Add ability to specify imagePullSecrets in the workflow.spec (resolves …

…argoproj#699)
chemist · Jan 26, 2018 · 5a589fc · 5a589fc
1 parent 2f77bc1
commit 5a589fc
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,7 @@
 
 ## 2.0.0-beta2 (Unreleased)
 + Add ability to specify affinity rules at both the workflow and template level
++ Add ability to specify imagePullSecrets in the workflow.spec
 - Fix issue preventing the referencing of artifacts in a container with retries
 - Fix issue preventing the use of volumes in a sidecar
 

diff --git a/pkg/apis/workflow/v1alpha1/types.go b/pkg/apis/workflow/v1alpha1/types.go
@@ -86,6 +86,12 @@ type WorkflowSpec struct {
  // Can be overridden by an affinity specified in the template
  Affinity *apiv1.Affinity `json:"affinity,omitempty"`
 
+ // ImagePullSecrets is a list of references to secrets in the same namespace to use for pulling any images
+ // in pods that reference this ServiceAccount. ImagePullSecrets are distinct from Secrets because Secrets
+ // can be mounted in the pod, but ImagePullSecrets are only accessed by the kubelet.
+ // More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
+ ImagePullSecrets []apiv1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
+
  // OnExit is a template reference which is invoked at the end of the
  // workflow, irrespective of the success, failure, or error of the
  // primary workflow.

diff --git a/pkg/apis/workflow/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/workflow/v1alpha1/zz_generated.deepcopy.go
@@ -791,6 +791,11 @@ func (in *WorkflowSpec) DeepCopyInto(out *WorkflowSpec) {
  (*in).DeepCopyInto(*out)
  }
  }
+ if in.ImagePullSecrets != nil {
+ in, out := &in.ImagePullSecrets, &out.ImagePullSecrets
+ *out = make([]v1.LocalObjectReference, len(*in))
+ copy(*out, *in)
+ }
  return
 }
 

diff --git a/workflow/controller/workflowpod.go b/workflow/controller/workflowpod.go
@@ -135,6 +135,7 @@ func (woc *wfOperationCtx) createWorkflowPod(nodeName string, mainCtr apiv1.Cont
  },
  ActiveDeadlineSeconds: tmpl.ActiveDeadlineSeconds,
  ServiceAccountName: woc.wf.Spec.ServiceAccountName,
+ ImagePullSecrets: woc.wf.Spec.ImagePullSecrets,
  },
  }
  if woc.controller.Config.InstanceID != "" {

diff --git a/workflow/controller/workflowpod_test.go b/workflow/controller/workflowpod_test.go
@@ -92,6 +92,22 @@ func TestServiceAccount(t *testing.T) {
  assert.Equal(t, pod.Spec.ServiceAccountName, "foo")
 }
 
+// TestImagePullSecrets verifies the ability to carry forward imagePullSecrets from workflow.spec
+func TestImagePullSecrets(t *testing.T) {
+ woc := newWoc()
+ woc.wf.Spec.ImagePullSecrets = []apiv1.LocalObjectReference{
+ {
+ Name: "secret-name",
+ },
+ }
+ err := woc.executeContainer(woc.wf.Spec.Entrypoint, &woc.wf.Spec.Templates[0])
+ assert.Nil(t, err)
+ podName := getPodName(woc.wf)
+ pod, err := woc.controller.kubeclientset.CoreV1().Pods("").Get(podName, metav1.GetOptions{})
+ assert.Nil(t, err)
+ assert.Equal(t, pod.Spec.ImagePullSecrets[0].Name, "secret-name")
+}
+
 // TestAffinity verifies the ability to carry forward affinity rules
 func TestAffinity(t *testing.T) {
  woc := newWoc()