Skip to content

[DND-487] feat: support global.imagePullSecrets across Opik chart#6968

Open
jms200 wants to merge 3 commits into
mainfrom
jms200/DND-487/global-image-pull-secrets
Open

[DND-487] feat: support global.imagePullSecrets across Opik chart#6968
jms200 wants to merge 3 commits into
mainfrom
jms200/DND-487/global-image-pull-secrets

Conversation

@jms200

@jms200 jms200 commented Jun 4, 2026
edited by Copilot AI
Loading

Copy link
Copy Markdown
Contributor

Details

Adds an opik.imagePullSecrets helper that resolves the imagePullSecrets list with parent-chart precedence:

  1. .Values.global.imagePullSecrets — propagated from the parent comet-ml-helm-chart global: block. When set, used exclusively.
  2. chart-local field — .Values.imagePullSecrets for app pods, .Values.clickhouse.imagePullSecrets for ClickHouse pods. Used when (1) is unset.

Pairs with comet-ml-helm-chart #466.

Wired into:

  • templates/deployment.yaml (all Opik app pods, served by the component range loop)
  • templates/clickhouseinstallation.yaml (CHI pod template — already at spec.templates.podTemplates[].spec)
  • templates/clickhouse-backup-cronjob.yaml (CH backup CronJob)

Drive-by fix: templates/clickhouse-backup-cronjob.yaml had imagePullSecrets: nested inside containers[0]: (indented at column 12), which is not a valid PodSpec location — the Kubernetes API server silently dropped it. The helper now places it at the PodSpec level (column 10), which is correct. Anyone relying on clickhouse.imagePullSecrets for the backup job today was silently broken; this fixes that.

For default customers (no global.imagePullSecrets set), render output is identical to main except for the CronJob fix above.

Change checklist

  • Adds support for .Values.global.imagePullSecrets with strict precedence over chart-local fields
  • Helper opik.imagePullSecrets added to templates/_helpers.tpl
  • All three pull-secret call sites wired through the helper
  • Drive-by: moves the CH backup CronJob imagePullSecrets from container-level (silently dropped) to PodSpec-level
  • values.yaml documents the new global.imagePullSecrets field
  • README.md regenerated via helm-docs
  • Merge conflicts with main resolved

Issues

AI-WATERMARK

AI-WATERMARK: yes

  • If yes:
    • Tools: GitHub Copilot Coding Agent
    • Model(s): claude-sonnet-4.6
    • Scope: Merge conflict resolution in deployment/helm_chart/opik/README.md
    • Human verification: Required

Testing

Render-tested locally with helm template across three value scenarios:

Scenario App pods CH pods (CHI) CH backup CronJob
None set (empty) (empty) (empty)
Local set (imagePullSecrets + clickhouse.imagePullSecrets) opik-app-secret opik-ch-secret opik-ch-secret (now at PodSpec level)
global.imagePullSecrets set customer-global (wins) customer-global (wins) customer-global (wins)

helm lint passes locally. CI lint-helm-chart passes on this PR.

Documentation

  • values.yaml: global.imagePullSecrets annotated with helm-docs # -- syntax so it renders in the chart README table
  • README.md: regenerated via helm-docs to surface the new field; merge conflict with main resolved by taking main's updated version badge and preserving the global.imagePullSecrets values table entry

@jms200
[DND-487] feat: support global.imagePullSecrets across Opik chart
7b5cc18 
Adds an `opik.imagePullSecrets` helper that resolves the imagePullSecrets
list with parent-chart precedence:

  1. .Values.global.imagePullSecrets  (propagated from comet-ml-helm-chart;
                                       when set, used exclusively)
  2. local chart field                (.Values.imagePullSecrets for app pods,
                                       .Values.clickhouse.imagePullSecrets for CH)

Pairs with comet-ml-helm-chart PR #466.

Wired into:
- templates/deployment.yaml          (all Opik app pods, served by the
                                      component range loop)
- templates/clickhouseinstallation.yaml (CHI pod template — already at
                                         spec.templates.podTemplates[].spec)
- templates/clickhouse-backup-cronjob.yaml (CH backup CronJob)

Drive-by fix: clickhouse-backup-cronjob had `imagePullSecrets:` nested
inside `containers[0]:` (column 12), which is not a valid PodSpec
location — Kubernetes silently dropped it. The helper places it at
PodSpec level (column 10) which is correct.
@jms200 jms200 requested review from a team as code owners June 4, 2026 12:50
baz-reviewer[bot]
baz-reviewer Bot reviewed Jun 4, 2026
View reviewed changes
Comment thread deployment/helm_chart/opik/templates/_helpers.tpl
@jms200
[DND-487] chore: regenerate helm-docs for global.imagePullSecrets field
cce75c2 
Re-runs helm-docs after the values.yaml update so the rendered
README table picks up the new global.imagePullSecrets field
description. Also sweeps prior README drift (version badge bump
from 2.0.48 to current 2.0.56 from upstream Chart.yaml bumps).
@github-actions github-actions Bot added the documentation Improvements or additions to documentation label Jun 4, 2026
@jms200 jms200 requested a review from liyaka June 4, 2026 14:19
@jms200

jms200 commented Jun 4, 2026
edited by atlassian Bot
Loading

Copy link
Copy Markdown
Contributor Author

Part of a 3-PR set for DND-487 — must merge in this order:

  1. opik #6968 (chart release publishes new opik subchart version)
  2. code-panels #222 (chart release publishes new comet-python-panels-orchestrator version)
  3. comet-ml-helm-chart #466 — last, after Chart.yaml dependencies: versions auto-bump to the new sub-chart releases (release automation handles the bump)

andrescrz
andrescrz previously approved these changes Jun 10, 2026
View reviewed changes
@andrescrz

andrescrz commented Jun 10, 2026

Copy link
Copy Markdown
Member

@copilot resolve the merge conflicts in this pull request

Merge remote-tracking branch 'origin/main' into jms200/DND-487/global…
ef5cbb7 
…-image-pull-secrets

# Conflicts:
#	deployment/helm_chart/opik/README.md

Copilot AI commented Jun 10, 2026

Copy link
Copy Markdown

@copilot resolve the merge conflicts in this pull request

Done — resolved the single conflict in deployment/helm_chart/opik/README.md (version badge 2.0.56 vs 2.0.57 from main). Took main's badge and Helm version note, keeping the global.imagePullSecrets row from this branch. Merge commit: ef5cbb7.

Copilot AI requested a review from andrescrz June 10, 2026 08:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andrescrz andrescrz andrescrz approved these changes

@liyaka liyaka Awaiting requested review from liyaka

+1 more reviewer

@baz-reviewer baz-reviewer[bot] baz-reviewer[bot] approved these changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

@jms200 jms200

Labels

documentation Improvements or additions to documentation Infrastructure

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jms200 @andrescrz