feat(artifactories): label dockerhub registry secret with secret-copier=yes #556
AbhisHub-12 wants to merge 1 commit into
Labels the dockerconfigjson secret so secret-copier replicates it across all namespaces, allowing image-pull-secret-injector to inject a valid imagePullSecret into every pod. Resolves the containerd 2.x DockerHub auth gap on k8s 1.34+/1.35 nodes where node-level config.toml login is ignored.
No actionable comments were generated in the recent review.

Warning: There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure. Trivy (0.69.3): Trivy execution timed out.
What

Adds the secret-copier=yes label to the DockerHub dockerconfigjson secret created by artifactories/default/0.1.

Why

On containerd 2.x nodes (k8s 1.34+/1.35), node-level /etc/containerd/config.toml DockerHub login is silently ignored, so private DockerHub pulls fail. The fix is the k8s imagePullSecret path:

- secret-copier=yes in default) replicates it to every namespace — real-time on new-namespace + secret change, plus a daily reconcile

Pod-level injection = SA-agnostic; no service-account patching needed. This is the same label the redesigned artifactories/standard/1.0 module already sets.

Scope

- for_each = local.artifactories_dockerhub) — ECR path untouched.
- default namespace (secret-copier's source) and secret-copier + image_pull_secret_injector to be deployed in the cluster.

Test plan

- default → confirm secret-copier replicates it to a fresh namespace
- imagePullSecrets injected and pulls successfully
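One way to check the replication step of the test plan offline, as an added example that is not code from this PR or from secret-copier: it reads the JSON that `kubectl get secrets -A -o json` produces and reports namespaces whose copy of the labelled registry secret is missing or out of date. It assumes copies keep the source secret's name and type; the secret name `dockerhub`, the namespace names and the tokens are constructed sample values.

```python
import base64, hashlib, json

LABEL = ("secret-copier", "yes")          # label named in the PR
DOCKERCFG = "kubernetes.io/dockerconfigjson"

def _digest(secret):
    """Hash the payload so copies can be compared without printing credentials."""
    raw = base64.b64decode(secret["data"][".dockerconfigjson"])
    json.loads(raw)["auths"]              # raises if the payload is not a docker config
    return hashlib.sha256(raw).hexdigest()

def audit(secret_list, namespaces, source_ns="default"):
    """Return {namespace: 'missing' | 'stale'} for namespaces lacking a current copy."""
    items = [s for s in secret_list["items"] if s.get("type") == DOCKERCFG]
    sources = [s for s in items
               if s["metadata"]["namespace"] == source_ns
               and (s["metadata"].get("labels") or {}).get(LABEL[0]) == LABEL[1]]
    if len(sources) != 1:
        raise ValueError(f"expected one labelled source secret, found {len(sources)}")
    name, want = sources[0]["metadata"]["name"], _digest(sources[0])
    # Assumption: a replicated copy has the same name as the source secret.
    copies = {s["metadata"]["namespace"]: s for s in items
              if s["metadata"]["name"] == name}
    report = {}
    for ns in namespaces:
        if ns not in copies:
            report[ns] = "missing"
        elif _digest(copies[ns]) != want:
            report[ns] = "stale"
    return report

# Constructed sample data standing in for `kubectl get secrets -A -o json`.
def _secret(ns, token, labels=None):
    cfg = {"auths": {"https://index.docker.io/v1/": {"auth": token}}}
    return {"type": DOCKERCFG,
            "metadata": {"name": "dockerhub", "namespace": ns, "labels": labels or {}},
            "data": {".dockerconfigjson": base64.b64encode(json.dumps(cfg).encode()).decode()}}

SAMPLE = {"items": [
    _secret("default", "bmV3", {"secret-copier": "yes"}),
    _secret("team-a", "bmV3"),
    _secret("team-b", "b2xk"),            # copy made before the source was rotated
]}

if __name__ == "__main__":
    print(audit(SAMPLE, ["default", "team-a", "team-b", "team-c"]))
```

Comparing digests rather than decoded values keeps the DockerHub credential out of terminal output and CI logs.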