Bug #113227 MySQL Operator - Support for pulling sidecar images from private registry
Submitted: 27 Nov 2023 3:48
Modified: 6 Feb 16:12
Reporter: Prasad Kris
Status: Won't fix
Category: MySQL Operator
Severity: S4 (Feature request)
Version:
OS: Any
Assigned to:
CPU Architecture: Any
Tags: kubernetes, mysql-operator

[27 Nov 2023 3:48] Prasad Kris

The MySQL operator currently doesn't allow pulling sidecar images from private registries. This is an issue when enabling metrics, and we would love to keep the exporter image private. The operator does have a provision for specifying a private repository using the imageRepository: (https://dev.mysql.com/doc/mysql-operator/en/mysql-operator-properties.html#mysql-operator-...) parameter, but that's only applicable for the main (MySQL) container and the router deployment.

How to repeat:
The operator currently doesn't allow an option to pull sidecar images from private repositories. This can be easily replicated by attempting to create an InnoDB deployment with a private metrics sidecar image:

It will result in errors like below:

  Warning  Failed     75s                kubelet            Failed to pull image "docker.example.com/docker/mysqld_exporter:v0.15.0": failed to pull and unpack image "docker.example.com/docker/mysqld_exporter:v0.15.0": failed to resolve reference "docker.example.com/docker/mysqld_exporter:v0.15.0": failed to authorize: failed to fetch anonymous token: unexpected status: 403 Forbidden
[23 Jan 16:18] MySQL Verification Team
Thanks for the report. I will change this bug report to feature request.
[6 Feb 16:12] Andrey Hristov
Posted by developer:
In case of metrics you can pass the full container image URI. Registries that need authentication are also allowed. For this, one needs to provide pull secrets in the .spec.imagePullSecrets array, like this:

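apiVersion: mysql.oracle.com/v2
kind: InnoDBCluster
metadata:
  name: mycluster
spec:
  instances: 3
  router:
    instances: 1
  secretName: mypwds
  # Pull secret(s) used to authenticate to the private registry
  imagePullSecrets:
  - name: priv-reg-secret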

priv-reg-secret needs to be created in advance and should be a K8s secret of type docker-registry:

kubectl -n $NAMESPACE create secret docker-registry priv-reg-secret \
    --docker-server=https://$REGISTRY_IP:5000/v2/ \
    --docker-username=user \
    --docker-password=pass
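
Added example (not part of the original thread and not the operator's own code): a Python pre-deployment check that builds the Secret object `kubectl create secret docker-registry` produces and verifies that a secret listed in .spec.imagePullSecrets actually covers the sidecar image's registry, since a mismatch leaves the kubelet pulling anonymously as in the 403 above. All function names are hypothetical, and the host-only comparison is a simplification of the kubelet's credential matching.

```python
import base64
import json

def registry_host(image):
    """Registry host of an image reference; Docker Hub when none is given."""
    first, _, rest = image.partition("/")
    # The first path component is a registry only if it looks like a host.
    if rest and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def docker_registry_secret(name, namespace, server, username, password):
    """Secret equivalent to `kubectl create secret docker-registry`."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    cfg = {"auths": {server: {"username": username, "password": password,
                              "auth": auth}}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson":
                 base64.b64encode(json.dumps(cfg).encode()).decode()},
    }

def secret_covers_image(secret, image):
    """True if the secret holds credentials for the image's registry host."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        return False
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    want = registry_host(image)
    # Simplification (assumption): compare host[:port] only, ignoring paths.
    return any(server.split("://", 1)[-1].split("/", 1)[0] == want
               for server in cfg.get("auths", {}))

def cluster_can_pull(cluster, secrets, image):
    """Check every name in .spec.imagePullSecrets against known secrets."""
    refs = cluster.get("spec", {}).get("imagePullSecrets", [])
    return any(r["name"] in secrets and
               secret_covers_image(secrets[r["name"]], image) for r in refs)

if __name__ == "__main__":
    # Constructed sample data; image name taken from the error in the report.
    image = "docker.example.com/docker/mysqld_exporter:v0.15.0"
    cluster = {"spec": {"imagePullSecrets": [{"name": "priv-reg-secret"}]}}
    for server in ("https://docker.example.com/v2/",
                   "https://registry.internal.example:5000/v2/"):
        s = docker_registry_secret("priv-reg-secret", "db", server, "user", "pass")
        print(server, cluster_can_pull(cluster, {"priv-reg-secret": s}, image))
```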
[6 Feb 16:19] Andrey Hristov
Posted by developer:
In case the Helm chart is used, then the solution is similar:

    enabled: true
    secretName: priv-reg-secret