Just let me specify imagePullSecret #381
Description
Is your feature request related to a problem? Please describe.
In our k8s cluster, we use a private registry. There's already a secret in that cluster, let's call it the-pull-secret, with the pull secret.
All of the pre-existing pods use that secret; now we'd like to add Cockroach to that cluster. Unlike most other charts out there, which just permit specifying an imagePullSecret in their values.yaml, Cockroach instead does this:
imagePullSecrets:
{{- if .Values.image.credentials }}
- name: {{ template "cockroachdb.fullname" . }}.db.registry
{{- end }}
So … as written, this means I cannot use the secret I already have; its name will never match.
Worse … setting image.credentials means that the Helm chart now generates a Secret object. Many of us (myself included) are doing some form of IaC: we essentially commit Helm inputs (e.g., ArgoCD), and sometimes Helm outputs (e.g., Flux) to Git. This makes it really clear what's changing in k8s's state, and offers trivial rollbacks of bad deployments.
However, it means that there cannot be secrets in Helm values.yaml files, or in the output of the template. (It's fine if it's optional; as long as I have a means to not put it there.)
Describe the solution you'd like
We already have means to get secrets, such as the pull secret, securely to the cluster. (E.g., we use sealed-secrets.) I just need the chart to allow me to say "this secret, exactly" for the pull secret, and to not attempt to generate that secret.
Describe alternatives you've considered
N/A
Additional context
See also ArgoCD, Flux, sealed-secrets
Jira issue: CRDB-36651
Jira issue: HELM-45