Closed
Description
Currently, we can add image pull secrets only when an external registry is used like this:
```yaml
containerRegistry:
  inCluster: false
  external:
    url: my-registry.example.com
    certificate:
      kind: secret
      name: my-registry-credentials
```
However, when we use an in-cluster registry, customers would probably still want to add pull secrets for workspace base images.
I would suggest deprecating the `certificate` block under `external` and moving it directly under `containerRegistry`, like this:
```yaml
containerRegistry:
  inCluster: false
  external:
    url: my-registry.example.com
  certificate:
    kind: secret
    name: my-registry-credentials
```
(probably rename “certificate” to “credentials”, however, we probably want to keep this consistent with other occurrences of “credentials”, e.g. for the object storage)
That would also allow adding workspace pull secrets when the in-cluster registry is used like this (see also #10791):
```yaml
containerRegistry:
  inCluster: true
  certificate:
    kind: secret
    name: my-registry-credentials
  privateBaseImageRegistries:
    - my-registry.example.com
    - my-other-registry.example.com
```
In this case, we need to merge the in-cluster container secret with the secret given here to allow accessing both registries.
- code pointer
- see also this change where we do this in KOTS already. Once we have this natively supported in the installer, we can replace this hack in KOTS.
- See also - internal discussion about this
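
The merge step described in the issue, as an added example that is not part of the original issue or the installer's code. It assumes both secrets carry a `kubernetes.io/dockerconfigjson` payload; `mergePullSecrets`, the in-cluster host name and the `auth` values are hypothetical placeholders. A registry host that appears in both secrets is rejected instead of being silently overwritten.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// dockerConfig models the payload of a kubernetes.io/dockerconfigjson secret.
// Each auths entry stays raw JSON so fields we do not model survive the merge.
type dockerConfig struct {
	Auths map[string]json.RawMessage `json:"auths"`
}

// mergePullSecrets (hypothetical helper) combines the in-cluster registry
// secret with the user-supplied one and returns the merged payload plus the
// sorted registry hosts it covers. A host present in both secrets is an error:
// silently picking one credential would make pulls authenticate with the
// wrong identity and be hard to diagnose.
func mergePullSecrets(inCluster, user []byte) ([]byte, []string, error) {
	merged := dockerConfig{Auths: map[string]json.RawMessage{}}
	for _, src := range [][]byte{inCluster, user} {
		var cfg dockerConfig
		if err := json.Unmarshal(src, &cfg); err != nil {
			return nil, nil, fmt.Errorf("invalid dockerconfigjson: %w", err)
		}
		for host, entry := range cfg.Auths {
			if _, dup := merged.Auths[host]; dup {
				return nil, nil, fmt.Errorf("registry %q defined in both secrets", host)
			}
			merged.Auths[host] = entry
		}
	}
	hosts := make([]string, 0, len(merged.Auths))
	for h := range merged.Auths {
		hosts = append(hosts, h)
	}
	sort.Strings(hosts)
	out, err := json.Marshal(merged)
	return out, hosts, err
}

// Constructed sample payloads; host names and auth values are placeholders.
const sampleInCluster = `{"auths":{"in-cluster-registry.example.internal":{"auth":"PLACEHOLDER_A"}}}`
const sampleUser = `{"auths":{"my-registry.example.com":{"auth":"PLACEHOLDER_B"}}}`

func main() {
	_, hosts, err := mergePullSecrets([]byte(sampleInCluster), []byte(sampleUser))
	fmt.Println(hosts, err) // prints host names only, never the credentials
}
```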