Using pullImageSecret with the sidecar injector

Hello, I am wondering if there is a way to configure the sidecar injector such that it will take into account imagePullSecrets when pulling the istio/proxyv2:1.6.0 (and/or any other images used by the sidecar if any)?

Looking around I am able to find information about: SidecarInjectionSpec that might be related to this, but could not find really clear documentation about how to populate the ImagePullSecrets field in this struct.

The following is an issue that talks about this: https://github.com/istio/istio/issues/4870 but it is closed leading me to believe that the issue is solved and there is a way to do this.

The documentation on istio.io is quite vague here: https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/ around these lines:

The template is applied to the following data structure at runtime.

    type SidecarTemplateData struct {
        DeploymentMeta *metav1.ObjectMeta
        ObjectMeta     *metav1.ObjectMeta
        Spec           *corev1.PodSpec
        ProxyConfig    *meshconfig.ProxyConfig // Defined by https://istio.io/docs/reference/config/service-mesh.html#proxyconfig
        MeshConfig     *meshconfig.MeshConfig  // Defined by https://istio.io/docs/reference/config/service-mesh.html#meshconfig
    }

ObjectMeta and Spec are from the pod. ProxyConfig and MeshConfig are from the istio ConfigMap in the istio-system namespace. Templates can conditionally define injected containers and volumes with this data.

Anything I can use during install (using istioctl) to configure the injector to include (my/some known) image pull secrets?

Many thanks!

Was able to sort this out using this:

  • Upgrade to 1.6.8 (after noticing that there was an additional bug/fix for this that got in later this Jun - https://github.com/istio/istio/pull/24365). Initially had version 1.6 in which this did not seem to work
  • Adding the imagePullSecrets to my global values section in the install manifest to istioctl like so:

    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    spec:
      values:
        global:
          imagePullSecrets:
          - istio-regcred

  • And finally creating the istio-regcred secret in the namespace in which my pods were injected
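A check for the last step above, added here as an example (it is not part of the original posts or of Istio's code): image pull secrets are resolved in the pod's own namespace, so this verifies that every secret an injected pod references exists there and is a registry credential. The function name `check_pull_secrets`, the pod `web-0` and the namespace `shop` are assumptions made for the illustration; the inputs have the shape of `kubectl get ... -o json` output.

```python
# Secret types the kubelet accepts as registry credentials.
PULL_SECRET_TYPES = {"kubernetes.io/dockerconfigjson", "kubernetes.io/dockercfg"}


def check_pull_secrets(pod, secret_list):
    """Return a list of problems with the pull secrets an injected pod references.

    pod:         a Pod object as a dict (e.g. from `kubectl get pod -o json`)
    secret_list: a Secret list as a dict (e.g. from `kubectl get secrets -A -o json`)
    """
    namespace = pod["metadata"].get("namespace", "default")
    spec = pod["spec"]
    # Index every known secret by (namespace, name) -> type.
    known = {(s["metadata"]["namespace"], s["metadata"]["name"]): s.get("type", "Opaque")
             for s in secret_list.get("items", [])}
    refs = [r["name"] for r in spec.get("imagePullSecrets", [])]
    problems = []
    # "istio-proxy" is the name of the container the sidecar injector adds.
    injected = any(c["name"] == "istio-proxy" for c in spec.get("containers", []))
    if injected and not refs:
        problems.append("sidecar injected but pod has no imagePullSecrets")
    for name in refs:
        secret_type = known.get((namespace, name))
        if secret_type is None:
            # Secrets are namespaced: a copy in another namespace does not help.
            elsewhere = sorted(ns for ns, n in known if n == name)
            hint = f" (found only in: {', '.join(elsewhere)})" if elsewhere else ""
            problems.append(f"secret {name!r} missing in namespace {namespace!r}{hint}")
        elif secret_type not in PULL_SECRET_TYPES:
            problems.append(f"secret {name!r} has type {secret_type!r}, not a registry credential")
    return problems


# Constructed sample input: the secret exists only in istio-system,
# but the injected pod runs in the (hypothetical) "shop" namespace.
SAMPLE_POD = {
    "metadata": {"name": "web-0", "namespace": "shop"},
    "spec": {"imagePullSecrets": [{"name": "istio-regcred"}],
             "containers": [{"name": "web"}, {"name": "istio-proxy"}]},
}
SAMPLE_SECRETS = {"items": [
    {"metadata": {"namespace": "istio-system", "name": "istio-regcred"},
     "type": "kubernetes.io/dockerconfigjson"},
]}

if __name__ == "__main__":
    for problem in check_pull_secrets(SAMPLE_POD, SAMPLE_SECRETS):
        print(problem)
```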