diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 985c67f..d2ed620 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -48,10 +48,12 @@ imagePullSecrets: {{- toYaml .root.Values.global.image.pullSecrets | nindent 2 }} {{- else }} {{- if .root.Values.dockerregistry -}} +{{- if .root.Values.dockerregistry.enabled -}} imagePullSecrets: - name: {{ include "common.fullname" ( dict "root" .root "service" .root.Values "serviceName" "dockerregistry" ) }} {{- end }} {{- end }} +{{- end }} serviceAccountName: {{ include "application.serviceAccountName" ( .root ) }} securityContext: {{- toYaml .root.Values.podSecurityContext | nindent 2 }} {{- with .service.nodeSelector }} @@ -174,6 +176,34 @@ annotations: } {{- end }} +{{- define "application.secrets.externaldockerregistry" -}} +{ + "auths": { + {{- range $registryName, $conf := . }} + {{- $url := ( default ( printf "{{ .%s-url }}" $registryName ) $conf.url ) }} + {{- $username := ( default ( printf "{{ .%s-username }}" $registryName ) $conf.username ) }} + {{- $password := ( default ( printf "{{ .%s-password }}" $registryName ) $conf.password ) }} + {{- $email := ( default ( printf "{{ .%s-email }}" $registryName ) $conf.email ) }} + {{ $url | quote }}: { + {{- if and ( hasKey $conf "username" ) ( hasKey $conf "password" ) }} + "auth": {{ printf "%s:%s" $conf.username $conf.password | b64enc | quote }}, + {{- else if hasKey $conf "username" }} + "auth": {{ printf "{{ ( printf \"%s:%s\" .%s-password ) | b64enc | quote }}" $conf.username "%s" $registryName }}, + {{- else if hasKey $conf "password" }} + "auth": {{ printf "{{ ( printf \"%s:%s\" .%s-username ) | b64enc | quote }}" "%s" $conf.password $registryName }}, + {{- else }} + "auth": {{ printf "{{ ( printf \"%s:%s\" .%s-username .%s-password ) | b64enc | quote }}" "%s" "%s" $registryName $registryName }}, + {{- end }} + "username": {{ $username | quote }}, + "password": {{ $password | quote }}, + "email": {{ $email | quote }} + }, + {{- end }} + "fix-end-comma": {"auth": ""} + } +} +{{- end }} + {{- define "application.volumes" -}} {{- $root := .root }} {{- with .service.volumes }} diff --git a/templates/external-secret-docker-registry.yaml b/templates/external-secret-docker-registry.yaml new file mode 100644 index 0000000..f725be7 --- /dev/null +++ b/templates/external-secret-docker-registry.yaml @@ -0,0 +1,47 @@ +{{- with .Values.dockerregistry }} +{{- if .enabled }} +{{- if .external }} +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: {{ include "common.fullname" ( dict "root" $ "service" . ) }} + {{- include "common.metadata" ( dict "root" $ "service" . ) | nindent 2 }} +spec: + {{- with .refreshInterval }} + refreshInterval: {{ . }} + {{- end }} + {{- with .secretStoreRef }} + secretStoreRef: {{- toYaml . | nindent 4 }} + {{- end }} + target: + {{- if not ( hasKey ( default ( dict ) .target ) "name" ) }} + name: {{ include "common.fullname" ( dict "root" $ "service" . "serviceName" "external-secret" ) }} + {{- end }} + template: + type: kubernetes.io/dockerconfigjson + data: + .dockerconfigjson: |- + {{- include "application.secrets.externaldockerregistry" .content | nindent 10 }} + data: + {{- range $registryName, $conf := .content }} + {{- with $conf.externalUsername }} + - secretKey: {{ $registryName }}-username + value: {{ $conf.externalUsername }} + {{- end }} + {{- with $conf.externalPassword }} + - secretKey: {{ $registryName }}-password + value: {{ $conf.externalPassword }} + {{- end }} + {{- with $conf.externalEmail }} + - secretKey: {{ $registryName }}-email + value: {{ $conf.externalEmail }} + {{- end }} + {{- with $conf.externalUrl }} + - secretKey: {{ $registryName }}-url + value: {{ $conf.externalUrl }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/templates/secret-docker-registry.yaml b/templates/secret-docker-registry.yaml index d1f18ae..a1d59e4 100644 --- a/templates/secret-docker-registry.yaml +++ b/templates/secret-docker-registry.yaml @@ -1,4 +1,6 @@ {{- with .Values.dockerregistry }} +{{- if .enabled }} +{{- if not .external }} apiVersion: v1 kind: Secret metadata: @@ -8,3 +10,5 @@ type: kubernetes.io/dockerconfigjson data: .dockerconfigjson: {{ include "application.secrets.dockerregistry" .content | b64enc }} {{- end }} +{{- end }} +{{- end }} diff --git a/tests/expected.yaml b/tests/expected.yaml index c3db250..e67955e 100644 --- a/tests/expected.yaml +++ b/tests/expected.yaml @@ -174,24 +174,6 @@ metadata: annotations: example-annotation: coucou --- -# Source: custom-pod/templates/secret-docker-registry.yaml -apiVersion: v1 -kind: Secret -metadata: - name: custom-custom-pod-dockerregistry - labels: - helm.sh/chart: custom-pod - app.kubernetes.io/version: "1.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: custom-pod - app.kubernetes.io/instance: custom - app.kubernetes.io/component: dockerregistry - annotations: - testAnnotation: annotation value -type: kubernetes.io/dockerconfigjson -data: - .dockerconfigjson: ewogICJhdXRocyI6IHsKICAgICJkb2NrZXIuaW8iOiB7CiAgICAgICJhdXRoIjogIll6SmpaMmx6WW05ME9qRXlNelE9IiwKICAgICAgInVzZXJuYW1lIjogImMyY2dpc2JvdCIsCiAgICAgICJwYXNzd29yZCI6ICIxMjM0IiwKICAgICAgImVtYWlsIjogImRvY2tlci1odWJAY2FtcHRvY2FtcC5jb20iCiAgICB9LAogICAgImdoY3IuaW8iOiB7CiAgICAgICJhdXRoIjogIll6SmpMV0p2ZEMxbmFYTXRZMms2TVRJek5BPT0iLAogICAgICAidXNlcm5hbWUiOiAiYzJjLWJvdC1naXMtY2kiLAogICAgICAicGFzc3dvcmQiOiAiMTIzNCIsCiAgICAgICJlbWFpbCI6ICJnZW9zcGF0aWFsLWJvdEBjYW1wdG9jYW1wLmNvbSIKICAgIH0sCiAgICAiaHR0cHM6Ly9pbmRleC5kb2NrZXIuaW8vdjEvIjogewogICAgICAiYXV0aCI6ICJZekpqWjJselltOTBPakV5TXpRPSIsCiAgICAgICJ1c2VybmFtZSI6ICJjMmNnaXNib3QiLAogICAgICAicGFzc3dvcmQiOiAiMTIzNCIsCiAgICAgICJlbWFpbCI6ICJkb2NrZXItaHViQGNhbXB0b2NhbXAuY29tIgogICAgfSwKICAgICJmaXgtZW5kLWNvbW1hIjogeyJhdXRoIjogIiJ9CiAgfQp9 ---- # Source: custom-pod/templates/secret.yaml apiVersion: v1 kind: Secret @@ -1415,6 +1397,76 @@ spec: port: number: 8080 --- +# Source: custom-pod/templates/external-secret-docker-registry.yaml +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: custom-custom-pod + labels: + helm.sh/chart: custom-pod + app.kubernetes.io/version: "1.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: custom-pod + app.kubernetes.io/instance: custom + app.kubernetes.io/component: main + annotations: + testAnnotation: annotation value +spec: + target: + name: custom-custom-pod-external-secret + template: + type: kubernetes.io/dockerconfigjson + data: + .dockerconfigjson: |- + { + "auths": { + "https://index.docker.io/v1/": { + "auth": "YzJjZ2lzYm90OjEyMzQ=", + "username": "c2cgisbot", + "password": "1234", + "email": "docker-hub@camptocamp.com" + }, + "docker.io": { + "auth": "YzJjZ2lzYm90OjEyMzQ=", + "username": "c2cgisbot", + "password": "1234", + "email": "docker-hub@camptocamp.com" + }, + "{{ .ghcr.io-url }}": { + "auth": {{ ( printf "%s:%s" .ghcr.io-username .ghcr.io-password ) | b64enc | quote }}, + "username": "{{ .ghcr.io-username }}", + "password": "{{ .ghcr.io-password }}", + "email": "{{ .ghcr.io-email }}" + }, + "ghcr.io": { + "auth": {{ ( printf "%s:my-password" .password-username ) | b64enc | quote }}, + "username": "{{ .password-username }}", + "password": "my-password", + "email": "geospatial-bot@camptocamp.com" + }, + "ghcr.io": { + "auth": {{ ( printf "my-username:%s" .user-password ) | b64enc | quote }}, + "username": "my-username", + "password": "{{ .user-password }}", + "email": "geospatial-bot@camptocamp.com" + }, + "fix-end-comma": {"auth": ""} + } + } + data: + - secretKey: ghcr.io-username + value: ghcr-username + - secretKey: ghcr.io-password + value: ghcr-password + - secretKey: ghcr.io-email + value: ghcr-email + - secretKey: ghcr.io-url + value: ghcr-url + - secretKey: password-username + value: ghcr-username + - secretKey: user-password + value: ghcr-password +--- # Source: custom-pod/templates/external-secret.yaml apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret diff --git a/tests/values.yaml b/tests/values.yaml index 2e6856d..552fd1f 100644 --- a/tests/values.yaml +++ b/tests/values.yaml @@ -24,21 +24,35 @@ ingress: - '*.example.com' dockerregistry: + external: true annotations: testAnnotation: annotation value content: - https://index.docker.io/v1/: + docker-hub-1: email: docker-hub@camptocamp.com username: c2cgisbot password: '1234' + url: https://index.docker.io/v1/ docker.io: email: docker-hub@camptocamp.com username: c2cgisbot password: '1234' + url: docker.io ghcr.io: + externalEmail: ghcr-email + externalUsername: ghcr-username + externalPassword: ghcr-password + externalUrl: ghcr-url + user: email: geospatial-bot@camptocamp.com - username: c2c-bot-gis-ci - password: '1234' + username: my-username + externalPassword: ghcr-password + url: ghcr.io + password: + email: geospatial-bot@camptocamp.com + externalUsername: ghcr-username + password: my-password + url: ghcr.io secrets: enabled: true diff --git a/values.md b/values.md index 390e954..0683644 100644 --- a/values.md +++ b/values.md @@ -48,11 +48,18 @@ - **`prefixTrunc`**: Refer to _[#/definitions/prefixTrunc](#definitions/prefixTrunc)_. - **`labels`**: Refer to _[#/definitions/labels](#definitions/labels)_. - **`annotations`**: Refer to _[#/definitions/annotations](#definitions/annotations)_. - - **`content`** _(object, required)_: Docker registries authentication. Can contain additional properties. + - **`enabled`** _(boolean)_: Enable the Docker registry. + - **`external`** _(boolean)_: Use an external secret to the Docker registries username, password and email. + - **`content`** _(object)_: Docker registries authentication. Can contain additional properties. - **Additional properties** _(object)_: Cannot contain additional properties. - - **`username`** _(string, required)_: Username. - - **`password`** _(string, required)_: Password. + - **`username`** _(string)_: Username. + - **`password`** _(string)_: Password. - **`email`** _(string)_: Email. + - **`url`** _(string)_: URL, used only for external secret. + - **`externalUsername`** _(string)_: Key of the external secret for the username. + - **`externalPassword`** _(string)_: Key of the external secret for the password. + - **`externalEmail`** _(string)_: Key of the external secret for the email. + - **`externalUrl`** _(string)_: Key of the external secret for the URL. - **`secrets`** _(object)_: Cannot contain additional properties. - **`enabled`** _(boolean)_: Enable the Secret. Default: `true`. - **`nameOverride`**: Refer to _[#/definitions/nameOverride](#definitions/nameOverride)_. diff --git a/values.schema.json b/values.schema.json index fba1723..d5534b1 100644 --- a/values.schema.json +++ b/values.schema.json @@ -438,6 +438,14 @@ "annotations": { "$ref": "#/definitions/annotations" }, + "enabled": { + "type": "boolean", + "description": "Enable the Docker registry" + }, + "external": { + "type": "boolean", + "description": "Use an external secret to the Docker registries username, password and email" + }, "content": { "type": "object", "description": "Docker registries authentication", @@ -456,13 +464,31 @@ "email": { "type": "string", "description": "Email" + }, + "url": { + "type": "string", + "description": "URL, used only for external secret" + }, + "externalUsername": { + "type": "string", + "description": "Key of the external secret for the username" + }, + "externalPassword": { + "type": "string", + "description": "Key of the external secret for the password" + }, + "externalEmail": { + "type": "string", + "description": "Key of the external secret for the email" + }, + "externalUrl": { + "type": "string", + "description": "Key of the external secret for the URL" } - }, - "required": ["username", "password"] + } } } - }, - "required": ["content"] + } }, "secrets": { "type": "object", diff --git a/values.yaml b/values.yaml index fef4259..a217f9f 100644 --- a/values.yaml +++ b/values.yaml @@ -27,6 +27,10 @@ securityContext: ingress: enabled: false +dockerregistry: + enabled: true + external: false + services: {} # example: # enabled: false