ClusterStack & ClusterStore support using a private registry.

[genevieve]

While using the ClusterStack resource in our cluster (in order to use it with the builder resource), we discovered that the CRD does not support using images from a private registry. For the Build/Image resources, we can point to our builder image in that same private registry as the creds are wired up fine and the controller can access the image.

{"level":"error","ts":"2021-03-16T21:58:11.929Z","logger":"controller.Stacks","caller":"controller/controller.go:480","msg":"Reconcile error","commit":"d4de54b","error":"GET https://repo-url: UNAUTHORIZED: access to the requested resource is not authorized","stacktrace":"knative.dev/pkg/controller.(*Impl).handleErr\n\t/workspace/vendor/knative.dev/pkg/controller/controller.go:480\nknative.dev/pkg/controller.(*Impl).processNextWorkItem\n\t/workspace/vendor/knative.dev/pkg/controller/controller.go:466\nknative.dev/pkg/controller.(*Impl).RunContext.func3\n\t/workspace/vendor/knative.dev/pkg/controller/controller.go:403"}

From this conversation it sounds like the issue is figuring out how to provide imagePullSecrets to these cluster scoped resources. I don't currently have a solution for modeling this and wanted to open this issue so we can track discussions around this feature.

[c0d1ngm0nk3y]

We would like to tackle this issue since we have the same use case.

Our proposal is to introduce a field(ObjectReference to a ServiceAccount) to ClusterStore and to ClusterStack. Just like it is done in ClusterBuilder. Those credentials can be used to access the private registry.

From our understanding, this is the smallest step to support the use-case of a private registry for ClusterStack and ClusterStore.

Any remarks, notes, objections ?

Tagging my pair: @Haegi

[genevieve]

This would work for us. Thanks @c0d1ngm0nk3y

[tarzzz]

Great work! Is there a timeline for when this will be available in a release?