gravitational · webvictim · Apr 3, 2023 · Mar 31, 2023 · Apr 1, 2023 · Apr 1, 2023
diff --git a/docs/pages/reference/helm-reference/teleport-cluster.mdx b/docs/pages/reference/helm-reference/teleport-cluster.mdx
@@ -1956,6 +1956,30 @@ Allows the `imagePullPolicy` for any pods created by the chart to be overridden.
   </TabItem>
 </Tabs>
 
+## `imagePullSecrets`
+
+| Type   | Default value |
+|--------|---------------|
+| `list` | `[]`          |
+
+[Kubernetes reference](https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod)
+
+A list of secrets containing authorization tokens which can be optionally used to access a private Docker registry.
+
+<Tabs>
+  <TabItem label="values.yaml">
+  ```yaml
+  imagePullSecrets:
+  - name: my-docker-registry-key
+  ```
+  </TabItem>
+  <TabItem label="--set">
+  ```shell
+  --set "imagePullSecrets[0].name=my-docker-registry-key"
+  ```
+  </TabItem>
+</Tabs>
+
 ## `initContainers`
 
 | Type   | Default value |

diff --git a/examples/chart/teleport-cluster/.lint/imagepullsecrets.yaml b/examples/chart/teleport-cluster/.lint/imagepullsecrets.yaml
@@ -0,0 +1,4 @@
+clusterName: test-standalone-cluster
+chartMode: standalone
+imagePullSecrets:
+- name: myRegistryKeySecretName
diff --git a/examples/chart/teleport-cluster/templates/auth/deployment.yaml b/examples/chart/teleport-cluster/templates/auth/deployment.yaml
@@ -87,6 +87,10 @@ spec:
 {{- if $auth.tolerations }}
       tolerations: {{- toYaml $auth.tolerations | nindent 6 }}
 {{- end }}
+{{- if $auth.imagePullSecrets }}
+      imagePullSecrets:
+  {{- toYaml $auth.imagePullSecrets | nindent 6 }}
+{{- end }}
 {{- if $auth.initContainers }}
       initContainers:
   {{- range $initContainer := $auth.initContainers }}

diff --git a/examples/chart/teleport-cluster/templates/proxy/deployment.yaml b/examples/chart/teleport-cluster/templates/proxy/deployment.yaml
@@ -93,6 +93,10 @@ spec:
 {{- end }}
 {{- if $proxy.tolerations }}
       tolerations: {{- toYaml $proxy.tolerations | nindent 6 }}
+{{- end }}
+{{- if $proxy.imagePullSecrets }}
+      imagePullSecrets:
+  {{- toYaml $proxy.imagePullSecrets | nindent 6 }}
 {{- end }}
       initContainers:
         # wait-auth-update is responsible for holding off the proxy rollout until all auths are running the

diff --git a/examples/chart/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap b/examples/chart/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap
@@ -127,6 +127,9 @@ should set affinity when set in values:
             operator: In
             values:
             - teleport
+should set imagePullSecrets when set in values:
+  1: |
+    - name: myRegistryKeySecretName
 should set nodeSelector when set in values:
   1: |
     affinity:

diff --git a/examples/chart/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap b/examples/chart/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap
@@ -51,6 +51,9 @@ should set affinity when set in values:
             operator: In
             values:
             - teleport
+should set imagePullSecrets when set in values:
+  1: |
+    - name: myRegistryKeySecretName
 should set nodeSelector when set in values:
   1: |
     affinity:

diff --git a/examples/chart/teleport-cluster/tests/auth_deployment_test.yaml b/examples/chart/teleport-cluster/tests/auth_deployment_test.yaml
@@ -325,6 +325,17 @@ tests:
             name: SOME_ENVIRONMENT_VARIABLE
             value: "some-value"
 
+  - it: should set imagePullSecrets when set in values
+    template: auth/deployment.yaml
+    values:
+      - ../.lint/imagepullsecrets.yaml
+    asserts:
+      - equal:
+          path: spec.template.spec.imagePullSecrets[0].name
+          value: myRegistryKeySecretName
+      - matchSnapshot:
+          path: spec.template.spec.imagePullSecrets
+
   - it: should provision initContainer correctly when set in values
     template: auth/deployment.yaml
     values:

diff --git a/examples/chart/teleport-cluster/tests/proxy_deployment_test.yaml b/examples/chart/teleport-cluster/tests/proxy_deployment_test.yaml
@@ -343,6 +343,17 @@ tests:
             name: SOME_ENVIRONMENT_VARIABLE
             value: "some-value"
 
+  - it: should set imagePullSecrets when set in values
+    template: proxy/deployment.yaml
+    values:
+      - ../.lint/imagepullsecrets.yaml
+    asserts:
+      - equal:
+          path: spec.template.spec.imagePullSecrets[0].name
+          value: myRegistryKeySecretName
+      - matchSnapshot:
+          path: spec.template.spec.imagePullSecrets
+
   - it: should provision initContainer correctly when set in values
     template: proxy/deployment.yaml
     values:

diff --git a/examples/chart/teleport-cluster/values.schema.json b/examples/chart/teleport-cluster/values.schema.json
@@ -614,6 +614,11 @@
             "type": "string",
             "default": "public.ecr.aws/gravitational/teleport-ent"
         },
+        "imagePullSecrets": {
+            "$id": "#/properties/imagePullSecrets",
+            "type": "array",
+            "default": []
+        },
         "logLevel": {
             "$id": "#/properties/logLevel",
             "type": "string",

diff --git a/examples/chart/teleport-cluster/values.yaml b/examples/chart/teleport-cluster/values.yaml
@@ -434,6 +434,8 @@ tls:
 image: public.ecr.aws/gravitational/teleport
 # Enterprise version of the image
 enterpriseImage: public.ecr.aws/gravitational/teleport-ent
+# Optional array of imagePullSecrets, to use when pulling from a private registry
+imagePullSecrets: []
 # Teleport logging configuration
 log:
   # Log level for the Teleport process.