feat(gateway-helm-chart): add wso2.subscription.imagePullSecret

renuka-fernando · renuka-fernando · commit af767b3bb138 · 2026-05-25T19:41:30.000+05:30
Adds a one-knob shorthand for switching the gateway helm chart from the public GHCR images to the WSO2 private registry. Setting `wso2.subscription.imagePullSecret` to the name of a docker-registry Secret causes the chart to: 1. Inject that secret into every component's imagePullSecrets, additively with the existing global and per-component lists. 2. Rewrite each component's image.repository whose value still starts with `ghcr.io/wso2/api-platform/` to `registry.wso2.com/wso2-api-platform/`. Explicit overrides pass through untouched. Credentials are intentionally not accepted in values.yaml — users create the docker-registry Secret out-of-band, keeping subscription credentials out of Helm release state. Default behavior is unchanged when the field is empty. Fixes #2016
diff --git a/kubernetes/helm/gateway-helm-chart/templates/_helpers.tpl b/kubernetes/helm/gateway-helm-chart/templates/_helpers.tpl
@@ -60,3 +60,50 @@ app.kubernetes.io/component: {{ $component }}
 {{- default "default" .Values.serviceAccount.name -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Render a component image reference, applying the WSO2 subscription registry rewrite
+when wso2.subscription.imagePullSecret is set AND the repository still matches the
+default upstream prefix `ghcr.io/wso2/api-platform/`. Explicit overrides pass through.
+
+Args (dict): root, repository, tag
+*/}}
+{{- define "gateway-operator.componentImage" -}}
+{{- $root := .root -}}
+{{- $repo := .repository -}}
+{{- $tag := .tag -}}
+{{- $sub := $root.Values.wso2.subscription.imagePullSecret -}}
+{{- $defaultPrefix := "ghcr.io/wso2/api-platform/" -}}
+{{- $wso2Prefix := "registry.wso2.com/wso2-api-platform/" -}}
+{{- if and (ne $sub "") (hasPrefix $defaultPrefix $repo) -}}
+{{- printf "%s%s:%s" $wso2Prefix (trimPrefix $defaultPrefix $repo) $tag -}}
+{{- else -}}
+{{- printf "%s:%s" $repo $tag -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render an `imagePullSecrets:` YAML block (without indentation) by merging:
+  1. wso2.subscription.imagePullSecret (if set)
+  2. .Values.imagePullSecrets (global)
+  3. component-level imagePullSecrets (passed in)
+
+Returns an empty string when no secrets resolve, so callers can wrap in
+`{{- with (include ...) }} {{- . | nindent N }} {{- end }}`.
+
+Args (dict): root, componentPullSecrets
+*/}}
+{{- define "gateway-operator.componentImagePullSecretsBlock" -}}
+{{- $root := .root -}}
+{{- $componentPullSecrets := default (list) .componentPullSecrets -}}
+{{- $globalPullSecrets := default (list) $root.Values.imagePullSecrets -}}
+{{- $sub := $root.Values.wso2.subscription.imagePullSecret -}}
+{{- $subList := ternary (list $sub) (list) (ne $sub "") -}}
+{{- $all := concat $subList $globalPullSecrets $componentPullSecrets -}}
+{{- if $all -}}
+imagePullSecrets:
+{{- range $all }}
+  - name: {{ . }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/kubernetes/helm/gateway-helm-chart/templates/gateway/controller/deployment.yaml b/kubernetes/helm/gateway-helm-chart/templates/gateway/controller/deployment.yaml
@@ -42,14 +42,8 @@ spec:
         {{- end }}
     spec:
       serviceAccountName: {{ include "gateway-operator.serviceAccountName" . }}
-      {{- $globalPullSecrets := default (list) .Values.imagePullSecrets }}
-      {{- $componentPullSecrets := default (list) $controller.imagePullSecrets }}
-      {{- $pullSecrets := concat $globalPullSecrets $componentPullSecrets }}
-      {{- if $pullSecrets }}
-      imagePullSecrets:
-        {{- range $pullSecrets }}
-        - name: {{ . }}
-        {{- end }}
+      {{- with (include "gateway-operator.componentImagePullSecretsBlock" (dict "root" . "componentPullSecrets" $controller.imagePullSecrets)) }}
+      {{- . | nindent 6 }}
       {{- end }}
       {{- with $deployment.podSecurityContext }}
       securityContext:
@@ -72,7 +66,7 @@ spec:
       {{- end }}
       containers:
         - name: gateway-controller
-          image: "{{ $controller.image.repository }}:{{ $controller.image.tag }}"
+          image: {{ include "gateway-operator.componentImage" (dict "root" . "repository" $controller.image.repository "tag" $controller.image.tag) | quote }}
           imagePullPolicy: {{ $controller.image.pullPolicy }}
           {{- with $deployment.securityContext }}
           securityContext:
diff --git a/kubernetes/helm/gateway-helm-chart/templates/gateway/gateway-runtime/deployment.yaml b/kubernetes/helm/gateway-helm-chart/templates/gateway/gateway-runtime/deployment.yaml
@@ -39,14 +39,8 @@ spec:
         {{- end }}
     spec:
       serviceAccountName: {{ include "gateway-operator.serviceAccountName" . }}
-      {{- $globalPullSecrets := default (list) .Values.imagePullSecrets }}
-      {{- $componentPullSecrets := default (list) $unified.imagePullSecrets }}
-      {{- $pullSecrets := concat $globalPullSecrets $componentPullSecrets }}
-      {{- if $pullSecrets }}
-      imagePullSecrets:
-        {{- range $pullSecrets }}
-        - name: {{ . }}
-        {{- end }}
+      {{- with (include "gateway-operator.componentImagePullSecretsBlock" (dict "root" . "componentPullSecrets" $unified.imagePullSecrets)) }}
+      {{- . | nindent 6 }}
       {{- end }}
       {{- with $deployment.podSecurityContext }}
       securityContext:
@@ -69,7 +63,7 @@ spec:
       {{- end }}
       containers:
         - name: gateway-runtime
-          image: "{{ $unified.image.repository }}:{{ $unified.image.tag }}"
+          image: {{ include "gateway-operator.componentImage" (dict "root" . "repository" $unified.image.repository "tag" $unified.image.tag) | quote }}
           imagePullPolicy: {{ $unified.image.pullPolicy }}
           args: ["--pol.config", "/etc/policy-engine/config.toml"]
           {{- with $deployment.securityContext }}
diff --git a/kubernetes/helm/gateway-helm-chart/values.yaml b/kubernetes/helm/gateway-helm-chart/values.yaml
@@ -6,6 +6,24 @@ fullnameOverride: ""
 
 imagePullSecrets: []
 
+# WSO2 Subscription parameters (https://wso2.com/subscription/)
+wso2:
+  subscription:
+    # Name of a docker-registry Secret (in the release namespace) holding credentials
+    # for registry.wso2.com. Setting this enables WSO2 subscription mode:
+    #   1. The secret is added to every component's imagePullSecrets.
+    #   2. Default `ghcr.io/wso2/api-platform/*` image repositories are rewritten to
+    #      `registry.wso2.com/wso2-api-platform/*`, so the released WSO2 images at
+    #      https://docker.wso2.com/ are pulled instead.
+    # Explicit image.repository overrides are preserved as-is.
+    #
+    # Create the secret with:
+    #   kubectl create secret docker-registry wso2-subscription-creds \
+    #     --docker-server=registry.wso2.com \
+    #     --docker-username=<wso2-email> \
+    #     --docker-password=<wso2-password-or-token>
+    imagePullSecret: ""
+
 commonLabels: {}
 commonAnnotations: {}
 
