stackrox · mclasmeier · Mar 11, 2026
@@ -347,12 +347,12 @@ The following block checks for the validity of the provided init bundle. (`helm
   {{ include "srox.fail" "A CA certificate must be specified (please make sure that either an init bundle or a cluster registration secret has been provided)" }}
 {{- end }}
 
+{{ $imagePullSecretNames := list "stackrox" }}
 [<- if not .KubectlOutput ->]
 {{/*
    Scanner setup.
   */}}
 
-{{ $imagePullSecretNames := list }}
 
 {{ $anyScannerEnabled := or (eq ._rox.scanner.disable false) (eq ._rox.scannerV4.disable false) }}
 {{ if $anyScannerEnabled }}
@@ -387,12 +387,6 @@ The following block checks for the validity of the provided init bundle. (`helm
     {{ $imagePullSecretNames = append $imagePullSecretNames "stackrox-scanner-v4" }}
   {{ end }}
 
-  {{ if not (empty $imagePullSecretNames) }}
-    {{ $imagePullSecretNames = append $imagePullSecretNames "stackrox" }}
-    {{/* Note: This must happen late, as we rely on "srox.configureImage" to collect the
-        set of all referenced images first. */}}
-    {{ include "srox.configureImagePullSecrets" (list $ "imagePullSecrets" $._rox.imagePullSecrets "secured-cluster-services-main" $imagePullSecretNames $.Release.Namespace) }}
-  {{ end }}
 {{ end }}
 
 [<- end >]
@@ -403,6 +397,7 @@ The following block checks for the validity of the provided init bundle. (`helm
      set of all referenced images first. */}}
 {{ include "srox.configureImagePullSecrets" (list $ "mainImagePullSecrets" $._rox.mainImagePullSecrets "secured-cluster-services-main" (list "stackrox") $._rox._namespace) }}
 {{ include "srox.configureImagePullSecrets" (list $ "collectorImagePullSecrets" $._rox.collectorImagePullSecrets "secured-cluster-services-collector" (list "stackrox" "collector-stackrox") $._rox._namespace) }}
+{{ include "srox.configureImagePullSecrets" (list $ "imagePullSecrets" $._rox.imagePullSecrets "secured-cluster-services-main" $imagePullSecretNames $._rox._namespace) }}
 
 {{/* Derive internal representation of specific chart configuration settings. */}}
 

@@ -19,13 +19,29 @@ expect: |
   assumeThat(.error == null) | .serviceaccounts["collector"] | saNotRefersTo(["stackrox", "stackrox-scanner", "collector-stackrox"])
   assumeThat(.error == null) | .serviceaccounts["sensor"] | saNotRefersTo(["stackrox", "stackrox-scanner", "collector-stackrox"])
   assumeThat(.error == null) | .serviceaccounts["admission-control"] | saNotRefersTo(["stackrox", "stackrox-scanner", "collector-stackrox"])
+  assumeThat(.error == null) | .serviceaccounts["scanner"] | saNotRefersTo(["stackrox", "stackrox-scanner", "collector-stackrox"])
 
   # Ensure that sensor and admission-control secrets do not reference the collector secrets in the non-error case.
 
   assumeThat(.error == null) | .serviceaccounts["sensor"] | saNotRefersTo(["secured-cluster-services-collector", "collector-stackrox"])
   assumeThat(.error == null) | .serviceaccounts["admission-control"] | saNotRefersTo(["secured-cluster-services-collector", "collector-stackrox"])
+  assumeThat(.error == null) | .serviceaccounts["scanner"] | saNotRefersTo(["secured-cluster-services-collector", "collector-stackrox"])
 
 tests:
+- name: "scanner service account references image pull secrets if scanner V4 is disabled"
+  values:
+    scanner:
+      disable: false
+    scannerV4:
+      disable: true
+  tests:
+  - name: "if image pull secrets are specified"
+    values:
+      imagePullSecrets:
+        username: euler
+        password: "0.57721"
+    expect: |
+      .serviceaccounts["scanner"] | saRefersTo(["secured-cluster-services-main"])
 - name: "with no image pull secret creation"
   expect: |
     .secrets?["secured-cluster-services-main"]? | assertThat(. == null)