Open jbw976 opened 4 months ago
The downside of the current solution for patching the Crossplane ServiceAccount with the pull secret, other than it being a shared secret for all packages, is that it will disappear (i.e. reset) when you upgrade Crossplane.
Possible solutions we have been thinking about:
Re: Option A
- I had a closer look at how we deploy Crossplane's SA and realized that we already have a helm value to inject imagePullSecrets with helm install/upgrade commands. This means that the pull secrets users provide would not be reset if they were provided via helm upgrade --install crossplane … --set imagePullSecrets={secret1,secret2…} instead of manually patching the SA after the installation. So, this solution should already work with this little caveat.
This means we could still leverage / rely on this option as a stopgap solution for private images/dependencies. It is a little inconvenient for folks to run an upgrade command instead of simply patching the existing SA, but for any serious non-development cluster, people use GitOps-like flows to install Crossplane and this would be one additional line there.
What's Missing?
The challenge of installing a package from a private registry that has further dependencies (e.g. family providers) recently came up in:
We have some existing docs for this scenario, but they are not quite complete:
The provider focused page mentions this challenge, but does not provide a solution for it:
As @turkenh suggested in https://github.com/crossplane/crossplane/issues/5799#issuecomment-2197390101, one solution is to provide package pull secrets at the Crossplane service account level instead of to individual packages. We could document this approach so it is more discoverable for folks using private registries.
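The Option A flow described above (supplying pull secrets through the chart's imagePullSecrets value rather than patching the ServiceAccount) is shown here as an added example; it is not code from the issue or from the Crossplane project. It assumes the release name `crossplane`, the namespace `crossplane-system`, the `crossplane-stable` chart repository and a pre-created pull secret named `regcred`, all of which are assumptions for illustration. The second function is the post-upgrade check a practitioner would want: it confirms that the ServiceAccount still lists the secret, which is exactly what the manual patch loses on upgrade.

```shell
#!/bin/sh
# Added example, not from the issue or the Crossplane project.
# Assumed names: release "crossplane", namespace "crossplane-system",
# chart repo "crossplane-stable", pull secret(s) such as "regcred".

# Render the Helm command that carries pull secrets through the chart's
# imagePullSecrets value, so they survive later "helm upgrade" runs.
# $1 = comma-separated secret names, e.g. "regcred,regcred2"
helm_upgrade_cmd() {
  printf 'helm upgrade --install crossplane crossplane-stable/crossplane --namespace crossplane-system --create-namespace --set "imagePullSecrets={%s}"\n' "$1"
}

# Check that a ServiceAccount manifest (JSON as printed by
# "kubectl get sa <name> -n <ns> -o json") lists the given secret under
# .imagePullSecrets. Returns 0 if present, 1 otherwise. Only POSIX tools are
# used so the check runs where jq is not installed.
# $1 = SA JSON, $2 = secret name
sa_has_pull_secret() {
  printf '%s' "$1" \
    | tr -d '\n\t ' \
    | sed -n 's/.*"imagePullSecrets":\[\([^]]*\)\].*/\1/p' \
    | grep -q -- "\"name\":\"$2\""
}

# Live variant of the check against the running cluster (not run here).
# $1 = secret name
check_live_sa() {
  sa_has_pull_secret "$(kubectl get sa crossplane -n crossplane-system -o json)" "$1"
}

# Constructed sample manifest, standing in for kubectl output after an upgrade.
SAMPLE_SA_JSON='{
  "apiVersion": "v1",
  "kind": "ServiceAccount",
  "metadata": { "name": "crossplane", "namespace": "crossplane-system" },
  "imagePullSecrets": [ { "name": "regcred" }, { "name": "regcred2" } ]
}'

# Usage: print the command, then verify the sample manifest.
helm_upgrade_cmd "regcred,regcred2"
if sa_has_pull_secret "$SAMPLE_SA_JSON" regcred; then
  echo "ok: SA references pull secret regcred"
else
  echo "missing: SA does not reference regcred (was it patched by hand and then upgraded?)"
fi
```

The value is quoted in the rendered command because an unquoted `{a,b}` is brace-expanded by bash before Helm ever sees it; in a GitOps values file the same setting is simply `imagePullSecrets: [regcred, regcred2]`.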