Summary
The operator Helm chart already exposes operator.imagePullSecrets (deploy/charts/operator/values.yaml:27), but that value is consumed only by the operator's own Deployment template (deploy/charts/operator/templates/deployment.yaml:27-28). It does not cascade to the workloads the operator reconciles (MCPServer proxy-runner pods, MCPRegistry pods, VirtualMCPServer pods, EmbeddingServer pods, MCPRemoteProxy pods).
Currently, every CR that pulls from a private registry must specify its own image-pull-secret reference (or rely on the cluster-default ServiceAccount). For deployments where every CR pulls from the same private registry — which is common in an enterprise install of the operator — this is per-CR toil with no DRY mechanism at the operator/chart level.
Proposal
Add a chart value that the operator picks up at startup and applies as a default to every workload it spawns when the corresponding CR doesn't set its own. Suggested shape:
operator:
  # Default image pull secrets applied to all workloads spawned by the operator
  # (proxy-runner, MCPRegistry, VirtualMCPServer, EmbeddingServer, MCPRemoteProxy).
  # Per-CR settings, when present, take precedence.
  defaultImagePullSecrets: []
The chart would render this into the operator Deployment as either an env var (e.g. THV_DEFAULT_IMAGE_PULL_SECRETS=regcred,otherscred) or a mounted ConfigMap, and the operator's reconcilers would consult it as a fallback when constructing each workload's PodSpec and ServiceAccount.
Precedence
When both a chart-level default and a CR-level value are set, the CR-level value should win. Suggested merge: chart-level provides defaults, CR-level appends/overrides (matching how podTemplateSpec already merges in MCPRegistry/VMCP).
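The fallback and precedence described above, sketched in Go as an added example (not the operator's code). It assumes the env var form with comma-separated names, reads "appends/overrides" as a name-keyed union with CR entries first, and uses a local stand-in for corev1.LocalObjectReference; ParseDefaultPullSecrets and MergePullSecrets are hypothetical names.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// LocalObjectReference is a stand-in for corev1.LocalObjectReference (assumption: no k8s modules here).
type LocalObjectReference struct{ Name string }

// Secret names are DNS-1123 subdomains of at most 253 characters.
var dns1123 = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

// ParseDefaultPullSecrets parses the comma-separated env value; blank entries are skipped, bad names fail fast.
func ParseDefaultPullSecrets(raw string) ([]LocalObjectReference, error) {
	var out []LocalObjectReference
	for _, part := range strings.Split(raw, ",") {
		name := strings.TrimSpace(part)
		if name == "" {
			continue
		}
		if len(name) > 253 || !dns1123.MatchString(name) {
			return nil, fmt.Errorf("invalid image pull secret name %q", name)
		}
		out = append(out, LocalObjectReference{Name: name})
	}
	return out, nil
}

// MergePullSecrets keeps CR-level entries first, then adds chart defaults the CR did not already name.
func MergePullSecrets(defaults, fromCR []LocalObjectReference) []LocalObjectReference {
	seen := map[string]bool{}
	var merged []LocalObjectReference
	// Copy before appending so the caller's CR slice is never modified.
	all := append(append([]LocalObjectReference{}, fromCR...), defaults...)
	for _, ref := range all {
		if !seen[ref.Name] {
			seen[ref.Name] = true
			merged = append(merged, ref)
		}
	}
	return merged
}

func main() {
	defaults, _ := ParseDefaultPullSecrets("regcred,otherscred") // constructed sample value
	fmt.Println(MergePullSecrets(defaults, []LocalObjectReference{{Name: "team-a"}}))
}
```

The same merged list would be set on both the workload's PodSpec and its dedicated ServiceAccount, since the proposal names both.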
Why not just use the cluster-default ServiceAccount?
For MCPServer (and ideally MCPRemoteProxy/EmbeddingServer once their gaps are fixed), the operator creates a dedicated ServiceAccount per workload. Pre-populating the namespace's default ServiceAccount with imagePullSecrets does not help, because the spawned pods don't use it.
Related issues
- spec.resourceOverrides.proxyDeployment.imagePullSecrets field (bug)
- podTemplateSpec merge silently drops imagePullSecrets (bug)
- imagePullSecrets field on MCPRegistry and VirtualMCPServer (enhancement)
This chart-level default complements the CR-level fields above; it does not replace them.