From d1e536614f8f17c5cf1650235261dbab0ebe7cc0 Mon Sep 17 00:00:00 2001
From: Renku Bot <renku@datascience.ch>
Date: Wed, 15 Apr 2026 14:24:09 +0000
Subject: [PATCH 1/3] chore: create release 2.17.0


From 3f5b90a45c430e7fe5ca81f8567122948b057e95 Mon Sep 17 00:00:00 2001
From: Samuel Gaist <samuel.gaist@idiap.ch>
Date: Tue, 14 Apr 2026 13:21:28 +0200
Subject: [PATCH 2/3] feat: add configuration options for building image from
 private repositories

---
 helm-chart/renku/templates/data-service/deployment.yaml | 4 ++++
 helm-chart/renku/values.yaml                            | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/helm-chart/renku/templates/data-service/deployment.yaml b/helm-chart/renku/templates/data-service/deployment.yaml
index cb2d99dfb1..0efd1934a5 100644
--- a/helm-chart/renku/templates/data-service/deployment.yaml
+++ b/helm-chart/renku/templates/data-service/deployment.yaml
@@ -130,6 +130,8 @@ spec:
               value: {{ .Values.dataService.imageBuilders.enabled | quote }}
             - name: BUILD_OUTPUT_IMAGE_PREFIX
               value: {{ .Values.dataService.imageBuilders.outputImagePrefix | default "" | quote }}
+            - name: BUILD_OUTPUT_PRIVATE_IMAGE_PREFIX
+              value: {{ .Values.dataService.imageBuilders.outputPrivateImagePrefix | default "" | quote }}
             - name: BUILD_BUILDER_IMAGE
               value: {{ .Values.dataService.imageBuilders.builderImage | default "" | quote }}
             - name: BUILD_RUN_IMAGE
@@ -138,6 +140,8 @@ spec:
               value: {{ .Values.dataService.imageBuilders.strategyName | default "" | quote }}
             - name: BUILD_PUSH_SECRET_NAME
               value: {{ .Values.dataService.imageBuilders.pushSecretName | default "" | quote }}
+            - name: BUILD_PUSH_PRIVATE_SECRET_NAME
+              value: {{ .Values.dataService.imageBuilders.pushPrivateSecretName | default "" | quote }}
             - name: BUILD_RUN_RETENTION_AFTER_FAILED_SECONDS
               value: {{ .Values.dataService.imageBuilders.buildRunRetentionAfterFailedSeconds | default "" | quote }}
             - name: BUILD_RUN_RETENTION_AFTER_SUCCEEDED_SECONDS
diff --git a/helm-chart/renku/values.yaml b/helm-chart/renku/values.yaml
index e9f7a08ce5..1f638180af 100644
--- a/helm-chart/renku/values.yaml
+++ b/helm-chart/renku/values.yaml
@@ -1237,6 +1237,8 @@ dataService:
     enabled: false
     ## The container image prefix for images built from code
     outputImagePrefix: harbor.dev.renku.ch/renku-build/
+    ## The container image prefix for images built from private code
+    outputPrivateImagePrefix: harbor.dev.renku.ch/renku-private-build/
     ## The builder image (see https://buildpacks.io/docs/for-platform-operators/concepts/builder/)
     builderImage: "ghcr.io/swissdatasciencecenter/renku-frontend-buildpacks/selector:0.4.0"
     ## The run image (see https://buildpacks.io/docs/for-platform-operators/concepts/base-images/)
@@ -1263,6 +1265,8 @@ dataService:
       #       value: arm64
     ## The name of the secret used to push images built from code.
     pushSecretName: renku-build-docker-secret
+    ## The name of the secret used to push images built from private code.
+    pushPrivateSecretName: renku-build-private-docker-secret
     ## The TTL for BuildRuns
     buildRunRetentionAfterFailedSeconds: 86400
     buildRunRetentionAfterSucceededSeconds: 86400

From fa9146b45b7d7c5b7270ed85ba304800cdc6cd55 Mon Sep 17 00:00:00 2001
From: Samuel Gaist <samuel.gaist@idiap.ch>
Date: Tue, 21 Apr 2026 10:01:49 +0200
Subject: [PATCH 3/3] feat: add configuration for session private image pull
 secret

This supplements the building part allowing to use independent
secrets for pushing during build and pulling for session
creation.

This secret is not accessible by the user.
---
 helm-chart/renku/templates/data-service/deployment.yaml | 2 ++
 helm-chart/renku/values.yaml                            | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/helm-chart/renku/templates/data-service/deployment.yaml b/helm-chart/renku/templates/data-service/deployment.yaml
index 0efd1934a5..751d46c141 100644
--- a/helm-chart/renku/templates/data-service/deployment.yaml
+++ b/helm-chart/renku/templates/data-service/deployment.yaml
@@ -142,6 +142,8 @@ spec:
               value: {{ .Values.dataService.imageBuilders.pushSecretName | default "" | quote }}
             - name: BUILD_PUSH_PRIVATE_SECRET_NAME
               value: {{ .Values.dataService.imageBuilders.pushPrivateSecretName | default "" | quote }}
+            - name: BUILD_PULL_PRIVATE_SECRET_NAME
+              value: {{ .Values.dataService.imageBuilders.pullPrivateSecretName | default "" | quote }}
             - name: BUILD_RUN_RETENTION_AFTER_FAILED_SECONDS
               value: {{ .Values.dataService.imageBuilders.buildRunRetentionAfterFailedSeconds | default "" | quote }}
             - name: BUILD_RUN_RETENTION_AFTER_SUCCEEDED_SECONDS
diff --git a/helm-chart/renku/values.yaml b/helm-chart/renku/values.yaml
index 1f638180af..c603854ff9 100644
--- a/helm-chart/renku/values.yaml
+++ b/helm-chart/renku/values.yaml
@@ -1267,6 +1267,8 @@ dataService:
     pushSecretName: renku-build-docker-secret
     ## The name of the secret used to push images built from private code.
     pushPrivateSecretName: renku-build-private-docker-secret
+    ## The name of the secret used to pull images built from private code.
+    pullPrivateSecretName: renku-pull-private-docker-secret
     ## The TTL for BuildRuns
     buildRunRetentionAfterFailedSeconds: 86400
     buildRunRetentionAfterSucceededSeconds: 86400