
EV-6336: feat(istio): waypoint pull secret support for private registries #4483

Open
electricjesus wants to merge 2 commits into master from worktree-graceful-wobbling-squirrel

Conversation

@electricjesus (Member) commented Feb 27, 2026

Description

Jira: EV-6336

When users create an Istio waypoint Gateway (gatewayClassName: istio-waypoint) in their namespace, istiod automatically creates a waypoint Deployment there. On clusters with private registries (like AKS with gcr.io/unique-caldron-775), the waypoint pod fails with ImagePullBackOff because the pull secret only exists in the operator namespace and istiod doesn't inject imagePullSecrets into waypoint pod specs.

This PR fixes the issue with two changes:

Part 1: Pass imagePullSecrets to istiod via Helm values

  • Adds ImagePullSecrets field to GlobalConfig in the Istio render package
  • Populates global.imagePullSecrets in istiod Helm values from Installation pull secrets
  • This makes istiod inject imagePullSecrets references into waypoint pod specs it creates

Part 2: New waypoint sub-controller

  • Watches for istio-waypoint Gateway resources across all namespaces
  • Copies pull Secret objects from the operator namespace to waypoint namespaces so the references resolve
  • Tracks copied secrets with operator.tigera.io/istio-waypoint-pull-secret label for cleanup
  • Cleans up stale secrets when gateways are removed or Istio CR is deleted

Both parts are no-ops when no pull secrets are configured (omitempty / early return).

Testing:

  • Unit tests for Helm values serialization (render package)
  • 8 controller tests covering: no secrets, single/multiple gateways, same/different namespaces, gateway deletion cleanup, non-matching gatewayClassName, Istio CR deletion, and missing Installation
  • All existing istio controller and render tests continue to pass

Components affected: pkg/render/istio, pkg/controller/istio, internal/controller

Release Note

Istio waypoint Gateways now work on clusters with private registries. The operator passes imagePullSecrets to istiod via Helm values and copies pull secrets to namespaces containing waypoint Gateways.

For PR author

  • Tests for change.
  • If changing pkg/apis/, run make gen-files
  • If changing versions, run make gen-versions

Add ImagePullSecrets field to GlobalConfig and populate it from
Installation pull secrets when rendering istiod Helm values. This
makes istiod inject imagePullSecrets references into waypoint pod
specs it creates, enabling image pulls from private registries.

Add a new controller that watches for istio-waypoint Gateway resources
and copies pull secrets from the operator namespace to waypoint
namespaces. This ensures waypoint pods can pull images from private
registries. Secrets are tracked with a label for cleanup when gateways
are removed or the Istio CR is deleted.
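The two mechanisms described above (Part 1, the Helm values handed to istiod, and Part 2, the copy-and-track reconcile of the waypoint sub-controller), as an added Go example. This is not the operator's code: Gateway and Secret are plain structs standing in for the client-go and Gateway API types, and the names GlobalConfig, RenderIstiodGlobalValues, ReconcileWaypointPullSecrets, the istioCRPresent flag and the "true" label value are assumptions made here. Only the gatewayClassName, the tracking label and the Secret type come from the PR text.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constants from the PR description; the "true" label value is an assumption.
const (
	waypointGatewayClass = "istio-waypoint"
	trackingLabel        = "operator.tigera.io/istio-waypoint-pull-secret"
	dockerConfigJSONType = "kubernetes.io/dockerconfigjson"
)

// Gateway and Secret are constructed stand-ins for the Kubernetes objects;
// the real controller works on client-go and Gateway API types.
type Gateway struct{ Namespace, Name, GatewayClassName string }
type Secret struct {
	Namespace, Name, Type string
	Labels                map[string]string
	Data                  map[string][]byte
}

// GlobalConfig models the Helm "global" block handed to istiod (Part 1).
// omitempty drops the key entirely when no pull secrets are configured.
type GlobalConfig struct {
	ImagePullSecrets []string `json:"imagePullSecrets,omitempty"`
}

// RenderIstiodGlobalValues serialises global.imagePullSecrets for istiod.
func RenderIstiodGlobalValues(pullSecretNames []string) (string, error) {
	b, err := json.Marshal(map[string]GlobalConfig{"global": {ImagePullSecrets: pullSecretNames}})
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// ReconcileResult is the plan the controller would apply against the API server.
type ReconcileResult struct {
	Upsert  []Secret // labelled copies to create or refresh
	Delete  []Secret // stale labelled copies to remove
	Skipped []string // namespace/name of unlabelled Secrets left untouched
}

func key(ns, name string) string { return ns + "/" + name }

// ReconcileWaypointPullSecrets computes Part 2: each namespace holding an
// istio-waypoint Gateway gets a labelled copy of every operator pull secret.
// Labelled copies are deleted when their namespace no longer has a waypoint
// Gateway, their source secret is gone, or the Istio CR has been deleted.
// Secrets without the tracking label are never deleted or overwritten.
func ReconcileWaypointPullSecrets(operatorNS string, pullSecrets []Secret, gateways []Gateway, existing []Secret, istioCRPresent bool) ReconcileResult {
	var res ReconcileResult
	want := map[string]bool{}
	if istioCRPresent {
		for _, gw := range gateways {
			if gw.GatewayClassName == waypointGatewayClass && gw.Namespace != operatorNS {
				want[gw.Namespace] = true
			}
		}
	}
	sources := map[string]bool{}
	for _, s := range pullSecrets {
		sources[s.Name] = true
	}
	current := map[string]Secret{}
	for _, s := range existing {
		current[key(s.Namespace, s.Name)] = s
	}
	namespaces := make([]string, 0, len(want))
	for ns := range want {
		namespaces = append(namespaces, ns)
	}
	sort.Strings(namespaces) // deterministic plan order
	for _, ns := range namespaces {
		for _, src := range pullSecrets {
			if cur, ok := current[key(ns, src.Name)]; ok && cur.Labels[trackingLabel] == "" {
				res.Skipped = append(res.Skipped, key(ns, src.Name)) // someone else's Secret
				continue
			}
			res.Upsert = append(res.Upsert, copySecret(src, ns))
		}
	}
	for _, s := range existing {
		if s.Labels[trackingLabel] != "" && (!want[s.Namespace] || !sources[s.Name]) {
			res.Delete = append(res.Delete, s)
		}
	}
	return res
}

// copySecret clones the payload into ns and tags the copy for later cleanup.
func copySecret(src Secret, ns string) Secret {
	data := make(map[string][]byte, len(src.Data))
	for k, v := range src.Data {
		data[k] = append([]byte(nil), v...)
	}
	return Secret{Namespace: ns, Name: src.Name, Type: src.Type,
		Labels: map[string]string{trackingLabel: "true"}, Data: data}
}

func main() {
	// Constructed sample input: one pull secret, one waypoint Gateway, one stale copy in team-c.
	pull := []Secret{{Namespace: "tigera-operator", Name: "tigera-pull-secret", Type: dockerConfigJSONType,
		Data: map[string][]byte{".dockerconfigjson": []byte(`{"auths":{"gcr.io":{"auth":"<redacted>"}}}`)}}}
	gws := []Gateway{{Namespace: "team-a", Name: "waypoint", GatewayClassName: waypointGatewayClass}}
	stale := []Secret{{Namespace: "team-c", Name: "tigera-pull-secret", Labels: map[string]string{trackingLabel: "true"}}}
	res := ReconcileWaypointPullSecrets("tigera-operator", pull, gws, stale, true)
	fmt.Printf("copy %d, delete %d, skipped %d\n", len(res.Upsert), len(res.Delete), len(res.Skipped))
}
```

Two points the example makes explicit that the description leaves implicit. First, cleanup keys on the tracking label alone, so a Secret a user already owns under the same name in a waypoint namespace is reported under Skipped rather than overwritten or deleted. Second, each copy places the registry credential in a namespace whose owners can read it, which is inherent to the design, so the Installation pull secret should be a pull-only credential scoped to the images the operator deploys.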
@electricjesus electricjesus requested a review from a team as a code owner February 27, 2026 11:17
@marvin-tigera marvin-tigera added this to the v1.42.0 milestone Feb 27, 2026
@electricjesus electricjesus changed the title feat(istio): waypoint pull secret support for private registries EV-6336: feat(istio): waypoint pull secret support for private registries Feb 27, 2026
