diff --git a/charts/openab/README.md b/charts/openab/README.md index a9e50b029..a7ddae8b1 100644 --- a/charts/openab/README.md +++ b/charts/openab/README.md @@ -13,6 +13,7 @@ This page highlights commonly used values and deployment patterns. For the compl | `nameOverride` | Override the chart name portion used in generated resource names. For per-agent resource names, use `agents..nameOverride`. | `""` | | `fullnameOverride` | Override the full generated release name for chart resources. Useful when deploying multiple instances with predictable names. | `""` | | `serviceAccountName` | Chart-global ServiceAccount name attached to every agent pod that doesn't define its own. Empty = cluster `default` SA. Per-agent `agents..serviceAccountName` fully overrides this. Chart references an existing SA only — does not create one. Required for workload identity and pod-level RBAC. | `""` | +| `imagePullSecrets` | Chart-global image pull secrets attached to every agent pod that doesn't define its own. Per-agent `agents..imagePullSecrets` fully overrides this. | `[]` | ### Agent values @@ -53,6 +54,7 @@ Each agent lives under `agents.`. | `persistence.existingClaim` | Reuse an existing PVC instead of creating one. | `""` | | `agentsMd` | Contents of `AGENTS.md` mounted into the working directory. | `""` | | `serviceAccountName` | Per-agent ServiceAccount name. When set (non-empty), fully overrides chart-global `serviceAccountName`. Useful when only some agents need a dedicated SA. | `""` | +| `imagePullSecrets` | Per-agent image pull secrets. When set, fully overrides chart-global `imagePullSecrets`. Useful when only some agents pull from a private registry. | `[]` | | `extraInitContainers` | Additional init containers for the agent pod. | `[]` | | `extraContainers` | Additional sidecar containers for the agent pod. | `[]` | | `extraVolumeMounts` | Additional volume mounts for the main agent container. | `[]` | 
diff --git a/charts/openab/templates/deployment.yaml b/charts/openab/templates/deployment.yaml
index 1a6570613..5760bb42d 100644
--- a/charts/openab/templates/deployment.yaml
+++ b/charts/openab/templates/deployment.yaml
@@ -33,6 +33,10 @@ spec:
 {{- if $svcAcct }}
 serviceAccountName: {{ $svcAcct }}
 {{- end }}
+ {{- with (default $.Values.imagePullSecrets $cfg.imagePullSecrets) }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 {{- with $cfg.extraInitContainers }}
 initContainers:
 {{- toYaml . | nindent 8 }}
diff --git a/charts/openab/tests/imagepullsecrets_test.yaml b/charts/openab/tests/imagepullsecrets_test.yaml
new file mode 100644
index 000000000..fc5abedf0
--- /dev/null
+++ b/charts/openab/tests/imagepullsecrets_test.yaml
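Review bot: The added `with (default $.Values.imagePullSecrets $cfg.imagePullSecrets)` gives an agent no way to opt out of the chart-global pull secrets, because `default` treats an empty list as unset and `agents.kiro.imagePullSecrets: []` therefore renders the global list (the new test suite pins this as intended). If an agent that pulls only public images should not reference registry credentials, select on key presence instead, e.g. `{{- with (ternary $cfg.imagePullSecrets $.Values.imagePullSecrets (hasKey $cfg "imagePullSecrets")) }}`, which would also require the per-agent default in values.yaml to be left commented out. If the fallback is kept, a template comment such as `{{- /* per-agent list wins only when non-empty; [] falls back to the chart-global list */}}` above the block would record it. The enclosing pod spec starts and ends outside the hunk.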
@@ -0,0 +1,64 @@
+suite: imagePullSecrets support (chart-global + per-agent override)
+templates:
+ - templates/deployment.yaml
+
+tests:
+ - it: does not render imagePullSecrets when neither global nor per-agent is set
+ asserts:
+ - notExists:
+ path: spec.template.spec.imagePullSecrets
+
+ - it: renders chart-global imagePullSecrets when only the global value is set
+ set:
+ imagePullSecrets:
+ - name: regcred
+ asserts:
+ - equal:
+ path: spec.template.spec.imagePullSecrets
+ value:
+ - name: regcred
+
+ - it: renders per-agent imagePullSecrets when only the per-agent value is set
+ set:
+ agents.kiro.imagePullSecrets:
+ - name: kiro-regcred
+ asserts:
+ - equal:
+ path: spec.template.spec.imagePullSecrets
+ value:
+ - name: kiro-regcred
+
+ - it: per-agent imagePullSecrets fully overrides chart-global (no merge)
+ set:
+ imagePullSecrets:
+ - name: global-regcred
+ agents.kiro.imagePullSecrets:
+ - name: kiro-regcred
+ asserts:
+ - equal:
+ path: spec.template.spec.imagePullSecrets
+ value:
+ - name: kiro-regcred
+
+ - it: falls back to chart-global when per-agent imagePullSecrets is an empty list
+ set:
+ imagePullSecrets:
+ - name: global-regcred
+ agents.kiro.imagePullSecrets: []
+ asserts:
+ - equal:
+ path: spec.template.spec.imagePullSecrets
+ value:
+ - name: global-regcred
+
+ - it: supports multiple secrets in the list
+ set:
+ imagePullSecrets:
+ - name: regcred-a
+ - name: regcred-b
+ asserts:
+ - equal:
+ path: spec.template.spec.imagePullSecrets
+ value:
+ - name: regcred-a
+ - name: regcred-b
diff --git a/charts/openab/values.yaml b/charts/openab/values.yaml
index 5a28007d9..8db333258 100644
--- a/charts/openab/values.yaml
+++ b/charts/openab/values.yaml
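Review bot: Every case in this suite sets values only for `agents.kiro`, so nothing checks that a per-agent list stays on that agent's Deployment. A case that defines a second agent without its own list, sets `agents.kiro.imagePullSecrets`, and asserts on each rendered document (helm-unittest's `documentIndex`) would confirm that the other pod gets the chart-global list and never `kiro-regcred`. Whether the default values already define more than one agent is not visible in this diff.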
@@ -20,6 +20,14 @@ fullnameOverride: "" # serviceAccountName: "openab" serviceAccountName: "" +# Chart-global image pull secrets, used when an agent doesn't set its own +# `imagePullSecrets`. Per-agent values (agents..imagePullSecrets) take +# precedence — when set, they fully override (do not merge with) this list. +# Example: +# imagePullSecrets: +# - name: regcred +imagePullSecrets: [] + podSecurityContext: runAsNonRoot: true runAsUser: 1000 @@ -420,6 +428,12 @@ agents: # multi-agent deployments where only some agents need a dedicated SA. # serviceAccountName: "openab" serviceAccountName: "" + # Per-agent image pull secrets. When set, overrides the chart-global + # `imagePullSecrets` for this agent only. Useful in multi-agent deployments + # where only some agents pull from a private registry. + # imagePullSecrets: + # - name: regcred + imagePullSecrets: [] # extraInitContainers adds init containers to the pod (runs before the main container) extraInitContainers: [] # extraContainers adds sidecar containers to the pod
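Review bot: The new comments in both values.yaml hunks do not say that an empty per-agent list falls back to the chart-global list, nor that the referenced Secrets have to exist already. I would add to the per-agent comment `# An empty list does not disable pull secrets; it falls back to the chart-global list.` and to the chart-global comment `# The named Secrets must already exist in the release namespace; nothing in this change creates them.`. It is also worth one line noting that once a pod spec carries `imagePullSecrets`, Kubernetes no longer copies the ones attached to the pod's ServiceAccount, which matters for installs that also set `serviceAccountName`. The `agents:` mapping around the second hunk starts and ends outside it.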