Add: dockersecret (#83)

* Add: #83 * Fix: #82 Co-authored-by: airlockgithubci <[email protected]>
ergon · Feb 15, 2021 · 5a605bd · 5a605bd
1 parent f01c3be
commit 5a605bd
Show file tree

Hide file tree

Showing 9 changed files with 68 additions and 9 deletions.
diff --git a/.github/helm-docs-generate.sh b/.github/helm-docs-generate.sh
@@ -8,7 +8,8 @@ echo -e "\033[0;31m Make sure that the documentation has been updated. \033[0m"
 git config user.name "$TECHNICAL_USER"
 git config user.email "$TECHNICAL_USER@users.noreply.github.com"
 
-git checkout  ${BRANCH_NAME}
+git fetch
+git checkout ${BRANCH_NAME}
 
 ./helm-docs
 

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -79,4 +79,4 @@ jobs:
           kubectl create secret docker-registry dockersecret --docker-username=${{ secrets.DOCKER_USER }} --docker-password=${{ secrets.DOCKER_USER_TOKEN }}
           kubectl create secret generic microgatewaysecrets --from-literal=license="${{ secrets.WAF_LICENSE }}" --from-literal=passphrase="${{ secrets.WAF_PASSPHRASE }}"
       - name: Run chart-testing (install)
-        run: ct install --config .github/ct.yaml
+        run: ct install --config .github/ct.yaml
diff --git a/charts/microgateway/Chart.yaml b/charts/microgateway/Chart.yaml
@@ -14,5 +14,5 @@ maintainers:
   - email: [email protected]
     name: Airlock
 name: microgateway
-version: 0.6.4
+version: 0.6.5
 appVersion: "1.0"
diff --git a/charts/microgateway/README.md b/charts/microgateway/README.md
@@ -6,7 +6,7 @@ It is the lightweight, container-based deployment form of the *Airlock Gateway*,
 
 The Airlock helm charts are used internally for testing the *Airlock Microgateway*. We make them available publicly under the [MIT license](https://github.com/ergon/airlock-helm-charts/blob/master/LICENSE).
 
-The current chart version is: 0.6.4
+The current chart version is: 0.6.5
 
 ## About Ergon
 *Airlock* is a registered trademark of [Ergon](https://www.ergon.ch). Ergon is a Swiss leader in leveraging digitalisation to create unique and effective client benefits, from conception to market, the result of which is the international distribution of globally revered products.
@@ -139,6 +139,11 @@ The following table lists configuration parameters of the Airlock Microgateway c
 | image.pullPolicy | string | `"IfNotPresent"` | Pull policy (`Always`, `IfNotPresent`, `Never`) |
 | image.repository | string | `"ergon/airlock-microgateway"` | Image repository |
 | image.tag | string | `"1.0"` | Image tag |
+| imageCredentials | object | `{"enabled":false,"password":"","registry":"https://index.docker.io/v1/","username":""}` | Creates a imagePullSecret with the provided values. |
+| imageCredentials.enabled | bool | `false` | Enable the imagePullSecret creation. |
+| imageCredentials.password | string | `""` | imagePullSecret password/Token |
+| imageCredentials.registry | string | `"https://index.docker.io/v1/"` | imagePullSecret registry |
+| imageCredentials.username | string | `""` | imagePullSecret username |
 | imagePullSecrets | list | `[]` | Reference to one or more secrets to use when pulling images. |
 | ingress | object | See `ingress.*`: | [Kubernetes Ingress](#kubernetes-ingress) |
 | ingress.annotations | object | `{"nginx.ingress.kubernetes.io/rewrite-target":"/"}` | Annotations to set on the ingress. |
@@ -317,7 +322,7 @@ Finally, apply the Helm chart configuration file with `-f` parameter.
   ```
 
 :information_source: **Possible settings**:<br>
-Please refer to the [Echo-Server Helm chart](https://ealenn.github.io/Echo-Server/pages/helm.html) to see all possible parameters of the Echo-Server Helm chart.
+Please refer to the [Echo-Server Helm chart](https://artifacthub.io/packages/helm/ealenn/echo-server) to see all possible parameters of the Echo-Server Helm chart.
 
 ## DSL configuration
 The Helm chart provides three different possibilities to configure the Microgateway.
@@ -764,7 +769,8 @@ This is why it is better to create a secret containing license and passphrase us
 
 #### Credentials to pull image from Docker registry
 The Microgateway image is published in a private Docker registry to which only granted accounts have access.
-In order to download this image, the credentials must be configured in a secret and passed to the Helm chart to use when downloading the image.
+In order to download this image, the Helm chart needs the Docker credentials to authenticate against the Docker registry. 
+Either an already existing Docker secret is provided (`imagePullSecrets`) during the installation of the Microgateway, or a Kubernetes secret is created with the provided credentials (`imageCredentials`).    
 
   The example below shows how to create a secret with the credentials to download the image from the Docker registry.
   ```
@@ -778,6 +784,14 @@ In order to download this image, the credentials must be configured in a secret
       - name: "docker-secret"
   ```
 
+  The following example shows how to configure the Helm chart so that a Kubernetes credential is created. 
+```
+imageCredentials:
+  enabled: true
+  username: <username>
+  password: <access_token>
+```
+
 #### Certificates for Microgateway
 The Microgateway can be configured to use a specific certificate for frontend and/or backend connections. The certificate must be stored in a secret
 and passed to the Helm chart to use it.

diff --git a/charts/microgateway/README.md.gotmpl b/charts/microgateway/README.md.gotmpl
@@ -216,7 +216,7 @@ Finally, apply the Helm chart configuration file with `-f` parameter.
   ```
 
 :information_source: **Possible settings**:<br>
-Please refer to the [Echo-Server Helm chart](https://ealenn.github.io/Echo-Server/pages/helm.html) to see all possible parameters of the Echo-Server Helm chart.
+Please refer to the [Echo-Server Helm chart](https://artifacthub.io/packages/helm/ealenn/echo-server) to see all possible parameters of the Echo-Server Helm chart.
 
 ## DSL configuration
 The Helm chart provides three different possibilities to configure the Microgateway.
@@ -663,7 +663,8 @@ This is why it is better to create a secret containing license and passphrase us
 
 #### Credentials to pull image from Docker registry
 The Microgateway image is published in a private Docker registry to which only granted accounts have access.
-In order to download this image, the credentials must be configured in a secret and passed to the Helm chart to use when downloading the image.
+In order to download this image, the Helm chart needs the Docker credentials to authenticate against the Docker registry. 
+Either an already existing Docker secret is provided (`imagePullSecrets`) during the installation of the Microgateway, or a Kubernetes secret is created with the provided credentials (`imageCredentials`).    
 
   The example below shows how to create a secret with the credentials to download the image from the Docker registry.
   ```
@@ -677,6 +678,14 @@ In order to download this image, the credentials must be configured in a secret
       - name: "docker-secret"
   ```
 
+  The following example shows how to configure the Helm chart so that a Kubernetes credential is created. 
+```
+imageCredentials:
+  enabled: true
+  username: <username>
+  password: <access_token>
+```
+
 #### Certificates for Microgateway
 The Microgateway can be configured to use a specific certificate for frontend and/or backend connections. The certificate must be stored in a secret
 and passed to the Helm chart to use it.

diff --git a/charts/microgateway/templates/_helpers.tpl b/charts/microgateway/templates/_helpers.tpl
@@ -80,6 +80,15 @@ Get the secret name
 {{- end -}}
 {{- end -}}
 
+{{/*
+Create imagePullSecret
+*/}}
+{{- define "imagePullSecret" }}
+{{- if .Values.imageCredentials.enabled }}
+  {{- printf "{\"auths\": {\"%s\": {\"username\":\"%s\",\"password\":\"%s\",\"auth\":\"%s\"}}}" .Values.imageCredentials.registry .Values.imageCredentials.username .Values.imageCredentials.password (printf "%s:%s" .Values.imageCredentials.username .Values.imageCredentials.password | b64enc) | b64enc }}
+{{- end -}}
+{{- end }}
+
 {{/*
 Return true if apache expert settings should be created
 */}}

diff --git a/charts/microgateway/templates/deployment.yaml b/charts/microgateway/templates/deployment.yaml
@@ -19,9 +19,14 @@ spec:
         checksum/secret: {{ include (print .Template.BasePath "/secret.yaml") . | sha256sum }}
         {{- end }}
     spec:
-    {{- with .Values.imagePullSecrets }}
+    {{- if or .Values.imagePullSecrets .Values.imageCredentials.enabled }}
       imagePullSecrets:
+      {{- with .Values.imagePullSecrets -}}
         {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if .Values.imageCredentials.enabled }}
+        - name: {{ template "microgateway.fullname" . }}-dockerregcred
+      {{- end }}
     {{- end }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}

diff --git a/charts/microgateway/templates/dockersecret.yaml b/charts/microgateway/templates/dockersecret.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.imageCredentials.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "microgateway.fullname" . }}-dockerregcred
+  labels:
+    {{- include "microgateway.labels" . | nindent 4 }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ template "imagePullSecret" . }}
+{{- end }}
diff --git a/charts/microgateway/values.yaml b/charts/microgateway/values.yaml
@@ -141,6 +141,16 @@ commonLabels: {}
 # imagePullSecrets -- Reference to one or more secrets to use when pulling images.
 imagePullSecrets: []
   # - name: "image-pull-secret"
+# imageCredentials -- Creates a imagePullSecret with the provided values.
+imageCredentials:
+  # imageCredentials.enabled -- Enable the imagePullSecret creation.
+  enabled: false
+  # imageCredentials.registry -- imagePullSecret registry
+  registry: "https://index.docker.io/v1/"
+  # imageCredentials.username -- imagePullSecret username
+  username: ""
+  # imageCredentials.password -- imagePullSecret password/Token
+  password: ""
 # nameOverride -- Provide a name in place of `microgateway`.
 nameOverride: ""
 # fullnameOverride -- Provide a name to substitute for the full names of resources.