How to bind the image pull secret for pipeline without service account?

[kevinyu98]

Expected Behavior

We have a use case where we need to bind the image pull secret to a particular pipeline but not service account, because we might not have permission to cleanup the service account, is there a workaround this?

Additional Info

• Kubernetes version:

  Output of kubectl version:
  openshift:
  Client Version: v4.3.1
  Kubernetes Version: v1.16.2

  (paste your output here)
  

• Tekton Pipeline version:

  Output of tkn version or kubectl get pods -n tekton-pipelines -l app=tekton-pipelines-controller -o=jsonpath='{.items[0].metadata.labels.version}'

Tekton version: v0.11.0-rc2

[Tomcli]

Probably if we can implement imagePullSecrets into podTemplate, then we can solve this issue. But is this a good approach?

[bobcatfish]

Hey @kevinyu98 can you explain more about why you can't use the service account and what you need to use the image pull secret for? Some examples would really help!

[skaegi]

One workaround / approach that has worked well for us is to create an ephemeral namespace and then configure the namespace's "default" service account with permissions as needed. We then "apply" the various Tekton and other resources in the namespace and wait for the PipelineRun to complete, collect the results, and finally delete the ephemeral namespace. All-in-all it's pretty tidy.

[Tomcli]

Thanks @bobcatfish @skaegi

We need image pull secret to pull images from our private repository. We are building a compiler to generate Tekton pipeline based on the Kubeflow pipeline DSL. In our platform, we have multiple users that share the same namespace for executing pipelines. Therefore, we want to replicate the behavior of Argo pipeline where the image pull secret is bound to a particular pipeline instead of the service account.

We are trying to work around with the service account right now, but since some of our users can be anonymous, we have to ask our server to watch and cleanup the service account for every pipeline. Thus, we want to look for an easier approach such as adding image pull secret into podTemplate.

[skaegi]

In terms of just creating the binding independent of service account management, I think the podTemplate approach suggested by @Tomcli is a reasonable approach and is identical to what Argo does. I re-opened #1779.

[animeshsingh]

thanks @skaegi any update on this?

[ghost]

Now that #1779 is reopened I think this issue can be considered a duplicate or case-study in support of it. So I'm going to close this issue and suggest that discussion of imagePullSecrets in podTemplate should be focused there. Many thanks!