Conditionally set backendImages credentials

[cypres]

Description

For deployments that only use public images, and forego a key for NGC, it was difficuly to avoid image pull secrets.

Even if a secret was not specified the config map would still contain

apiVersion: v1
data:
  config.yaml: |
    workflow:
      backend_images:
        credential:
          secretKey: .dockerconfigjson
          secretName: nvcr-secret

With the default values it was not easy to remove that configuration due to how Helm patches values.

You would need to first set credential: null to delete the inherited map, then a second later file sets credential: {}

Instead of changing the default values, which would be a breaking change, add a template that only adds the credential structure when needed.

Issue #None

Checklist

• I am familiar with the Contributing Guidelines.
• New or existing tests cover these changes.
• The documentation is up to date with these changes.

Summary by CodeRabbit

Release Notes

• New Features

  • Conditional rendering of secret configurations and credentials in deployments based on environment settings.
  • Improved secret management for public registry configurations with dynamic validation.

• Tests

  • Added test coverage for public registry secret rendering scenarios.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR extends Helm chart deployment infrastructure to conditionally render secrets. It adds Bazel build targets to expose deployment values, introduces a helper function to determine when secrets should be rendered based on configuration and Kubernetes state, and applies that helper to filter workflow backend image credentials in the config template.

Changes

Conditional Secret Rendering in Helm Charts

Layer / File(s)	Summary
Build targets and data dependencies deployments/BUILD, deployments/charts/BUILD	New values filegroup packages deployment values under values/** with public visibility. Shell test target service_public_registry_secret_render_test declares data dependencies on the service target and the values filegroup.
Helm template helpers for conditional secret rendering deployments/charts/service/templates/_helpers.tpl	New osmo.config-secret-ref-enabled helper checks whether a secret should be rendered by evaluating the secret name against nvcr-secret, inspecting Values.global.imagePullSecret, and using lookup to detect namespace presence. The osmo.configmap-volume-mounts and osmo.configmap-volumes helpers are updated to emit mounts and volume definitions conditionally based on the helper's result.
Config template secret filtering deployments/charts/service/templates/configs.yaml	The workflow YAML emission now deep-copies the workflow object, inspects backend_images.credential.secretName, and clears the credential when osmo.config-secret-ref-enabled returns false before outputting the result.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Secrets now know when to hide,
With helpers checking far and wide—
Deep copies guard the workflow's heart,
As conditional renders play their part.
Build and helm in harmony glide! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Conditionally set backendImages credentials' directly describes the main change: adding conditional rendering logic for backend image credentials in Helm templates.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch harnholm/fix-backendImages-credentials

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 Trivy (0.69.3)

Trivy execution failed: 2026-05-16T23:12:16Z FATAL Fatal error run error: fs scan error: scan error: scan failed: failed analysis: post analysis error: post analysis error: cloudformation scan error: fs filter error: fs filter error: walk error range error: stat smartylint.json: no such file or directory: range error: stat smartylint.json: no such file or directory

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

deployments/BUILD (1)

19-23: ⚡ Quick win

Consider excluding temporary and hidden files from the glob.

The glob pattern includes all files under values/ without exclusions, which may inadvertently capture editor backups, temporary files, or hidden system files (e.g., .swp, *~, .DS_Store). This can lead to build cache pollution and unnecessary rebuilds.

🧹 Proposed exclusions

 filegroup(
     name = "values",
-    srcs = glob(["values/**"]),
+    srcs = glob(
+        ["values/**"],
+        exclude = [
+            "**/*~",
+            "**/*.swp",
+            "**/*.bak",
+            "**/.DS_Store",
+        ],
+    ),
     visibility = ["//visibility:public"],
 )

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deployments/BUILD` around lines 19 - 23, The filegroup named "values" uses
srcs = glob(["values/**"]) which currently captures hidden and temp files;
update the glob call in the filegroup to add an exclude list that omits common
editor and system artifacts (e.g., patterns for *.swp, *~, .DS_Store and hidden
dotfiles) so only intended files are included; modify the srcs = glob(...)
invocation to pass an excludes=[...] argument with patterns for editor backups
and hidden files to prevent build cache pollution.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@deployments/charts/service/templates/configs.yaml`:
- Around line 42-44: When the secret-ref check returns "false", remove the
credential key instead of assigning an empty dict; replace the line that does
'{{- $_ := set $backendImages "credential" dict }}' with a call that deletes the
key (e.g. use the Sprig unset function: '{{- $_ := unset $backendImages
"credential" }}'), then keep the subsequent '{{- $_ := set $workflow
"backend_images" $backendImages }}' to persist the updated map so credential is
absent from the emitted config.yaml.

---

Nitpick comments:
In `@deployments/BUILD`:
- Around line 19-23: The filegroup named "values" uses srcs =
glob(["values/**"]) which currently captures hidden and temp files; update the
glob call in the filegroup to add an exclude list that omits common editor and
system artifacts (e.g., patterns for *.swp, *~, .DS_Store and hidden dotfiles)
so only intended files are included; modify the srcs = glob(...) invocation to
pass an excludes=[...] argument with patterns for editor backups and hidden
files to prevent build cache pollution.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e173ab87-eeaf-4615-beff-692969820db1

📥 Commits

Reviewing files that changed from the base of the PR and between 663bfe9 and e9d05ff.

📒 Files selected for processing (4)

• deployments/BUILD
• deployments/charts/BUILD
• deployments/charts/service/templates/_helpers.tpl
• deployments/charts/service/templates/configs.yaml