6 changes: 3 additions & 3 deletions charts/openfga/Chart.lock
Expand Up @@ -7,6 +7,6 @@ dependencies:
version: 9.6.0
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
version: 2.13.3
digest: sha256:a152c0abc09cadc6a2158e237b67485b3177d1ed8ad9b7f0b64af300b4eb6e25
generated: "2025-03-27T13:49:29.005097735+01:00"
version: 2.31.4
digest: sha256:2e4dba7715f62620b42b8f1f021e1d1def80fbf6c22052d3d12fca4cf3875780
generated: "2025-10-15T17:08:29.453093-04:00"
2 changes: 1 addition & 1 deletion charts/openfga/Chart.yaml
Expand Up @@ -25,7 +25,7 @@ dependencies:
repository: https://charts.bitnami.com/bitnami
condition: mysql.enabled
- name: common
version: "2.13.3"
version: "2.31.4"
repository: oci://registry-1.docker.io/bitnamicharts
tags:
- bitnami-common
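Review bot: The chart's own `version` is not bumped: the only line changed in this file is the `common` pin (`version: "2.31.4"`), while the rest of the PR removes the top-level `imagePullSecrets` value and adds new `registry`, `digest` and `pullSecrets` keys. Bump the chart version in the same change (and mark it as breaking) unless release tooling does that separately. Also note that `mysql` above is still fetched from `https://charts.bitnami.com/bitnami` while `common` comes from `oci://registry-1.docker.io/bitnamicharts`; using one source for both makes the dependency provenance easier to audit.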
20 changes: 20 additions & 0 deletions charts/openfga/templates/_helpers.tpl
Expand Up @@ -141,3 +141,23 @@ Return true if a secret object should be created
key: "password"
{{- end -}}
{{- end -}}

{{- define "openfga.pullSecrets" -}}
{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.initContainer) "context" $) -}}
{{- end }}
Comment on lines +145 to +147

⚠️ Potential issue | 🔴 Critical

Fix incorrect context parameter in helper template.

The openfga.pullSecrets helper passes $ (root context at template definition) instead of . (current context) to common.images.renderPullSecrets. This will cause the helper to receive the wrong context and fail to properly resolve image pull secrets.

Apply this diff to fix the context parameter:

 {{- define "openfga.pullSecrets" -}}
-{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.initContainer) "context" $) -}}
+{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.initContainer) "context" .) -}}
 {{- end }}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
{{- define "openfga.pullSecrets" -}}
{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.initContainer) "context" $) -}}
{{- end }}
{{- define "openfga.pullSecrets" -}}
{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.initContainer) "context" .) -}}
{{- end }}
🤖 Prompt for AI Agents
In charts/openfga/templates/_helpers.tpl around lines 145 to 147, the helper
uses `$` (root context) when calling common.images.renderPullSecrets which
causes the wrong context to be passed; change the context argument from `$` to
`.` so the current template context is forwarded to renderPullSecrets, ensuring
image and initContainer values resolve correctly.


{{/*
Job does not use the initContainer image, so by the least-priviledge principle, we do not need to include its pull
secrets.
*/}}
{{- define "openfga.jobPullSecrets" -}}
{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image) "context" $) -}}
{{- end }}
Comment on lines +153 to +155

⚠️ Potential issue | 🔴 Critical

Fix incorrect context parameter in job helper template.

Same issue as in openfga.pullSecrets: the helper passes $ instead of . for the context parameter.

Apply this diff:

 {{- define "openfga.jobPullSecrets" -}}
-{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image) "context" $) -}}
+{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image) "context" .) -}}
 {{- end }}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
{{- define "openfga.jobPullSecrets" -}}
{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image) "context" $) -}}
{{- end }}
{{- define "openfga.jobPullSecrets" -}}
{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image) "context" .) -}}
{{- end }}
🤖 Prompt for AI Agents
In charts/openfga/templates/_helpers.tpl around lines 153 to 155, the
jobPullSecrets helper is passing the wrong context variable ($) to the include
of common.images.renderPullSecrets; update the include call to pass the current
context (.) instead of $ so the correct scope/values are available when
rendering pull secrets.


{{- define "openfga.image" -}}
{{- include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global "chart" .Chart) -}}
{{- end }}

{{- define "openfga.initContainer.image" -}}
{{- include "common.images.image" (dict "imageRoot" .Values.initContainer "global" .Values.global) -}}
{{- end }}
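Review bot: Three of the four new helpers (`openfga.pullSecrets`, `openfga.image`, `openfga.initContainer.image`) have no `{{/* ... */}}` description, unlike `openfga.jobPullSecrets`. Add one line each, and say whether `openfga.initContainer.image` leaves out `"chart" .Chart` on purpose, since `openfga.image` passes it. The comment above `openfga.jobPullSecrets` spells "least-privilege" as "least-priviledge". On `"context" $` in both pull-secret helpers: at the top level of a `define`, `$` is the value handed to `include`, so it is the same object as `.` there and the helpers render as intended when called with `.`; writing `.` would only make them read consistently with the `.Values.image` arguments next to it.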
11 changes: 4 additions & 7 deletions charts/openfga/templates/deployment.yaml
Expand Up @@ -30,10 +30,7 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- include "openfga.pullSecrets" . | nindent 6 }}
serviceAccountName: {{ include "openfga.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
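Review bot: Removing the `{{- with .Values.imagePullSecrets }}` block means a release that still sets the top-level `imagePullSecrets` value gets no pull secrets from it after upgrading, and pods that pull from a private registry will then fail to start. Either keep the old key as a deprecated fallback inside `openfga.pullSecrets`, or state the rename to `global.imagePullSecrets` / `image.pullSecrets` / `initContainer.pullSecrets` in the upgrade notes.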
Expand All @@ -43,7 +40,7 @@ spec:
- name: wait-for-migration
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.initContainer.repository }}:{{ .Values.initContainer.tag }}"
image: {{- include "openfga.initContainer.image" . }}
imagePullPolicy: {{ .Values.initContainer.pullPolicy }}
args: ["job-wr", '{{ include "openfga.fullname" . }}-migrate']
resources:
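Review bot: The left trim marker in `image: {{- include "openfga.initContainer.image" . }}` removes the space after `image:`, so the rendered line has the image reference glued to the colon and is no longer a valid `key: value` pair. Use `image: {{ include "openfga.initContainer.image" . }}`, the same form the other containers in this file use, and check the result with `helm template`.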
Expand All @@ -56,7 +53,7 @@ spec:
- name: migrate-database
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
image: {{ include "openfga.image" . }}
args: [ "migrate" ]
env:
{{- include "openfga.datastore.envConfig" . | nindent 12 }}
Expand Down Expand Up @@ -85,7 +82,7 @@ spec:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
image: {{ include "openfga.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
args: ["run"]
ports:
7 changes: 2 additions & 5 deletions charts/openfga/templates/job.yaml
Expand Up @@ -25,10 +25,7 @@ spec:
{{- toYaml . | nindent 8}}
{{- end}}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- include "openfga.jobPullSecrets" . | nindent 6 }}
serviceAccountName: {{ include "openfga.serviceAccountName" . }}
{{- with .Values.migrate.extraInitContainers }}
initContainers:
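Review bot: `openfga.jobPullSecrets` renders secrets for `.Values.image` only, but this pod also runs whatever is supplied in `.Values.migrate.extraInitContainers` a few lines below. Images listed there that live in a private registry can now be pulled only through `global.imagePullSecrets` or `image.pullSecrets`; document that next to `migrate.extraInitContainers`, or add a dedicated pull-secrets value for the job.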
Expand All @@ -38,7 +35,7 @@ spec:
- name: migrate-database
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
image: {{ include "openfga.image" . }}
args: ["migrate"]
env:
{{- include "openfga.datastore.envConfig" . | nindent 12 }}
7 changes: 2 additions & 5 deletions charts/openfga/templates/tests/test-connection.yaml
Expand Up @@ -7,13 +7,10 @@ metadata:
annotations:
"helm.sh/hook": test
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- include "openfga.pullSecrets" . | nindent 2 }}
containers:
- name: grpc-health-probe
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
image: {{ include "openfga.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command: ["grpc_health_probe", '-addr={{ include "openfga.fullname" . }}:{{ (split ":" .Values.grpc.addr)._1 }}']
{{- with .Values.testContainerSpec }}
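Review bot: The test pod runs a single container, `grpc-health-probe`, from the main image, yet `{{- include "openfga.pullSecrets" . | nindent 2 }}` also attaches the init container's pull secrets. By the least-privilege reasoning given for `openfga.jobPullSecrets` in `_helpers.tpl`, this pod should use that helper (or one with the same image list) so it is not handed registry credentials it never needs.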
41 changes: 36 additions & 5 deletions charts/openfga/values.schema.json
Expand Up @@ -3,11 +3,26 @@
"type": "object",
"properties": {
"global": {
"type": "object"
"type": "object",
"properties": {
"imageRegistry": {
"type": "string",
"description": "The container image registry to pull images from. It is prepended to individual components repositories. For example, if global.imageRegistry is set to 'ghcr.io' and image.repository is set to 'openfga/openfga', the final image repository will be 'ghcr.io/openfga/openfga'."
},
"imagePullSecrets": {
"type": "array",
"description": "An optional list of references to secrets in the same namespace to use for pulling any of the images used by the pod spec. If specified, these secrets will be passed to individual puller implementations for them to use. For more information see https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod."
}
},
"additionalProperties": true
},
"image": {
"type": "object",
"properties": {
"registry": {
"type": "string",
"description": "The container image registry to pull the main OpenFGA image from. It is prepended to the image.repository. For example, if image.registry is set to 'ghcr.io' and image.repository is set to 'openfga/openfga', the final image repository will be 'ghcr.io/openfga/openfga'."
},
"repository": {
"type": "string",
"description": "The container repository to pull the main OpenFGA image from",
Expand All @@ -17,10 +32,18 @@
"type": "string",
"description": "Overrides the image tag of the main OpenFGA image whose default is the chart appVersion"
},
"digest": {
"type": "string",
"description": "Overrides the image digest of the main OpenFGA image. Takes precedence over tag."
},
"pullPolicy": {
"type": "string",
"description": "The image pull policy",
"default": "Always"
},
"pullSecrets": {
"type": "array",
"description": "An optional list of references to secrets in the same namespace to use for pulling the main OpenFGA image. If specified, these secrets will be passed to individual puller implementations for them to use. For more information see https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod."
}
},
"additionalProperties": false
Expand Down Expand Up @@ -86,10 +109,6 @@
"description": "Defines the pod security context for the OpenFGA pods. For more information see https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod.",
"default": {}
},
"imagePullSecrets": {
"type": "array",
"description": "An optional list of references to secrets in the same namespace to use for pulling any of the images used by the pod spec. If specified, these secrets will be passed to individual puller implementations for them to use. For more information see https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod."
},
"nodeSelector": {
"type": "object",
"description": "Specifies the node which pods managed by the deployment will get assigned to. For more information see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector.",
Expand Down Expand Up @@ -1108,6 +1127,10 @@
"type": "object",
"description": "",
"properties": {
"registry": {
"type": "string",
"description": "The container image registry to pull the initContainer from. It is prepended to the initContainer image repository. For example, if initContainer.registry is set to 'ghcr.io' and initContainer.repository is set to 'groundnuty/k8s-wait-for', the final image repository will be 'ghcr.io/groundnuty/k8s-wait-for'."
},
"repository": {
"type": "string",
"description": "The container image repository to pull the initContainer from",
Expand All @@ -1118,10 +1141,18 @@
"description": "The specific initContainer image tag to pull",
"default": "v1.6"
},
"digest": {
"type": "string",
"description": "The specific initContainer image digest to pull. Takes precedence over tag."
},
"pullPolicy": {
"type": "string",
"description": "The image pull policy to apply to the initContainer",
"default": "IfNotPresent"
},
"pullSecrets": {
"type": "array",
"description": "An optional list of references to secrets in the same namespace to use for pulling the initContainer image. If specified, these secrets will be passed to individual puller implementations for them to use. For more information see https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod."
}
}
},
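Review bot: The new `digest` and `pullSecrets` properties for `initContainer` are validated only as `"type": "string"` and `"type": "array"`, so a malformed digest or a list of arbitrary element types passes the schema and fails later at render or pull time. Add a `pattern` for `digest` (algorithm, colon, hex) and an `items` definition for `pullSecrets`; the same applies to `image.digest`, `image.pullSecrets` and `global.imagePullSecrets` added earlier in this file. While here, the `tag` default shown in this hunk is `"v1.6"` but `values.yaml` ships `tag: "v2.0"`; align the two.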
11 changes: 10 additions & 1 deletion charts/openfga/values.yaml
@@ -1,11 +1,17 @@
global:
imageRegistry: ""
imagePullSecrets: []

replicaCount: 3

image:
registry: ""
repository: openfga/openfga
pullPolicy: Always
tag: ""
digest: ""
pullSecrets: []

imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
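Review bot: The new keys under `global:` and `image:` are added without comments, and neither this file nor the schema descriptions say which wins when both `global.imageRegistry` and `image.registry` are set. Add a short `##` comment per key, in the style this file uses further down, covering that precedence and the fact that `digest` overrides `tag`.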

Expand Down Expand Up @@ -49,9 +55,12 @@ securityContext:
# runAsUser: 1000

initContainer:
registry: ""
repository: groundnuty/k8s-wait-for
tag: "v2.0"
digest: ""
pullPolicy: IfNotPresent
pullSecrets: []

## Configure extra options for OpenFGA containers' liveness, readiness and startup probes
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
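Review bot: The init container still defaults to a mutable tag, `tag: "v2.0"` on the third-party `groundnuty/k8s-wait-for` repository with `pullPolicy: IfNotPresent`, and the new `digest: ""` leaves pinning to the user. Since this hunk introduces `digest`, consider shipping a default digest for that image, or at least a comment recommending one, so the image that runs with the pod's service account is fixed to known content.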