feat(helm-toolkit): add support for image pull secrets

At the moment it is very difficult to pull images from a private registry that hasn't been configured on Kubernetes nodes as there is no way to specify imagePullSecrets on pods. This change introduces a snippet that can return a set of image pull secrets using either a default or a per pod value. It also adds this new snippet to the manifests for standard job types. Change-Id: I710e1feffdf837627b80bc14320751f743e048cb
2021-12-20 22:41:36 +01:00 · 2021-12-20 22:41:36 +01:00 · 9d7baa9aa8
parent 336766d262
commit 9d7baa9aa8
14 changed files with 58 additions and 1 deletions
--- a/helm-toolkit/Chart.yaml
+++ b/helm-toolkit/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Helm-Toolkit
 name: helm-toolkit
-version: 0.2.29
+version: 0.2.30
 home: https://docs.openstack.org/openstack-helm
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
 sources:
--- a/helm-toolkit/templates/manifests/_job-bootstrap.tpl
+++ b/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@ -70,6 +70,7 @@ spec:
    spec:
      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
+      {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
      nodeSelector:
 {{ toYaml $nodeSelector | indent 8 }}
      initContainers:
--- a/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
+++ b/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@ -71,6 +71,7 @@ spec:
    spec:
      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
+      {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
      nodeSelector:
 {{ toYaml $nodeSelector | indent 8 }}
      initContainers:
--- a/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
+++ b/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@ -71,6 +71,7 @@ spec:
    spec:
      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
+      {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
      nodeSelector:
 {{ toYaml $nodeSelector | indent 8 }}
      initContainers:
--- a/helm-toolkit/templates/manifests/_job-db-sync.tpl
+++ b/helm-toolkit/templates/manifests/_job-db-sync.tpl
@ -68,6 +68,7 @@ spec:
    spec:
      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
+      {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
      nodeSelector:
 {{ toYaml $nodeSelector | indent 8 }}
      initContainers:
--- a/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
+++ b/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@ -71,6 +71,7 @@ spec:
    spec:
      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
      nodeSelector:
 {{ toYaml $nodeSelector | indent 8 }}
      initContainers:
--- a/helm-toolkit/templates/manifests/_job-ks-service.tpl
+++ b/helm-toolkit/templates/manifests/_job-ks-service.tpl
@ -71,6 +71,7 @@ spec:
    spec:
      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
      nodeSelector:
 {{ toYaml $nodeSelector | indent 8 }}
      initContainers:
--- a/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
+++ b/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@ -94,6 +94,7 @@ spec:
      serviceAccountName: {{ $serviceAccountName | quote }}
 {{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
      nodeSelector:
 {{ toYaml $nodeSelector | indent 8 }}
      initContainers:
--- a/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
+++ b/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@ -61,6 +61,7 @@ spec:
    spec:
      serviceAccountName: {{ $serviceAccountName | quote }}
      restartPolicy: OnFailure
+      {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
      nodeSelector:
 {{ toYaml $nodeSelector | indent 8 }}
      initContainers:
--- a/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
+++ b/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@ -66,6 +66,7 @@ spec:
    spec:
      serviceAccountName: {{ $serviceAccountName | quote }}
      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
      nodeSelector:
 {{ toYaml $nodeSelector | indent 8 }}
      initContainers:
--- a/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
+++ b/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@ -64,6 +64,7 @@ spec:
    spec:
      serviceAccountName: {{ $serviceAccountName | quote }}
      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
      nodeSelector:
 {{ toYaml $nodeSelector | indent 8 }}
      initContainers:
--- a/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
+++ b/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@ -63,6 +63,7 @@ spec:
    spec:
      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
+      {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
      nodeSelector:
 {{ toYaml $nodeSelector | indent 8 }}
      initContainers:
--- a/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
+++ b/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders image pull secrets for a pod
+values: |
+  pod:
+    image_pull_secrets:
+      default:
+        - name: some-pull-secret
+      bar:
+        - name: another-pull-secret
+usage: |
+  {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+  imagePullSecrets:
+    - name: some-pull-secret
+    - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
--- a/releasenotes/notes/helm-toolkit.yaml
+++ b/releasenotes/notes/helm-toolkit.yaml
@ -36,4 +36,5 @@ helm-toolkit:
  - 0.2.27 Correct private key size input for Certificates and remove minor version support
  - 0.2.28 Set Security context to ks-user job at pod and container level
  - 0.2.29 Enhance mariadb backup
+  - 0.2.30 Add ability to image pull secrets on pods
 ...