Add registry.secretNames and registry.connections options to Helm chart

Your Name · aeroyorch · commit f9165b454884 · 2025-11-09T14:49:16.000+01:00
diff --git a/chart/docs/production-guide.rst b/chart/docs/production-guide.rst
@@ -661,12 +661,14 @@ flower Basic Auth using the ``_CMD`` or ``_SECRET`` variant without disabling th
 +-------------------------------------------------------+------------------------------------------+------------------------------------------------+
 | ``<RELEASE_NAME>-pgbouncer-certificates``             |                                          |                                                |
 +-------------------------------------------------------+------------------------------------------+------------------------------------------------+
-| ``<RELEASE_NAME>-registry``                           | ``.Values.registry.secretName``          |                                                |
-+-------------------------------------------------------+------------------------------------------+------------------------------------------------+
 | ``<RELEASE_NAME>-kerberos-keytab``                    |                                          |                                                |
 +-------------------------------------------------------+------------------------------------------+------------------------------------------------+
 | ``<RELEASE_NAME>-flower``                             | ``.Values.flower.secretName``            | ``AIRFLOW__CELERY__FLOWER_BASIC_AUTH``         |
 +-------------------------------------------------------+------------------------------------------+------------------------------------------------+
 
+A secret named ``<RELEASE_NAME>-registry`` is also created when ``.Values.registry.connection`` is
+defined and neither ``.Values.registry.secretName`` nor ``.Values.imagePullSecrets`` is set. However,
+this behavior is deprecated in favor of explicitly defining ``.Values.imagePullSecrets``.
+
 You can read more about advanced ways of setting configuration variables in the
 :doc:`apache-airflow:howto/set-config`.
diff --git a/chart/files/pod-template-file.kubernetes-helm-yaml b/chart/files/pod-template-file.kubernetes-helm-yaml
@@ -216,10 +216,7 @@ spec:
   {{- if .Values.workers.runtimeClassName }}
   runtimeClassName: {{ .Values.workers.runtimeClassName }}
   {{- end }}
-  {{- if or .Values.registry.secretName .Values.registry.connection }}
-  imagePullSecrets:
-    - name: {{ template "registry_secret" . }}
-  {{- end }}
+  imagePullSecrets: {{- include "image_pull_secrets" . | nindent 4 }}
   {{- if .Values.workers.hostAliases }}
   hostAliases: {{- toYaml .Values.workers.hostAliases | nindent 4 }}
   {{- end }}
diff --git a/chart/templates/_helpers.yaml b/chart/templates/_helpers.yaml
@@ -460,8 +460,20 @@ If release name contains chart name it will be used as a full name.
   {{- default (printf "%s-pgbouncer-stats" (include "airflow.fullname" .)) .Values.pgbouncer.metricsExporterSidecar.statsSecretName }}
 {{- end }}
 
-{{- define "registry_secret" -}}
-  {{- default (printf "%s-registry" (include "airflow.fullname" .)) .Values.registry.secretName }}
+{{- define "image_pull_secrets" -}}
+  {{- $secrets := (default (list .Values.registry.secretName) .Values.imagePullSecrets) -}}
+  {{- $secrets = ($secrets | compact | uniq) -}}
+  {{- if and (not $secrets) (or .Values.registry.connection) -}}
+    {{- $secrets = append $secrets (printf "%s-registry" (include "airflow.fullname" .)) -}}
+  {{- end -}}
+  {{- $out := list -}}
+  {{- range $n := $secrets }}
+    {{- if kindIs "string" $n }}
+      {{- $n = dict "name" $n -}}
+    {{- end -}}
+    {{- $out = append $out (dict "name" $n.name) -}}
+  {{- end -}}
+  {{- toYaml $out -}}
 {{- end }}
 
 {{- define "elasticsearch_secret" -}}
diff --git a/chart/templates/api-server/api-server-deployment.yaml b/chart/templates/api-server/api-server-deployment.yaml
@@ -122,10 +122,7 @@ spec:
       topologySpreadConstraints: {{- toYaml $topologySpreadConstraints | nindent 8 }}
       restartPolicy: Always
       securityContext: {{ $securityContext | nindent 8 }}
-      {{- if or .Values.registry.secretName .Values.registry.connection }}
-      imagePullSecrets:
-        - name: {{ template "registry_secret" . }}
-      {{- end }}
+      imagePullSecrets: {{- include "image_pull_secrets" . | nindent 8 }}
       initContainers:
         {{- if .Values.apiServer.waitForMigrations.enabled }}
         - name: wait-for-airflow-migrations
diff --git a/chart/templates/cleanup/cleanup-cronjob.yaml b/chart/templates/cleanup/cleanup-cronjob.yaml
@@ -86,10 +86,7 @@ spec:
           tolerations: {{- toYaml $tolerations | nindent 12 }}
           topologySpreadConstraints: {{- toYaml $topologySpreadConstraints | nindent 12 }}
           serviceAccountName: {{ include "cleanup.serviceAccountName" . }}
-          {{- if or .Values.registry.secretName .Values.registry.connection }}
-          imagePullSecrets:
-            - name: {{ template "registry_secret" . }}
-          {{- end }}
+          imagePullSecrets: {{- include "image_pull_secrets" . | nindent 12 }}
           securityContext: {{ $securityContext | nindent 12 }}
           containers:
             - name: airflow-cleanup-pods
diff --git a/chart/templates/dag-processor/dag-processor-deployment.yaml b/chart/templates/dag-processor/dag-processor-deployment.yaml
@@ -116,10 +116,7 @@ spec:
       restartPolicy: Always
       serviceAccountName: {{ include "dagProcessor.serviceAccountName" . }}
       securityContext: {{ $securityContext | nindent 8 }}
-      {{- if or .Values.registry.secretName .Values.registry.connection }}
-      imagePullSecrets:
-        - name: {{ template "registry_secret" . }}
-      {{- end }}
+      imagePullSecrets: {{ include "image_pull_secrets" . | nindent 8 }}
       initContainers:
         {{- if .Values.dagProcessor.waitForMigrations.enabled }}
         - name: wait-for-airflow-migrations
diff --git a/chart/templates/flower/flower-deployment.yaml b/chart/templates/flower/flower-deployment.yaml
@@ -85,10 +85,7 @@ spec:
       {{- end }}
       restartPolicy: Always
       securityContext: {{ $securityContext | nindent 8 }}
-      {{- if or .Values.registry.secretName .Values.registry.connection }}
-      imagePullSecrets:
-        - name: {{ template "registry_secret" . }}
-      {{- end }}
+      imagePullSecrets: {{- include "image_pull_secrets" . | nindent 8 }}
       containers:
         - name: flower
           image: {{ template "flower_image" . }}
diff --git a/chart/templates/jobs/create-user-job.yaml b/chart/templates/jobs/create-user-job.yaml
@@ -86,10 +86,7 @@ spec:
       tolerations: {{- toYaml $tolerations | nindent 8 }}
       topologySpreadConstraints: {{- toYaml $topologySpreadConstraints | nindent 8 }}
       serviceAccountName: {{ include "createUserJob.serviceAccountName" . }}
-      {{- if or .Values.registry.secretName .Values.registry.connection }}
-      imagePullSecrets:
-        - name: {{ template "registry_secret" . }}
-      {{- end }}
+      imagePullSecrets: {{- include "image_pull_secrets" . | nindent 8 }}
       {{- if .Values.createUserJob.extraInitContainers }}
       initContainers:
         {{- tpl (toYaml .Values.createUserJob.extraInitContainers) . | nindent 8 }}
diff --git a/chart/templates/jobs/migrate-database-job.yaml b/chart/templates/jobs/migrate-database-job.yaml
@@ -86,10 +86,7 @@ spec:
       tolerations: {{- toYaml $tolerations | nindent 8 }}
       topologySpreadConstraints: {{- toYaml $topologySpreadConstraints | nindent 8 }}
       serviceAccountName: {{ include "migrateDatabaseJob.serviceAccountName" . }}
-      {{- if or .Values.registry.secretName .Values.registry.connection }}
-      imagePullSecrets:
-        - name: {{ template "registry_secret" . }}
-      {{- end }}
+      imagePullSecrets: {{- include "image_pull_secrets" . | nindent 8 }}
       {{- if .Values.migrateDatabaseJob.extraInitContainers }}
       initContainers:
         {{- tpl (toYaml .Values.migrateDatabaseJob.extraInitContainers) . | nindent 8 }}
diff --git a/chart/templates/pgbouncer/pgbouncer-deployment.yaml b/chart/templates/pgbouncer/pgbouncer-deployment.yaml
@@ -90,10 +90,7 @@ spec:
       serviceAccountName: {{ include "pgbouncer.serviceAccountName" . }}
       securityContext: {{ $securityContext | nindent 8 }}
       restartPolicy: Always
-      {{- if or .Values.registry.secretName .Values.registry.connection }}
-      imagePullSecrets:
-        - name: {{ template "registry_secret" . }}
-      {{- end }}
+      imagePullSecrets: {{- include "image_pull_secrets" . | nindent 8 }}
       containers:
         - name: pgbouncer
           image: {{ template "pgbouncer_image" . }}
diff --git a/chart/templates/redis/redis-statefulset.yaml b/chart/templates/redis/redis-statefulset.yaml
@@ -82,10 +82,7 @@ spec:
       {{- if .Values.schedulerName }}
       schedulerName: {{ .Values.schedulerName }}
       {{- end }}
-      {{- if or .Values.registry.secretName .Values.registry.connection }}
-      imagePullSecrets:
-        - name: {{ template "registry_secret" . }}
-      {{- end }}
+      imagePullSecrets: {{ include "image_pull_secrets" . | nindent 8 }}
       securityContext: {{ $securityContext | nindent 8 }}
       containers:
         - name: redis
diff --git a/chart/templates/scheduler/scheduler-deployment.yaml b/chart/templates/scheduler/scheduler-deployment.yaml
@@ -138,10 +138,7 @@ spec:
       terminationGracePeriodSeconds: {{ .Values.scheduler.terminationGracePeriodSeconds }}
       serviceAccountName: {{ include "scheduler.serviceAccountName" . }}
       securityContext: {{ $securityContext | nindent 8 }}
-      {{- if or .Values.registry.secretName .Values.registry.connection }}
-      imagePullSecrets:
-        - name: {{ template "registry_secret" . }}
-      {{- end }}
+      imagePullSecrets: {{ include "image_pull_secrets" . | nindent 8 }}
       {{- if .Values.scheduler.hostAliases }}
       hostAliases: {{- toYaml .Values.scheduler.hostAliases | nindent 8 }}
       {{- end }}
diff --git a/chart/templates/secrets/registry-secret.yaml b/chart/templates/secrets/registry-secret.yaml
@@ -20,7 +20,7 @@
 ################################
 ## Registry Secret
 #################################
-{{- if (and .Values.registry.connection (not .Values.registry.secretName)) }}
+{{- if (and (or .Values.registry.connection) (not (or .Values.registry.secretName .Values.imagePullSecrets))) }}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/chart/templates/statsd/statsd-deployment.yaml b/chart/templates/statsd/statsd-deployment.yaml
@@ -86,10 +86,7 @@ spec:
       serviceAccountName: {{ include "statsd.serviceAccountName" . }}
       securityContext: {{ $securityContext | nindent 8 }}
       restartPolicy: Always
-      {{- if or .Values.registry.secretName .Values.registry.connection }}
-      imagePullSecrets:
-        - name: {{ template "registry_secret" . }}
-      {{- end }}
+      imagePullSecrets: {{ include "image_pull_secrets" . | nindent 8 }}
       containers:
         - name: statsd
           image: {{ template "statsd_image" . }}
diff --git a/chart/templates/triggerer/triggerer-deployment.yaml b/chart/templates/triggerer/triggerer-deployment.yaml
@@ -130,10 +130,7 @@ spec:
       restartPolicy: Always
       serviceAccountName: {{ include "triggerer.serviceAccountName" . }}
       securityContext: {{ $securityContext | nindent 8 }}
-      {{- if or .Values.registry.secretName .Values.registry.connection }}
-      imagePullSecrets:
-        - name: {{ template "registry_secret" . }}
-      {{- end }}
+      imagePullSecrets: {{ include "image_pull_secrets" . | nindent 8 }}
       initContainers:
         {{- if .Values.triggerer.waitForMigrations.enabled }}
         - name: wait-for-airflow-migrations
diff --git a/chart/templates/webserver/webserver-deployment.yaml b/chart/templates/webserver/webserver-deployment.yaml
@@ -131,10 +131,7 @@ spec:
       restartPolicy: Always
       terminationGracePeriodSeconds: {{ .Values.webserver.terminationGracePeriodSeconds }}
       securityContext: {{ $securityContext | nindent 8 }}
-      {{- if or .Values.registry.secretName .Values.registry.connection }}
-      imagePullSecrets:
-        - name: {{ template "registry_secret" . }}
-      {{- end }}
+      imagePullSecrets: {{- include "image_pull_secrets" . | nindent 8 }}
       initContainers:
         {{- if .Values.webserver.waitForMigrations.enabled }}
         - name: wait-for-airflow-migrations
diff --git a/chart/templates/workers/worker-deployment.yaml b/chart/templates/workers/worker-deployment.yaml
@@ -142,10 +142,7 @@ spec:
       serviceAccountName: {{ include "worker.serviceAccountName" . }}
       {{- end }}
       securityContext: {{ $securityContext | nindent 8 }}
-      {{- if or .Values.registry.secretName .Values.registry.connection }}
-      imagePullSecrets:
-        - name: {{ template "registry_secret" . }}
-      {{- end }}
+      imagePullSecrets: {{ include "image_pull_secrets" . | nindent 8 }}
       initContainers:
         {{- if and $persistence .Values.workers.persistence.fixPermissions }}
         - name: volume-permissions
diff --git a/chart/values.schema.json b/chart/values.schema.json
@@ -226,6 +226,23 @@
                 "type": "string"
             }
         },
+        "imagePullSecrets": {
+            "description": "List of existing Kubernetes secrets containing Base64 encoded credentials to connect to private registries (will get passed to imagePullSecrets).",
+            "type": "array",
+            "default": [],
+            "x-docsSection": "Kubernetes",
+            "items": {
+                "oneOf": [
+                    {
+                        "type": "string"
+                    },
+                    {
+                        "$ref": "#/definitions/io.k8s.api.core.v1.LocalObjectReference"
+                    }
+                ]
+            },
+            "uniqueItems": true
+        },
         "ingress": {
             "description": "Ingress configuration.",
             "type": "object",
@@ -8360,15 +8377,15 @@
             "additionalProperties": false,
             "properties": {
                 "secretName": {
-                    "description": "Name of the Kubernetes secret containing Base64 encoded credentials to connect to a private registry (will get passed to imagePullSecrets).",
+                    "description": "Name of the Kubernetes secret containing Base64 encoded credentials to connect to a private registry (will get passed to imagePullSecrets) (Deprecated - renamed to `registry.secretNames`).",
                     "type": [
                         "string",
                         "null"
                     ],
                     "default": null
                 },
                 "connection": {
-                    "description": "Credentials to connect to a private registry, these will get Base64 encoded and stored in a secret (will get passed to imagePullSecrets).",
+                    "description": "Credentials to connect to a private registry, these will get Base64 encoded and stored in a secret (will get passed to imagePullSecrets) (create manually the credentials secret and add to `imagePullSecrets` instead).",
                     "type": "object",
                     "default": {},
                     "additionalProperties": false,
diff --git a/chart/values.yaml b/chart/values.yaml
@@ -139,6 +139,10 @@ schedulerName: ~
 # Add common labels to all objects and pods defined in this chart.
 labels: {}
 
+# List of existing Kubernetes secrets containing Base64 encoded credentials to connect to private
+# registries. Items can be either strings or {name: secret} objects.
+imagePullSecrets: []
+
 # Ingress configuration
 ingress:
   # Enable all ingress resources
@@ -2729,11 +2733,16 @@ redis:
   labels: {}
 
   podAnnotations: {}
-# Auth secret for a private registry
+
+# Auth secret for a private registry (Deprecated - use `imagePullSecrets` instead)
 # This is used if pulling airflow images from a private registry
 registry:
+  # Name of the Kubernetes secret containing Base64 encoded credentials to connect to a private registry
+  # (Deprecated - renamed to `imagePullSecrets`).
   secretName: ~
 
+  # Credentials to connect to a private registry, these will get Base64 encoded and stored in a secret
+  # (Deprecated - create manually the credentials secret and add to `imagePullSecrets` instead).
   # Example:
   # connection:
   #   user: ~
diff --git a/helm-tests/tests/helm_tests/airflow_aux/test_airflow_common.py b/helm-tests/tests/helm_tests/airflow_aux/test_airflow_common.py
@@ -491,3 +491,62 @@ def test_priority_class_name(self):
                 priority = doc["spec"]["template"]["spec"]["priorityClassName"]
 
             assert priority == f"low-priority-{component}"
+
+    @pytest.mark.parametrize(
+        ("image_pull_secrets", "registry_secret_name", "registry_connection", "expected_image_pull_secrets"),
+        [
+            ([], None, {}, []),
+            (
+                [],
+                None,
+                {"host": "example.com", "user": "user", "pass": "pass", "email": "user@example.com"},
+                ["test-basic-registry"],
+            ),
+            ([], "regcred", {}, ["regcred"]),
+            (["regcred2"], "regcred", {}, ["regcred2"]),
+            (
+                ["regcred2"],
+                None,
+                {"host": "example.com", "user": "user", "pass": "pass", "email": "user@example.com"},
+                ["regcred2"],
+            ),
+            (["regcred", {"name": "regcred2"}, ""], None, {}, ["regcred", "regcred2"]),
+        ],
+    )
+    def test_image_pull_secrets(
+        self, image_pull_secrets, registry_secret_name, registry_connection, expected_image_pull_secrets
+    ):
+        release_name = "test-basic"
+        docs = render_chart(
+            name=release_name,
+            values={
+                "imagePullSecrets": image_pull_secrets,
+                "registry": {"secretName": registry_secret_name, "connection": registry_connection},
+                "flower": {"enabled": True},
+                "pgbouncer": {"enabled": True},
+                "cleanup": {"enabled": True},
+            },
+            show_only=[
+                "templates/flower/flower-deployment.yaml",
+                "templates/pgbouncer/pgbouncer-deployment.yaml",
+                "templates/scheduler/scheduler-deployment.yaml",
+                "templates/statsd/statsd-deployment.yaml",
+                "templates/triggerer/triggerer-deployment.yaml",
+                "templates/dag-processor/dag-processor-deployment.yaml",
+                "templates/webserver/webserver-deployment.yaml",
+                "templates/workers/worker-deployment.yaml",
+                "templates/cleanup/cleanup-cronjob.yaml",
+                "templates/jobs/migrate-database-job.yaml",
+                "templates/jobs/create-user-job.yaml",
+            ],
+        )
+
+        expected_image_pull_secrets = [{"name": name} for name in expected_image_pull_secrets]
+
+        for doc in docs:
+            got_image_pull_secrets = (
+                doc["spec"]["jobTemplate"]["spec"]["template"]["spec"]["imagePullSecrets"]
+                if doc["kind"] == "CronJob"
+                else doc["spec"]["template"]["spec"]["imagePullSecrets"]
+            )
+            assert got_image_pull_secrets == expected_image_pull_secrets
