Add imagePullSecrets as a configurable option for pulling kube-webhook-certgen from a private docker repo #1111

Closed
maclermo opened this issue Jan 30, 2025 · 6 comments

Problem Statement

Currently, we are setting the flags -webhook-certificate-config-base-image and -webhook-certificate-config-shell-image.

The reason we have to set these flags is that we are running a Kubernetes cluster behind a firewall that does not allow pulling from public registries for compliance reasons.

The issue we are having is that we cannot pass an imagePullSecrets directive to the Job that is created so that the images get pulled from our private registry.

Proposed Solution

Allow setting imagePullSecrets for pulling the images.

Additional Information

  • Using v1.4
  • Deployed with the latest helm chart /gateway-operator

Acceptance Criteria

  • When supplying a value to the flag webhook-certificate-config-image-pull-secret, the value must be added to imagePullSecrets[0].name in the Job's spec.
  • When omitting to supply a value to the flag, no image pull secret must be specified.

pmalek (Member) commented Jan 30, 2025

In 1.5 we're removing webhook altogether (#1100) as part of #949. This will fix other issues as well.

At that point you won't need any secrets for the job Pods anymore. Given that I'll close this issue.

You can test these changes already via https://hub.docker.com/r/kong/nightly-gateway-operator.

pmalek closed this as not planned on Jan 30, 2025

maclermo (Author) commented Jan 30, 2025

We are currently testing out the operator.

Unfortunately, without the nightly version being in a stable release, we cannot go ahead with buying Enterprise (Kong Konnect and API Gateway with Advanced RateLimiter).

Do you have an ETA for the operator to be released as stable?

We were planning on buying the subscription in March.

Also, should this bump the version to v2? Seems to be a breaking change to me...

Thanks.

pmalek (Member) commented Jan 30, 2025

> Do you have an ETA for the operator to be released as stable?

1.5 should be out for March most likely.

> Also, should this bump the version to v2? Seems to be a breaking change to me...

Flags stay as is (become no-op) so no breakage there. All other validations are covered via CRD CEL validation rules or ValidatingAdmissionPolicy.

maclermo (Author) commented

OK, I think the release timeframe would allow us to proceed with a subscription contract purchase.

I hope that it is planned that setting these no-op flags will output a big warning when launching the controller because of the false sense of concrete action that it might give to the user.

But for now, I know not to set them.

maclermo (Author) commented

Hi, sorry it's me again.

I am now using 1.5 (nightly) and I still get the same behavior.

Is there a document on how to specify the image registry and tag, and image pull secrets for the new 1.5 release?

Thanks.

pmalek (Member) commented Jan 31, 2025

We've been migrating our nightly builds to a new location recently. If you're using kong/gateway-operator:nightly then that's the old location which is not going to get updated anymore at this stage.

You can find the new nightlies at

#1113 will document that in the README. Thanks for bringing this up 🙇
