kubernetes / ingress-nginx

Ingress NGINX Controller for Kubernetes
https://kubernetes.github.io/ingress-nginx/
Apache License 2.0

Add a helm template that creates the imagePullSecret #12752

Closed docbyte86 closed 2 weeks ago

docbyte86 commented 2 weeks ago

A secret for the imagePullSecrets will be created during installation of the helm chart.

Example:

https://github.com/longhorn/longhorn/blob/master/chart/templates/registry-secret.yaml

```yaml
privateRegistry:
  # -- Setting that allows you to create a private registry secret.
  createSecret: ~
  # -- URL of a private registry. When unspecified, Longhorn uses the default system registry.
  registryUrl: ~
  # -- User account used for authenticating with a private registry.
  registryUser: ~
  # -- Password for authenticating with a private registry.
  registryPasswd: ~
  # -- Kubernetes secret that allows you to pull images from a private registry. This setting applies only when creation of private registry secrets is enabled. You must include the private registry name in the secret name.
  registrySecret: ~
```

no

no

k8s-ci-robot commented 2 weeks ago

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

longwuyuan commented 2 weeks ago

The project would not support images that are not released by the project, and I am not clear on why you would implement the requirement of a secret to pull a copy of an image that is already published on the internet without requiring auth.

docbyte86 commented 2 weeks ago

Hello, thank you for your feedback. However, we are using a private container registry, such as Artifactory JFrog. We use JFrog as a cache and mirror the container registries from the internet. Authentication is also required here. Therefore, we need to provide the corresponding secrets with the information. It would simplify automation if we could deploy the creation of the secrets via Helm.

You support pulling images using imagePullSecret. So why not create the secret at the same time?

longwuyuan commented 2 weeks ago

https://github.com/kubernetes/ingress-nginx/blob/36f2d40db984bb1a30e132633a4e74cbc7422646/charts/ingress-nginx/values.yaml#L1206

longwuyuan commented 2 weeks ago

You can try to submit a PR that adds the required template and other related code.

Just understand that we are not creating new features because all the resources are occupied with securing the controller and providing a stable, reliable controller out of the box. And then it's very, very few users who need this feature, but the project has to maintain it and support it, so it all depends on many factors.

Gacko commented 2 weeks ago

As Long already stated, we are not going to support this.

There already should be a possibility to provide image pull secrets, see Long's comment.

Creating these secrets is out of scope of the Ingress NGINX project, especially because your approach would require putting clear text passwords into a values.yaml and we do not want to support this approach from a security and maintenance point of view.

This aside, you should also already be able to override the registry images are being pulled from by overriding the global.image.registry property.

So to sum it up: You only need to create the secret on your own. Everything else does already exist and is fully supported by us.
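
An added example, not part of the thread and not ingress-nginx project code: one way to create the pull secret outside Helm, as the last comment suggests, so the registry password never lands in a values.yaml or in the values Helm stores with the release. The secret name `regcred`, the environment variable names and the registry host are placeholders, and the top-level `imagePullSecrets` chart value is assumed to be what the linked values.yaml line refers to.

```python
import base64
import json
import os
import sys


def build_pull_secret(name, namespace, registry, username, password):
    """Return a kubernetes.io/dockerconfigjson Secret manifest as a dict."""
    if not (name and registry and username and password):
        raise ValueError("name, registry, username and password are required")
    # "auth" is base64("user:password"), the form container runtimes expect.
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    docker_config = {
        "auths": {registry: {"username": username, "password": password, "auth": auth}}
    }
    # json.dumps escapes quotes and backslashes in the password correctly,
    # which hand-built JSON in a template or shell string does not.
    payload = json.dumps(docker_config, separators=(",", ":")).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": name, "namespace": namespace},
        "data": {".dockerconfigjson": base64.b64encode(payload).decode()},
    }


def helm_values(secret_name, registry):
    """Values override that references the secret by name only (assumed chart keys)."""
    return {
        "global": {"image": {"registry": registry}},
        "imagePullSecrets": [{"name": secret_name}],
    }


if __name__ == "__main__":
    # Credentials come from the environment (e.g. injected by a CI secret store),
    # so they never appear in values.yaml or in the Helm release record.
    registry = os.environ.get("REGISTRY_URL", "registry.example.internal")  # placeholder
    try:
        user, password = os.environ["REGISTRY_USER"], os.environ["REGISTRY_PASSWORD"]
    except KeyError as missing:
        sys.exit(f"missing environment variable: {missing}")
    secret = build_pull_secret("regcred", "ingress-nginx", registry, user, password)
    json.dump(secret, sys.stdout, indent=2)  # pipe into: kubectl apply -f -
```

The JSON manifest on stdout can be piped to `kubectl apply -f -` before `helm install`; the values override then carries only the secret's name and the mirror registry.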