ROB-397 - global imagePullSecret for Helm chart #2103

Merged: Avi-Robusta merged 2 commits into master from avi/rob-397-optional-global-imagepullsecret-for-helm-chart on Jun 18, 2026

@Avi-Robusta Avi-Robusta commented Jun 18, 2026

Contributor

What

Adds an optional global.imagePullSecrets to the Robusta Helm chart so a single value applies the image pull secret to every component, instead of configuring several separate per-component keys.

Covers:

  • runner (deployment + ServiceAccount)
  • kubewatch / forwarder (deployment pod-level)
  • runtime pods the runner launches (KRR, Popeye) — automatically, via the runner ServiceAccount they default to (RUNNER_SERVICE_ACCOUNT), so no code changes needed

Semantics (backwards compatible)

  • New global.imagePullSecrets, default [].
  • Override: a per-component value (e.g. runner.imagePullSecrets) wins over the global for that component; components without one fall back to global.
  • Empty global → render is byte-for-byte unchanged.

Verification

helm template dry-renders confirm:

| Scenario | Result |
|---|---|
| default (nothing set) | no imagePullSecrets rendered anywhere |
| global only | same secret on runner deployment + runner SA + forwarder deployment |
| each component individually | each resource gets its own |
| global + local | local wins; components without a local fall back to global |

Follow-up (not in this PR)

The Holmes subchart change lives in the holmesgpt repo (deployment + SA templates + values.yaml) and requires repackaging the bundled holmes-*.tgz — separate PR.

Linear: ROB-397

🤖 Generated with Claude Code

Add global.imagePullSecrets that applies to the runner, kubewatch and the
runtime pods created by the runner (KRR, Popeye via the runner ServiceAccount).
A per-component imagePullSecrets overrides the global one; an empty global
leaves the rendered output unchanged (backwards compatible).

Also adds imagePullSecrets support to the forwarder ServiceAccount, which
previously had none, and documents the option in proxies.rst.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

coderabbitai Bot commented Jun 18, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5822fb1d-3ca8-4c87-8d21-acfe4c034f9f

📥 Commits

Reviewing files that changed from the base of the PR and between 0107096 and c7a37e8.

📒 Files selected for processing (5)
  • docs/setup-robusta/proxies.rst
  • helm/robusta/templates/forwarder.yaml
  • helm/robusta/templates/runner-service-account.yaml
  • helm/robusta/templates/runner.yaml
  • helm/robusta/values.yaml
✅ Files skipped from review due to trivial changes (1)
  • docs/setup-robusta/proxies.rst
🚧 Files skipped from review as they are similar to previous changes (4)
  • helm/robusta/templates/runner.yaml
  • helm/robusta/templates/forwarder.yaml
  • helm/robusta/values.yaml
  • helm/robusta/templates/runner-service-account.yaml

Walkthrough

Adds global.imagePullSecrets to helm/robusta/values.yaml with documentation describing how per-component values override or inherit the global setting. Updates runner, runner ServiceAccount, and forwarder templates to resolve imagePullSecrets with fallback to the global value when component-level settings are unset. Adds configuration documentation in proxies.rst covering usage, scope, and override behavior for private image registries.

Changes

global.imagePullSecrets fallback support

| Layer / File(s) | Summary |
|---|---|
| Values schema: global key and per-component inheritance documentation (helm/robusta/values.yaml) | Introduces global.imagePullSecrets: [] with documentation describing scope across runner, kubewatch, holmes, and runtime pods; adds override/inheritance documentation comments to kubewatch.imagePullSecrets, runnerServiceAccount.imagePullSecrets, and runner.imagePullSecrets, explaining how per-component settings override or inherit the global value when unset. |
| Template fallback logic across deployments (helm/robusta/templates/runner.yaml, helm/robusta/templates/runner-service-account.yaml, helm/robusta/templates/forwarder.yaml) | Updates all three templates to compute a local $pullSecrets variable using the per-component value or falling back to global.imagePullSecrets when unset; conditionally renders imagePullSecrets block only when the resolved list is non-empty. |
| Private registry auth documentation (docs/setup-robusta/proxies.rst) | Adds a note documenting global.imagePullSecrets scope (runner, kubewatch, runtime pods), the separate holmes.imagePullSecrets requirement for the HolmesGPT subchart, per-component override semantics, and an example Helm values snippet. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~13 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and concisely describes the main change: adding a global imagePullSecrets configuration to the Helm chart, which is the primary focus of the PR. |
| Description check | ✅ Passed | The description is comprehensive and directly related to the changeset, explaining the feature, its scope, backwards compatibility, and verification approach. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

github-actions Bot commented Jun 18, 2026

Docker image ready for 8384a46 (built in 31s)

⚠️ Warning: does not support ARM (ARM images are built on release only - not on every PR)

Use this tag to pull the image for testing.

📋 Copy commands

⚠️ Temporary images are deleted after 30 days. Copy to a permanent registry before using them:

gcloud auth configure-docker us-central1-docker.pkg.dev
docker pull us-central1-docker.pkg.dev/robusta-development/temporary-builds/robusta-runner:8384a46
docker tag us-central1-docker.pkg.dev/robusta-development/temporary-builds/robusta-runner:8384a46 me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:8384a46
docker push me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:8384a46

Patch Helm values in one line:

helm upgrade --install robusta robusta/robusta \
  --reuse-values \
  --set runner.image=me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:8384a46

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@helm/robusta/templates/runner.yaml`:
- Around line 37-40: The `default` function in Helm treats empty lists as falsy
values, causing explicit empty-list overrides (like `runner.imagePullSecrets:
[]`) to incorrectly fall back to the global default. Replace the chained
`default` approach with conditional logic that explicitly checks if the
runner-level value is nil or undefined before falling back to the global value.
Apply this fix to all 4 locations mentioned: runner.yaml at the imagePullSecrets
assignment, runner-service-account.yaml at the ServiceAccount imagePullSecrets,
forwarder.yaml at the Deployment imagePullSecrets, and
forwarder-service-account.yaml at the ServiceAccount imagePullSecrets. Use Go
template conditionals (such as checking `eq` against nil or using `if`
statements) to preserve intentional empty-list overrides while still providing
fallback to global defaults when the component-level value is not set.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c5a7f544-9c97-44c6-947d-6cfba5c2e9bd

📥 Commits

Reviewing files that changed from the base of the PR and between 2a181c2 and 0029760.

📒 Files selected for processing (6)
  • docs/setup-robusta/proxies.rst
  • helm/robusta/templates/forwarder-service-account.yaml
  • helm/robusta/templates/forwarder.yaml
  • helm/robusta/templates/runner-service-account.yaml
  • helm/robusta/templates/runner.yaml
  • helm/robusta/values.yaml

Comment thread helm/robusta/templates/runner.yaml Outdated
@Avi-Robusta Avi-Robusta force-pushed the avi/rob-397-optional-global-imagepullsecret-for-helm-chart branch 3 times, most recently from 9aa1b23 to e287327 Compare June 18, 2026 07:40
@Avi-Robusta

Contributor Author

Good catch — fixed. Switched from | default to an explicit nil-check so an explicit empty list is honored as "use none" rather than falling back to the global:

{{- $pullSecrets := .Values.runner.imagePullSecrets }}
{{- if kindIs "invalid" $pullSecrets }}{{ $pullSecrets = .Values.global.imagePullSecrets }}{{ end }}

The per-component defaults in values.yaml are now ~ (null) instead of [], so the semantics are:

  • null (default) → inherit global.imagePullSecrets
  • [] explicit → override with none (opt out)
  • non-empty list → use it

Applied to all three robusta locations (runner deployment, runner SA, forwarder deployment). Note forwarder-service-account.yaml no longer has an imagePullSecrets block — it was removed earlier since the kubewatch SA spawns no runtime pods, so that 4th location in the comment is moot. Same fix also applied to the Holmes subchart (separate repo/PR).

Verified via helm template: default renders nothing; global-only applies everywhere; explicit [] on the runner opts it out while the runner SA + forwarder still inherit the global.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@helm/robusta/values.yaml`:
- Around line 36-41: The comment describing the imagePullSecrets configuration
incorrectly states that the global value applies to Holmes, but the bundled
Holmes subchart does not currently support the global.imagePullSecrets
reference. Either remove Holmes from the list of components in the comment
(keeping only runner, kubewatch, and runtime pods), or add a clarification note
indicating that Holmes support requires a separate subchart update. Update lines
36-37 in the comment block above the imagePullSecrets field accordingly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 99fb7895-196c-465d-83c8-10c392c70ee9

📥 Commits

Reviewing files that changed from the base of the PR and between 9aa1b23 and e287327.

📒 Files selected for processing (5)
  • docs/setup-robusta/proxies.rst
  • helm/robusta/templates/forwarder.yaml
  • helm/robusta/templates/runner-service-account.yaml
  • helm/robusta/templates/runner.yaml
  • helm/robusta/values.yaml
✅ Files skipped from review due to trivial changes (1)
  • docs/setup-robusta/proxies.rst
🚧 Files skipped from review as they are similar to previous changes (3)
  • helm/robusta/templates/runner-service-account.yaml
  • helm/robusta/templates/forwarder.yaml
  • helm/robusta/templates/runner.yaml

Comment thread helm/robusta/values.yaml Outdated
@Avi-Robusta Avi-Robusta force-pushed the avi/rob-397-optional-global-imagepullsecret-for-helm-chart branch from e287327 to 0107096 Compare June 18, 2026 07:52
@Avi-Robusta

Contributor Author

Update: after discussion we went with the simpler, conventional behavior instead of the kindIs "invalid" approach from my previous comment.

{{- $pullSecrets := .Values.runner.imagePullSecrets | default .Values.global.imagePullSecrets }}

Semantics:

  • component sets its own imagePullSecrets → that value is used
  • component empty/unset ([], the default) → inherits global.imagePullSecrets

We intentionally dropped the "explicit [] opts a component out even when a global is set" case. Supporting it required a null-vs-empty-list distinction (~ defaults + kindIs) that was confusing, and the opt-out scenario isn't meaningful in practice (you wouldn't configure a global registry credential and then deliberately make one workload unable to pull). All component defaults stay [].

Verified via helm template: default → nothing rendered; global-only → applied to runner deploy + runner SA + forwarder deploy; per-component → overrides global for that component.
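
The two resolution strategies discussed in this thread, side by side, as an added example that is not part of the PR or the Robusta chart: it runs the two quoted template snippets through Go's text/template and shows which registry credentials the runner would receive for a null, an empty and a non-empty per-component value. The `default` and `kindIs` functions are small stand-ins assumed to match Sprig's handling of nil and empty lists; `Resolve`, `M`, the render line and the secret names are constructed for illustration.

```go
package main

import (
	"fmt"
	"reflect"
	"strings"
	"text/template"
)

type M = map[string]any

// Stand-ins for Sprig's `default` and `kindIs` (assumption: same semantics for nil and lists).
var funcs = template.FuncMap{
	"default": func(d, given any) any {
		v := reflect.ValueOf(given)
		if !v.IsValid() || (v.Kind() == reflect.Slice && v.Len() == 0) {
			return d // nil and [] both count as empty, so both fall back
		}
		return given
	},
	"kindIs": func(kind string, v any) bool {
		return reflect.ValueOf(v).Kind().String() == kind // nil has kind "invalid"
	},
}

// The two resolution snippets quoted in the thread, followed by a constructed render line.
const render = "\n{{- range $pullSecrets }}{{ .name }} {{ end }}"
const DefaultFallback = `{{- $pullSecrets := .Values.runner.imagePullSecrets | default .Values.global.imagePullSecrets }}` + render
const NilCheck = `{{- $pullSecrets := .Values.runner.imagePullSecrets }}
{{- if kindIs "invalid" $pullSecrets }}{{ $pullSecrets = .Values.global.imagePullSecrets }}{{ end }}` + render

// Resolve renders src and returns the secret names the runner pod would receive.
func Resolve(src string, runner, global any) string {
	values := M{"Values": M{"runner": M{"imagePullSecrets": runner}, "global": M{"imagePullSecrets": global}}}
	var b strings.Builder
	if err := template.Must(template.New("t").Funcs(funcs).Parse(src)).Execute(&b, values); err != nil {
		panic(err)
	}
	return strings.TrimSpace(b.String())
}

func main() {
	g := []any{M{"name": "global-cred"}} // constructed sample values
	for _, runner := range []any{nil, []any{}, []any{M{"name": "runner-cred"}}} {
		fmt.Printf("runner=%v default=%q nil-check=%q\n", runner, Resolve(DefaultFallback, runner, g), Resolve(NilCheck, runner, g))
	}
}
```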

Add global.imagePullSecrets that applies to the runner, kubewatch and the
runtime pods created by the runner (KRR, Popeye via the runner ServiceAccount).
A per-component imagePullSecrets overrides the global one; an empty global
leaves the rendered output unchanged (backwards compatible).

Documents the option in proxies.rst.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Avi-Robusta Avi-Robusta force-pushed the avi/rob-397-optional-global-imagepullsecret-for-helm-chart branch from 0107096 to c7a37e8 Compare June 18, 2026 07:58
@Avi-Robusta Avi-Robusta merged commit a48da06 into master Jun 18, 2026
7 checks passed
@Avi-Robusta Avi-Robusta deleted the avi/rob-397-optional-global-imagepullsecret-for-helm-chart branch June 18, 2026 08:36