add image pull secret support (#1127)

Co-authored-by: houseme <housemecn@gmail.com>
2026-01-16 17:20:33 +00:00 · 2025-12-12 20:25:25 +08:00
parent 0bf25fdefa
commit 08be8f5472
6 changed files with 63 additions and 18 deletions
--- a/helm/README.md
+++ b/helm/README.md
@@ -13,24 +13,32 @@ RustFS helm chart supports **standalone and distributed mode**. For standalone m

 | parameter | description | default value |
 | -- | -- | -- |
-| replicaCount   | Number of cluster nodes.   |  Default is `4`. |
-| mode.standalone.enabled | RustFS standalone mode support, namely one pod one pvc. | Default is `false` |
-| mode.distributed.enabled | RustFS distributed mode support, namely multiple pod multiple pvc. | Default is `true`. |
-| image.repository  | docker image repository.   |  rustfs/rustfs.  |
-| image.tag | the tag for rustfs docker image | "latest" |
-| secret.rustfs.access_key | RustFS Access Key ID | `rustfsadmin` |
-| secret.rustfs.secret_key | RustFS Secret Key ID | `rustfsadmin` |
-| storageclass.name | The name for StorageClass. | `local-path` |
-| storageclass.dataStorageSize | The storage size for data PVC. | `256Mi` |
-| storageclass.logStorageSize | The storage size for log PVC. | `256Mi` |
-| ingress.className | Specify the ingress class, traefik or nginx. | `nginx` |
+| replicaCount                      | Number of cluster nodes.                                           |  `4`.           |
+| imagePullSecrets                  | Secret to pull image from private registry.                        | `rustfs-regcred`|
+| imageRegistryCredentials.enabled  | To indicate whether pull image from private registry.              | `false`         |
+| imageRegistryCredentials.registry | Private registry url to pull rustfs image.                         | None            |
+| imageRegistryCredentials.username | The username to pull rustfs image from private registry.           | None            |
+| imageRegistryCredentials.password | The password to pull rustfs image from private registry.           | None            |
+| imageRegistryCredentials.email    | The email to pull rustfs image from private registry.              | None            |
+| mode.standalone.enabled           | RustFS standalone mode support, namely one pod one pvc.            | `false`         |
+| mode.distributed.enabled          | RustFS distributed mode support, namely multiple pod multiple pvc. | `true`          |
+| image.repository                  | RustFS docker image repository.                                    | `rustfs/rustfs` |
+| image.tag                         | The tag for rustfs docker image                                    | `latest`        |
+| secret.rustfs.access_key          | RustFS Access Key ID                                               | `rustfsadmin`   |
+| secret.rustfs.secret_key          | RustFS Secret Key ID                                               | `rustfsadmin`   |
+| storageclass.name                 | The name for StorageClass.                                         | `local-path`    |
+| storageclass.dataStorageSize      | The storage size for data PVC.                                     | `256Mi`         |
+| storageclass.logStorageSize       | The storage size for log PVC.                                      | `256Mi`         |
+| ingress.className                 | Specify the ingress class, traefik or nginx.                       | `nginx`         |


-**NOTE**: [`local-path`](https://github.com/rancher/local-path-provisioner) is used by k3s. If you want to use `local-path`, running the command,
+**NOTE**: 

-```
-kubectl apply -f https://raw.githubusercontent.com/rancher/local-path-provisioner/v0.0.32/deploy/local-path-storage.yaml
-```
+- The chart default pull rustfs image from dockerhub,if your rustfs image stores in private registry,you should enable `imageRegistryCredentials.enabled` to `true`,and then specify the `imageRegistryCredentials.registry/username/password/email` as well as `image.repository`,`image.tag` to pull rustfs image from your private registry.
+
+- The default storageclass is [`local-path`](https://github.com/rancher/local-path-provisioner),if you want to specify your own storageclass, try to set parameter `storageclass.name`.
+
+- The default size for data and logs dir is **256Mi** which must satisfy the production usage,you should specify `storageclass.dataStorageSize` and `storageclass.logStorageSize` to change the size, for example, 1Ti for data and  1Gi for logs.

 # Installation

@@ -41,7 +49,7 @@ kubectl apply -f https://raw.githubusercontent.com/rancher/local-path-provisione

 Due to the traefik and ingress has different session sticky/affinity annotations, and rustfs support both those two controller, you should specify parameter `ingress.className` to select the right one which suits for you.

-## Installation with traekfik controller
+## Installation with traefik controller

 If your ingress class is `traefik`, running the command:

@@ -104,4 +112,4 @@ Uninstalling the rustfs installation with command,

 ```
 helm uninstall rustfs -n rustfs
-```
+```
--- a/helm/rustfs/templates/_helpers.tpl
+++ b/helm/rustfs/templates/_helpers.tpl
@@ -71,3 +71,12 @@ Return the secret name
 {{- printf "%s-secret" (include "rustfs.fullname" .) }}
 {{- end }}
 {{- end }}
+
+{{/*
+Return image pull secret content
+*/}}
+{{- define "imagePullSecret" }}
+{{- with .Values.imageRegistryCredentials }}
+{{- printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}}}" .registry .username .password .email (printf "%s:%s" .username .password | b64enc) | b64enc }}
+{{- end }}
+{{- end }}
--- a/helm/rustfs/templates/deployment.yaml
+++ b/helm/rustfs/templates/deployment.yaml
@@ -15,6 +15,10 @@ spec:
      labels:
        app: {{ include "rustfs.name" . }}
    spec:
+      {{- if .Values.imageRegistryCredentials.enabled }}
+      imagePullSecrets:
+        - name: {{ .Values.imagePullSecrets }}
+      {{- end }}
      {{- if .Values.podSecurityContext }}
      securityContext:
      {{- toYaml .Values.podSecurityContext | nindent 12 }}
--- a/helm/rustfs/templates/secret.yaml
+++ b/helm/rustfs/templates/secret.yaml
@@ -8,3 +8,14 @@ data:
  RUSTFS_ACCESS_KEY: {{ .Values.secret.rustfs.access_key | b64enc | quote }}
  RUSTFS_SECRET_KEY: {{ .Values.secret.rustfs.secret_key | b64enc | quote }}
 {{- end }}
+
+---
+{{- if .Values.imageRegistryCredentials.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.imagePullSecrets }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ template "imagePullSecret" . }}
+{{- end }}
--- a/helm/rustfs/templates/statefulset.yaml
+++ b/helm/rustfs/templates/statefulset.yaml
@@ -15,6 +15,10 @@ spec:
      labels:
        app: {{ include "rustfs.name" . }}
    spec:
+      {{- if .Values.imageRegistryCredentials.enabled }}
+      imagePullSecrets:
+        - name: {{ .Values.imagePullSecrets }}
+      {{- end }}
      {{- if .Values.podSecurityContext }}
      securityContext:
      {{- toYaml .Values.podSecurityContext | nindent 12 }}
--- a/helm/rustfs/values.yaml
+++ b/helm/rustfs/values.yaml
@@ -14,7 +14,16 @@ image:
  tag: "latest"

 # This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
-imagePullSecrets: []
+imagePullSecrets: rustfs-regcred
+
+imageRegistryCredentials:
+  enabled: false
+  registry: ""
+  username: ""
+  password: ""
+  email: ""
+
+
 # This is to override the chart name.
 nameOverride: ""
 fullnameOverride: ""