Change secretgen for default templating

- Change based on option scdf.registry.secret.ref if
  add default reg-creds secret ref or one with user
  defined which should allow secretgen-controller to do
  its dance while allowing user to define its own
  secret ref.
- Relates #4731

Author: jvalkeal

src/carvel/config/binder/_ytt_lib/kafka/kafka-broker-ss.yml

@@ -30,4 +30,6 @@ spec:
         env: #@ kafka_broker_container_env()
       #@ if has_image_pull_secrets():
       imagePullSecrets: #@ image_pull_secrets()
+      #@ else:
+      imagePullSecrets: [{name: reg-creds}]
       #@ end

src/carvel/config/binder/_ytt_lib/rabbitmq/rabbitmq-deployment.yml

@@ -41,6 +41,8 @@ spec:
         - containerPort: 5672
       #@ if has_image_pull_secrets():
       imagePullSecrets: #@ image_pull_secrets()
+      #@ else:
+      imagePullSecrets: [{name: reg-creds}]
       #@ end
       volumes:
       - name: rabbitmq-config-volume

src/carvel/config/dataflow-deployment.yml

@@ -58,6 +58,8 @@ spec:
       serviceAccountName: scdf-sa
       #@ if has_image_pull_secrets():
       imagePullSecrets: #@ image_pull_secrets()
+      #@ else:
+      imagePullSecrets: [{name: reg-creds}]
       #@ end
       volumes:
       - name: config

src/carvel/config/db/_ytt_lib/mysql/mysql-deployment.yml

@@ -52,6 +52,8 @@ spec:
         - "--ignore-db-dir=lost+found"
       #@ if has_image_pull_secrets():
       imagePullSecrets: #@ image_pull_secrets()
+      #@ else:
+      imagePullSecrets: [{name: reg-creds}]
       #@ end
       volumes:
       - name: data

src/carvel/config/db/_ytt_lib/postgres/postgres-deployment.yml

@@ -40,6 +40,8 @@ spec:
           name: #@ name()
       #@ if has_image_pull_secrets():
       imagePullSecrets: #@ image_pull_secrets()
+      #@ else:
+      imagePullSecrets: [{name: reg-creds}]
       #@ end
       volumes:
       - name: data

src/carvel/config/skipper-deployment.yml

@@ -63,6 +63,8 @@ spec:
       serviceAccountName: scdf-sa
       #@ if has_image_pull_secrets():
       imagePullSecrets: #@ image_pull_secrets()
+      #@ else:
+      imagePullSecrets: [{name: reg-creds}]
       #@ end
       volumes:
       - name: config

src/carvel/test/secrets.test.ts

@@ -15,14 +15,26 @@ describe('secrets', () => {
     });
     expect(result.success, result.stderr).toBeTruthy();
     const yaml = result.stdout;
+
+    // gh-4731
+    // on default we need to have pod image pull secret
+    // to ref to reg-creds which is basically no-op having
+    // dump empty secret which is valid in terms of k8s
+    // validation but just having nothing.
     const pods = findPodSpecsWithImagePullSecrets(yaml);
-    expect(pods).toHaveLength(0);
+    expect(pods).toHaveLength(5);
+
+    // all default pull secrets need to ref to reg-creds
+    const refs = pods.flatMap(p => p.imagePullSecrets?.[0].name);
+    expect(refs).toHaveLength(5);
+    expect(refs.every(r => r === 'reg-creds')).toBeTrue();
 
     const secret = findSecret(yaml, 'reg-creds');
     expect(secret).toBeTruthy();
   });
 
   it('should add carvel secretgen on default 2', async () => {
+    // see above test for as this is just same with different setup
     const result = await execYtt({
       files: ['config'],
       dataValueYamls: [
@@ -33,8 +45,14 @@ describe('secrets', () => {
     });
     expect(result.success, result.stderr).toBeTruthy();
     const yaml = result.stdout;
+
     const pods = findPodSpecsWithImagePullSecrets(yaml);
-    expect(pods).toHaveLength(0);
+    expect(pods).toHaveLength(5);
+
+    // all default pull secrets need to ref to reg-creds
+    const refs = pods.flatMap(p => p.imagePullSecrets?.[0].name);
+    expect(refs).toHaveLength(5);
+    expect(refs.every(r => r === 'reg-creds')).toBeTrue();
 
     const secret = findSecret(yaml, 'reg-creds');
     expect(secret).toBeTruthy();
@@ -52,9 +70,11 @@ describe('secrets', () => {
     });
     expect(result.success, result.stderr).toBeTruthy();
     const yaml = result.stdout;
+
     const pods = findPodSpecsWithImagePullSecrets(yaml);
     expect(pods).toHaveLength(5);
 
+    // should just have fakeref and not any other defaults
     const refs = pods.flatMap(p => p.imagePullSecrets?.[0].name);
     expect(refs).toHaveLength(5);
     expect(refs.every(r => r === 'fakeref')).toBeTrue();