Multiple deployments for multiple secrets / private registries?

[dwarburt]

We're migrating from one private registry to another and need to pull images from both during the transition. It seems like we'll be able to just deploy the image pull secret patcher twice, so there is one dedicated to each secret. Is this reasonable or we may face some problems?

[matgeroe]

Hi, I haven't tested this but I suppose you could enter both registries in a single .dockerconfigjson, as your image pull patch secret source
The format suggest that you can, as the registry is used as a key:
{"auths":{"your.private.registry.example.com":{"username":"janedoe","password":"xxxxxxxxxxx","email":"jdoe@example.com","auth":"c3R...zE2"}}}
https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#inspecting-the-secret-regcred

As for issues with deploying it twice, as long as you give them different names with the flag secretname, it should work.

You will have to specify the pullsecret on each deployment though, because the patcher will set the secret as the default secret in the service account in each namespace, if run two instances, they absolutely will overwrite each other.
It is my understanding that when you create a new namespace, the patcher will detect it and do its thing, which one of the patchers will get there last, will determine the default secret, so that's not reliable.

kubectl patch serviceaccount default \ -p "{\"imagePullSecrets\": [{\"name\": \"image-pull-secret\"}]}" \ -n <your-namespace>
https://github.com/titansoft-pte-ltd/imagepullsecret-patcher#why

[dwarburt]

We're running the two deployments and they are working together without conflict. Seems like it's appending the secret to the list of imagePullSecrets for the default service account instead of overwriting that list, so we're good!