feat(chart): add imagePullSecrets support at per-agent and global level

charts/openab/README.md

@@ -13,6 +13,7 @@ This page highlights commonly used values and deployment patterns. For the compl
 | `nameOverride` | Override the chart name portion used in generated resource names. For per-agent resource names, use `agents.<name>.nameOverride`. | `""` |
 | `fullnameOverride` | Override the full generated release name for chart resources. Useful when deploying multiple instances with predictable names. | `""` |
 | `serviceAccountName` | Chart-global ServiceAccount name attached to every agent pod that doesn't define its own. Empty = cluster `default` SA. Per-agent `agents.<name>.serviceAccountName` fully overrides this. Chart references an existing SA only — does not create one. Required for workload identity and pod-level RBAC. | `""` |
+| `imagePullSecrets` | Chart-global image pull secrets attached to every agent pod that doesn't define its own. Per-agent `agents.<name>.imagePullSecrets` fully overrides this. | `[]` |
 
 ### Agent values
 
@@ -53,6 +54,7 @@ Each agent lives under `agents.<name>`.
 | `persistence.existingClaim` | Reuse an existing PVC instead of creating one. | `""` |
 | `agentsMd` | Contents of `AGENTS.md` mounted into the working directory. | `""` |
 | `serviceAccountName` | Per-agent ServiceAccount name. When set (non-empty), fully overrides chart-global `serviceAccountName`. Useful when only some agents need a dedicated SA. | `""` |
+| `imagePullSecrets` | Per-agent image pull secrets. When set, fully overrides chart-global `imagePullSecrets`. Useful when only some agents pull from a private registry. | `[]` |
 | `extraInitContainers` | Additional init containers for the agent pod. | `[]` |
 | `extraContainers` | Additional sidecar containers for the agent pod. | `[]` |
 | `extraVolumeMounts` | Additional volume mounts for the main agent container. | `[]` |

charts/openab/templates/deployment.yaml

@@ -33,6 +33,10 @@ spec:
       {{- if $svcAcct }}
       serviceAccountName: {{ $svcAcct }}
       {{- end }}
+      {{- with (default $.Values.imagePullSecrets $cfg.imagePullSecrets) }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       {{- with $cfg.extraInitContainers }}
       initContainers:
         {{- toYaml . | nindent 8 }}

charts/openab/tests/imagepullsecrets_test.yaml

@@ -0,0 +1,64 @@
+suite: imagePullSecrets support (chart-global + per-agent override)
+templates:
+  - templates/deployment.yaml
+
+tests:
+  - it: does not render imagePullSecrets when neither global nor per-agent is set
+    asserts:
+      - notExists:
+          path: spec.template.spec.imagePullSecrets
+
+  - it: renders chart-global imagePullSecrets when only the global value is set
+    set:
+      imagePullSecrets:
+        - name: regcred
+    asserts:
+      - equal:
+          path: spec.template.spec.imagePullSecrets
+          value:
+            - name: regcred
+
+  - it: renders per-agent imagePullSecrets when only the per-agent value is set
+    set:
+      agents.kiro.imagePullSecrets:
+        - name: kiro-regcred
+    asserts:
+      - equal:
+          path: spec.template.spec.imagePullSecrets
+          value:
+            - name: kiro-regcred
+
+  - it: per-agent imagePullSecrets fully overrides chart-global (no merge)
+    set:
+      imagePullSecrets:
+        - name: global-regcred
+      agents.kiro.imagePullSecrets:
+        - name: kiro-regcred
+    asserts:
+      - equal:
+          path: spec.template.spec.imagePullSecrets
+          value:
+            - name: kiro-regcred
+
+  - it: falls back to chart-global when per-agent imagePullSecrets is an empty list
+    set:
+      imagePullSecrets:
+        - name: global-regcred
+      agents.kiro.imagePullSecrets: []
+    asserts:
+      - equal:
+          path: spec.template.spec.imagePullSecrets
+          value:
+            - name: global-regcred
+
+  - it: supports multiple secrets in the list
+    set:
+      imagePullSecrets:
+        - name: regcred-a
+        - name: regcred-b
+    asserts:
+      - equal:
+          path: spec.template.spec.imagePullSecrets
+          value:
+            - name: regcred-a
+            - name: regcred-b

charts/openab/values.yaml

@@ -20,6 +20,14 @@ fullnameOverride: ""
 # serviceAccountName: "openab"
 serviceAccountName: ""
 
+# Chart-global image pull secrets, used when an agent doesn't set its own
+# `imagePullSecrets`. Per-agent values (agents.<name>.imagePullSecrets) take
+# precedence — when set, they fully override (do not merge with) this list.
+# Example:
+# imagePullSecrets:
+#   - name: regcred
+imagePullSecrets: []
+
 podSecurityContext:
   runAsNonRoot: true
   runAsUser: 1000
@@ -420,6 +428,12 @@ agents:
     # multi-agent deployments where only some agents need a dedicated SA.
     # serviceAccountName: "openab"
     serviceAccountName: ""
+    # Per-agent image pull secrets. When set, overrides the chart-global
+    # `imagePullSecrets` for this agent only. Useful in multi-agent deployments
+    # where only some agents pull from a private registry.
+    # imagePullSecrets:
+    #   - name: regcred
+    imagePullSecrets: []
     # extraInitContainers adds init containers to the pod (runs before the main container)
     extraInitContainers: []
     # extraContainers adds sidecar containers to the pod