feat(t8s-cluster/management-cluster): use new KubeletEnsureSecretPulledImages feature gate

[cwrau]

This supersedes the old AlwaysPullImages admission plugin.

Summary by CodeRabbit

• New Features

  • Conditional feature gates for Kubernetes 1.33+ (enables KubeletEnsureSecretPulledImages when applicable) and version-aware admission plugin behavior (AlwaysPullImages only applied for older versions).

• Refactor

  • Configuration resolution now consistently respects cluster context across API server and kubelet settings, and outputs for admission plugins and feature gates are deterministically sorted.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[gemini-code-assist]

Summary of Changes

Hello @cwrau, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refactors the cluster configuration to adopt the KubeletEnsureSecretPulledImages feature gate for Kubernetes versions 1.33.0 and newer. This change streamlines how image pull secrets are managed by the Kubelet, moving away from the older AlwaysPullImages admission plugin. The modifications ensure that clusters running on earlier Kubernetes versions continue to function as expected by retaining the legacy admission plugin.

Highlights

• Feature Gate Adoption: The KubeletEnsureSecretPulledImages feature gate is now conditionally enabled for Kubelet in Kubernetes versions 1.33.0 and above, providing a modern approach to image pull secret handling.
• Admission Plugin Deprecation: The AlwaysPullImages admission plugin is conditionally removed for Kubernetes 1.33.0+ clusters, as it is superseded by the new feature gate. It remains active for older Kubernetes versions to ensure backward compatibility.
• Context Propagation: Updates were made across several templates to ensure the context dictionary is correctly passed, allowing for accurate Kubernetes version-aware logic in feature gate and admission plugin configurations.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Templates now propagate a context dict through Helm includes, enabling Kubernetes-version-aware feature-gate and admission-plugin generation; AlwaysPullImages is conditionally included for Kubernetes <1.33.0, KubeletEnsureSecretPulledImages added for ≥1.33.0, and outputs are sorted before emission.

Changes

Cohort / File(s)	Summary
Feature gates & API server admission plugins charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl	Propagate (dict "context" .context) to feature-gates and admission-plugin includes; build $featureGates dict and conditionally add KubeletEnsureSecretPulledImages for Kubernetes ≥1.33.0; admission plugins now start with NodeRestriction, EventRateLimit, re-add AlwaysPullImages only for <1.33.0; both outputs are sorted then emitted as YAML.
Kubelet patches context propagation charts/t8s-cluster/templates/management-cluster/clusterClass/patches/_kubelet.tpl	Pass (dict "context" .context) into kubelet-related includes (t8s-cluster.kubelet.featureGates, t8s-cluster.kubelet.options, default patch and imagePulls includes) so kubelet feature-gates/options evaluate with the same context.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

• Verify Kubernetes version comparison logic (threshold 1.33.0) and boundary behavior.
• Confirm every include that needs context receives (dict "context" .context) and that no include calls were missed.
• Check sorting logic produces deterministic YAML and preserves intended ordering semantics.
• Review conditions that add/remove AlwaysPullImages and KubeletEnsureSecretPulledImages for correctness.

Possibly related PRs

• feat(t8s-cluster/management-cluster): enable ImageVolume feature flag #1786 — Modifies the same Helm helper templates for component-specific feature-gates and version-aware admission-plugin handling.

Suggested reviewers

• tasches
• marvinWolff
• teutonet-bot

Poem

🐇 I hop through templates, context in paw,
I nudge the gates and check the law,
If K8s is new, a feature springs,
If old, AlwaysPull rejoins the strings,
I sort the lists — tidy as a claw.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title accurately reflects the main change: replacing AlwaysPullImages with the new KubeletEnsureSecretPulledImages feature gate for Kubernetes 1.33.0+.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/t8s-cluster/use-new-image-pull-verification

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a6222ae and cd043b2.

📒 Files selected for processing (2)

• charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl (3 hunks)
• charts/t8s-cluster/templates/management-cluster/clusterClass/patches/_kubelet.tpl (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• charts/t8s-cluster/templates/management-cluster/clusterClass/patches/_kubelet.tpl

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: check licenses
• GitHub Check: lint helm chart (t8s-cluster)

🔇 Additional comments (5)

charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl (5)

73-79: LGTM! Feature gates configured correctly.

The KubeletEnsureSecretPulledImages feature gate is correctly configured for Kubernetes 1.33+ and the ImageVolume feature gate is valid for both apiserver and kubelet components. The context-aware evaluation enables proper version-based feature activation.

---

84-84: LGTM! Context propagation enables version-aware feature gates.

The context dict is correctly passed to enable version checking within the t8s-cluster.featureGates template.

---

162-168: LGTM! Admission plugin migration strategy is well-designed.

The AlwaysPullImages admission plugin correctly forces image pull policy to Always for Kubernetes versions prior to 1.33, providing a bridge to the new KubeletEnsureSecretPulledImages feature gate in v1.33. The alphabetical sorting ensures deterministic output.

---

203-203: LGTM! Context propagation enables version-aware admission plugin selection.

The context is correctly passed to enable the conditional AlwaysPullImages inclusion based on Kubernetes version.

---

207-207: LGTM! Context propagation enables version-aware feature gate filtering.

The context is correctly passed alongside the component identifier to enable proper feature gate selection for the API server.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request updates the Helm chart to use the new KubeletEnsureSecretPulledImages feature gate for Kubernetes versions 1.33.0 and newer, while retaining the AlwaysPullImages admission plugin for older versions. The changes correctly implement this version-based logic by modifying several Helm templates to conditionally enable the feature gate and the admission plugin. The necessary context is propagated through various template includes to facilitate the version check. The changes are logical and well-implemented. I have one minor suggestion to improve code clarity.

[Copilot]

Pull request overview

This PR updates the t8s-cluster Helm chart to use the new KubeletEnsureSecretPulledImages feature gate for Kubernetes 1.33.0 and later, replacing the deprecated AlwaysPullImages admission plugin. The changes ensure backward compatibility by conditionally applying the appropriate mechanism based on the Kubernetes version.

Key Changes:

• Introduces version-aware feature gate configuration for KubeletEnsureSecretPulledImages (K8s >=1.33.0)
• Makes AlwaysPullImages admission plugin conditional (only for K8s <1.33.0)
• Adds proper context passing to template helpers that require access to version information

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
charts/t8s-cluster/templates/management-cluster/clusterClass/patches/_kubelet.tpl	Updated kubelet template helpers to pass context for version-aware feature gate configuration
charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl	Added conditional logic for KubeletEnsureSecretPulledImages feature gate and AlwaysPullImages admission plugin based on K8s version; updated context passing throughout

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl (1)

162-169: Unused mustMerge for Values context.

The mustMerge on line 163 extracts .Values but it's not used in this template—only .context is needed for the version check. This appears to be leftover code.

Consider removing the unused merge:

 {{- define "t8s-cluster.clusterClass.apiServer.admissionPlugins" -}}
-  {{- $_ := mustMerge . (pick .context "Values") -}}
   {{- $admissionPlugins := list "NodeRestriction" "EventRateLimit" -}}
   {{- if semverCompare "<1.33.0" (include "t8s-cluster.k8s-version" .context) -}}
     {{- $admissionPlugins = append $admissionPlugins "AlwaysPullImages" -}}
   {{- end -}}
   {{- toYaml ($admissionPlugins | sortAlpha) -}}
 {{- end -}}

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 82b78e5 and a6222ae.

📒 Files selected for processing (2)

• charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl (3 hunks)
• charts/t8s-cluster/templates/management-cluster/clusterClass/patches/_kubelet.tpl (3 hunks)

🧰 Additional context used

🧠 Learnings (1)

📓 Common learnings

Learnt from: cwrau
Repo: teutonet/teutonet-helm-charts PR: 1604
File: charts/base-cluster/templates/monitoring/metrics-server/metrics-server.yaml:20-21
Timestamp: 2025-07-24T09:41:28.072Z
Learning: The kubernetes-sigs/metrics-server Helm chart uses `v{{ .Chart.AppVersion }}` as the default image tag when `image.tag` is empty, which provides pinned versioning through the chart's AppVersion rather than using floating tags like "latest".

Learnt from: cwrau
Repo: teutonet/teutonet-helm-charts PR: 1602
File: charts/base-cluster/templates/monitoring/kube-prometheus-stack/oauth-proxy.yaml:38-40
Timestamp: 2025-07-24T09:49:40.961Z
Learning: Official Helm charts like oauth2-proxy manage image versioning automatically through their Chart.yaml appVersion field, making manual tag pinning in consumer values unnecessary and potentially harmful. The chart version itself provides reproducibility by ensuring the correct image tag is used.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Agent
• GitHub Check: lint helm chart (t8s-cluster)

🔇 Additional comments (7)

charts/t8s-cluster/templates/management-cluster/clusterClass/patches/_kubelet.tpl (3)

10-12: LGTM! Context propagation for version-aware feature gates.

The context is correctly propagated to enable downstream access to the Kubernetes version for conditional feature gate handling.

---

28-28: Context propagation is consistent.

Correctly passes context to t8s-cluster.kubelet.featureGates for version-aware evaluation.

---

41-46: Context propagation chain is complete.

The context flows correctly through the patch generation pipeline, ensuring version-aware behavior is available throughout.

charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl (4)

81-90: LGTM! Context propagation for component-specific feature gates.

The context flows correctly to the base featureGates template for version-aware evaluation.

---

204-204: LGTM! Context propagation for admission plugins.

Correctly passes context to enable version-aware conditional inclusion of AlwaysPullImages.

---

207-213: LGTM! Feature gates correctly wired for API server.

Context is properly passed to featureGates.forComponent for version-aware feature flag resolution. The existing ImageVolume feature gate (which targets "apiserver") will be correctly included via this path.

---

73-79: Well-structured conditional feature gate handling.

The logic correctly adds KubeletEnsureSecretPulledImages only for Kubernetes >= 1.33.0 when the feature becomes available. The feature gate is appropriately scoped to only the kubelet component. The t8s-cluster.k8s-version template exists and properly returns a valid semver string in the format vX.Y.Z, enabling correct version comparisons with semverCompare.