luneski/onelab-k8s-1.27
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(statefulset): roll pods when docker registry auth changes; doc stale pull secret recovery

Browse Source 
Made-with: Cursor
This commit is contained in:
timotheereausanofi
2026-03-20 10:25:47 +01:00
parent e2d50d8d16
commit e0e294a944
3 changed files with 22 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
gitops/charts/onelab/templates/statefulset-postgres.yaml
View File

@@ -20,6 +20,12 @@ spec:
app.kubernetes.io/component: postgres
app.kubernetes.io/name: {{ include "onelab.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
annotations:
{{- if .Values.registry.createPullSecret }}
checksum/docker-registry: {{ include "onelab.dockerconfigjson" . | sha256sum | quote }}
{{- else if not (empty .Values.imagePullSecrets) }}
checksum/image-pull-secrets: {{ .Values.imagePullSecrets | toJson | sha256sum | quote }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:

6
gitops/charts/onelab/templates/statefulset-rabbitmq.yaml
View File

@@ -20,6 +20,12 @@ spec:
app.kubernetes.io/component: rabbitmq
app.kubernetes.io/name: {{ include "onelab.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
annotations:
{{- if .Values.registry.createPullSecret }}
checksum/docker-registry: {{ include "onelab.dockerconfigjson" . | sha256sum | quote }}
{{- else if not (empty .Values.imagePullSecrets) }}
checksum/image-pull-secrets: {{ .Values.imagePullSecrets | toJson | sha256sum | quote }}
{{- end }}
spec:
hostname: onelab
{{- with .Values.imagePullSecrets }}

10
gitops/docs/BOOTSTRAP.md
View File

@@ -15,6 +15,16 @@ kubectl create secret docker-registry hub-andrewalliance -n onelab \
…and set `registry.createPullSecret: false` plus `imagePullSecrets: [{ name: hub-andrewalliance }]`.
### StatefulSet pods still get `401 Unauthorized` / `ImagePullBackOff` after enabling registry auth
If `db-0` / `rabbitmq-0` were created **before** `imagePullSecrets` existed, their **Pod** spec can still use anonymous pulls until they are recreated:
```bash
kubectl delete pod -n onelab db-0 rabbitmq-0
```
The chart adds a pod-template checksum so a `helm upgrade` after changing registry credentials normally rolls these pods; a one-time delete is enough if you toggled pull secrets outside that path.
## 2. Argo CD + private Git (`git.luneski.fr`)
If the Application shows `authentication required: Unauthorized`, register the repo in Argo CD (CLI or UI):