CP-35716: fix defaults.image.pullSecrets not applying to workload templates #606
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…plates While adding comprehensive per-type unit tests for defaults.* properties, discovered that defaults.image.pullSecrets was not being applied to most workload templates. Only config-loader-job.yaml and helmless-job.yaml were using the correct generateImagePullSecrets helper; six other templates used legacy helpers that did not fall back to defaults.image.pullSecrets. Functional Change: Before: Setting defaults.image.pullSecrets had no effect on agent-deploy, aggregator-deploy, agent-daemonset, webhook-deploy, backfill-job, or init-cert-job templates. Users had to set the deprecated top-level imagePullSecrets or configure each component individually. After: Setting defaults.image.pullSecrets applies to all workload templates. Backwards compatibility with the deprecated imagePullSecrets is preserved. Root Cause: Six templates were using legacy imagePullSecrets helpers that had different fallback chains: 1. cloudzero-agent.server.imagePullSecrets - only checked .Values.imagePullSecrets 2. cloudzero-agent.insightsController.server.imagePullSecrets - checked insightsController.server.imagePullSecrets -> imagePullSecrets 3. cloudzero-agent.initBackfillJob.imagePullSecrets - checked backFillValues.imagePullSecrets -> insightsController.server.imagePullSecrets -> imagePullSecrets 4. cloudzero-agent.initCertJob.imagePullSecrets - similar chain None of these helpers included defaults.image.pullSecrets in their fallback chain. Solution: 1. Updated generateImagePullSecrets helper (_helpers.tpl:1137-1142) to include deprecated imagePullSecrets as final fallback: .image.pullSecrets | default .root.Values.defaults.image.pullSecrets | default .root.Values.imagePullSecrets 2. Updated six templates to use generateImagePullSecrets: - agent-deploy.yaml (line 310) - aggregator-deploy.yaml (line 159) - agent-daemonset.yaml (line 190) - webhook-deploy.yaml (line 86) - backfill-job.yaml (line 122) - init-cert-job.yaml (line 54) 3. Also fixed aggregator-service.yaml to use generateLabels for consistency with other templates (removes app.kubernetes.io/component which was inconsistently applied across resources). Validation: - All 395 Helm unit tests pass (8 new tests added for defaults.image.pullSecrets) - New tests verify defaults.image.pullSecrets applies to Deployment, DaemonSet, Job, and CronJob resources - New tests verify backwards compatibility with deprecated imagePullSecrets - Manual helm template verification confirms imagePullSecrets renders correctly when defaults.image.pullSecrets is set
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
While adding comprehensive per-type unit tests for defaults.* properties, discovered that defaults.image.pullSecrets was not being applied to most workload templates. Only config-loader-job.yaml and helmless-job.yaml were using the correct generateImagePullSecrets helper; six other templates used legacy helpers that did not fall back to defaults.image.pullSecrets.
Functional Change:
Before: Setting defaults.image.pullSecrets had no effect on agent-deploy, aggregator-deploy, agent-daemonset, webhook-deploy, backfill-job, or init-cert-job templates. Users had to set the deprecated top-level imagePullSecrets or configure each component individually.
After: Setting defaults.image.pullSecrets applies to all workload templates. Backwards compatibility with the deprecated imagePullSecrets is preserved.
Root Cause:
Six templates were using legacy imagePullSecrets helpers that had different fallback chains:
None of these helpers included defaults.image.pullSecrets in their fallback chain.
Solution:
Updated generateImagePullSecrets helper (_helpers.tpl:1137-1142) to include deprecated imagePullSecrets as final fallback: .image.pullSecrets | default .root.Values.defaults.image.pullSecrets | default .root.Values.imagePullSecrets
Updated six templates to use generateImagePullSecrets:
Also fixed aggregator-service.yaml to use generateLabels for consistency with other templates (removes app.kubernetes.io/component which was inconsistently applied across resources).
Validation: