render imagePullSecrets in Deployment/StatefulSet (#1130)

Signed-off-by: czaloumis <80974398+czaloumis@users.noreply.github.com>
2026-01-16 17:20:33 +00:00 · 2025-12-13 05:23:35 +02:00
parent 08be8f5472
commit 1229fddb5d
6 changed files with 47 additions and 8 deletions
--- a/helm/README.md
+++ b/helm/README.md
@@ -14,7 +14,7 @@ RustFS helm chart supports **standalone and distributed mode**. For standalone m
 | parameter | description | default value |
 | -- | -- | -- |
 | replicaCount                      | Number of cluster nodes.                                           |  `4`.           |
-| imagePullSecrets                  | Secret to pull image from private registry.                        | `rustfs-regcred`|
+| imagePullSecrets                  | A List of secrets to pull image from private registry.             | `name: secret-name`|
 | imageRegistryCredentials.enabled  | To indicate whether pull image from private registry.              | `false`         |
 | imageRegistryCredentials.registry | Private registry url to pull rustfs image.                         | None            |
 | imageRegistryCredentials.username | The username to pull rustfs image from private registry.           | None            |
@@ -34,7 +34,27 @@ RustFS helm chart supports **standalone and distributed mode**. For standalone m

 **NOTE**: 

- The chart default pull rustfs image from dockerhub,if your rustfs image stores in private registry,you should enable `imageRegistryCredentials.enabled` to `true`,and then specify the `imageRegistryCredentials.registry/username/password/email` as well as `image.repository`,`image.tag` to pull rustfs image from your private registry.
+The chart pulls the rustfs image from Docker Hub by default. For private registries, provide either:
+
+- **Existing secrets**: Set `imagePullSecrets` with an array of secret names
+  ```yaml
+  imagePullSecrets:
+    - name: my-existing-secret
+  ```
+
+- **Auto-generated secret**: Enable `imageRegistryCredentials.enabled: true` and specify credentials plus your image details
+  ```yaml
+  imageRegistryCredentials:
+    enabled: true
+    registry: myregistry.com
+    username: myuser
+    password: mypass
+    email: user@example.com
+  ```
+
+Both approaches support pulling from private registries seamlessly and you can also combine them.
+
+- The chart default pull rustfs image from dockerhub, if your rustfs image stores in private registry, you can use either existing image Pull secrets with parameter `imagePullSecrets` or create one setting `imageRegistryCredentials.enabled` to `true`,and then specify the `imageRegistryCredentials.registry/username/password/email` as well as `image.repository`,`image.tag` to pull rustfs image from your private registry.

 - The default storageclass is [`local-path`](https://github.com/rancher/local-path-provisioner),if you want to specify your own storageclass, try to set parameter `storageclass.name`.

--- a/helm/rustfs/templates/_helpers.tpl
+++ b/helm/rustfs/templates/_helpers.tpl
@@ -80,3 +80,22 @@ Return image pull secret content
 {{- printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}}}" .registry .username .password .email (printf "%s:%s" .username .password | b64enc) | b64enc }}
 {{- end }}
 {{- end }}
+
+{{/*
+Return the default imagePullSecret name
+*/}}
+{{- define "rustfs.imagePullSecret.name" -}}
+{{- printf "%s-registry-secret" (include "rustfs.fullname" .) }}
+{{- end }}
+
+{{/*
+Render imagePullSecrets for workloads - appends registry secret
+*/}}
+{{- define "chart.imagePullSecrets" -}}
+{{- $secrets := .Values.imagePullSecrets | default list }}
+{{- if .Values.imageRegistryCredentials.enabled }}
+{{- $secrets = append $secrets (dict "name" (include "rustfs.imagePullSecret.name" .)) }}
+{{- end }}
+{{- toYaml $secrets }}
+{{- end }}
+
--- a/helm/rustfs/templates/deployment.yaml
+++ b/helm/rustfs/templates/deployment.yaml
@@ -15,9 +15,9 @@ spec:
      labels:
        app: {{ include "rustfs.name" . }}
    spec:
-      {{- if .Values.imageRegistryCredentials.enabled }}
+      {{- with include "chart.imagePullSecrets" . }}
      imagePullSecrets:
-        - name: {{ .Values.imagePullSecrets }}
+        {{- . | nindent 8 }}
      {{- end }}
      {{- if .Values.podSecurityContext }}
      securityContext:
--- a/helm/rustfs/templates/secret.yaml
+++ b/helm/rustfs/templates/secret.yaml
@@ -14,7 +14,7 @@ data:
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Values.imagePullSecrets }}
+  name: {{ include "rustfs.imagePullSecret.name" . }}
 type: kubernetes.io/dockerconfigjson
 data:
  .dockerconfigjson: {{ template "imagePullSecret" . }}
--- a/helm/rustfs/templates/statefulset.yaml
+++ b/helm/rustfs/templates/statefulset.yaml
@@ -15,9 +15,9 @@ spec:
      labels:
        app: {{ include "rustfs.name" . }}
    spec:
-      {{- if .Values.imageRegistryCredentials.enabled }}
+      {{- with include "chart.imagePullSecrets" . }}
      imagePullSecrets:
-        - name: {{ .Values.imagePullSecrets }}
+        {{- . | nindent 8 }}
      {{- end }}
      {{- if .Values.podSecurityContext }}
      securityContext:
--- a/helm/rustfs/values.yaml
+++ b/helm/rustfs/values.yaml
@@ -14,7 +14,7 @@ image:
  tag: "latest"

 # This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
-imagePullSecrets: rustfs-regcred
+imagePullSecrets: []

 imageRegistryCredentials:
  enabled: false