coco: automate pull-secret via ESO cross-namespace

beraldoleal · beraldoleal · commit c937b9663cb5 · 2026-03-20T17:38:45.000-04:00
Peer-pods don't have access to the node's pull-secret, needed for
private repos. Use ESO kubernetes provider to sync pull-secret from
openshift-config to the workload namespace.

Signed-off-by: Beraldo Leal &lt;bleal@redhat.com&gt;
diff --git a/charts/hello-coco/templates/pod.yaml b/charts/hello-coco/templates/pod.yaml
@@ -14,11 +14,8 @@ spec:
   # not individual containers. All containers in this pod are part of the same trust boundary.
   shareProcessNamespace: true
   serviceAccountName: spire-agent
-  # TODO: Make imagePullSecrets configurable like qtodo chart pattern (values.yaml + conditional)
-  # Currently hardcoded 'global-pull-secret' which must be manually created in the namespace
-  # Should either: 1) use ServiceAccount.imagePullSecrets, or 2) be conditional from values
   imagePullSecrets:
-  - name: global-pull-secret
+  - name: pull-secret
 
   containers:
   # SPIRE Agent Sidecar
diff --git a/charts/hello-coco/templates/pull-secret-external.yaml b/charts/hello-coco/templates/pull-secret-external.yaml
@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: pull-secret
+  namespace: {{ .Release.Namespace }}
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: openshift-config
+    kind: SecretStore
+  target:
+    name: pull-secret
+    template:
+      type: kubernetes.io/dockerconfigjson
+      data:
+        .dockerconfigjson: "{{ `{{ .dockerconfigjson | toString }}` }}"
+  data:
+  - secretKey: dockerconfigjson
+    remoteRef:
+      key: pull-secret
+      property: .dockerconfigjson
diff --git a/charts/hello-coco/templates/pull-secret-rbac.yaml b/charts/hello-coco/templates/pull-secret-rbac.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pull-secret-reader
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: pull-secret-reader
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  resourceNames: ["pull-secret"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+  resources: ["namespaces"]
+  verbs: ["get"]
+- apiGroups: ["authorization.k8s.io"]
+  resources: ["selfsubjectrulesreviews"]
+  verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: pull-secret-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: pull-secret-reader
+subjects:
+- kind: ServiceAccount
+  name: pull-secret-reader
+  namespace: {{ .Release.Namespace }}
diff --git a/charts/hello-coco/templates/pull-secret-store.yaml b/charts/hello-coco/templates/pull-secret-store.yaml
@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: openshift-config
+  namespace: {{ .Release.Namespace }}
+spec:
+  provider:
+    kubernetes:
+      remoteNamespace: openshift-config
+      server:
+        caProvider:
+          type: ConfigMap
+          name: kube-root-ca.crt
+          key: ca.crt
+      auth:
+        serviceAccount:
+          name: pull-secret-reader
