kapp-controller should look up additional imagePullSecrets from the ServiceAccount performing installation of the Package #1370
Labels
carvel-accepted
This issue should be considered for future work and that the triage process has been completed
enhancement
This issue is a feature request
Describe the problem/challenge you have
It would be useful if kapp-controller could leverage the imagePullSecrets on ServiceAccounts in order to pull imgpkgBundles or images. This means I wouldn't have to specify the secret in every fetch stanza.
This would make it easier to use kapp-controller without requiring secretgen controller and provide finer grained control over how secrets are being used.
Describe the solution you'd like
Steps for adding the imagePullSecret are here - https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account
Anything else you would like to add:
Note the precedence for this is that the Pods are able to pull images from private registries from two places - either the imagePullSecrets on the PodSpec or from imagePullSecrets on the ServiceAccount.
It's not an either/or but instead K8s will coalesce these secrets and try them all until one works.
e.g. see the logic in the following files:
https://github.com/kubernetes/kubernetes/blob/d953755686d64207740c15c7eb1599f874f29243/pkg/credentialprovider/keyring.go#L81
https://github.com/kubernetes/kubernetes/blob/d953755686d64207740c15c7eb1599f874f29243/pkg/credentialprovider/keyring.go#L238
Vote on this request
This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.
👍 "I would like to see this addressed as soon as possible"
👎 "There are other more important things to focus on right now"
We are also happy to receive and review Pull Requests if you want to help working on this issue.
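One way the requested lookup could combine the two sources, as an added example that is not part of the issue and not kapp-controller or Kubernetes code: Secret names given on a fetch stanza are merged with those on the ServiceAccount, and every credential for the registry host is kept as a candidate to try in turn. `CandidateCreds`, `Cred`, `hostOf`, the explicit-first ordering and the sample Secret names are assumptions of this sketch; host matching is simplified to exact equality and only username/password entries are read.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Cred is one registry login candidate, tagged with the Secret it came from.
type Cred struct{ Secret, Username, Password string }

// hostOf reduces a dockerconfigjson "auths" key such as "https://ghcr.io/v1/" to its host.
func hostOf(key string) string {
	key = strings.TrimPrefix(strings.TrimPrefix(key, "https://"), "http://")
	return strings.SplitN(key, "/", 2)[0]
}

// CandidateCreds (hypothetical helper) merges Secret names given explicitly
// with those on the ServiceAccount, explicit first and duplicates dropped,
// and returns every credential for host in the order they would be tried.
func CandidateCreds(explicit, fromSA []string, secrets map[string][]byte, host string) ([]Cred, error) {
	var out []Cred
	seen := map[string]bool{}
	for _, name := range append(append([]string{}, explicit...), fromSA...) {
		raw, ok := secrets[name]
		if seen[name] || !ok { // skip repeats and Secrets that do not exist
			continue
		}
		seen[name] = true
		var cfg struct{ Auths map[string]struct{ Username, Password string } }
		if err := json.Unmarshal(raw, &cfg); err != nil {
			return nil, fmt.Errorf("secret %q: %w", name, err)
		}
		for key, a := range cfg.Auths {
			if hostOf(key) == host {
				out = append(out, Cred{name, a.Username, a.Password})
			}
		}
	}
	return out, nil
}

func main() { // constructed sample data, not taken from the issue
	secrets := map[string][]byte{
		"fetch-secret": []byte(`{"auths":{"registry.example.com":{"username":"ci","password":"p1"}}}`),
		"sa-secret":    []byte(`{"auths":{"https://registry.example.com/v1/":{"username":"sa","password":"p2"}}}`),
	}
	creds, err := CandidateCreds([]string{"fetch-secret"}, []string{"sa-secret", "fetch-secret"}, secrets, "registry.example.com")
	fmt.Println(len(creds), "candidates; first from", creds[0].Secret, err)
}
```

Because every ServiceAccount-level Secret becomes a candidate for each fetch that runs under that ServiceAccount, the candidate list is also the set of credentials an installation is able to present to the registry.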