chore: move imagePullSecrets to pod spec level in Helm deployment templates #2975

Open: joonas wants to merge 3 commits into defenseunicorns:main from joonas:fix/helm-imagepullsecrets-pod-spec-level

@joonas (Member) commented Mar 1, 2026

Description

The imagePullSecrets block in both watcherDeployTemplate and admissionDeployTemplate was indented inside the container list item. Kubernetes expects imagePullSecrets as a sibling of containers and volumes under spec.template.spec. When nested inside a container definition, the field is silently ignored, causing image pulls from private registries to fail with no diagnostic output.

Move the {{- if gt (len .Values.imagePullSecrets) 0 }} block from inside the container item to the pod spec level in both templates. The indentation drops from 16 spaces (container field) to 12 spaces (pod spec field), making imagePullSecrets a proper sibling of containers, serviceAccountName, and volumes.

Add two new tests that assert imagePullSecrets shares the same indentation level as containers, preventing regression.

End to End Test:
(See Pepr Excellent Examples)

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Other (security config, docs update, etc)

Checklist before merging

…plates

The `imagePullSecrets` block in both `watcherDeployTemplate` and
`admissionDeployTemplate` was indented inside the container list
item. Kubernetes expects `imagePullSecrets` as a sibling of
`containers` and `volumes` under `spec.template.spec`. When nested
inside a container definition, the field is silently ignored,
causing image pulls from private registries to fail with no
diagnostic output.

Move the `{{- if gt (len .Values.imagePullSecrets) 0 }}` block
from inside the container item to the pod spec level in both
templates. The indentation drops from 16 spaces (container field)
to 12 spaces (pod spec field), making `imagePullSecrets` a proper
sibling of `containers`, `serviceAccountName`, and `volumes`.

Add two new tests that assert `imagePullSecrets` shares the same
indentation level as `containers`, preventing regression.

Signed-off-by: Joonas Bergius <joonas@defenseunicorns.com>
@joonas joonas requested a review from a team as a code owner March 1, 2026 02:18
@samayer12 (Contributor)

@greptileai

greptile-apps Bot (Contributor) commented Apr 22, 2026

Greptile Summary

This PR fixes a silent Kubernetes misconfiguration where imagePullSecrets was nested inside a container definition instead of at spec.template.spec level, causing private-registry image pulls to fail with no error. Both watcherDeployTemplate and admissionDeployTemplate are corrected, and two regression tests using an indentation-comparison helper are added to prevent recurrence. The existing tests were also incidentally fixed to pass the required type argument they were previously omitting.

Confidence Score: 5/5

Safe to merge — the fix is correct, well-tested, and targeted.

All changes are P2 or better. The Kubernetes fix is accurate (imagePullSecrets belongs at pod spec level), the regression tests are sound, and no new risks are introduced.

No files require special attention.

Important Files Changed

| Filename | Overview |
|---|---|
| src/lib/assets/helm.ts | Moves imagePullSecrets from inside the container spec to the pod spec level in both watcherDeployTemplate and admissionDeployTemplate — correct fix matching Kubernetes API semantics. |
| src/lib/assets/helm.test.ts | Updates existing test calls to pass the required type parameter, and adds two new regression tests asserting imagePullSecrets has the same indentation level as containers. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["spec.template.spec (pod spec)"] --> B["serviceAccountName"]
    A --> C["containers (list)"]
    A --> D["imagePullSecrets ✅ NOW HERE"]
    A --> E["volumes"]
    C --> F["- name: watcher/server\n  image: ...\n  imagePullPolicy: ..."]
    style D fill:#90EE90
    G["❌ BEFORE: imagePullSecrets was here\n(inside container item, silently ignored)"] -.-> F

Reviews (1): Last reviewed commit: "Merge branch 'main' into fix/helm-imagep..." | Re-trigger Greptile
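
The indentation comparison described in the PR description and the summary above can be run directly over raw template text, which the Helm directives keep from parsing as YAML. This is an added example, not code from the PR or from Pepr: `findMisplacedPullSecrets`, `sampleTemplate` and the sample names and values are hypothetical, and only the 12/16-space indents and the `{{- if gt (len .Values.imagePullSecrets) 0 }}` guard come from the description.

```typescript
// Added example, not Pepr's code: flag `imagePullSecrets:` keys in raw Helm
// template text that are not indented like the preceding `containers:` key.
interface Finding { line: number; indent: number; expected: number }

function findMisplacedPullSecrets(template: string): Finding[] {
  const findings: Finding[] = [];
  let podSpecIndent = -1; // indent of the most recent `containers:` key, -1 if none yet
  template.split("\n").forEach((raw, i) => {
    if (/^---\s*$/.test(raw)) { podSpecIndent = -1; return; } // next YAML document
    // Template directives ({{- if ... }}), list items and other keys do not match.
    const m = /^( *)(containers|imagePullSecrets):/.exec(raw);
    if (!m) return;
    const indent = m[1].length;
    if (m[2] === "containers") {
      podSpecIndent = indent;
    } else if (podSpecIndent >= 0 && indent !== podSpecIndent) {
      // Any other indent means the key is not a sibling of `containers:`.
      findings.push({ line: i + 1, indent, expected: podSpecIndent });
    }
  });
  return findings;
}

// Constructed sample: pod spec keys at 12 spaces and container fields at 16,
// as in the PR description. Names and values are placeholders.
function sampleTemplate(secretIndent: number): string {
  const at = (n: number, s: string): string => " ".repeat(n) + s;
  return [
    at(8, "spec:"),
    at(12, "serviceAccountName: example-sa"),
    at(12, "containers:"),
    at(14, "- name: watcher"),
    at(16, "image: registry.example/app:0.0.0"),
    at(secretIndent, "{{- if gt (len .Values.imagePullSecrets) 0 }}"),
    at(secretIndent, "imagePullSecrets:"),
    at(secretIndent + 2, "{{- range .Values.imagePullSecrets }}"),
    at(secretIndent + 2, "- name: {{ . }}"),
    at(secretIndent + 2, "{{- end }}"),
    at(secretIndent, "{{- end }}"),
    at(12, "volumes: []"),
  ].join("\n");
}

console.log(findMisplacedPullSecrets(sampleTemplate(16))); // nested in the container item
console.log(findMisplacedPullSecrets(sampleTemplate(12))); // sibling of containers
```

The scan only compares against a `containers:` key that appears earlier in the same document, so a template that lists `imagePullSecrets` before `containers` is not checked.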

@AmberFryar AmberFryar changed the title fix: move imagePullSecrets to pod spec level in Helm deployment templates chore: move imagePullSecrets to pod spec level in Helm deployment templates May 6, 2026
codecov Bot commented May 13, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.40%. Comparing base (28928f7) to head (62fbffd).
⚠️ Report is 25 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #2975   +/-   ##
=======================================
  Coverage   77.40%   77.40%           
=======================================
  Files          93       93           
  Lines        2536     2536           
  Branches      532      532           
=======================================
  Hits         1963     1963           
  Misses        446      446           
  Partials      127      127           

| Files with missing lines | Coverage Δ |
|---|---|
| src/lib/assets/helm.ts | 88.88% <ø> (ø) |