
Cannot Configure imagePullSecrets for tekton-operator-proxy-webhook #2803

@jkhelil

Description


Expected Behavior

When using private container registries, users should be able to configure imagePullSecrets for the tekton-operator-proxy-webhook deployment through TektonConfig to allow pulling the webhook image from private registries.

Actual Behavior

There is no mechanism in TektonConfig to configure imagePullSecrets for the tekton-operator-proxy-webhook deployment. The deployment fails to pull images from private registries with ImagePullBackOff errors.

The following TektonConfig configuration does not work:

apiVersion: operator.tekton.dev/v1alpha1
kind: TektonConfig
metadata:
  name: config
spec:
  targetNamespace: tekton-pipelines
  profile: all
  pipeline:
    options:
      deployments:
        tekton-operator-proxy-webhook:  # This deployment name is not recognized
          spec:
            template:
              spec:
                imagePullSecrets:
                  - name: private-registry

Steps to Reproduce the Problem

  1. Set up a private container registry requiring authentication
  2. Push the tekton-operator-proxy-webhook image to the private registry
  3. Install Tekton Operator configured to use images from the private registry
  4. Create a TektonConfig with proxy webhook enabled (default behavior)
  5. Try to configure imagePullSecrets for tekton-operator-proxy-webhook in TektonConfig
  6. Observe that the configuration is ignored and the webhook deployment fails with ImagePullBackOff

Root Cause Analysis

The tekton-operator-proxy-webhook deployment is created by the proxy reconciler (pkg/reconciler/proxy/proxy.go) but:

  1. Not exposed in TektonConfig options: The deployment name tekton-operator-proxy-webhook is not available in the pipeline.options.deployments configuration
  2. No imagePullSecrets support: The proxy reconciler does not read or apply imagePullSecrets from TektonConfig
  3. Hardcoded deployment spec: The deployment is created with a fixed specification without considering private registry requirements

Impact

This issue affects users who:

  • Use private container registries
  • Need proxy functionality for Tekton workloads (corporate environments)
  • Cannot disable the proxy webhook as it's required for their environment

Proposed Solution

Option 1: Add to TektonConfig Options

Extend TektonConfig to support proxy webhook configuration:

spec:
  pipeline:
    options:
      deployments:
        tekton-operator-proxy-webhook:
          spec:
            template:
              spec:
                imagePullSecrets:
                  - name: private-registry

Option 2: Global imagePullSecrets Configuration

Add a global imagePullSecrets configuration that applies to all operator-managed deployments:

spec:
  options:
    imagePullSecrets:
      - name: private-registry

Option 3: Proxy-specific Configuration

Add proxy-specific configuration section:

spec:
  proxy:
    webhook:
      imagePullSecrets:
        - name: private-registry

Additional Info

  • Kubernetes version:

    Output of kubectl version:

    Client Version: v1.28.0
    Server Version: v1.28.0
    
  • Tekton Pipeline version:

    Output of tkn version or kubectl get pods -n tekton-pipelines -l app=tekton-pipelines-controller -o=jsonpath='{.items[0].metadata.labels.version}'

    v0.53.0
    
  • Tekton Operator version:

    v0.68.0
    

Workaround

Currently, the only workarounds are to:

  1. Modify the operator deployment directly (not recommended, gets overwritten)
  2. Use a service account with imagePullSecrets in the operator namespace
  3. Configure global registry authentication at the node level
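As an added example (not part of this issue and not Tekton Operator code), the script below implements the check in step 6 of the reproduction and workaround 2. Fed `kubectl get pods -o json` and `kubectl get sa -o json` from the target namespace, it lists pods stuck in ImagePullBackOff or ErrImagePull that carry the expected pull secret neither on the pod spec nor on their service account, and prints the kubectl commands that attach the secret to that service account and restart the owning Deployment. The embedded sample is constructed: the service account name tekton-operator-proxy-webhook, the pod names and the registry host are assumptions, not values taken from the operator. The script also assumes that a JSON merge patch replaces the whole imagePullSecrets list (so it re-emits the entries already present) and that service-account pull secrets are copied into a pod only when the pod is created, which is why it issues a rollout restart.

```python
"""Triage ImagePullBackOff in an operator-managed namespace and print the
service-account workaround. Added example for this issue, not Tekton Operator
code. Usage: python3 triage.py <secret> pods.json sa.json (kubectl ... -o json)."""
import json
import sys

PULL_FAILURE_REASONS = {"ImagePullBackOff", "ErrImagePull"}

def pull_failures(pod):
    """(container, reason, image) for each container stuck pulling its image."""
    found = []
    for st in pod.get("status", {}).get("containerStatuses", []):
        waiting = st.get("state", {}).get("waiting") or {}
        if waiting.get("reason") in PULL_FAILURE_REASONS:
            found.append((st.get("name"), waiting["reason"], st.get("image")))
    return found

def has_pull_secret(obj, secret_name):
    """True if a pod spec or a ServiceAccount already lists secret_name."""
    return any(s.get("name") == secret_name for s in obj.get("imagePullSecrets") or [])

def owning_deployment(pod):
    """Deployment name from the ReplicaSet owner (named <deployment>-<pod-template-hash>)."""
    for ref in pod.get("metadata", {}).get("ownerReferences", []):
        if ref.get("kind") == "ReplicaSet":
            rs = ref["name"]
            h = pod["metadata"].get("labels", {}).get("pod-template-hash")
            return rs[: -len(h) - 1] if h and rs.endswith("-" + h) else rs
    return None

def triage(pod_list, sa_list, secret_name):
    """One finding per pod that cannot pull, noting where the secret already is."""
    sas = {sa["metadata"]["name"]: sa for sa in sa_list.get("items", [])}
    findings = []
    for pod in pod_list.get("items", []):
        failures = pull_failures(pod)
        if not failures:
            continue
        spec = pod.get("spec", {})
        sa_name = spec.get("serviceAccountName", "default")
        findings.append({
            "namespace": pod["metadata"]["namespace"],
            "pod": pod["metadata"]["name"],
            "deployment": owning_deployment(pod),
            "serviceAccount": sa_name,
            "onPod": has_pull_secret(spec, secret_name),
            "onServiceAccount": has_pull_secret(sas.get(sa_name, {}), secret_name),
            "containers": failures,
        })
    return findings

def sa_patch(sa, secret_name):
    """Merge-patch body for the ServiceAccount. A JSON merge patch replaces the
    whole imagePullSecrets list, so existing entries are carried over."""
    existing = sa.get("imagePullSecrets") or []
    if has_pull_secret(sa, secret_name):
        return {"imagePullSecrets": existing}
    return {"imagePullSecrets": existing + [{"name": secret_name}]}

def remediation(findings, sa_list, secret_name):
    """kubectl commands for workaround 2: attach the secret to the ServiceAccount, then
    restart the owning Deployment (SA pull secrets reach a pod only at pod creation)."""
    sas = {sa["metadata"]["name"]: sa for sa in sa_list.get("items", [])}
    cmds = []
    for f in findings:
        if f["onPod"] or f["onServiceAccount"]:
            continue  # secret already in place; the pull failure has another cause
        patch = json.dumps(sa_patch(sas.get(f["serviceAccount"], {}), secret_name))
        cmds.append(f"kubectl -n {f['namespace']} patch serviceaccount "
                    f"{f['serviceAccount']} --type=merge -p '{patch}'")
        if f["deployment"]:
            cmds.append(f"kubectl -n {f['namespace']} rollout restart "
                        f"deployment/{f['deployment']}")
    return cmds

# Constructed sample; pod names, the service account name and the registry host are
# assumptions, not operator values. One pod is stuck pulling, the other is healthy.
SAMPLE_PODS = {"items": [{
    "metadata": {"name": "tekton-operator-proxy-webhook-6b7f9c5d8-x2k4q",
                 "namespace": "tekton-pipelines", "labels": {"pod-template-hash": "6b7f9c5d8"},
                 "ownerReferences": [{"kind": "ReplicaSet",
                                      "name": "tekton-operator-proxy-webhook-6b7f9c5d8"}]},
    "spec": {"serviceAccountName": "tekton-operator-proxy-webhook"},
    "status": {"containerStatuses": [
        {"name": "proxy-webhook", "image": "registry.example.internal/tekton/proxy-webhook:v0.68.0",
         "state": {"waiting": {"reason": "ImagePullBackOff"}}}]}},
    {"metadata": {"name": "tekton-pipelines-controller-5d4c7b9-abcde", "namespace": "tekton-pipelines"},
     "spec": {"serviceAccountName": "tekton-pipelines-controller"},
     "status": {"containerStatuses": [{"name": "controller", "state": {"running": {}}}]}},
]}
SAMPLE_SAS = {"items": [{"metadata": {"name": "tekton-operator-proxy-webhook",
                                      "namespace": "tekton-pipelines"},
                         "imagePullSecrets": [{"name": "other-registry"}]}]}

if __name__ == "__main__":
    secret, pods, sas = "private-registry", SAMPLE_PODS, SAMPLE_SAS
    if len(sys.argv) == 4:
        secret = sys.argv[1]
        pods, sas = (json.load(open(a)) for a in sys.argv[2:4])
    found = triage(pods, sas, secret)
    print(json.dumps(found, indent=2))
    print("\n".join(remediation(found, sas, secret)))
```

Whether the operator reconciles that service account back to its own spec is not established by this issue; re-run the script after the next reconcile to confirm the patch survived and the webhook pod is pulling.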

Files Involved

  • pkg/reconciler/proxy/proxy.go - Creates the proxy webhook deployment
  • pkg/reconciler/proxy/controller.go - Proxy reconciler controller
  • pkg/apis/operator/v1alpha1/*_types.go - TektonConfig API definitions

Severity

Medium - Blocks deployment in environments requiring private registries with proxy functionality.

Metadata

Assignees: no one assigned
Labels: kind/bug (Categorizes issue or PR as related to a bug.)
Milestone: no milestone