From 601f471f9c61a69a2e6beb9d0188b400579903ad Mon Sep 17 00:00:00 2001
From: Alessio Casco <5306425+AlessioCasco@users.noreply.github.com>
Date: Fri, 1 Dec 2023 14:38:27 +0000
Subject: [PATCH] Allows multiple imagePullSecrets in the helm chart. (#4656)
---
charts/nginx-ingress/README.md | 6 +-
.../templates/controller-serviceaccount.yaml | 13 +++-
charts/nginx-ingress/values.schema.json | 75 ++++++++++++++++++-
charts/nginx-ingress/values.yaml | 4 +
.../installing-nic/installation-with-helm.md | 3 +-
.../installation-with-operator.md | 2 +-
.../using-the-jwt-token-docker-secret.md | 3 +-
7 files changed, 96 insertions(+), 10 deletions(-)
diff --git a/charts/nginx-ingress/README.md b/charts/nginx-ingress/README.md
index 3e66ee47b6..b5ef71a6d8 100644
--- a/charts/nginx-ingress/README.md
+++ b/charts/nginx-ingress/README.md
@@ -15,8 +15,9 @@ This chart deploys the NGINX Ingress Controller in your Kubernetes cluster.
- If you’d like to use NGINX Plus:
- To pull from the F5 Container registry, configure a docker registry secret using your JWT token from the MyF5 portal
by following the instructions from
- [here](https://docs.nginx.com/nginx-ingress-controller/installation/using-the-jwt-token-docker-secret). Make sure to
- specify the secret using `controller.serviceAccount.imagePullSecretName` parameter.
+ [here](https://docs.nginx.com/nginx-ingress-controller/installation/using-the-jwt-token-docker-secret).
+ Make sure to specify the secret using one of the following parameters:
+ `controller.serviceAccount.imagePullSecretName` or `controller.serviceAccount.imagePullSecretsNames`.
- Alternatively, pull an Ingress Controller image with NGINX Plus and push it to your private registry by following
the instructions from
[here](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image).
@@ -416,6 +417,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
|`controller.serviceAccount.annotations` | The annotations of the Ingress Controller service account. | {} |
|`controller.serviceAccount.name` | The name of the service account of the Ingress Controller pods. Used for RBAC. | Autogenerated |
|`controller.serviceAccount.imagePullSecretName` | The name of the secret containing docker registry credentials. Secret must exist in the same namespace as the helm release. | "" |
+|`controller.serviceAccount.imagePullSecretsNames` | The list of secret names containing docker registry credentials. Secret must exist in the same namespace as the helm release. | [] |
|`controller.serviceMonitor.name` | The name of the serviceMonitor. | Autogenerated |
|`controller.serviceMonitor.create` | Create a ServiceMonitor custom resource. | false |
|`controller.serviceMonitor.labels` | Kubernetes object labels to attach to the serviceMonitor object. | "" |
diff --git a/charts/nginx-ingress/templates/controller-serviceaccount.yaml b/charts/nginx-ingress/templates/controller-serviceaccount.yaml
index 0553a0e23a..8cde4f5b01 100644
--- a/charts/nginx-ingress/templates/controller-serviceaccount.yaml
+++ b/charts/nginx-ingress/templates/controller-serviceaccount.yaml
@@ -9,8 +9,17 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
{{- include "nginx-ingress.labels" . | nindent 4 }}
-{{- if .Values.controller.serviceAccount.imagePullSecretName }}
+{{- if or .Values.controller.serviceAccount.imagePullSecretName .Values.controller.serviceAccount.imagePullSecretsNames }}
imagePullSecrets:
-- name: {{ .Values.controller.serviceAccount.imagePullSecretName }}
+{{- end }}
+
+{{- if .Values.controller.serviceAccount.imagePullSecretName }}
+- name: {{ .Values.controller.serviceAccount.imagePullSecretName}}
+{{- end }}
+
+{{- if .Values.controller.serviceAccount.imagePullSecretsNames }}
+{{- range .Values.controller.serviceAccount.imagePullSecretsNames }}
+- name: {{ . }}
+{{- end }}
{{- end }}
{{- end }}
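Review bot: The list entries are rendered unquoted in `- name: {{ . }}`, so a values entry that YAML reads as a number, a boolean or an empty value ends up as a non-string or null `name` in the ServiceAccount, which the API server is likely to reject at apply time. Quoting both renderings avoids this: `- name: {{ . | quote }}` and `- name: {{ .Values.controller.serviceAccount.imagePullSecretName | quote }}`. The `if` wrapped around the `range` is also redundant, since `range` over an empty list emits nothing. The final `{{- end }}` closes a block opened outside this hunk.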
diff --git a/charts/nginx-ingress/values.schema.json b/charts/nginx-ingress/values.schema.json
index 0587abede0..7c439f9a02 100644
--- a/charts/nginx-ingress/values.schema.json
+++ b/charts/nginx-ingress/values.schema.json
@@ -1075,12 +1075,79 @@
"examples": [
""
]
+ },
+ "imagePullSecretsNames": {
+ "type": "array",
+ "default": [],
+ "title": "The imagePullSecretName list",
+ "examples": [
+ []
+ ]
}
},
+ "oneOf": [
+ {
+ "properties": {
+ "imagePullSecretName": {
+ "maxLength": 0
+ },
+ "imagePullSecretsNames": {
+ "minItems": 1
+ }
+ },
+ "required": [
+ "imagePullSecretsNames"
+ ]
+ },
+ {
+ "properties": {
+ "imagePullSecretName": {
+ "minLength": 1
+ },
+ "imagePullSecretsNames": {
+ "maxItems": 0
+ }
+ },
+ "required": [
+ "imagePullSecretName"
+ ]
+ },
+ {
+ "properties": {
+ "imagePullSecretName": {
+ "maxLength": 0
+ },
+ "imagePullSecretsNames": {
+ "maxItems": 0
+ }
+ },
+ "required": [
+ "imagePullSecretName",
+ "imagePullSecretsNames"
+ ]
+ },
+ {
+ "properties": {
+ "imagePullSecretName": {
+ "maxLength": 0
+ },
+ "imagePullSecretsNames": {
+ "maxItems": 0
+ }
+ },
+ "not": {
+ "required": [
+ "imagePullSecretName",
+ "imagePullSecretsNames"
+ ]
+ }
+ }
+ ],
"examples": [
{
"name": "",
- "imagePullSecretName": ""
+ "imagePullSecretName": "",
+ "imagePullSecretsNames": []
}
]
},
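Review bot: `imagePullSecretsNames` is declared as `"type": "array"` with no `items` constraint, so entries that are numbers, objects or empty strings pass schema validation and reach the ServiceAccount template, where they are rendered as pull-secret names. Adding `"items": {"type": "string", "minLength": 1}` and `"uniqueItems": true` under that property would reject malformed registry-credential references at install time instead of at apply time. The enclosing `serviceAccount` object starts outside this hunk.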
@@ -1412,7 +1479,8 @@
},
"serviceAccount": {
"name": "",
- "imagePullSecretName": ""
+ "imagePullSecretName": "",
+ "imagePullSecretsNames": []
},
"serviceMonitor": {
"create": false,
@@ -1784,7 +1852,8 @@
},
"serviceAccount": {
"name": "",
- "imagePullSecretName": ""
+ "imagePullSecretName": "",
+ "imagePullSecretsNames": []
},
"podDisruptionBudget": {
"enabled": false,
diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml
index d9e8d758fe..e99dcd1250 100644
--- a/charts/nginx-ingress/values.yaml
+++ b/charts/nginx-ingress/values.yaml
@@ -397,6 +397,10 @@ controller:
## Secret must exist in the same namespace as the helm release.
imagePullSecretName: ""
+ ## A list of secret names containing docker registry credentials.
+ ## Secrets must exist in the same namespace as the helm release.
+ imagePullSecretsNames: []
+
reportIngressStatus:
## Updates the address field in the status of Ingress resources with an external address of the Ingress Controller.
## You must also specify the source of the external address either through an external service via controller.reportIngressStatus.externalService,
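Review bot: The new comment above `imagePullSecretsNames` does not say that it cannot be combined with `imagePullSecretName`, although the `oneOf` added to values.schema.json in this commit rejects values where both are non-empty. A third comment line such as `## Cannot be set together with imagePullSecretName.` would tell users this before they hit a schema validation error. The template still has a path for both being set, so it may be worth deciding which of the two behaviours is intended.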
diff --git a/docs/content/installation/installing-nic/installation-with-helm.md b/docs/content/installation/installing-nic/installation-with-helm.md
index 25f3aae9f5..1b86e9774e 100644
--- a/docs/content/installation/installing-nic/installation-with-helm.md
+++ b/docs/content/installation/installing-nic/installation-with-helm.md
@@ -22,7 +22,7 @@ h2 {
- A [Kubernetes Version Supported by the Ingress Controller](https://docs.nginx.com/nginx-ingress-controller/technical-specifications/#supported-kubernetes-versions)
- Helm 3.0+.
- If you’d like to use NGINX Plus:
- - To pull from the F5 Container registry, configure a docker registry secret using your JWT token from the MyF5 portal by following the instructions from [here](https://docs.nginx.com/nginx-ingress-controller/installation/nic-images/using-the-jwt-token-docker-secret). Make sure to specify the secret using `controller.serviceAccount.imagePullSecretName` parameter.
+ - To pull from the F5 Container registry, configure a docker registry secret using your JWT token from the MyF5 portal by following the instructions from [here](https://docs.nginx.com/nginx-ingress-controller/installation/nic-images/using-the-jwt-token-docker-secret). Make sure to specify the secret using `controller.serviceAccount.imagePullSecretName` or `controller.serviceAccount.imagePullSecretsNames` parameter.
- Alternatively, pull an Ingress Controller image with NGINX Plus and push it to your private registry by following the instructions from [here]({{< relref "installation/nic-images/pulling-ingress-controller-image" >}}).
- Alternatively, you can build an Ingress Controller image with NGINX Plus and push it to your private registry by following the instructions from [here]({{< relref "installation/building-nginx-ingress-controller.md" >}}).
- Update the `controller.image.repository` field of the `values-plus.yaml` accordingly.
@@ -380,6 +380,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
| **controller.serviceAccount.annotations** | The annotations of the Ingress Controller service account. | {} |
| **controller.serviceAccount.name** | The name of the service account of the Ingress Controller pods. Used for RBAC. | Autogenerated |
| **controller.serviceAccount.imagePullSecretName** | The name of the secret containing docker registry credentials. Secret must exist in the same namespace as the helm release. | "" |
+| **controller.serviceAccount.imagePullSecretsNames** | The list of secret names containing docker registry credentials. Secret must exist in the same namespace as the helm release. | [] |
| **controller.serviceMonitor.name** | The name of the serviceMonitor. | Autogenerated |
| **controller.serviceMonitor.create** | Create a ServiceMonitor custom resource. | false |
| **controller.serviceMonitor.labels** | Kubernetes object labels to attach to the serviceMonitor object. | "" |
diff --git a/docs/content/installation/installing-nic/installation-with-operator.md b/docs/content/installation/installing-nic/installation-with-operator.md
index ebbb1ff9e0..51925dfedc 100644
--- a/docs/content/installation/installing-nic/installation-with-operator.md
+++ b/docs/content/installation/installing-nic/installation-with-operator.md
@@ -58,7 +58,7 @@ spec:
imagePullSecretName: ""
```
-{{}}For NGINX Plus, change the `image.repository` and `image.tag` values and change `nginxPlus` to `True`. If required, set the `serviceAccount.imagePullSecretName` to the name of the pre-created docker config secret that should be associated with the ServiceAccount.{{}}
+{{}}For NGINX Plus, change the `image.repository` and `image.tag` values and change `nginxPlus` to `True`. If required, set the `serviceAccount.imagePullSecretName` or `serviceAccount.imagePullSecretsNames` to the name of the pre-created docker config secret that should be associated with the ServiceAccount.{{}}
## Deploy NGINX Ingress Controller
diff --git a/docs/content/installation/nic-images/using-the-jwt-token-docker-secret.md b/docs/content/installation/nic-images/using-the-jwt-token-docker-secret.md
index fe1b57bfd7..09a61ab584 100644
--- a/docs/content/installation/nic-images/using-the-jwt-token-docker-secret.md
+++ b/docs/content/installation/nic-images/using-the-jwt-token-docker-secret.md
@@ -103,7 +103,7 @@ The [Installation with Helm ]({{< relref "installation/installing-nic/installati
1. Change the `nginxplus` argument to `true`.
1. Change the `repository` argument to the NGINX Ingress Controller image you intend to use.
- 1. Add an argument to `imagePullSecretName` to allow Docker to pull the image from the private registry.
+ 2. Add an argument to `imagePullSecretName` or `imagePullSecretsNames` to allow Docker to pull the image from the private registry.
The following code block shows snippets of the parameters you will need to change, and an example of their contents:
@@ -130,6 +130,7 @@ The [Installation with Helm ]({{< relref "installation/installing-nic/installati
## The name of the secret containing docker registry credentials.
## Secret must exist in the same namespace as the helm release.
+ ## Note that also imagePullSecretsNames can be used here if multiple secrets need to be set.
imagePullSecretName: regcred
```