Cleanup: Add new imagePullSecret field to CRD

api/v1alpha1/onload_types.go

@@ -149,6 +149,11 @@ type Spec struct {
 	// ServiceAccountName is the name of the service account that the objects
 	// created by the onload operator will use.
 	ServiceAccountName string `json:"serviceAccountName"`
+
+	// +optional
+	// ImagePullSecret is an optional secret that gets used by the objects
+	// created by the operator when pulling images from container registries.
+	ImagePullSecret *v1.LocalObjectReference `json:"imagePullSecret,omitempty"`
 }
 
 // OnloadStatus defines the observed state of Onload

config/crd/bases/onload.amd.com_onloads.yaml

@@ -89,6 +89,17 @@ spec:
                 x-kubernetes-validations:
                 - message: SetPreload and MountOnload mutually exclusive
                   rule: '!(self.setPreload && self.mountOnload)'
+              imagePullSecret:
+                description: ImagePullSecret is an optional secret that gets used
+                  by the objects created by the operator when pulling images from
+                  container registries.
+                properties:
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      TODO: Add other useful fields. apiVersion, kind, uid?'
+                    type: string
+                type: object
+                x-kubernetes-map-type: atomic
               onload:
                 description: Onload is the specification of the version of onload
                   to be used by this CR

config/samples/onload/base/onload_v1alpha1_onload.yaml

@@ -43,6 +43,8 @@ metadata:
   name: onload
 spec:
   serviceAccountName: onload-operator-sa
+  # imagePullSecret:
+  #   name: secret-name
   selector:
     node-role.kubernetes.io/worker: ""
   onload:

controllers/onload_controller.go

@@ -862,7 +862,8 @@ func createModule(
 					Version:         onload.Spec.Onload.Version,
 				},
 			},
-			Selector: onload.Spec.Selector,
+			ImageRepoSecret: onload.Spec.ImagePullSecret,
+			Selector:        onload.Spec.Selector,
 		},
 	}
 
@@ -1119,6 +1120,7 @@ func (r *OnloadReconciler) createDevicePluginDaemonSet(
 					Labels: dsLabels,
 				},
 				Spec: corev1.PodSpec{
+					ImagePullSecrets:   []corev1.LocalObjectReference{},
 					ServiceAccountName: onload.Spec.ServiceAccountName,
 					Containers: []corev1.Container{
 						devicePluginContainer,
@@ -1156,6 +1158,10 @@ func (r *OnloadReconciler) createDevicePluginDaemonSet(
 		},
 	}
 
+	if onload.Spec.ImagePullSecret != nil {
+		devicePlugin.Spec.Template.Spec.ImagePullSecrets = []corev1.LocalObjectReference{*onload.Spec.ImagePullSecret}
+	}
+
 	err = controllerutil.SetControllerReference(onload, devicePlugin, r.Scheme)
 	if err != nil {
 		log.Error(err, "Failed to set controller reference for Device Plugin")

controllers/onload_controller_test.go

@@ -871,5 +871,27 @@ var _ = Describe("onload controller", func() {
 				"-libMountPath=qux",
 			),
 		)
+
+		It("should pass through imagepullsecret", func() {
+			devicePlugin := appsv1.DaemonSet{}
+			devicePluginName := types.NamespacedName{
+				Name:      onload.Name + "-onload-device-plugin-ds",
+				Namespace: onload.Namespace,
+			}
+
+			onload.Spec.ImagePullSecret = &corev1.LocalObjectReference{Name: "Steven"}
+			Expect(k8sClient.Create(ctx, onload)).To(BeNil())
+
+			Eventually(func() bool {
+				err := k8sClient.Get(ctx, devicePluginName, &devicePlugin)
+				return err == nil
+			}, timeout, pollingInterval).Should(BeTrue())
+
+			Expect(devicePlugin.Spec.Template.Spec.ImagePullSecrets).Should(
+				ContainElement(MatchFields(IgnoreExtras, Fields{
+					"Name": Equal("Steven"),
+				})),
+			)
+		})
 	})
 })