Ability to provide imagepullsecrets for postgres cluster CRD #2721

Closed
Falcondevils opened this issue Aug 7, 2024 · 4 comments


Falcondevils commented Aug 7, 2024

Please, answer some short questions which should help us to understand your problem / question better?

  • Which image of the operator are you using? e.g. ghcr.io/zalando/postgres-operator:v1.12.2
  • Where do you run it - cloud or metal? Kubernetes or OpenShift? AWS EKS 1.29
  • Are you running Postgres Operator in production? no
  • Type of issue? feature request

I have found serious critical/high severity CVEs in the zalando spilo image as it's using Ubuntu 22.04. I see the issue posted on the spilo issue page: zalando/spilo#982
However, it seems that it's not a priority for the team to fix it.

So I wanted to fork the spilo repo, try it myself privately to modify and use it privately. Once I am successful, I would like to contribute to the project as well.
However, I then do not see an imagepullsecrets field for the postgres CRD.
Without this, I won't be able to use a custom private spilo image with the operator.

So can someone add the feature to add an imagePullSecrets field for postgres CRDs?


teimyBr commented Aug 9, 2024

postgres-operator:
  configKubernetes:
    pod_service_account_definition: |
      {
        "apiVersion": "v1",
        "imagePullSecrets": [
          {
            "name": "hello-registry"
          }
        ],
        "kind": "ServiceAccount",
        "metadata": {
          "name": "postgres-pod"
        }
      }
    secret_name_template: "{username}.{cluster}"
  imagePullSecrets:
  - name: hello-registry

This is possible; we are using this with image pull secrets.
configKubernetes: for the Postgres pods
imagePullSecrets: for the operator

@Falcondevils
Author

Do the operator and the postgres cluster need to be in the same namespace for this to work, as the postgres-pod service account will be in the namespace where the postgres cluster is present?


teimyBr commented Aug 9, 2024

The image pull secret must be in every namespace.
We are using Kyverno here to copy the secret everywhere it is needed, with a ClusterPolicy.

So the operator and the PG database can live where you want. The reason behind this service account is that it gets created by the postgres operator, so it will apply this to every postgresql resource.
And when you have the image pull secret in the service account, you do not have to specify the pull secret for every container in your pod.

The only negative thing: you cannot use 2 different private registries for 2 containers in a pod.
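
A sketch of the kind of Kyverno ClusterPolicy the comment above describes, added here as an example; it is not the commenter's policy and not part of the postgres-operator project. The secret name `hello-registry` comes from the thread, while the source namespace `registry-secrets`, the policy name and the `postgres-pull-secret` namespace label are assumptions. Limiting the copy to labelled namespaces keeps the registry credential out of namespaces that never run Postgres pods.

```yaml
# Added example: clone the pull secret into namespaces that host Postgres clusters.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: sync-postgres-pull-secret        # assumed policy name
spec:
  rules:
    - name: clone-hello-registry
      match:
        any:
          - resources:
              kinds:
                - Namespace
              # Assumption: only namespaces carrying this label receive the
              # secret. Remove the selector to copy it into every namespace.
              selector:
                matchLabels:
                  postgres-pull-secret: "true"
      generate:
        apiVersion: v1
        kind: Secret
        name: hello-registry             # name used in pod_service_account_definition
        namespace: "{{request.object.metadata.name}}"
        # Keep the copies in step with the source secret, e.g. after a
        # credential rotation.
        synchronize: true
        clone:
          namespace: registry-secrets    # assumed namespace holding the source secret
          name: hello-registry
```

The source secret should hold a pull-only registry credential, since anyone who can read secrets in a target namespace can read the copy.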

@Falcondevils
Author

Thanks a lot for the response and linking the issues. I was able to use the suggestion to use imagepullsecrets for spilo image.
