Helm chart does not add image pull secrets to the cert-generator job

Hello team @salonichf5,

I have a use case to pull the images using my private registry and image pull secrets. However, the Helm chart doesn’t allow me to add the pull secrets and it’s failing for the Job (cert-generator) which comes up first followed by the actual NGF pod. Could you please take a look and suggest on priority?

```
# the secret passed as nginx.imagePullSecret does exist in the same namespace
helm upgrade --install ngf oci://ghcr.io/nginx/charts/nginx-gateway-fabric \
  -n nginx-gateway \
  --version 0.0.0-edge \
  --set nginxGateway.image.repository= \
  --set nginxGateway.image.tag=0.0.0-edge \
  --set nginxGateway.image.pullPolicy=IfNotPresent \
  --set nginx.imagePullSecret= \
  --set imagePullSecrets[0].name= \
  --set nginxGateway.snippetsFilters.enable=true
```

I even tried this parameter, as the template for the certs job is looking for it, but no luck.

```
{{- if or .Values.nginxGateway.serviceAccount.imagePullSecret .Values.nginxGateway.serviceAccount.imagePullSecrets }}
imagePullSecrets:
  {{- if .Values.nginxGateway.serviceAccount.imagePullSecret }}
  - name: {{ .Values.nginxGateway.serviceAccount.imagePullSecret }}
  {{- end }}
  {{- if .Values.nginxGateway.serviceAccount.imagePullSecrets }}
  {{- range .Values.nginxGateway.serviceAccount.imagePullSecrets }}
  - name: {{ . }}
  {{- end }}
  {{- end }}
{{- end }}
```

```
--set nginxGateway.serviceAccount.imagePullSecret=<secret name>
```

The problem here is I could see the image getting set properly but the image pull secrets

When you install with --set nginxGateway.serviceAccount.imagePullSecret, what does the installed cert generator service account YAML look like?

Hello,

Here it is:

```
ngf-nginx-gateway-fabric-cert-generator   0         30s
```

```
k get serviceaccount -n nginx-gateway ngf-nginx-gateway-fabric-cert-generator -oyaml
apiVersion: v1
automountServiceAccountToken: false
imagePullSecrets:
- name: jfrog-registry-readonly-pullsecret
kind: ServiceAccount
metadata:
  annotations:
    helm.sh/hook: pre-install
  creationTimestamp: "2026-01-14T18:32:22Z"
  labels:
    app.kubernetes.io/instance: ngf
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: nginx-gateway-fabric
    app.kubernetes.io/version: edge
    helm.sh/chart: nginx-gateway-fabric-0.0.0-edge
  name: ngf-nginx-gateway-fabric-cert-generator
  namespace: nginx-gateway
  resourceVersion: "1120996937"
  uid: cc09b300-e506-46b7-b169-d8ac5b0db43c
```

Is the cert-generator job using that ServiceAccount? If you run a kubectl describe on the failing job, does it give more info?

```
k get job -n nginx-gateway
NAME                                      STATUS    COMPLETIONS   DURATION   AGE
ngf-nginx-gateway-fabric-cert-generator   Running   0/1           3h1m       3h1m
```

```
k describe job -n nginx-gateway ngf-nginx-gateway-fabric-cert-generator
Name:             ngf-nginx-gateway-fabric-cert-generator
Namespace:        nginx-gateway
Selector:         batch.kubernetes.io/controller-uid=e6d777fb-87c3-4e2a-bbca-d5598777fb14
Labels:           app.kubernetes.io/instance=ngf
                  app.kubernetes.io/managed-by=Helm
                  app.kubernetes.io/name=nginx-gateway-fabric
                  app.kubernetes.io/version=edge
                  helm.sh/chart=nginx-gateway-fabric-0.0.0-edge
Annotations:      helm.sh/hook: pre-install, pre-upgrade
Parallelism:      1
Completions:      1
Completion Mode:  NonIndexed
Suspend:          false
Backoff Limit:    6
TTL Seconds After Finished:  30
Start Time:       Wed, 14 Jan 2026 18:32:23 +0000
Pods Statuses:    1 Active (0 Ready) / 0 Succeeded / 1 Failed
Pod Template:
  Labels:           batch.kubernetes.io/controller-uid=e6d777fb-87c3-4e2a-bbca-d5598777fb14
                    batch.kubernetes.io/job-name=ngf-nginx-gateway-fabric-cert-generator
                    controller-uid=e6d777fb-87c3-4e2a-bbca-d5598777fb14
                    job-name=ngf-nginx-gateway-fabric-cert-generator
  Service Account:  ngf-nginx-gateway-fabric-cert-generator
  Containers:
   cert-generator:
    Image: artifact.it.att.com:22609/apm0012256-dkr-idp-group/nginx-gateway-fabric:0.0.0-edge
    Port:
    Host Port:
    SeccompProfile: RuntimeDefault
    Args:
      generate-certs
      --service=ngf-nginx-gateway-fabric
      --cluster-domain=cluster.local
      --server-tls-secret=server-tls
      --agent-tls-secret=agent-tls
    Environment:
      POD_NAMESPACE: (v1:metadata.namespace)
    Mounts:
  Volumes:
  Node-Selectors:
  Tolerations:
Events:
```

Are there logs? It looks like it’s running, which tells me it’s not an issue with pulling the image.

If you see, it’s in Failed state. Image pulling is not an issue, but setting the image pull secrets for the job is.

```
ngf-nginx-gateway-fabric-cert-generator-6xqjb   0/1     ImagePullBackOff   0          125m
```

```
Events:
  Type     Reason   Age                   From     Message
  Normal   Pulling  20m (x25 over 125m)   kubelet  Pulling image "artifact.it.att.com:22609/apm0012256-dkr-idp-group/nginx-gateway-fabric:0.0.0-edge"
  Warning  Failed   15m (x26 over 125m)   kubelet  Failed to pull image "artifact.it.att.com:22609/apm0012256-dkr-idp-group/nginx-gateway-fabric:0.0.0-edge": rpc error: code = NotFound desc = failed to pull and unpack image "artifact.it.att.com:22609/apm0012256-dkr-idp-group/nginx-gateway-fabric:0.0.0-edge": failed to resolve reference "artifact.it.att.com:22609/apm0012256-dkr-idp-group/nginx-gateway-fabric:0.0.0-edge": artifact.it.att.com:22609/apm0012256-dkr-idp-group/nginx-gateway-fabric:0.0.0-edge: not found
  Normal   BackOff  33s (x542 over 125m)  kubelet  Back-off pulling image "artifact.it.att.com:22609/apm0012256-dkr-idp-group/nginx-gateway-fabric:0.0.0-edge"
  Warning  Failed   22s (x543 over 125m)  kubelet  Error: ImagePullBackOff
```

Well the ServiceAccount properly references your image secret, and the cert-generator Job is using that ServiceAccount. So there’s no issue in using the Secret.

The error message says `failed to resolve reference`, which tells me that either that image and tag do not exist at that path, or maybe kube DNS can’t resolve that domain to pull the image.
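The distinction drawn in the reply above (a reference that cannot be resolved versus a problem with the pull secret), as an added example that is not part of the original thread: a small triage helper that sorts kubelet pull-failure messages by likely cause. The function names, category labels, and sample events on `registry.example.com` are constructed for illustration, and the matched substrings are assumptions about typical runtime error text.

```shell
#!/bin/sh
# Added example: classify kubelet "Failed to pull image" event messages.
# Function names and category labels are hypothetical.

classify_pull_failure() {
    # Lower-case the message so matching is case-insensitive.
    msg=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$msg" in
        *"no such host"*|*"i/o timeout"*|*"connection refused"*)
            echo "registry-unreachable" ;;  # DNS or network path to the registry
        *unauthorized*|*forbidden*|*"authentication required"*|*"access denied"*)
            echo "credentials" ;;           # pull secret missing, wrong, or lacking access
        *"manifest unknown"*|*"not found"*)
            echo "bad-reference" ;;         # repository path or tag does not exist
        *)
            echo "unknown" ;;
    esac
}

triage_events() {
    # Read event lines (as printed by `kubectl describe pod`) on stdin and
    # print one category per distinct kind of pull failure.
    while IFS= read -r line; do
        case "$line" in
            *"Failed to pull image"*) classify_pull_failure "$line" ;;
        esac
    done | sort -u
}

sample_events() {
    # Constructed sample events; not taken from a real cluster.
    cat <<'EOF'
Warning  Failed  2m  kubelet  Failed to pull image "registry.example.com/team/nginx-gateway-fabric:edge": rpc error: code = NotFound desc = failed to resolve reference "registry.example.com/team/nginx-gateway-fabric:edge": registry.example.com/team/nginx-gateway-fabric:edge: not found
Warning  Failed  1m  kubelet  Error: ImagePullBackOff
Warning  Failed  2m  kubelet  Failed to pull image "registry.example.com/team/nginx/nginx-gateway-fabric:edge": failed to authorize: failed to fetch anonymous token: unexpected status: 401 Unauthorized
EOF
}

sample_events | triage_events
```

Some registries answer with a not-found error for a repository the caller is not allowed to read, so a `bad-reference` result is worth confirming by pulling the same path with credentials that are known to work.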

Thanks for the lead, I was missing “nginx” from the repo name. Able to pull the image successfully.

```
helm upgrade --install ngf oci://ghcr.io/nginx/charts/nginx-gateway-fabric \
  -n nginx-gateway \
  --version edge \
  --set nginxGateway.image.repository=<private_repo_name>/nginx/nginx-gateway-fabric \
  --set nginxGateway.image.tag=edge \
  --set nginxGateway.image.pullPolicy=IfNotPresent \
  --set nginx.imagePullSecret=xxxx \
  --set imagePullSecrets[0].name=xxxx \
  --set nginxGateway.serviceAccount.imagePullSecret=xxxxx \
  --set nginxGateway.snippetsFilters.enable=true
```
