

Use external secret for Docker registry
sbrunner committed Jul 4, 2024
1 parent d38eb4a commit 5013480
Showing 8 changed files with 212 additions and 28 deletions.
30 changes: 30 additions & 0 deletions templates/_helpers.tpl
Expand Up @@ -48,10 +48,12 @@ imagePullSecrets:
{{- toYaml .root.Values.global.image.pullSecrets | nindent 2 }}
{{- else }}
{{- if .root.Values.dockerregistry -}}
{{- if .root.Values.dockerregistry.enabled -}}
imagePullSecrets:
- name: {{ include "common.fullname" ( dict "root" .root "service" .root.Values "serviceName" "dockerregistry" ) }}
{{- end }}
{{- end }}
{{- end }}
serviceAccountName: {{ include "application.serviceAccountName" ( .root ) }}
securityContext: {{- toYaml .root.Values.podSecurityContext | nindent 2 }}
{{- with .service.nodeSelector }}
Expand Down Expand Up @@ -174,6 +176,34 @@ annotations:
}
{{- end }}

{{- define "application.secrets.externaldockerregistry" -}}
{
"auths": {
{{- range $registryName, $conf := . }}
{{- $url := ( default ( printf "{{ .%s-url }}" $registryName ) $conf.url ) }}
{{- $username := ( default ( printf "{{ .%s-username }}" $registryName ) $conf.username ) }}
{{- $password := ( default ( printf "{{ .%s-password }}" $registryName ) $conf.password ) }}
{{- $email := ( default ( printf "{{ .%s-email }}" $registryName ) $conf.email ) }}
{{ $url | quote }}: {
{{- if and ( hasKey $conf "username" ) ( hasKey $conf "password" ) }}
"auth": {{ printf "%s:%s" $conf.username $conf.password | b64enc | quote }},
{{- else if hasKey $conf "username" }}
"auth": {{ printf "{{ ( printf \"%s:%s\" .%s-password ) | b64enc | quote }}" $conf.username "%s" $registryName }},
{{- else if hasKey $conf "password" }}
"auth": {{ printf "{{ ( printf \"%s:%s\" .%s-username ) | b64enc | quote }}" "%s" $conf.password $registryName }},
{{- else }}
"auth": {{ printf "{{ ( printf \"%s:%s\" .%s-username .%s-password ) | b64enc | quote }}" "%s" "%s" $registryName $registryName }},
{{- end }}
"username": {{ $username | quote }},
"password": {{ $password | quote }},
"email": {{ $email | quote }}
},
{{- end }}
"fix-end-comma": {"auth": ""}
}
}
{{- end }}

{{- define "application.volumes" -}}
{{- $root := .root }}
{{- with .service.volumes }}
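Review bot: The Go-template expressions generated at the four `$url`/`$username`/`$password`/`$email` lines and in the three external `auth` branches use `.%s-username`-style field access, which Go's text/template cannot parse once the registry name contains a dot or a dash (the fixture output `{{ .ghcr.io-username }}` lexes `-username` as a malformed number), so the ExternalSecret template is rejected by the operator even though `helm template` succeeds and the test passes. Map keys with such characters have to be read as `index . "<key>"`; the rewrite below applies that to the variable defaults and to the `printf` formats that build `auth`. The `"fix-end-comma": {"auth": ""}` entry also ships a fake registry host into every generated `.dockerconfigjson`; a `$first` flag inside the range (`{{- if not $first }},{{- end }}` before each entry, `{{- $first = false }}` after it) avoids the trailing comma without the placeholder. The helper is fully inside the hunk.
```gotemplate
{{- range $registryName, $conf := . }}
{{- $url := ( default ( printf "{{ index . \"%s-url\" }}" $registryName ) $conf.url ) }}
{{- $username := ( default ( printf "{{ index . \"%s-username\" }}" $registryName ) $conf.username ) }}
{{- $password := ( default ( printf "{{ index . \"%s-password\" }}" $registryName ) $conf.password ) }}
{{- $email := ( default ( printf "{{ index . \"%s-email\" }}" $registryName ) $conf.email ) }}
{{/* … unchanged: registry key and the inline username+password branch … */}}
{{- else if hasKey $conf "username" }}
"auth": {{ printf "{{ ( printf \"%s:%s\" ( index . \"%s-password\" ) ) | b64enc | quote }}" $conf.username "%s" $registryName }},
{{- else if hasKey $conf "password" }}
"auth": {{ printf "{{ ( printf \"%s:%s\" ( index . \"%s-username\" ) ) | b64enc | quote }}" "%s" $conf.password $registryName }},
{{- else }}
"auth": {{ printf "{{ ( printf \"%s:%s\" ( index . \"%s-username\" ) ( index . \"%s-password\" ) ) | b64enc | quote }}" "%s" "%s" $registryName $registryName }},
{{/* … unchanged: username/password/email fields and closing braces … */}}
```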
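--- a/templates/external-secret-docker-registry.yaml
+++ b/templates/external-secret-docker-registry.yaml
@@ -0,0 +1,47 @@
+{{- with .Values.dockerregistry }}
+{{- if .enabled }}
+{{- if .external }}
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+name: {{ include "common.fullname" ( dict "root" $ "service" . ) }}
+{{- include "common.metadata" ( dict "root" $ "service" . ) | nindent 2 }}
+spec:
+{{- with .refreshInterval }}
+refreshInterval: {{ . }}
+{{- end }}
+{{- with .secretStoreRef }}
+secretStoreRef: {{- toYaml . | nindent 4 }}
+{{- end }}
+target:
+{{- if not ( hasKey ( default ( dict ) .target ) "name" ) }}
+name: {{ include "common.fullname" ( dict "root" $ "service" . "serviceName" "external-secret" ) }}
+{{- end }}
+template:
+type: kubernetes.io/dockerconfigjson
+data:
+.dockerconfigjson: |-
+{{- include "application.secrets.externaldockerregistry" .content | nindent 10 }}
+data:
+{{- range $registryName, $conf := .content }}
+{{- with $conf.externalUsername }}
+- secretKey: {{ $registryName }}-username
+value: {{ $conf.externalUsername }}
+{{- end }}
+{{- with $conf.externalPassword }}
+- secretKey: {{ $registryName }}-password
+value: {{ $conf.externalPassword }}
+{{- end }}
+{{- with $conf.externalEmail }}
+- secretKey: {{ $registryName }}-email
+value: {{ $conf.externalEmail }}
+{{- end }}
+{{- with $conf.externalUrl }}
+- secretKey: {{ $registryName }}-url
+value: {{ $conf.externalUrl }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}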
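Review bot: The Secret this ExternalSecret creates is named `<fullname>-external-secret` (the `target.name` fallback line), while the `_helpers.tpl` hunk in this same commit makes every pod reference `imagePullSecrets` as `<fullname>-dockerregistry` (`"serviceName" "dockerregistry"`), and the fixture shows the mismatch (`custom-custom-pod-external-secret` versus the removed `custom-custom-pod-dockerregistry`), so with `external: true` pods point at a pull secret that is never created. Using `"serviceName" "dockerregistry"` in the fallback fixes that; note also that a user-supplied `.target` is only consulted by `hasKey` and never rendered, so a custom `target.name` is silently dropped — rendering `.target` with `toYaml` under `target:` and only falling back to the computed name when it has none would emit it. Separately, registry entries that still carry an inline `password` are copied verbatim into `spec.target.template.data` by the helper include, so with `external: true` those credentials sit in cleartext in the ExternalSecret object (typically git-managed and more widely readable than the Secret itself); worth documenting in values.md or rejecting with `fail` when `external` is set. The file is new, so the whole template is in view.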
4 changes: 4 additions & 0 deletions templates/secret-docker-registry.yaml
@@ -1,4 +1,6 @@
{{- with .Values.dockerregistry }}
{{- if .enabled }}
{{- if not .external }}
apiVersion: v1
kind: Secret
metadata:
Expand All @@ -8,3 +10,5 @@ type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: {{ include "application.secrets.dockerregistry" .content | b64enc }}
{{- end }}
{{- end }}
{{- end }}
88 changes: 70 additions & 18 deletions tests/expected.yaml
Expand Up @@ -174,24 +174,6 @@ metadata:
annotations:
example-annotation: coucou
---
# Source: custom-pod/templates/secret-docker-registry.yaml
apiVersion: v1
kind: Secret
metadata:
name: custom-custom-pod-dockerregistry
labels:
helm.sh/chart: custom-pod
app.kubernetes.io/version: "1.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: custom-pod
app.kubernetes.io/instance: custom
app.kubernetes.io/component: dockerregistry
annotations:
testAnnotation: annotation value
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: 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
---
# Source: custom-pod/templates/secret.yaml
apiVersion: v1
kind: Secret
Expand Down Expand Up @@ -1415,6 +1397,76 @@ spec:
port:
number: 8080
---
# Source: custom-pod/templates/external-secret-docker-registry.yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: custom-custom-pod
labels:
helm.sh/chart: custom-pod
app.kubernetes.io/version: "1.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: custom-pod
app.kubernetes.io/instance: custom
app.kubernetes.io/component: main
annotations:
testAnnotation: annotation value
spec:
target:
name: custom-custom-pod-external-secret
template:
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: |-
{
"auths": {
"https://index.docker.io/v1/": {
"auth": "YzJjZ2lzYm90OjEyMzQ=",
"username": "c2cgisbot",
"password": "1234",
"email": "[email protected]"
},
"docker.io": {
"auth": "YzJjZ2lzYm90OjEyMzQ=",
"username": "c2cgisbot",
"password": "1234",
"email": "[email protected]"
},
"{{ .ghcr.io-url }}": {
"auth": {{ ( printf "%s:%s" .ghcr.io-username .ghcr.io-password ) | b64enc | quote }},
"username": "{{ .ghcr.io-username }}",
"password": "{{ .ghcr.io-password }}",
"email": "{{ .ghcr.io-email }}"
},
"ghcr.io": {
"auth": {{ ( printf "%s:my-password" .password-username ) | b64enc | quote }},
"username": "{{ .password-username }}",
"password": "my-password",
"email": "[email protected]"
},
"ghcr.io": {
"auth": {{ ( printf "my-username:%s" .user-password ) | b64enc | quote }},
"username": "my-username",
"password": "{{ .user-password }}",
"email": "[email protected]"
},
"fix-end-comma": {"auth": ""}
}
}
data:
- secretKey: ghcr.io-username
value: ghcr-username
- secretKey: ghcr.io-password
value: ghcr-password
- secretKey: ghcr.io-email
value: ghcr-email
- secretKey: ghcr.io-url
value: ghcr-url
- secretKey: password-username
value: ghcr-username
- secretKey: user-password
value: ghcr-password
---
# Source: custom-pod/templates/external-secret.yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
20 changes: 17 additions & 3 deletions tests/values.yaml
Expand Up @@ -24,21 +24,35 @@ ingress:
- '*.example.com'

dockerregistry:
external: true
annotations:
testAnnotation: annotation value
content:
https://index.docker.io/v1/:
docker-hub-1:
email: [email protected]
username: c2cgisbot
password: '1234'
url: https://index.docker.io/v1/
docker.io:
email: [email protected]
username: c2cgisbot
password: '1234'
url: docker.io
ghcr.io:
externalEmail: ghcr-email
externalUsername: ghcr-username
externalPassword: ghcr-password
externalUrl: ghcr-url
user:
email: [email protected]
username: c2c-bot-gis-ci
password: '1234'
username: my-username
externalPassword: ghcr-password
url: ghcr.io
password:
email: [email protected]
externalUsername: ghcr-username
password: my-password
url: ghcr.io

secrets:
enabled: true
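Review bot: The `user` and `password` entries both set `url: ghcr.io`, so the rendered `auths` object in `tests/expected.yaml` contains the key `"ghcr.io"` twice; a JSON consumer keeps only one of them, which means the fixture pins a configuration where one test case silently shadows the other and a regression in either `auth` branch of the helper could go unnoticed. Giving each entry a distinct URL (a constructed value such as `url: ghcr-password-only.example` is enough) keeps every branch observable in the expected output. The `password` key used as a registry name on the `password:` line is also easy to misread as a credential; a name like `password-only` would be clearer.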
13 changes: 10 additions & 3 deletions values.md
Expand Up @@ -48,11 +48,18 @@
- **`prefixTrunc`**: Refer to _[#/definitions/prefixTrunc](#definitions/prefixTrunc)_.
- **`labels`**: Refer to _[#/definitions/labels](#definitions/labels)_.
- **`annotations`**: Refer to _[#/definitions/annotations](#definitions/annotations)_.
- **`content`** _(object, required)_: Docker registries authentication. Can contain additional properties.
- **`enabled`** _(boolean)_: Enable the Docker registry.
- **`external`** _(boolean)_: Use an external secret to the Docker registries username, password and email.
- **`content`** _(object)_: Docker registries authentication. Can contain additional properties.
- **Additional properties** _(object)_: Cannot contain additional properties.
- **`username`** _(string, required)_: Username.
- **`password`** _(string, required)_: Password.
- **`username`** _(string)_: Username.
- **`password`** _(string)_: Password.
- **`email`** _(string)_: Email.
- **`url`** _(string)_: URL, used only for external secret.
- **`externalUsername`** _(string)_: Key of the external secret for the username.
- **`externalPassword`** _(string)_: Key of the external secret for the password.
- **`externalEmail`** _(string)_: Key of the external secret for the email.
- **`externalUrl`** _(string)_: Key of the external secret for the URL.
- **`secrets`** _(object)_: Cannot contain additional properties.
- **`enabled`** _(boolean)_: Enable the Secret. Default: `true`.
- **`nameOverride`**: Refer to _[#/definitions/nameOverride](#definitions/nameOverride)_.
34 changes: 30 additions & 4 deletions values.schema.json
Expand Up @@ -438,6 +438,14 @@
"annotations": {
"$ref": "#/definitions/annotations"
},
"enabled": {
"type": "boolean",
"description": "Enable the Docker registry"
},
"external": {
"type": "boolean",
"description": "Use an external secret to the Docker registries username, password and email"
},
"content": {
"type": "object",
"description": "Docker registries authentication",
Expand All @@ -456,13 +464,31 @@
"email": {
"type": "string",
"description": "Email"
},
"url": {
"type": "string",
"description": "URL, used only for external secret"
},
"externalUsername": {
"type": "string",
"description": "Key of the external secret for the username"
},
"externalPassword": {
"type": "string",
"description": "Key of the external secret for the password"
},
"externalEmail": {
"type": "string",
"description": "Key of the external secret for the email"
},
"externalUrl": {
"type": "string",
"description": "Key of the external secret for the URL"
}
},
"required": ["username", "password"]
}
}
}
},
"required": ["content"]
}
},
"secrets": {
"type": "object",
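Review bot: The schema gains `enabled` and `external` but not `refreshInterval`, `secretStoreRef` or `target`, all of which `templates/external-secret-docker-registry.yaml` reads from `dockerregistry`; if the `dockerregistry` object forbids additional properties (its header is above this hunk, so I cannot tell), a user who sets a `secretStoreRef` is rejected by validation, and if it allows them they are undocumented in values.md either way. Dropping `"required": ["username", "password"]` also leaves no constraint that each entry supplies either an inline value or its `external*` key, so an empty `{}` entry validates and then renders an `auth` built from two template lookups that nothing in `data` provides; an `anyOf` over `username`/`externalUsername` and over `password`/`externalPassword` would express the intended contract.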
4 changes: 4 additions & 0 deletions values.yaml
Expand Up @@ -27,6 +27,10 @@ securityContext:
ingress:
enabled: false

dockerregistry:
enabled: true
external: false

services: {}
# example:
# enabled: false
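Review bot: The new default `enabled: true` with no `content` changes what every release renders: `secret-docker-registry.yaml` now emits a Secret whose `.dockerconfigjson` is built from a nil `.content`, and the `_helpers.tpl` hunk adds an `imagePullSecrets` entry pointing at it to every pod, whereas before this commit the absent `dockerregistry` key rendered nothing. Unless `application.secrets.dockerregistry` (not in this diff) tolerates nil, the chart stops rendering for users who never configured a registry; if it does tolerate nil, they get an empty pull secret attached to all pods. Defaulting to `enabled: false`, or gating both the Secret and the `imagePullSecrets` reference on `.content` as well, keeps the previous behaviour for unconfigured charts.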
