This repository has been archived by the owner on Nov 1, 2022. It is now read-only.

imagePullSecrets must be duplicated on every controller manifest #1043

Closed
brantb opened this issue Apr 13, 2018 · 2 comments
Labels
enhancement onboarding/activation Particular pertinence to getting Flux up and running size/medium

Comments

@brantb
Contributor

brantb commented Apr 13, 2018

The recommended approach to using imagePullSecrets is to attach them to a service account (usually default). This eliminates the need to duplicate the imagePullSecret on every controller that requires it.

However, this doesn't work with Flux today. Unless the controller explicitly specifies an imagePullSecret, Flux won't be able to poll its images.

I feel it would be much easier to add an imagePullSecret to the flux ServiceAccount like this:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    name: flux
  name: flux
imagePullSecrets:
  - name: my-private-registry
```

@squaremo
Member

@brantb Good point, that is a better way to use imagePullSecrets and flux ought to support it.

Adding each imagePullSecret to the serviceAccount used by flux doesn't necessarily help. For one thing, flux will have a service account in its own namespace, which can have imagePullSecrets only from that namespace. So you'd have to replicate secrets from other namespaces into flux's namespace.

Also, giving the pod a service account with an imagePullSecret doesn't mean the processes in the pod get access to the secret -- it would have to be looked up via the Kubernetes API. So not quite as convenient as it first looks.

A better way may be for flux to chase imagePullSecrets associated via the service accounts, as it does (more directly) for imagePullSecrets mentioned in the resource directly.
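
Added example, not part of the thread and not Flux's code: a sketch of the lookup suggested above, collecting a workload's pull secrets from its pod template and from its service account, always in the workload's own namespace. The types are simplified, constructed stand-ins for the Kubernetes objects, and `PullSecretsFor` is a hypothetical name.

```go
package main

import "fmt"

// Constructed, simplified stand-ins for the Kubernetes objects involved.
type ServiceAccount struct {
	Namespace, Name  string
	ImagePullSecrets []string
}

type Workload struct {
	Namespace, Name    string
	ServiceAccountName string   // empty means "default"
	ImagePullSecrets   []string // set on the pod template itself
}

// SecretRef names a secret together with the namespace it must be read from.
type SecretRef struct{ Namespace, Name string }

// PullSecretsFor lists the secrets to look up for a workload: those on its pod
// template, then those on its service account, de-duplicated. Every ref carries
// the workload's namespace, since a service account only sees its own namespace.
func PullSecretsFor(w Workload, accounts []ServiceAccount) []SecretRef {
	saName := w.ServiceAccountName
	if saName == "" {
		saName = "default"
	}
	names := append([]string{}, w.ImagePullSecrets...)
	for _, sa := range accounts {
		if sa.Namespace == w.Namespace && sa.Name == saName {
			names = append(names, sa.ImagePullSecrets...)
		}
	}
	seen := map[string]bool{}
	var refs []SecretRef
	for _, n := range names {
		if !seen[n] {
			seen[n] = true
			refs = append(refs, SecretRef{w.Namespace, n})
		}
	}
	return refs
}

func main() {
	// Constructed sample: the secret sits on team-a's default service account.
	accounts := []ServiceAccount{{"team-a", "default", []string{"my-private-registry"}}}
	fmt.Println(PullSecretsFor(Workload{Namespace: "team-a", Name: "web"}, accounts))
}
```

Each returned reference still has to be read through the Kubernetes API before its credentials can be used, which is the extra step the comment above points out.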

@brantb
Contributor Author

brantb commented Apr 26, 2018

My "add the secret to Flux's ServiceAccount" idea was based on only a vague understanding of how service accounts in k8s work, so I'm glad you suggested a better way. 👍

@rade rade added the onboarding/activation Particular pertinence to getting Flux up and running label Jul 20, 2018
squaremo referenced this issue Aug 21, 2018
…s-from-sa

Get image pull secrets via serviceAccounts