Keel not detecting imagePullSecrets in k8s service accounts

[egmar]

As per https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account one can define a service account and associate imagePullSecrets with it, then specify the service account in pod spec. In result, when Kubernetes creates the pod, it would create the pod with imagePullSecrets defined in service account.

From brief investigation, it looks like Keel ignore this, and doesn't use the imagePullSecrets defined in a service account.

keel/internal/k8s/resource.go

Lines 248 to 261 in ebe0206

	// GetImagePullSecrets - returns secrets from pod spec
	func (r *GenericResource) GetImagePullSecrets() (secrets []string) {
	switch obj := r.obj.(type) {
	case *apps_v1.Deployment:
	return getImagePullSecrets(obj.Spec.Template.Spec.ImagePullSecrets)
	case *apps_v1.StatefulSet:
	return getImagePullSecrets(obj.Spec.Template.Spec.ImagePullSecrets)
	case *apps_v1.DaemonSet:
	return getImagePullSecrets(obj.Spec.Template.Spec.ImagePullSecrets)
	case *v1beta1.CronJob:
	return getImagePullSecrets(obj.Spec.JobTemplate.Spec.Template.Spec.ImagePullSecrets)
	}
	return
	}

It would be very useful, if this can be added, as keeping track of multiple places to define imagePullSecrets may lead to human errors.

[chrismith-equinix]

@egmar - Noticing the same issue. I have tried adding the imagePullSecrets to the Deployment itself, but still facing the same issue. The secret is also in the same namespace that keel is running in. Is there a workaround?

apiVersion: apps/v1
kind: Deployment
metadata:
  name: keel
  namespace: mynamespace
  labels:
    app: keel
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keel
  template:
    metadata:
      labels:
        app: keel
    spec:
      serviceAccountName: keel
      imagePullSecrets: 
      - name: mysecret
      containers:
      - name: keel
        image: "keelhq/keel:latest"
    ....