feat: workload_identity - add image pull secrets (#2276)

emalihin · web-flow · commit 8d5c9a4c9e43 · 2025-02-13T13:45:49.000-08:00
diff --git a/modules/workload-identity/README.md b/modules/workload-identity/README.md
@@ -152,6 +152,7 @@ Error: Get "http://localhost/api/v1/namespaces/default/serviceaccounts/your-serv
 | gcp\_sa\_description | The Service Google service account desciption; if null, will be left out | `string` | `null` | no |
 | gcp\_sa\_display\_name | The Google service account display name; if null, a default string will be used | `string` | `null` | no |
 | gcp\_sa\_name | Name for the Google service account; overrides `var.name`. | `string` | `null` | no |
+| image\_pull\_secrets | A list of references to secrets in the same namespace to use for pulling any images in pods that reference this Service Account | `list(string)` | `[]` | no |
 | impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
 | k8s\_sa\_name | Name for the Kubernetes service account; overrides `var.name`. `cluster_name` and `location` must be set when this input is specified. | `string` | `null` | no |
 | k8s\_sa\_project\_id | GCP project ID of the k8s service account; overrides `var.project_id`. | `string` | `null` | no |
diff --git a/modules/workload-identity/main.tf b/modules/workload-identity/main.tf
@@ -53,6 +53,15 @@ resource "kubernetes_service_account" "main" {
   count = var.use_existing_k8s_sa ? 0 : 1
 
   automount_service_account_token = var.automount_service_account_token
+
+  dynamic "image_pull_secret" {
+    for_each = var.image_pull_secrets
+
+    content {
+      name = image_pull_secret.value
+    }
+  }
+
   metadata {
     name      = local.k8s_given_name
     namespace = var.namespace
diff --git a/modules/workload-identity/variables.tf b/modules/workload-identity/variables.tf
@@ -84,6 +84,12 @@ variable "automount_service_account_token" {
   default     = false
 }
 
+variable "image_pull_secrets" {
+  description = "A list of references to secrets in the same namespace to use for pulling any images in pods that reference this Service Account"
+  type        = list(string)
+  default     = []
+}
+
 variable "roles" {
   description = "A list of roles to be added to the created service account"
   type        = list(string)
