From af767b3bb1389bd5f503b26208a47daa14425f52 Mon Sep 17 00:00:00 2001 From: Renuka Fernando Date: Mon, 25 May 2026 19:41:30 +0530 Subject: [PATCH 1/2] feat(gateway-helm-chart): add wso2.subscription.imagePullSecret MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds a one-knob shorthand for switching the gateway helm chart from the public GHCR images to the WSO2 private registry. Setting `wso2.subscription.imagePullSecret` to the name of a docker-registry Secret causes the chart to: 1. Inject that secret into every component's imagePullSecrets, additively with the existing global and per-component lists. 2. Rewrite each component's image.repository whose value still starts with `ghcr.io/wso2/api-platform/` to `registry.wso2.com/wso2-api-platform/`. Explicit overrides pass through untouched. Credentials are intentionally not accepted in values.yaml — users create the docker-registry Secret out-of-band, keeping subscription credentials out of Helm release state. Default behavior is unchanged when the field is empty. Fixes wso2/api-platform#2016 --- .../gateway-helm-chart/templates/_helpers.tpl | 47 +++++++++++++++++++ .../gateway/controller/deployment.yaml | 12 ++--- .../gateway/gateway-runtime/deployment.yaml | 12 ++--- .../helm/gateway-helm-chart/values.yaml | 18 +++++++ 4 files changed, 71 insertions(+), 18 deletions(-)
diff --git a/kubernetes/helm/gateway-helm-chart/templates/_helpers.tpl b/kubernetes/helm/gateway-helm-chart/templates/_helpers.tpl
index 8d8a9950e..e24128093 100644
--- a/kubernetes/helm/gateway-helm-chart/templates/_helpers.tpl
+++ b/kubernetes/helm/gateway-helm-chart/templates/_helpers.tpl
@@ -60,3 +60,50 @@ app.kubernetes.io/component: {{ $component }}
 {{- default "default" .Values.serviceAccount.name -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Render a component image reference, applying the WSO2 subscription registry rewrite
+when wso2.subscription.imagePullSecret is set AND the repository still matches the
+default upstream prefix `ghcr.io/wso2/api-platform/`. Explicit overrides pass through.
+
+Args (dict): root, repository, tag
+*/}}
+{{- define "gateway-operator.componentImage" -}}
+{{- $root := .root -}}
+{{- $repo := .repository -}}
+{{- $tag := .tag -}}
+{{- $sub := $root.Values.wso2.subscription.imagePullSecret -}}
+{{- $defaultPrefix := "ghcr.io/wso2/api-platform/" -}}
+{{- $wso2Prefix := "registry.wso2.com/wso2-api-platform/" -}}
+{{- if and (ne $sub "") (hasPrefix $defaultPrefix $repo) -}}
+{{- printf "%s%s:%s" $wso2Prefix (trimPrefix $defaultPrefix $repo) $tag -}}
+{{- else -}}
+{{- printf "%s:%s" $repo $tag -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render an `imagePullSecrets:` YAML block (without indentation) by merging:
+ 1. wso2.subscription.imagePullSecret (if set)
+ 2. .Values.imagePullSecrets (global)
+ 3. component-level imagePullSecrets (passed in)
+
+Returns an empty string when no secrets resolve, so callers can wrap in
+`{{- with (include ...) }} {{- . | nindent N }} {{- end }}`.
+
+Args (dict): root, componentPullSecrets
+*/}}
+{{- define "gateway-operator.componentImagePullSecretsBlock" -}}
+{{- $root := .root -}}
+{{- $componentPullSecrets := default (list) .componentPullSecrets -}}
+{{- $globalPullSecrets := default (list) $root.Values.imagePullSecrets -}}
+{{- $sub := $root.Values.wso2.subscription.imagePullSecret -}}
+{{- $subList := ternary (list $sub) (list) (ne $sub "") -}}
+{{- $all := concat $subList $globalPullSecrets $componentPullSecrets -}}
+{{- if $all -}}
+imagePullSecrets:
+{{- range $all }}
+ - name: {{ . }}
+{{- end }}
+{{- end -}}
+{{- end -}}
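Review bot: `- name: {{ . }}` in `componentImagePullSecretsBlock` emits the Secret name as a plain scalar, so a name that is a valid DNS-subdomain but also a YAML 1.1 keyword or number (`no`, `on`, `true`, `null`, `123`) renders as a bool/int/null and fails the `name` string schema at install time; change it to `- name: {{ . | quote }}`. The subscription secret name flows through the same `range`, so that one fix covers all three sources. Separately, `ne $sub ""` does not treat `imagePullSecret: null` as unset — depending on the Go version Helm was built with, the comparison either errors out or evaluates true and emits a `<no value>` entry — so both helpers should resolve it as `{{- $sub := default "" $root.Values.wso2.subscription.imagePullSecret -}}` (or `dig "wso2" "subscription" "imagePullSecret" "" $root.Values` if a `wso2: null` override must also survive). A secret listed in more than one of the three sources is emitted twice; `concat $subList $globalPullSecrets $componentPullSecrets | uniq` keeps first-occurrence order and drops the duplicate.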
diff --git a/kubernetes/helm/gateway-helm-chart/templates/gateway/controller/deployment.yaml b/kubernetes/helm/gateway-helm-chart/templates/gateway/controller/deployment.yaml
index c107095e9..4e7a130f3 100644
--- a/kubernetes/helm/gateway-helm-chart/templates/gateway/controller/deployment.yaml
+++ b/kubernetes/helm/gateway-helm-chart/templates/gateway/controller/deployment.yaml
@@ -42,14 +42,8 @@ spec:
 {{- end }}
 spec:
 serviceAccountName: {{ include "gateway-operator.serviceAccountName" . }}
- {{- $globalPullSecrets := default (list) .Values.imagePullSecrets }}
- {{- $componentPullSecrets := default (list) $controller.imagePullSecrets }}
- {{- $pullSecrets := concat $globalPullSecrets $componentPullSecrets }}
- {{- if $pullSecrets }}
- imagePullSecrets:
- {{- range $pullSecrets }}
- - name: {{ . }}
- {{- end }}
+ {{- with (include "gateway-operator.componentImagePullSecretsBlock" (dict "root" . "componentPullSecrets" $controller.imagePullSecrets)) }}
+ {{- . | nindent 6 }}
 {{- end }}
 {{- with $deployment.podSecurityContext }}
 securityContext:
@@ -72,7 +66,7 @@ spec:
 {{- end }}
 containers:
 - name: gateway-controller
- image: "{{ $controller.image.repository }}:{{ $controller.image.tag }}"
+ image: {{ include "gateway-operator.componentImage" (dict "root" . "repository" $controller.image.repository "tag" $controller.image.tag) | quote }}
 imagePullPolicy: {{ $controller.image.pullPolicy }}
 {{- with $deployment.securityContext }}
 securityContext:
diff --git a/kubernetes/helm/gateway-helm-chart/templates/gateway/gateway-runtime/deployment.yaml b/kubernetes/helm/gateway-helm-chart/templates/gateway/gateway-runtime/deployment.yaml
index 7b2f39d71..d40bee41d 100644
--- a/kubernetes/helm/gateway-helm-chart/templates/gateway/gateway-runtime/deployment.yaml
+++ b/kubernetes/helm/gateway-helm-chart/templates/gateway/gateway-runtime/deployment.yaml
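Review bot: The new `image:` line forwards `$controller.image.tag` into a helper that formats it with `printf "%s:%s"`, so a tag supplied as an unquoted number in an override file (`tag: 1.2`, an easy values.yaml slip) now renders as Go's `%!s(float64=1.2)`, whereas the replaced inline `{{ $controller.image.tag }}` at least printed `1.2`; pass `(toString $controller.image.tag)` at this call site, or switch the helper's format verbs to `%v`. The helper body is defined outside this hunk. It is also not obvious from the `{{- with (include "gateway-operator.componentImagePullSecretsBlock" ...) }}` call that a third source is merged in; a one-line template comment above it such as `{{- /* global + component pull secrets, plus wso2.subscription.imagePullSecret when set */ -}}` would save the next reader a trip to _helpers.tpl.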
@@ -39,14 +39,8 @@ spec:
 {{- end }}
 spec:
 serviceAccountName: {{ include "gateway-operator.serviceAccountName" . }}
- {{- $globalPullSecrets := default (list) .Values.imagePullSecrets }}
- {{- $componentPullSecrets := default (list) $unified.imagePullSecrets }}
- {{- $pullSecrets := concat $globalPullSecrets $componentPullSecrets }}
- {{- if $pullSecrets }}
- imagePullSecrets:
- {{- range $pullSecrets }}
- - name: {{ . }}
- {{- end }}
+ {{- with (include "gateway-operator.componentImagePullSecretsBlock" (dict "root" . "componentPullSecrets" $unified.imagePullSecrets)) }}
+ {{- . | nindent 6 }}
 {{- end }}
 {{- with $deployment.podSecurityContext }}
 securityContext:
@@ -69,7 +63,7 @@ spec:
 {{- end }}
 containers:
 - name: gateway-runtime
- image: "{{ $unified.image.repository }}:{{ $unified.image.tag }}"
+ image: {{ include "gateway-operator.componentImage" (dict "root" . "repository" $unified.image.repository "tag" $unified.image.tag) | quote }}
 imagePullPolicy: {{ $unified.image.pullPolicy }}
 args: ["--pol.config", "/etc/policy-engine/config.toml"]
 {{- with $deployment.securityContext }}
diff --git a/kubernetes/helm/gateway-helm-chart/values.yaml b/kubernetes/helm/gateway-helm-chart/values.yaml
index 0773b873d..7f4a61148 100644
--- a/kubernetes/helm/gateway-helm-chart/values.yaml
+++ b/kubernetes/helm/gateway-helm-chart/values.yaml
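Review bot: This hunk and the controller one are the only two call sites switched to `gateway-operator.componentImage`, while the commit text promises the subscription registry for every component; any other image the chart renders — an init container, a hook Job, a sidecar, none of which is visible in this patch — would still pull from GHCR with the subscription secret attached, which is confusing rather than harmful but worth confirming with `helm template . --set wso2.subscription.imagePullSecret=x | grep 'image:'`. If the chart does carry more images, a comment on the new `image:` line such as `# subscription-aware: rewritten by gateway-operator.componentImage` makes the convention discoverable for the next component that is added.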
@@ -6,6 +6,24 @@ fullnameOverride: ""
 imagePullSecrets: []
+# WSO2 Subscription parameters (https://wso2.com/subscription/)
+wso2:
+ subscription:
+ # Name of a docker-registry Secret (in the release namespace) holding credentials
+ # for registry.wso2.com. Setting this enables WSO2 subscription mode:
+ # 1. The secret is added to every component's imagePullSecrets.
+ # 2. Default `ghcr.io/wso2/api-platform/*` image repositories are rewritten to
+ # `registry.wso2.com/wso2-api-platform/*`, so the released WSO2 images at
+ # https://docker.wso2.com/ are pulled instead.
+ # Explicit image.repository overrides are preserved as-is.
+ #
+ # Create the secret with:
+ # kubectl create secret docker-registry wso2-subscription-creds \
+ # --docker-server=registry.wso2.com \
+ # --docker-username= \
+ # --docker-password=
+ imagePullSecret: ""
+
 commonLabels: {}
 commonAnnotations: {}
From 290dc91a85e9d38b9b6a2d9e6adcaab05812425e Mon Sep 17 00:00:00 2001
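Review bot: The new comment block never says what shape the `imagePullSecrets` entries take, and the chart's helper iterates them as bare strings (`- name: {{ . }}`), whereas the `helm create` scaffold and most public charts expect `- name: <secret>` objects; a user following that convention gets `name: map[name:...]` in the rendered pod spec. Add above `imagePullSecrets: []` a line like `# Secret names as plain strings (not {name: ...} objects), e.g. [my-registry-creds]`, and say the same for `imagePullSecret:`. Because the name is rendered as-is into YAML, the comment should also tell users to quote names that look like booleans or numbers (`imagePullSecret: "123"`). Given the stated goal of keeping credentials out of Helm state, the `kubectl create secret` example could note that `--docker-password=` lands in shell history and point at `--from-file=.dockerconfigjson=<path>` as the alternative.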
From: Renuka Fernando Date: Tue, 26 May 2026 10:00:27 +0530 Subject: [PATCH 2/2] refactor(gateway-helm-chart): only rewrite chart-default image repos MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Previously the subscription rewrite triggered for any repository value starting with `ghcr.io/wso2/api-platform/`, which silently re-mapped explicit overrides such as SHA-pinned or canary references that happen to keep the WSO2 namespace prefix (e.g. `gateway-controller-canary`). Tighten the gate from a prefix check to an exact-default match by passing each component's canonical default repository through a new `defaultRepository` parameter on the `componentImage` helper. Rewriting now happens only when the user has not overridden `image.repository`; any explicit value — including ones still under the WSO2 GHCR namespace — passes through verbatim. Addresses CodeRabbit review feedback on wso2/api-platform#2017. --- .../helm/gateway-helm-chart/templates/_helpers.tpl | 11 +++++++---- .../templates/gateway/controller/deployment.yaml | 2 +- .../templates/gateway/gateway-runtime/deployment.yaml | 2 +- 3 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/kubernetes/helm/gateway-helm-chart/templates/_helpers.tpl b/kubernetes/helm/gateway-helm-chart/templates/_helpers.tpl
index e24128093..7b3a1fe65 100644
--- a/kubernetes/helm/gateway-helm-chart/templates/_helpers.tpl
+++ b/kubernetes/helm/gateway-helm-chart/templates/_helpers.tpl
@@ -63,19 +63,22 @@ app.kubernetes.io/component: {{ $component }}
 {{/*
 Render a component image reference, applying the WSO2 subscription registry rewrite
-when wso2.subscription.imagePullSecret is set AND the repository still matches the
-default upstream prefix `ghcr.io/wso2/api-platform/`. Explicit overrides pass through.
+only when wso2.subscription.imagePullSecret is set AND the repository value is
+exactly the chart-canonical default for this component. Any explicit override —
+including overrides that happen to stay under `ghcr.io/wso2/api-platform/` (e.g.
+SHA-pinned references, canary tags) — passes through unchanged.
-Args (dict): root, repository, tag
+Args (dict): root, repository, defaultRepository, tag
 */}}
 {{- define "gateway-operator.componentImage" -}}
 {{- $root := .root -}}
 {{- $repo := .repository -}}
+{{- $defaultRepo := .defaultRepository -}}
 {{- $tag := .tag -}}
 {{- $sub := $root.Values.wso2.subscription.imagePullSecret -}}
 {{- $defaultPrefix := "ghcr.io/wso2/api-platform/" -}}
 {{- $wso2Prefix := "registry.wso2.com/wso2-api-platform/" -}}
-{{- if and (ne $sub "") (hasPrefix $defaultPrefix $repo) -}}
+{{- if and (ne $sub "") (eq $repo $defaultRepo) (hasPrefix $defaultPrefix $repo) -}}
 {{- printf "%s%s:%s" $wso2Prefix (trimPrefix $defaultPrefix $repo) $tag -}}
 {{- else -}}
 {{- printf "%s:%s" $repo $tag -}}
diff --git a/kubernetes/helm/gateway-helm-chart/templates/gateway/controller/deployment.yaml b/kubernetes/helm/gateway-helm-chart/templates/gateway/controller/deployment.yaml
index 4e7a130f3..aff073a89 100644
--- a/kubernetes/helm/gateway-helm-chart/templates/gateway/controller/deployment.yaml
+++ b/kubernetes/helm/gateway-helm-chart/templates/gateway/controller/deployment.yaml
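Review bot: The new gate `(eq $repo $defaultRepo)` silently disables the rewrite when a caller omits `defaultRepository` — `.defaultRepository` is then nil and, depending on the Go version Helm was built with, the comparison either errors or is simply false — so a component added later that forgets the new argument keeps pulling the public GHCR image while the operator believes subscription mode is on; fail loudly instead with `{{- $defaultRepo := required "gateway-operator.componentImage: defaultRepository is required" .defaultRepository -}}`. With exact-match gating, the `hasPrefix $defaultPrefix $repo` term now only guards against a caller passing a non-GHCR `defaultRepository`; a short comment saying so, e.g. `{{- /* hasPrefix is a belt-and-braces check that defaultRepository really is a GHCR path */ -}}`, stops the next reader from deleting it as redundant. The helper's closing `end` lines fall outside this hunk.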
@@ -66,7 +66,7 @@ spec:
 {{- end }}
 containers:
 - name: gateway-controller
- image: {{ include "gateway-operator.componentImage" (dict "root" . "repository" $controller.image.repository "tag" $controller.image.tag) | quote }}
+ image: {{ include "gateway-operator.componentImage" (dict "root" . "repository" $controller.image.repository "defaultRepository" "ghcr.io/wso2/api-platform/gateway-controller" "tag" $controller.image.tag) | quote }}
 imagePullPolicy: {{ $controller.image.pullPolicy }}
 {{- with $deployment.securityContext }}
 securityContext:
diff --git a/kubernetes/helm/gateway-helm-chart/templates/gateway/gateway-runtime/deployment.yaml b/kubernetes/helm/gateway-helm-chart/templates/gateway/gateway-runtime/deployment.yaml
index d40bee41d..c9149f716 100644
--- a/kubernetes/helm/gateway-helm-chart/templates/gateway/gateway-runtime/deployment.yaml
+++ b/kubernetes/helm/gateway-helm-chart/templates/gateway/gateway-runtime/deployment.yaml
@@ -63,7 +63,7 @@ spec:
 {{- end }}
 containers:
 - name: gateway-runtime
- image: {{ include "gateway-operator.componentImage" (dict "root" . "repository" $unified.image.repository "tag" $unified.image.tag) | quote }}
+ image: {{ include "gateway-operator.componentImage" (dict "root" . "repository" $unified.image.repository "defaultRepository" "ghcr.io/wso2/api-platform/gateway-runtime" "tag" $unified.image.tag) | quote }}
 imagePullPolicy: {{ $unified.image.pullPolicy }}
 args: ["--pol.config", "/etc/policy-engine/config.toml"]
 {{- with $deployment.securityContext }}
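Review bot: The literal `"ghcr.io/wso2/api-platform/gateway-controller"` passed as `defaultRepository` duplicates the chart default that presumably lives in values.yaml, and nothing ties the two together: a future bump of the default repository in values.yaml, or a fork that renames the namespace, turns the subscription rewrite off with no error, because the helper then just passes the value through. Keep them in one place — at minimum add `# must match the image.repository default in values.yaml` beside both the value and this call, or better, derive the default from a single chart-level helper (e.g. `gateway-operator.defaultRepository`) that both deployments reference. A rendered-template check, `helm template . --set wso2.subscription.imagePullSecret=x | grep 'image:'` asserting the `registry.wso2.com/` prefix, would catch the drift in CI. The same applies to the `gateway-runtime` hunk below.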