feat(chart): add imagePullSecrets support at per-agent and global level

[antigenius0910]

Summary

• Adds imagePullSecrets at both chart-global ($.Values.imagePullSecrets) and per-agent (agents.<name>.imagePullSecrets) level
• Per-agent value wins when set; otherwise falls back to chart-global. Both empty preserves current behaviour (no imagePullSecrets field rendered) — zero impact on existing users
• Enables multi-agent deployments where only some agents pull from a private registry, without forcing pull credentials onto every pod
• Follows the same per-agent K8s-native secrets pattern as PR feat(openab): add existingSecret support for Slack agent credentials #901 (slack.existingSecret)

Closes #910

Discord discussion: https://discord.com/channels/1491295327620169908/1491365157010542652/1507675217827201106

Changes

File	Purpose
charts/openab/values.yaml	Add chart-global imagePullSecrets: [] + per-agent imagePullSecrets: [] on the kiro agent
charts/openab/templates/deployment.yaml	Render imagePullSecrets between securityContext and initContainers using default $.Values.imagePullSecrets $cfg.imagePullSecrets
charts/openab/README.md	Document both values in the Common Values tables
charts/openab/tests/imagepullsecrets_test.yaml	6 helm-unittest cases covering default / global-only / per-agent-only / per-agent-wins-over-global / empty-list-falls-back / multi-secret

Test plan

• helm unittest charts/openab — all 113 tests pass (6 new + 107 existing)
• helm lint charts/openab — clean
• helm template testrelease charts/openab --set 'imagePullSecrets[0].name=regcred' renders imagePullSecrets at pod spec level
• helm template with no values set renders no imagePullSecrets field (backwards-compat verified)

Why not ServiceAccount imagePullSecrets?

The chart doesn't create a serviceAccountName-bound SA per agent, so operators can't reliably attach pull secrets to the right SA without touching cluster state outside the chart. Keeping the value in the chart makes it explicit, per-agent, and chart-managed.

[shaun-agent]

OpenAB PR Screening

This is auto-generated by the OpenAB project-screening flow for context collection and reviewer handoff.
Click 👍 if you find this useful. Human review will be done within 24 hours. We appreciate your support and contribution 🙏

• Title: feat(chart): add imagePullSecrets support at per-agent and global level
• Source: feat(chart): add imagePullSecrets support at per-agent and global level #911
• Status: moved to PR-Screening
• Generated at: 2026-05-23T12:04:15.869Z
• Discord thread: not available

Screening report

screening pass complete for PR #911.

GitHub comment: #911 (comment)
Project action: moved item PVTI_lADOEFbZWM4BUUALzgtmU0g from Incoming to PR-Screening in https://github.com/orgs/openabdev/projects/1

Intent

Add Helm support for Kubernetes imagePullSecrets so OpenAB agents can pull images from private registries without cluster-side manual setup or credentials applied to every pod.

Feat

Feature work. Adds global imagePullSecrets plus per-agent agents.<name>.imagePullSecrets; per-agent values win, empty defaults render no field.

Who It Serves

Deployers and agent runtime operators running Helm installs with private or mixed public/private agent images.

Rewritten Prompt

Add chart-global and per-agent image pull secret values. Render spec.imagePullSecrets only when the effective list is non-empty, document precedence, and cover default, global, per-agent, override, empty-list fallback, and multi-secret cases with helm-unittest. Verify helm lint, helm unittest, and representative helm template output.

Merge Pitch

Low-risk chart ergonomics with backward-compatible defaults. Main review concern: whether explicit per-agent [] should inherit global secrets, as implemented, or intentionally disable them for that agent.

Best-Practice Comparison

OpenClaw and Hermes Agent scheduling patterns do not apply; this is Helm/Kubernetes pod configuration, not gateway scheduling or durable job execution. Relevant practice is stable chart defaults, narrow overrides, clear precedence, and rendered-YAML tests.

Implementation Options

1. Conservative: merge current pod-level rendering and fallback semantics. Fastest, smallest scope.
2. Balanced: treat undefined per-agent value as inherit, but explicit [] as disable. Better operator control.
3. Ambitious: add optional per-agent service account imagePullSecrets later. More flexible, larger chart surface.

Comparison Table

Option	Speed	Complexity	Reliability	Maintainability	User Impact	Fit for OpenAB now
Conservative	High	Low	High	High	Good	Strong if fallback is intended
Balanced	Medium	Medium	High	High	Best	Stronger if opt-out matters
Ambitious	Low	High	Medium	Medium	Highest	Follow-up material

Recommendation

Move this to review and ask one focused question: should explicit per-agent imagePullSecrets: [] inherit the global value or disable pull secrets for that agent? If inherit is intended, merge the conservative path; otherwise adjust to the balanced semantics before merge.