From f22e62715daf1c7c75d37e9de9d54e1258e5b6c8 Mon Sep 17 00:00:00 2001
From: ddl-ebrown <ethan.brown@dominodatalab.com>
Date: Wed, 31 Jan 2024 15:52:48 -0800
Subject: [PATCH] Flyte-core add missing imagePullSecrets support

 - The console doesn't have / need a ServiceAccount, but it still needs
   credentials to be able to pull image from security registries

   Add a new imagePullSecrets value for that

 - The webhook ServiceAccount didn't have the correct imagePullSecrets
   set, so similarly could not pull images from security registries.
   Use the propeller settings

Signed-off-by: ddl-ebrown <ethan.brown@dominodatalab.com>
---
 charts/flyte-core/README.md                         | 1 +
 charts/flyte-core/templates/console/deployment.yaml | 4 ++++
 charts/flyte-core/templates/propeller/webhook.yaml  | 3 +++
 charts/flyte-core/values.yaml                       | 2 ++
 4 files changed, 10 insertions(+)

diff --git a/charts/flyte-core/README.md b/charts/flyte-core/README.md
index 5ccb9f60f0..326c67f19d 100644
--- a/charts/flyte-core/README.md
+++ b/charts/flyte-core/README.md
@@ -195,6 +195,7 @@ helm install gateway bitnami/contour -n flyte
 | flyteconsole.image.pullPolicy | string | `"IfNotPresent"` |  |
 | flyteconsole.image.repository | string | `"cr.flyte.org/flyteorg/flyteconsole"` | Docker image for Flyteconsole deployment |
 | flyteconsole.image.tag | string | `"v1.10.2"` |  |
+| flyteconsole.imagePullSecrets | list | `[]` | ImagePullSecrets to assign to the Flyteconsole deployment |
 | flyteconsole.nodeSelector | object | `{}` | nodeSelector for Flyteconsole deployment |
 | flyteconsole.podAnnotations | object | `{}` | Annotations for Flyteconsole pods |
 | flyteconsole.podEnv | object | `{}` | Additional Flyteconsole container environment variables |
diff --git a/charts/flyte-core/templates/console/deployment.yaml b/charts/flyte-core/templates/console/deployment.yaml
index 09c9e741c8..9ba1fc88ac 100644
--- a/charts/flyte-core/templates/console/deployment.yaml
+++ b/charts/flyte-core/templates/console/deployment.yaml
@@ -18,6 +18,10 @@ spec:
         {{- end }}
       labels: {{ include "flyteconsole.podLabels" . | nindent 8 }}
     spec:
+    {{- with .Values.flyteconsole.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
       securityContext:
         runAsUser: 1000
         fsGroupChangePolicy: "OnRootMismatch"
diff --git a/charts/flyte-core/templates/propeller/webhook.yaml b/charts/flyte-core/templates/propeller/webhook.yaml
index 75866a8c2b..98ce2607a0 100644
--- a/charts/flyte-core/templates/propeller/webhook.yaml
+++ b/charts/flyte-core/templates/propeller/webhook.yaml
@@ -154,6 +154,9 @@ metadata:
   annotations: {{ tpl (toYaml .) $ | nindent 4 }}
   {{- end}}
 {{- end }}
+  {{- with .Values.webhook.serviceAccount.imagePullSecrets }}
+imagePullSecrets: {{ tpl (toYaml .) $ | nindent 2 }}
+  {{- end }}
 ---
 # Create a binding from Role -> ServiceAccount
 kind: ClusterRoleBinding
diff --git a/charts/flyte-core/values.yaml b/charts/flyte-core/values.yaml
index 36a9b22e5e..94b46a53fd 100755
--- a/charts/flyte-core/values.yaml
+++ b/charts/flyte-core/values.yaml
@@ -374,6 +374,8 @@ flyteconsole:
     tracking_id: "G-0QW4DJWJ20"
   # -- Sets priorityClassName for flyte console pod(s).
   priorityClassName: ""
+   # -- ImagePullSecrets to assign to the Flyteconsole deployment
+  imagePullSecrets: []
 
 # It will enable the redoc route in ingress
 deployRedoc: false