configurable pull secrets, no defaults

Author: nicktrn

apps/supervisor/src/env.ts

@@ -42,6 +42,7 @@ const Env = z.object({
   DOCKER_NETWORK: z.string().default("host"),
   OTEL_EXPORTER_OTLP_ENDPOINT: z.string().url(),
   ENFORCE_MACHINE_PRESETS: z.coerce.boolean().default(false),
+  KUBERNETES_IMAGE_PULL_SECRETS: z.string().optional(), // csv
 
   // Used by the resource monitor
   OVERRIDE_CPU_TOTAL: z.coerce.number().optional(),

apps/supervisor/src/index.ts

@@ -97,6 +97,7 @@ class ManagedSupervisor {
         workloadApiDomain,
         workloadApiPort: workloadApiPortExternal,
         warmStartUrl: this.warmStartUrl,
+        imagePullSecrets: env.KUBERNETES_IMAGE_PULL_SECRETS?.split(","),
       });
     } else {
       this.resourceMonitor = new DockerResourceMonitor(new Docker());

apps/supervisor/src/workloadManager/kubernetes.ts

@@ -182,18 +182,15 @@ export class KubernetesWorkloadManager implements WorkloadManager {
     }
   }
 
+  private getImagePullSecrets(): k8s.V1LocalObjectReference[] | undefined {
+    return this.opts.imagePullSecrets?.map((name) => ({ name }));
+  }
+
   get #defaultPodSpec(): Omit<k8s.V1PodSpec, "containers"> {
     return {
       restartPolicy: "Never",
       automountServiceAccountToken: false,
-      imagePullSecrets: [
-        {
-          name: "registry-trigger",
-        },
-        {
-          name: "registry-trigger-failover",
-        },
-      ],
+      imagePullSecrets: this.getImagePullSecrets(),
       nodeSelector: {
         nodetype: "worker-re2",
       },

apps/supervisor/src/workloadManager/types.ts

@@ -5,6 +5,7 @@ export interface WorkloadManagerOptions {
   workloadApiDomain?: string; // If unset, will use orchestrator-specific default
   workloadApiPort: number;
   warmStartUrl?: string;
+  imagePullSecrets?: string[];
 }
 
 export interface WorkloadManager {