
Add image pull policy and secret handling across components #3029


Merged
merged 1 commit into from
May 7, 2025
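--- a/apis/offloading/v1beta1/vkoptionstemplate_types.go
+++ b/apis/offloading/v1beta1/vkoptionstemplate_types.go
@@ -21,21 +21,23 @@ import (
 
 // VkOptionsTemplateSpec defines the desired state of VkOptionsTemplate.
 type VkOptionsTemplateSpec struct {
-CreateNode bool `json:"createNode"`
-DisableNetworkCheck bool `json:"disableNetworkCheck"`
-ContainerImage string `json:"containerImage"`
-MetricsEnabled bool `json:"metricsEnabled"`
-MetricsAddress string `json:"metricsAddress,omitempty"`
-LabelsNotReflected []string `json:"labelsNotReflected,omitempty"`
-AnnotationsNotReflected []string `json:"annotationsNotReflected,omitempty"`
-ReflectorsConfig map[string]ReflectorConfig `json:"reflectorsConfig,omitempty"`
-Resources corev1.ResourceRequirements `json:"resources,omitempty"`
-ExtraArgs []string `json:"extraArgs,omitempty"`
-ExtraAnnotations map[string]string `json:"extraAnnotations,omitempty"`
-ExtraLabels map[string]string `json:"extraLabels,omitempty"`
-NodeExtraAnnotations map[string]string `json:"nodeExtraAnnotations,omitempty"`
-NodeExtraLabels map[string]string `json:"nodeExtraLabels,omitempty"`
-Replicas *int32 `json:"replicas,omitempty"`
+CreateNode bool `json:"createNode"`
+DisableNetworkCheck bool `json:"disableNetworkCheck"`
+ContainerImage string `json:"containerImage"`
+MetricsEnabled bool `json:"metricsEnabled"`
+MetricsAddress string `json:"metricsAddress,omitempty"`
+LabelsNotReflected []string `json:"labelsNotReflected,omitempty"`
+AnnotationsNotReflected []string `json:"annotationsNotReflected,omitempty"`
+ReflectorsConfig map[string]ReflectorConfig `json:"reflectorsConfig,omitempty"`
+Resources corev1.ResourceRequirements `json:"resources,omitempty"`
+ExtraArgs []string `json:"extraArgs,omitempty"`
+ExtraAnnotations map[string]string `json:"extraAnnotations,omitempty"`
+ExtraLabels map[string]string `json:"extraLabels,omitempty"`
+NodeExtraAnnotations map[string]string `json:"nodeExtraAnnotations,omitempty"`
+NodeExtraLabels map[string]string `json:"nodeExtraLabels,omitempty"`
+Replicas *int32 `json:"replicas,omitempty"`
+ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
+PullPolicy corev1.PullPolicy `json:"pullPolicy,omitempty"`
 }
 
 // ReflectorConfig contains configuration parameters of the reflector.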
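Review bot: `PullPolicy` is added without a validation marker, and the CRD schema generated in this PR accepts any string for `pullPolicy`, so a mistyped value is presumably only noticed later, when the virtual-kubelet pod spec built from it is rejected. Putting `// +kubebuilder:validation:Enum=Always;Never;IfNotPresent` above the field would have the API server refuse it when the VkOptionsTemplate is written. The two new fields also have no doc comments; I would add `// PullPolicy is the image pull policy of the virtual kubelet container; empty means IfNotPresent.` and `// ImagePullSecrets names the secrets, in the virtual kubelet pod's namespace, used to pull ContainerImage.`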
5 changes: 5 additions & 0 deletions apis/offloading/v1beta1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 2 additions & 1 deletion deployments/liqo/README.md
Expand Up @@ -49,6 +49,7 @@
| discovery.config.clusterID | string | `""` | Specify an unique ID for your cluster. This ID is used to identify your cluster in the peering process. |
| discovery.config.clusterLabels | object | `{}` | A set of labels that characterizes the local cluster when exposed remotely as a virtual node. It is suggested to specify the distinguishing characteristics that may be used to decide whether to offload pods on this cluster. |
| fullnameOverride | string | `""` | Override the standard full name used by Helm and associated to Kubernetes/Liqo resources. |
| imagePullSecrets | list | `[]` | Image pull secrets for all Liqo containers |
| ipam.external.enabled | bool | `false` | Use an external IPAM to allocate the IP addresses for the pods. Enabling it will disable the internal IPAM. |
| ipam.external.url | string | `""` | The URL of the external IPAM. |
| ipam.externalCIDR | string | `"10.70.0.0/16"` | The subnet used for the external CIDR. |
Expand Down Expand Up @@ -164,7 +165,7 @@
| proxy.replicas | int | `1` | Set the number of replicas for the proxy deployments |
| proxy.service.annotations | object | `{}` | |
| proxy.service.type | string | `"ClusterIP"` | |
| pullPolicy | string | `"IfNotPresent"` | The pullPolicy for liqo pods. |
| pullPolicy | string | `"IfNotPresent"` | Image pull policy for all Liqo containers |
| requirements.kernel.enabled | bool | `true` | Enable/Disable the kernel requirements check. |
| storage.enabled | bool | `true` | Enable/Disable the liqo virtual storage class on the local cluster. You will be able to offload your persistent volumes, while other clusters will be able to schedule their persistent workloads on the current cluster. |
| storage.realStorageClassName | string | `""` | Name of the real storage class to use in the local cluster. |
Expand Up @@ -71,6 +71,24 @@ spec:
additionalProperties:
type: string
type: object
imagePullSecrets:
items:
description: |-
LocalObjectReference contains enough information to let you locate the
referenced object inside the same namespace.
properties:
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
type: object
x-kubernetes-map-type: atomic
type: array
labelsNotReflected:
items:
type: string
Expand All @@ -87,6 +105,10 @@ spec:
additionalProperties:
type: string
type: object
pullPolicy:
description: PullPolicy describes a policy for if/when to pull a container
image
type: string
reflectorsConfig:
additionalProperties:
description: ReflectorConfig contains configuration parameters of
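--- a/deployments/liqo/templates/_helpers.tpl
+++ b/deployments/liqo/templates/_helpers.tpl
@@ -240,3 +240,13 @@ Get the Container security context
 {{- define "liqo.containerSecurityContext" -}}
 allowPrivilegeEscalation: false
 {{- end -}}
+
+{{/*
+Get the image pull secrets
+*/}}
+{{- define "liqo.imagePullSecrets" -}}
+{{- if .Values.imagePullSecrets }}
+imagePullSecrets:
+{{- toYaml .Values.imagePullSecrets | nindent 0 }}
+{{- end -}}
+{{- end -}}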
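Review bot: The `Get the image pull secrets` comment does not say that the helper reads `.Values` and therefore has to be called with the root context, nor that it renders nothing when the list is empty. With an empty list, each call site's `| nindent N` still emits a whitespace-only line, which is harmless but worth knowing when diffing rendered manifests. I would expand the comment to `Render the pod-level imagePullSecrets block from .Values.imagePullSecrets. Call with the root context; renders nothing when the list is empty.`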
Expand Up @@ -39,6 +39,7 @@ spec:
securityContext:
{{- include "liqo.podSecurityContext" . | nindent 8 }}
serviceAccountName: {{ include "liqo.prefixedName" $ctrlManagerConfig }}
{{- include "liqo.imagePullSecrets" . | nindent 6 }}
containers:
- image: {{ .Values.controllerManager.image.name }}{{ include "liqo.suffix" $ctrlManagerConfig }}:{{ include "liqo.version" $ctrlManagerConfig }}
imagePullPolicy: {{ .Values.pullPolicy }}
Expand Up @@ -26,6 +26,7 @@ spec:
securityContext:
{{- include "liqo.podSecurityContext" . | nindent 8 }}
serviceAccountName: {{ include "liqo.prefixedName" $crdReplicatorConfig }}
{{- include "liqo.imagePullSecrets" . | nindent 6 }}
containers:
- image: {{ .Values.crdReplicator.image.name }}{{ include "liqo.suffix" $crdReplicatorConfig }}:{{ include "liqo.version" $crdReplicatorConfig }}
imagePullPolicy: {{ .Values.pullPolicy }}
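--- a/deployments/liqo/templates/liqo-fabric-daemonset.yaml
+++ b/deployments/liqo/templates/liqo-fabric-daemonset.yaml
@@ -38,6 +38,7 @@ spec:
 {{- toYaml .Values.networking.fabric.tolerations | nindent 8 }}
 {{- end }}
 serviceAccountName: {{ include "liqo.prefixedName" $fabricConfig }}
+{{- include "liqo.imagePullSecrets" . | nindent 6 }}
 containers:
 - image: {{ .Values.networking.fabric.image.name }}{{ include "liqo.suffix" $fabricConfig }}:{{ include "liqo.version" $fabricConfig }}
 imagePullPolicy: {{ .Values.pullPolicy }}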
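--- a/deployments/liqo/templates/liqo-ipam-deployment.yaml
+++ b/deployments/liqo/templates/liqo-ipam-deployment.yaml
@@ -29,6 +29,7 @@ spec:
 securityContext:
 {{- include "liqo.podSecurityContext" . | nindent 8 }}
 serviceAccountName: {{ include "liqo.prefixedName" $ipamConfig }}
+{{- include "liqo.imagePullSecrets" . | nindent 6 }}
 containers:
 - image: {{ .Values.ipam.internal.image.name }}{{ include "liqo.suffix" $ipamConfig }}:{{ include "liqo.version" $ipamConfig }}
 imagePullPolicy: {{ .Values.pullPolicy }}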
Expand Up @@ -31,6 +31,7 @@ spec:
securityContext:
{{- include "liqo.podSecurityContext" . | nindent 8 }}
serviceAccountName: {{ include "liqo.prefixedName" $metricConfig }}
{{- include "liqo.imagePullSecrets" . | nindent 6 }}
initContainers:
- name: {{ $certConfig.name }}
imagePullPolicy: {{ .Values.pullPolicy }}
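--- a/deployments/liqo/templates/liqo-proxy-deployment.yaml
+++ b/deployments/liqo/templates/liqo-proxy-deployment.yaml
@@ -27,6 +27,7 @@ spec:
 spec:
 securityContext:
 {{- include "liqo.podSecurityContext" . | nindent 8 }}
+{{- include "liqo.imagePullSecrets" . | nindent 6 }}
 containers:
 - image: {{ .Values.proxy.image.name }}{{ include "liqo.suffix" $proxyConfig }}:{{ include "liqo.version" $proxyConfig }}
 imagePullPolicy: {{ .Values.pullPolicy }}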
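--- a/deployments/liqo/templates/liqo-telemetry-cronjob.yaml
+++ b/deployments/liqo/templates/liqo-telemetry-cronjob.yaml
@@ -34,6 +34,7 @@ spec:
 securityContext:
 {{- include "liqo.podSecurityContext" . | nindent 12 }}
 serviceAccountName: {{ include "liqo.prefixedName" $telemetryCronConfig }}
+{{- include "liqo.imagePullSecrets" . | nindent 10 }}
 restartPolicy: Never
 containers:
 - image: {{ .Values.telemetry.image.name }}{{ include "liqo.suffix" $telemetryCronConfig }}:{{ include "liqo.version" $telemetryCronConfig }}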
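--- a/deployments/liqo/templates/liqo-vk-options-template.yaml
+++ b/deployments/liqo/templates/liqo-vk-options-template.yaml
@@ -41,6 +41,10 @@ spec:
 annotationsNotReflected:
 {{- toYaml .Values.offloading.reflection.skip.annotations | nindent 4 }}
 {{- end }}
+{{- if .Values.pullPolicy }}
+pullPolicy: {{ .Values.pullPolicy }}
+{{- end }}
+{{- include "liqo.imagePullSecrets" . | nindent 2 }}
 reflectorsConfig:
 pod:
 workers: {{ .Values.offloading.reflection.pod.workers }}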
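Review bot: The pull secrets copied into the VkOptionsTemplate by `{{- include "liqo.imagePullSecrets" . | nindent 2 }}` are name-only references, and nothing in this change creates the named secret or documents where it has to exist. The CRD text added in this PR says a LocalObjectReference is resolved inside the same namespace, and `forgeVKPodSpec` builds the virtual-kubelet pod for `vkNamespace`, which looks like it can differ from the namespace the chart is installed in. If so, a secret that exists only in the install namespace would leave those pods unable to pull; the same presumably holds for the three gateway templates that include the helper at `nindent 14`. I would state the requirement next to the value in `values.yaml`, e.g. `# -- Image pull secrets for all Liqo containers. Each named secret must already exist in every namespace where Liqo creates pods, including virtual-kubelet and gateway pods.`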
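--- a/deployments/liqo/templates/liqo-webhook-deployment.yaml
+++ b/deployments/liqo/templates/liqo-webhook-deployment.yaml
@@ -38,6 +38,7 @@ spec:
 securityContext:
 {{- include "liqo.podSecurityContext" . | nindent 8 }}
 serviceAccountName: {{ include "liqo.prefixedName" $webhookConfig }}
+{{- include "liqo.imagePullSecrets" . | nindent 6 }}
 containers:
 - image: {{ .Values.webhook.image.name }}{{ include "liqo.suffix" $webhookConfig }}:{{ include "liqo.version" $webhookConfig }}
 imagePullPolicy: {{ .Values.pullPolicy }}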
Expand Up @@ -37,6 +37,7 @@ spec:
spec:
serviceAccount: "{{"{{ .Name }}"}}"
serviceAccountName: "{{"{{ .Name }}"}}"
{{- include "liqo.imagePullSecrets" . | nindent 14 }}
containers:
- name: gateway
image: {{ .Values.networking.gatewayTemplates.container.gateway.image.name }}{{ include "liqo.suffix" $gatewayConfig }}:{{ include "liqo.version" $gatewayConfig }}
Expand Up @@ -64,6 +64,7 @@ spec:
spec:
serviceAccount: "{{"{{ .Name }}"}}"
serviceAccountName: "{{"{{ .Name }}"}}"
{{- include "liqo.imagePullSecrets" . | nindent 14 }}
containers:
- name: gateway
image: {{ .Values.networking.gatewayTemplates.container.gateway.image.name }}{{ include "liqo.suffix" $gatewayConfig }}:{{ include "liqo.version" $gatewayConfig }}
Expand Up @@ -57,6 +57,7 @@ spec:
spec:
serviceAccount: "{{"{{ .Name }}"}}"
serviceAccountName: "{{"{{ .Name }}"}}"
{{- include "liqo.imagePullSecrets" . | nindent 14 }}
containers:
- name: gateway
image: {{ .Values.networking.gatewayTemplates.container.gateway.image.name }}{{ include "liqo.suffix" $gatewayConfig }}:{{ include "liqo.version" $gatewayConfig }}
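--- a/deployments/liqo/templates/pre-delete-job.yaml
+++ b/deployments/liqo/templates/pre-delete-job.yaml
@@ -26,6 +26,7 @@ spec:
 {{- include "liqo.podSecurityContext" . | nindent 8 }}
 restartPolicy: Never
 serviceAccountName: {{ include "liqo.prefixedName" $predelete}}
+{{- include "liqo.imagePullSecrets" . | nindent 6 }}
 containers:
 - name: pre-delete-job
 image: {{ .Values.uninstaller.image.name }}{{ include "liqo.suffix" $predelete }}:{{ include "liqo.version" $predelete }}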
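--- a/deployments/liqo/values.yaml
+++ b/deployments/liqo/values.yaml
@@ -10,6 +10,13 @@ nameOverride: ""
 # -- Override the standard full name used by Helm and associated to Kubernetes/Liqo resources.
 fullnameOverride: ""
 
+# -- Image pull policy for all Liqo containers
+pullPolicy: IfNotPresent
+
+# -- Image pull secrets for all Liqo containers
+imagePullSecrets: []
+# - name: regcred
+
 metrics:
 # -- Enable/Disable the metrics server in every liqo component.
 enabled: false
@@ -289,9 +296,6 @@ storage:
 # -- Namespace where liqo will deploy specific PVCs. Internal parameter, do not change.
 storageNamespace: liqo-storage
 
-# -- The pullPolicy for liqo pods.
-pullPolicy: "IfNotPresent"
-
 common:
 # -- NodeSelector for all liqo pods, excluding virtual kubelet.
 nodeSelector: {}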
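--- a/pkg/vkMachinery/forge/forge.go
+++ b/pkg/vkMachinery/forge/forge.go
@@ -133,13 +133,19 @@ func forgeVKContainers(
 })
 }
 
+pullPolicy := v1.PullIfNotPresent
+if opts.Spec.PullPolicy != "" {
+pullPolicy = opts.Spec.PullPolicy
+}
+
 return []v1.Container{
 {
-Name: vk.ContainerName,
-Resources: opts.Spec.Resources,
-Image: opts.Spec.ContainerImage,
-Command: command,
-Args: args,
+Name: vk.ContainerName,
+Resources: opts.Spec.Resources,
+Image: opts.Spec.ContainerImage,
+ImagePullPolicy: pullPolicy,
+Command: command,
+Args: args,
 Env: []v1.EnvVar{
 {
 Name: "POD_IP",
@@ -172,6 +178,7 @@ func forgeVKPodSpec(vkNamespace string, homeCluster liqov1beta1.ClusterID, local
 virtualNode.Spec.StorageClasses, virtualNode.Spec.IngressClasses, virtualNode.Spec.LoadBalancerClasses,
 opts),
 ServiceAccountName: virtualNode.Name,
+ImagePullSecrets: opts.Spec.ImagePullSecrets,
 }
 }
 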
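Review bot: Falling back to `v1.PullIfNotPresent` when `opts.Spec.PullPolicy` is empty changes behaviour for a `ContainerImage` that has a mutable tag. The removed lines left `ImagePullPolicy` unset, so the API server chose the default, which is `Always` for `:latest` or untagged images; with this hunk a copy already cached on the node is reused and an updated image under the same tag is not fetched. If that is intended, say so in a comment above the fallback, e.g. `// Default to IfNotPresent even for mutable tags; set spec.pullPolicy to Always to force a re-pull.`; otherwise drop the fallback and pass the field through with `ImagePullPolicy: opts.Spec.PullPolicy,`. The body of `forgeVKContainers` starts before and continues after this hunk.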