From 880a39288737e814f3fbf3a4bda9b68ca8008ee3 Mon Sep 17 00:00:00 2001
From: Dario Tranchitella
Date: Mon, 14 Apr 2025 10:24:15 +0200
Subject: [PATCH] fix(helm): pull secrets to sa instead of deployment (#785)

This change is required for the enterprise offering where the Kamaji stable image is hosted in a container registry with authentication and can't be pulled with no credentials: when a migrate job is spun up it resuses the same Kamaji controller ServiceAccount which will offer its image pull credentials.

Signed-off-by: Dario Tranchitella
---
 charts/kamaji/templates/controller.yaml | 4 ----
 charts/kamaji/templates/rbac.yaml | 4 ++++
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/charts/kamaji/templates/controller.yaml b/charts/kamaji/templates/controller.yaml
index 38d635d..6317838 100644
--- a/charts/kamaji/templates/controller.yaml
+++ b/charts/kamaji/templates/controller.yaml
@@ -19,10 +19,6 @@ spec:
 labels:
 {{- include "kamaji.selectorLabels" . | nindent 8 }}
 spec:
- {{- with .Values.imagePullSecrets }}
- imagePullSecrets:
- {{- toYaml . | nindent 8 }}
- {{- end }}
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
 serviceAccountName: {{ include "kamaji.serviceAccountName" . }}
diff --git a/charts/kamaji/templates/rbac.yaml b/charts/kamaji/templates/rbac.yaml
index aa4301d..43a1866 100644
--- a/charts/kamaji/templates/rbac.yaml
+++ b/charts/kamaji/templates/rbac.yaml
@@ -9,6 +9,10 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 namespace: {{ .Release.Namespace }}
+{{- with .Values.imagePullSecrets }}
+imagePullSecrets:
+ {{- toYaml . | nindent 2 }}
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
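Review bot: With the pod-level block removed from controller.yaml, `.Values.imagePullSecrets` now reaches the controller only through the ServiceAccount rendered in this rbac.yaml hunk, so a release that points `kamaji.serviceAccountName` at a ServiceAccount the chart does not render would lose its pull credentials without any error; whether this object is guarded by a create flag is not visible in the hunk. Kubernetes also copies a ServiceAccount's `imagePullSecrets` only into pods whose spec sets none, so a migrate job that ever declares its own list will not inherit these. Consider keeping the `{{- with .Values.imagePullSecrets }}` block in the Deployment as a fallback for the externally managed case, and add a template comment above the new lines such as `{{- /* applied to every pod using this ServiceAccount, including migrate jobs */}}`. Every workload in the release namespace that runs under this ServiceAccount will now pull with these registry credentials, which is worth stating in the values documentation.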