmm, this works on my machine:

$ kubectl -n demo get secrets my-reg-creds -o json | jq -r '.data.".dockerconfigjson"' | base64 -d
{"auths":{"index.docker.io":{"username":"xxxxxx","password":"user","auth":""}}}
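
The `base64 -d` check above, turned into a small offline diagnostic that covers both the question in the opening post and benmoss's verification step. This is an added example, not part of the issue or of secretgen-controller itself. It takes objects shaped like the output of `kubectl get sa <name> -o json` and `kubectl get secrets -o json` (the sample objects below are constructed to mirror the issue's `demo` and `demo1` namespaces, plus an assumed `demo2` namespace with a not-yet-populated placeholder) and reports, for every `imagePullSecrets` entry on a ServiceAccount, whether the referenced secret exists in that namespace and whether its `.dockerconfigjson` still holds the empty `{}` placeholder or real registry credentials. secretgen-controller populates an annotated placeholder in the namespace it was created in, so the state reported in the issue (the `default` SA in `demo1` pointing at `my-reg-creds`, with no such secret in `demo1`) is flagged as `missing`.

```python
import base64
import json

PLACEHOLDER_ANNOTATION = "secretgen.carvel.dev/image-pull-secret"

# Constructed sample objects (assumptions, not real cluster data), shaped like
# `kubectl get ... -o json` output. Namespace "demo1" as described in the issue:
# the ServiceAccount was patched but no placeholder secret exists there.
SA_DEMO1 = {
    "metadata": {"name": "default", "namespace": "demo1"},
    "imagePullSecrets": [{"name": "my-reg-creds"}],
}
SECRETS_DEMO1 = [
    {"metadata": {"name": "default-token-h8cvt", "namespace": "demo1"},
     "type": "kubernetes.io/service-account-token", "data": {}},
]

# Namespace "demo": the placeholder has been populated, as benmoss's decode shows.
_POPULATED_JSON = '{"auths":{"index.docker.io":{"username":"xxxxxx","password":"user","auth":""}}}'
SA_DEMO = {
    "metadata": {"name": "default", "namespace": "demo"},
    "imagePullSecrets": [{"name": "my-reg-creds"}],
}
SECRETS_DEMO = [
    {"metadata": {"name": "my-reg-creds", "namespace": "demo",
                  "annotations": {PLACEHOLDER_ANNOTATION: ""}},
     "type": "kubernetes.io/dockerconfigjson",
     "data": {".dockerconfigjson": base64.b64encode(_POPULATED_JSON.encode()).decode()}},
]

# Assumed namespace "demo2": an annotated placeholder that has not been populated yet.
# "e30K" is the value from the issue, base64 of "{}\n".
PLACEHOLDER_UNPOPULATED = {
    "metadata": {"name": "my-reg-creds", "namespace": "demo2",
                 "annotations": {PLACEHOLDER_ANNOTATION: ""}},
    "type": "kubernetes.io/dockerconfigjson",
    "data": {".dockerconfigjson": "e30K"},
}


def decode_dockerconfig(secret):
    """Decode .dockerconfigjson into a dict (the `base64 -d` step), or None if absent."""
    raw = secret.get("data", {}).get(".dockerconfigjson")
    if raw is None:
        return None
    return json.loads(base64.b64decode(raw))


def classify_secret(secret):
    """Return 'populated', 'placeholder-empty' or 'not-dockerconfig' for one secret."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        return "not-dockerconfig"
    cfg = decode_dockerconfig(secret)
    # An empty document or one without "auths" is the untouched placeholder.
    if not cfg or not cfg.get("auths"):
        return "placeholder-empty"
    return "populated"


def check_image_pull_secrets(service_account, secrets):
    """For each imagePullSecrets entry on the SA, report (name, state), where state is
    'missing' when no secret of that name exists in the same namespace, otherwise
    the classify_secret() result."""
    by_name = {s["metadata"]["name"]: s for s in secrets}
    findings = []
    for ref in service_account.get("imagePullSecrets", []):
        secret = by_name.get(ref["name"])
        state = "missing" if secret is None else classify_secret(secret)
        findings.append((ref["name"], state))
    return findings


if __name__ == "__main__":
    # Usage against a live cluster would feed in the parsed output of
    # `kubectl get sa default -n <ns> -o json` and `kubectl get secrets -n <ns> -o json`.
    for sa, secrets in ((SA_DEMO1, SECRETS_DEMO1), (SA_DEMO, SECRETS_DEMO)):
        print(sa["metadata"]["namespace"], check_image_pull_secrets(sa, secrets))
```

A `missing` result means the pods in that namespace will have no registry credentials at all, while `placeholder-empty` means the placeholder exists but the controller has not yet copied the exported credentials into it, which is worth checking (controller health, SecretExport `toNamespaces`) before patching more ServiceAccounts.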

joe-kimmel-vmw commented 2 years ago

@cmoulliard can you confirm the version of secretgen-controller you were using, and that the deployment was healthy?

neil-hickey commented 1 year ago

@cmoulliard I'm just trying to follow up on this issue, did you get things working? Or are you happy to close out this issue?