camptocamp · sbrunner · Aug 13, 2024 · Jul 4, 2024
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
@@ -50,10 +50,12 @@ imagePullSecrets:
 {{- toYaml .root.Values.global.image.pullSecrets | nindent 2 }}
 {{- else }}
 {{- if .root.Values.dockerregistry -}}
+{{- if .root.Values.dockerregistry.enabled -}}
 imagePullSecrets:
   - name: {{ include "common.fullname" ( dict "root" .root "service" .root.Values "serviceName" "dockerregistry" ) }}
 {{- end }}
 {{- end }}
+{{- end }}
 serviceAccountName: {{ include "application.serviceAccountName" ( .root ) }}
 securityContext: {{- toYaml .root.Values.podSecurityContext | nindent 2 }}
 {{- with .service.nodeSelector }}
@@ -176,6 +178,34 @@ annotations:
 }
 {{- end }}
 
+{{- define "application.secrets.externaldockerregistry" -}}
+{
+  "auths": {
+    {{- range $registryName, $conf := . }}
+    {{- $url := ( default ( printf "{{ .%s-url }}" $registryName ) $conf.url ) }}
+    {{- $username := ( default ( printf "{{ .%s-username }}" $registryName ) $conf.username ) }}
+    {{- $password := ( default ( printf "{{ .%s-password }}" $registryName ) $conf.password ) }}
+    {{- $email := ( default ( printf "{{ .%s-email }}" $registryName ) $conf.email ) }}
+    {{ $url | quote }}: {
+      {{- if and ( hasKey $conf "username" ) ( hasKey $conf "password" ) }}
+      "auth": {{ printf "%s:%s" $conf.username $conf.password | b64enc | quote }},
+      {{- else if hasKey $conf "username" }}
+      "auth": {{ printf "{{ ( printf \"%s:%s\" .%s-password ) | b64enc | quote }}" $conf.username "%s" $registryName }},
+      {{- else if hasKey $conf "password" }}
+      "auth": {{ printf "{{ ( printf \"%s:%s\" .%s-username ) | b64enc | quote }}" "%s" $conf.password $registryName }},
+      {{- else }}
+      "auth": {{ printf "{{ ( printf \"%s:%s\" .%s-username .%s-password ) | b64enc | quote }}" "%s" "%s" $registryName $registryName }},
+      {{- end }}
+      "username": {{ $username | quote }},
+      "password": {{ $password | quote }},
+      "email": {{ $email | quote }}
+    },
+    {{- end }}
+    "fix-end-comma": {"auth": ""}
+  }
+}
+{{- end }}
+
 {{- define "application.volumes" -}}
 {{- $root := .root }}
 {{- with .service.volumes }}

diff --git a/templates/external-secret-docker-registry.yaml b/templates/external-secret-docker-registry.yaml
@@ -0,0 +1,51 @@
+{{- with .Values.dockerregistry }}
+{{- if .enabled }}
+{{- if .external }}
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: {{ include "common.fullname" ( dict "root" $ "service" . ) }}
+  {{- include "common.metadata" ( dict "root" $ "service" . ) | nindent 2 }}
+spec:
+  {{- with .refreshInterval }}
+  refreshInterval: {{ . }}
+  {{- end }}
+  {{- with .secretStoreRef }}
+  secretStoreRef: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  target:
+    {{- if not ( hasKey ( default ( dict ) .target ) "name" ) }}
+    name: {{ include "common.fullname" ( dict "root" $ "service" . "serviceName" "external-secret" ) }}
+    {{- end }}
+    template:
+      type: kubernetes.io/dockerconfigjson
+      data:
+        .dockerconfigjson: |-
+          {{- include "application.secrets.externaldockerregistry" .content | nindent 10 }}
+  data:
+  {{- range $registryName, $conf := .content }}
+  {{- with $conf.externalUsername }}
+    - secretKey: {{ $registryName }}-username
+      remoteRef:
+        key: {{ $conf.externalUsername }}
+  {{- end }}
+  {{- with $conf.externalPassword }}
+    - secretKey: {{ $registryName }}-password
+      remoteRef:
+        key: {{ $conf.externalPassword }}
+  {{- end }}
+  {{- with $conf.externalEmail }}
+    - secretKey: {{ $registryName }}-email
+      remoteRef:
+        key: {{ $conf.externalEmail }}
+  {{- end }}
+  {{- with $conf.externalUrl }}
+    - secretKey: {{ $registryName }}-url
+      remoteRef:
+        key: {{ $conf.externalUrl }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/templates/secret-docker-registry.yaml b/templates/secret-docker-registry.yaml
@@ -1,4 +1,6 @@
 {{- with .Values.dockerregistry }}
+{{- if .enabled }}
+{{- if not .external }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -8,3 +10,5 @@ type: kubernetes.io/dockerconfigjson
 data:
   .dockerconfigjson: {{ include "application.secrets.dockerregistry" .content | b64enc }}
 {{- end }}
+{{- end }}
+{{- end }}
diff --git a/tests/expected.yaml b/tests/expected.yaml
@@ -174,24 +174,6 @@ metadata:
   annotations:
     example-annotation: coucou
 ---
-# Source: custom-pod/templates/secret-docker-registry.yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: custom-custom-pod-dockerregistry
-  labels:
-    helm.sh/chart: custom-pod
-    app.kubernetes.io/version: "1.0"
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: custom-pod
-    app.kubernetes.io/instance: custom
-    app.kubernetes.io/component: dockerregistry
-  annotations:
-    testAnnotation: annotation value
-type: kubernetes.io/dockerconfigjson
-data:
-  .dockerconfigjson: ewogICJhdXRocyI6IHsKICAgICJkb2NrZXIuaW8iOiB7CiAgICAgICJhdXRoIjogIll6SmpaMmx6WW05ME9qRXlNelE9IiwKICAgICAgInVzZXJuYW1lIjogImMyY2dpc2JvdCIsCiAgICAgICJwYXNzd29yZCI6ICIxMjM0IiwKICAgICAgImVtYWlsIjogImRvY2tlci1odWJAY2FtcHRvY2FtcC5jb20iCiAgICB9LAogICAgImdoY3IuaW8iOiB7CiAgICAgICJhdXRoIjogIll6SmpMV0p2ZEMxbmFYTXRZMms2TVRJek5BPT0iLAogICAgICAidXNlcm5hbWUiOiAiYzJjLWJvdC1naXMtY2kiLAogICAgICAicGFzc3dvcmQiOiAiMTIzNCIsCiAgICAgICJlbWFpbCI6ICJnZW9zcGF0aWFsLWJvdEBjYW1wdG9jYW1wLmNvbSIKICAgIH0sCiAgICAiaHR0cHM6Ly9pbmRleC5kb2NrZXIuaW8vdjEvIjogewogICAgICAiYXV0aCI6ICJZekpqWjJselltOTBPakV5TXpRPSIsCiAgICAgICJ1c2VybmFtZSI6ICJjMmNnaXNib3QiLAogICAgICAicGFzc3dvcmQiOiAiMTIzNCIsCiAgICAgICJlbWFpbCI6ICJkb2NrZXItaHViQGNhbXB0b2NhbXAuY29tIgogICAgfSwKICAgICJmaXgtZW5kLWNvbW1hIjogeyJhdXRoIjogIiJ9CiAgfQp9
----
 # Source: custom-pod/templates/secret.yaml
 apiVersion: v1
 kind: Secret
@@ -1419,6 +1401,82 @@ spec:
                 port:
                   number: 8080
 ---
+# Source: custom-pod/templates/external-secret-docker-registry.yaml
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: custom-custom-pod
+  labels:
+    helm.sh/chart: custom-pod
+    app.kubernetes.io/version: "1.0"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: custom-pod
+    app.kubernetes.io/instance: custom
+    app.kubernetes.io/component: main
+  annotations:
+    testAnnotation: annotation value
+spec:
+  target:
+    name: custom-custom-pod-external-secret
+    template:
+      type: kubernetes.io/dockerconfigjson
+      data:
+        .dockerconfigjson: |-
+          {
+            "auths": {
+              "https://index.docker.io/v1/": {
+                "auth": "YzJjZ2lzYm90OjEyMzQ=",
+                "username": "c2cgisbot",
+                "password": "1234",
+                "email": "[email protected]"
+              },
+              "docker.io": {
+                "auth": "YzJjZ2lzYm90OjEyMzQ=",
+                "username": "c2cgisbot",
+                "password": "1234",
+                "email": "[email protected]"
+              },
+              "{{ .ghcr.io-url }}": {
+                "auth": {{ ( printf "%s:%s" .ghcr.io-username .ghcr.io-password ) | b64enc | quote }},
+                "username": "{{ .ghcr.io-username }}",
+                "password": "{{ .ghcr.io-password }}",
+                "email": "{{ .ghcr.io-email }}"
+              },
+              "ghcr.io": {
+                "auth": {{ ( printf "%s:my-password" .password-username ) | b64enc | quote }},
+                "username": "{{ .password-username }}",
+                "password": "my-password",
+                "email": "[email protected]"
+              },
+              "ghcr.io": {
+                "auth": {{ ( printf "my-username:%s" .user-password ) | b64enc | quote }},
+                "username": "my-username",
+                "password": "{{ .user-password }}",
+                "email": "[email protected]"
+              },
+              "fix-end-comma": {"auth": ""}
+            }
+          }
+  data:
+    - secretKey: ghcr.io-username
+      remoteRef:
+        key: ghcr-username
+    - secretKey: ghcr.io-password
+      remoteRef:
+        key: ghcr-password
+    - secretKey: ghcr.io-email
+      remoteRef:
+        key: ghcr-email
+    - secretKey: ghcr.io-url
+      remoteRef:
+        key: ghcr-url
+    - secretKey: password-username
+      remoteRef:
+        key: ghcr-username
+    - secretKey: user-password
+      remoteRef:
+        key: ghcr-password
+---
 # Source: custom-pod/templates/external-secret.yaml
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret

diff --git a/tests/values.yaml b/tests/values.yaml
@@ -24,21 +24,35 @@ ingress:
         - '*.example.com'
 
 dockerregistry:
+  external: true
   annotations:
     testAnnotation: annotation value
   content:
-    https://index.docker.io/v1/:
+    docker-hub-1:
       email: [email protected]
       username: c2cgisbot
       password: '1234'
+      url: https://index.docker.io/v1/
     docker.io:
       email: [email protected]
       username: c2cgisbot
       password: '1234'
+      url: docker.io
     ghcr.io:
+      externalEmail: ghcr-email
+      externalUsername: ghcr-username
+      externalPassword: ghcr-password
+      externalUrl: ghcr-url
+    user:
       email: [email protected]
-      username: c2c-bot-gis-ci
-      password: '1234'
+      username: my-username
+      externalPassword: ghcr-password
+      url: ghcr.io
+    password:
+      email: [email protected]
+      externalUsername: ghcr-username
+      password: my-password
+      url: ghcr.io
 
 secrets:
   enabled: true

diff --git a/values.md b/values.md
@@ -48,11 +48,18 @@
   - **`prefixTrunc`**: Refer to _[#/definitions/prefixTrunc](#definitions/prefixTrunc)_.
   - **`labels`**: Refer to _[#/definitions/labels](#definitions/labels)_.
   - **`annotations`**: Refer to _[#/definitions/annotations](#definitions/annotations)_.
-  - **`content`** _(object, required)_: Docker registries authentication. Can contain additional properties.
+  - **`enabled`** _(boolean)_: Enable the Docker registry.
+  - **`external`** _(boolean)_: Use an external secret to the Docker registries username, password and email.
+  - **`content`** _(object)_: Docker registries authentication. Can contain additional properties.
     - **Additional properties** _(object)_: Cannot contain additional properties.
-      - **`username`** _(string, required)_: Username.
-      - **`password`** _(string, required)_: Password.
+      - **`username`** _(string)_: Username.
+      - **`password`** _(string)_: Password.
       - **`email`** _(string)_: Email.
+      - **`url`** _(string)_: URL, used only for external secret.
+      - **`externalUsername`** _(string)_: Key of the external secret for the username.
+      - **`externalPassword`** _(string)_: Key of the external secret for the password.
+      - **`externalEmail`** _(string)_: Key of the external secret for the email.
+      - **`externalUrl`** _(string)_: Key of the external secret for the URL.
 - **`secrets`** _(object)_: Cannot contain additional properties.
   - **`enabled`** _(boolean)_: Enable the Secret. Default: `true`.
   - **`nameOverride`**: Refer to _[#/definitions/nameOverride](#definitions/nameOverride)_.

diff --git a/values.schema.json b/values.schema.json
@@ -442,6 +442,14 @@
         "annotations": {
           "$ref": "#/definitions/annotations"
         },
+        "enabled": {
+          "type": "boolean",
+          "description": "Enable the Docker registry"
+        },
+        "external": {
+          "type": "boolean",
+          "description": "Use an external secret to the Docker registries username, password and email"
+        },
         "content": {
           "type": "object",
           "description": "Docker registries authentication",
@@ -460,13 +468,31 @@
               "email": {
                 "type": "string",
                 "description": "Email"
+              },
+              "url": {
+                "type": "string",
+                "description": "URL, used only for external secret"
+              },
+              "externalUsername": {
+                "type": "string",
+                "description": "Key of the external secret for the username"
+              },
+              "externalPassword": {
+                "type": "string",
+                "description": "Key of the external secret for the password"
+              },
+              "externalEmail": {
+                "type": "string",
+                "description": "Key of the external secret for the email"
+              },
+              "externalUrl": {
+                "type": "string",
+                "description": "Key of the external secret for the URL"
               }
-            },
-            "required": ["username", "password"]
+            }
           }
         }
-      },
-      "required": ["content"]
+      }
     },
     "secrets": {
       "type": "object",

diff --git a/values.yaml b/values.yaml
@@ -27,6 +27,10 @@ securityContext:
 ingress:
   enabled: false
 
+dockerregistry:
+  enabled: true
+  external: false
+
 services: {}
 #   example:
 #     enabled: false