EV-6336: feat(istio): waypoint pull secret support for private registries#4483
Merged
electricjesus merged 5 commits intomasterfrom Apr 14, 2026
Merged
EV-6336: feat(istio): waypoint pull secret support for private registries#4483electricjesus merged 5 commits intomasterfrom
electricjesus merged 5 commits intomasterfrom
Conversation
electricjesus
changed the title
caseydavenport
requested changes
Mar 4, 2026
Member
caseydavenport
left a comment
caseydavenport
left a comment
There was a problem hiding this comment.
Couple of minor comments, but overall looking good.
caseydavenport
approved these changes
Apr 14, 2026
Add ImagePullSecrets field to GlobalConfig and populate it from Installation pull secrets when rendering istiod Helm values. This makes istiod inject imagePullSecrets references into waypoint pod specs it creates, enabling image pulls from private registries.
Add a new controller that watches for istio-waypoint Gateway resources and copies pull secrets from the operator namespace to waypoint namespaces. This ensures waypoint pods can pull images from private registries. Secrets are tracked with a label for cleanup when gateways are removed or the Istio CR is deleted.
…et cleanup Replace manual cleanupAllSecrets/cleanupStaleSecrets methods with a single NewPassthrough(toCreate, toDelete) call. This follows the existing codebase pattern for managing object lifecycle through the component handler. The explicit len(pullSecrets)==0 early return is removed — the mainline reconcile logic now handles this naturally: when no secrets are needed, toCreate is empty and all existing labeled secrets flow into toDelete. Also expand the WaypointPullSecretLabel comment to explain why labels are used instead of owner references (cross-namespace cleanup needs).
Staleness check previously keyed on namespace only, so renaming a pull secret (e.g. secret-a → secret-b) left the old copy behind. Switch to NamespacedName keys built from the desired set. Also skip copying to the operator namespace to avoid overwriting source secrets, and rename controller files per review feedback.
electricjesus
force-pushed
the
worktree-graceful-wobbling-squirrel
branch
from
71abc7a to
6959b27
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Jira: EV-6336
When users create an Istio waypoint Gateway (
gatewayClassName: istio-waypoint) in their namespace, istiod automatically creates a waypoint Deployment there. On clusters with private registries (like AKS withgcr.io/unique-caldron-775), the waypoint pod fails withImagePullBackOffbecause the pull secret only exists in the operator namespace and istiod doesn't injectimagePullSecretsinto waypoint pod specs.This PR fixes the issue with two changes:
Part 1: Pass imagePullSecrets to istiod via Helm values
ImagePullSecretsfield toGlobalConfigin the Istio render packageglobal.imagePullSecretsin istiod Helm values from Installation pull secretsimagePullSecretsreferences into waypoint pod specs it createsPart 2: New waypoint sub-controller
istio-waypointGateway resources across all namespacesoperator.tigera.io/istio-waypoint-pull-secretlabel for cleanupBoth parts are no-ops when no pull secrets are configured (
omitempty/ early return).Testing:
Components affected:
pkg/render/istio,pkg/controller/istio,internal/controllerRelease Note
For PR author
make gen-filesmake gen-versions