Create pull secret in cluster and use it in PodSpec

- base64 encode secret values before creating the secret - Construct valid .dockerconfigjson - Cancel jobs where it will obviously fail & error handling - Check if the secret exists first, then attempts to replace it if it does.
2026-05-19 14:57:39 -02:30 · 2021-05-12 15:19:38 -04:00
parent a0840ddec2
commit 8316a1d198
2 changed files with 81 additions and 1 deletions
--- a/awx/main/tasks.py
+++ b/awx/main/tasks.py
@@ -3077,7 +3077,20 @@ class AWXReceptorJob:
        # Enforce EE Pull Policy
        pull_options = {"always": "Always", "missing": "IfNotPresent", "never": "Never"}
        if self.task and self.task.instance.execution_environment:
-            pod_spec['spec']['containers'][0]['imagePullPolicy'] = pull_options[self.task.instance.execution_environment.pull]
+            if self.task.instance.execution_environment.pull:
+                pod_spec['spec']['containers'][0]['imagePullPolicy'] = pull_options[self.task.instance.execution_environment.pull]
+
+        if self.task and self.task.instance.is_container_group_task:
+            # If EE credential is passed, create an imagePullSecret
+            if self.task.instance.execution_environment and self.task.instance.execution_environment.credential:
+                # Create pull secret in k8s cluster based on ee cred
+                from awx.main.scheduler.kubernetes import PodManager  # prevent circular import
+
+                pm = PodManager(self.task.instance)
+                secret_name = pm.create_secret(job=self.task.instance)
+
+                # Inject secret name into podspec
+                pod_spec['spec']['imagePullSecrets'] = [{"name": secret_name}]

        if self.task:
            pod_spec['metadata'] = deepmerge(