How to get secret for custom Spilo image?

[okolesnykovvs]

Right now it's possible to specify docker_image to use custom Spilo image, like documentation says:

docker_image Spilo docker image for postgres instances. For production, don't rely on the default image, as it might be not the most up-to-date one. Instead, build your own Spilo image from the github repository.

But we can't specify secret for the custom image. So when I configure like:
docker_image: private_registry/company/spilo-cdp-10:1.5-p35
it fails to fetch image from the private registry.

Looking into source code - https://github.com/zalando/postgres-operator/blob/master/pkg/util/config/config.go#L78
There is no option to specify secret too.

[alexeyklyukin]

Hm... can't you set imagePullSecrets for your service account instead?

[okolesnykovvs]

@alexeyklyukin , tried to set it, but does not help. Anyway such option will not cover case if we use few registries.

[alexeyklyukin]

@okolesnykovvs did you also specify the service account you've attached your secrets to in the pod_service_account_name option of the operator configuration?

You can deal with multiple registries as well by creating multiple service accounts. It's also questionable whether one really need a single operator managing Postgres pods that run images from multiple private registries

[knan-nrk]

We would also like to set imagePullSecrets for use of a custom spilo. It's more convenient if postgres-operator can set it on the serviceaccount when it is deploying the serviceaccount and cluster, instead of the cluster creation stalling until we edit the service account in the target namespace.
Precreating the serviceaccount with the right addon in all namespaces is of course an option but not very agile. ;)

[knan-nrk]

All right. I've been testing a bit, and for us using a custom pod_service_account_definition with the imagePullSecret set works and is good enough. Like @alexeyklyukin suggested. It's then added to the serviceaccount on creation.

In the configmap:
pod_service_account_definition: '{ "apiVersion": "v1", "kind": "ServiceAccount", "metadata": { "name": "zalando-postgres-operator" }, "imagePullSecrets": [ { "name": "my-fine-secret" } ] }'

[FxKu]

Thanks @knan-nrk for the tests. This answers the question. I'll have a look where to add this explanation to the docs.

[jiandanshifu]

@alexeyklyukin
How to set parameters of "imagePullSecrets"？

[deepd]

The following worked for me:

apiVersion: "acid.zalan.do/v1"
kind: OperatorConfiguration
metadata:
  name: postgresql-operator-config
  namespace: myNamespace
configuration:
  kubernetes:
    pod_service_account_name: postgres-pod
    pod_service_account_definition: '
      {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {
          "name": "postgres-pod"
        },
        "imagePullSecrets": [
          {
            "name": "SECRET_NAME"
          }
        ]
      }'

[tpo]

@knan-nrk :

All right. I've been testing a bit, and for us using a custom pod_service_account_definition with the imagePullSecret set works and is good enough. Like @alexeyklyukin suggested. It's then added to the serviceaccount on creation.

In the configmap: pod_service_account_definition: '{ "apiVersion": "v1", "kind": "ServiceAccount", "metadata": { "name": "zalando-postgres-operator" }, "imagePullSecrets": [ { "name": "my-fine-secret" } ] }'

I did that and nothing happened. What do I need to do after adding this to the config map? I even redeployed all the definitions and it still didn't wind up in the pods.

(I added imagePullSecrets to the StatefulSet for the cluster after which it was picked up, however that's only a temporary hack)

[tpo]

@FxKu

Thanks @knan-nrk for the tests. This answers the question. I'll have a look where to add this explanation to the docs.

As far as I can see no mention of this landed in the docs?

[pieveee]

@tpo Have you tried it this way:

pod_service_account_definition: '{"apiVersion": "v1","imagePullSecrets":[{"name": "my-registry.example.com-cred"}],"kind": "ServiceAccount","metadata":{"name": "postgres-pod"}}'

When you look closely, a ServiceAccount postgres-pod is created as soon as the cluster manifest (e.g. minimal-postgres-manifest.yaml) is applied to K8s.

The ServiceAccount can be examined with kubectl -n <namespace_where_your_pg_cluster_is_created> get serviceaccount postgres-pod -o json

{
    "apiVersion": "v1",
    "imagePullSecrets": [
        {
            "name": "my-fine-secret"
        }
    ],
    "kind": "ServiceAccount",
    "metadata": {
        "creationTimestamp": "2022-05-03T08:54:27Z",
        "name": "postgres-pod",
        "namespace": "postgres-operator-tst",
        "resourceVersion": "32177027",
        "uid": "d3de63f6-d96c-4c24-8311-0ff500c3baaf"
    },
    "secrets": [
        {
            "name": "postgres-pod-token-s5g6z"
        }
    ]
}

Otherwise you could patch the ServiceAccount in hindsight:
kubectl -n <namespace_where_your_pg_cluster_is_created> patch serviceaccount postgres-pod -p '{"imagePullSecrets": [{"name": "my-fine-secret"}]}'

[tpo]

thanks a lot for your instructions @pieveee - I have moved on and am currently unable to verify them - however - let's hope other people looking for help will find the instructions - thanks a lot @pieveee !

[tpo]

@pieveee : I've tried setting:

$ cat configmap.yml
apiVersion: v1
kind: ConfigMap
metadata:
  name: postgres-operator
data:
[...]
pod_service_account_definition: '{"apiVersion":"v1","kind":"ServiceAccount","metadata":{"name":"postgres-pod"},"imagePullSecrets":[{ "name":"regcreds"}]}'

however the StatefulSet won't receive the regcreds.

Do I need to restart anything? I did restart the operator.

?

I'm currently running postgres-operator:v1.8.1.

[pieveee]

@tpo Looks like the approach with ConfigMap doesn't work properly. Try to patch the ServiceAccount immediately after you have deployed the postgresql manifest:

kubectl -n NAMESPACE patch serviceaccount postgres-pod -p '{"imagePullSecrets": [{"name": "SECRET_NAME"}]}'

[tpo]

@tpo Looks like the approach with ConfigMap doesn't work properly. Try to patch the ServiceAccount immediately after you have deployed the postgresql manifest:

kubectl -n NAMESPACE patch serviceaccount postgres-pod -p '{"imagePullSecrets": [{"name": "SECRET_NAME"}]}'

That seems to be working, thanks a lot @pieveee !!!

[BigGithubFan]

Hi Pieveee, I understand that there are two places need to be replaced by the actual value: NAMESPACE and "SECRET_NAME". Could you elaborate which actual value should replace "SECRET_NAME"? Is that the value inside $HOME/.docker/config.json, for example:
{
"auths": {
"https://index.docker.io/v1/": {
"auth": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
}
}

I assume the actual value in "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" should replace "SECRET_NAME" in the kubectl command, is my understanding correct?