set registry default auth secret as imagepullsecret (#1179)
nilsgstrabo authored Aug 29, 2024
1 parent 2c9726b commit b6eb860
Showing 21 changed files with 309 additions and 86 deletions.
3 changes: 2 additions & 1 deletion .vscode/launch.json
Expand Up @@ -115,7 +115,7 @@
"RADIXOPERATOR_APP_ROLLING_UPDATE_MAX_SURGE": "25%",
"RADIXOPERATOR_APP_READINESS_PROBE_INITIAL_DELAY_SECONDS": "5",
"RADIXOPERATOR_APP_READINESS_PROBE_PERIOD_SECONDS": "10",
"RADIX_ACTIVE_CLUSTERNAME": "weekly-23",
"RADIX_ACTIVE_CLUSTERNAME": "weekly-35",
"RADIX_IMAGE_BUILDER": "radix-image-builder:master-latest",
"RADIX_TEKTON_IMAGE": "radix-tekton:main-latest",
"RADIXOPERATOR_JOB_SCHEDULER": "radix-job-scheduler:main-latest",
Expand Down Expand Up @@ -150,6 +150,7 @@
"RADIXOPERATOR_CERTIFICATE_AUTOMATION_CLUSTER_ISSUER": "digicert-http01",
"RADIXOPERATOR_CERTIFICATE_AUTOMATION_DURATION": "2160h",
"RADIXOPERATOR_CERTIFICATE_AUTOMATION_RENEW_BEFORE": "720h",
"RADIX_EXTERNAL_REGISTRY_DEFAULT_AUTH_SECRET": "radix-external-registry-default-auth",
"LOG_LEVEL": "info",
"LOG_PRETTY": "true"
},
4 changes: 2 additions & 2 deletions charts/radix-operator/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v2
name: radix-operator
version: 1.37.10
appVersion: 1.57.18
version: 1.38.0
appVersion: 1.58.0
kubeVersion: ">=1.24.0"
description: Radix Operator
keywords:
4 changes: 3 additions & 1 deletion charts/radix-operator/templates/deployment.yaml
Expand Up @@ -174,7 +174,9 @@ spec:
- name: RADIXOPERATOR_CERTIFICATE_AUTOMATION_DURATION
value: {{ .Values.ingress.certificate.automation.duration }}
- name: RADIXOPERATOR_CERTIFICATE_AUTOMATION_RENEW_BEFORE
value: {{ .Values.ingress.certificate.automation.renewBefore }}
value: {{ .Values.ingress.certificate.automation.renewBefore }}
- name: RADIX_EXTERNAL_REGISTRY_DEFAULT_AUTH_SECRET
value: {{ .Values.externalRegistryDefaultAuthSecret }}
livenessProbe:
httpGet:
path: /healthz
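Review bot: The new `RADIX_EXTERNAL_REGISTRY_DEFAULT_AUTH_SECRET` entry renders its value unquoted, and the chart default shown in values.yaml is an empty string, so the template emits a bare `value:` that YAML parses as null rather than as an empty string. Quoting makes the rendered manifest explicit and keeps a secret name that happens to look like a number or boolean from being retyped: `value: {{ .Values.externalRegistryDefaultAuthSecret | quote }}`. The surrounding entries use the same unquoted style, so this matches the file, but this is the value whose default is visibly empty.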
1 change: 1 addition & 0 deletions charts/radix-operator/values.yaml
Expand Up @@ -166,6 +166,7 @@ logLevel: "INFO"
logPretty: false
oauthProxyDefaultIssuerUrl: https://login.microsoftonline.com/3aa4a235-b6e2-48d5-9195-7fcf05b459b0/v2.0
oauthProxyImage: quay.io/oauth2-proxy/oauth2-proxy:v7.2.0
externalRegistryDefaultAuthSecret: "" # Name of the secret containing default container registry credentials for pulling images when building with buildah and pulling external images for components and jobs

seccompProfile:
fileNameOnNode: allow-buildah.json
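Review bot: The comment on `externalRegistryDefaultAuthSecret` says what the secret is used for but not what the operator expects of it: which namespace it must exist in, which secret type it must be, and what an empty value means. Because this commit attaches the secret as an image pull secret to job pods (and, per the comment, it is also used for components and buildah builds), the comment should also say that the credentials are meant to be pull-only and limited to the registries that need them, since every workload referencing the secret can use them. Suggested wording, to be adjusted to the actual behaviour: `# Name of an existing kubernetes.io/dockerconfigjson secret holding pull-only default registry credentials; leave empty to add no default pull secret`.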
10 changes: 9 additions & 1 deletion pkg/apis/batch/kubejob.go
Expand Up @@ -182,7 +182,7 @@ func (s *syncer) buildJob(ctx context.Context, batchJob *radixv1.RadixBatchJob,
Volumes: volumes,
SecurityContext: securitycontext.Pod(securitycontext.WithPodSeccompProfile(corev1.SeccompProfileTypeRuntimeDefault)),
RestartPolicy: corev1.RestartPolicyNever,
ImagePullSecrets: rd.Spec.ImagePullSecrets,
ImagePullSecrets: s.getJobPodImagePullSecrets(rd),
Affinity: operatorUtils.GetAffinityForBatchJob(ctx, jobComponent, node),
Tolerations: operatorUtils.GetScheduledJobPodSpecTolerations(node),
ActiveDeadlineSeconds: timeLimitSeconds,
Expand All @@ -197,6 +197,14 @@ func (s *syncer) buildJob(ctx context.Context, batchJob *radixv1.RadixBatchJob,
return job, nil
}

func (s *syncer) getJobPodImagePullSecrets(rd *radixv1.RadixDeployment) []corev1.LocalObjectReference {
imagePullSecrets := rd.Spec.ImagePullSecrets
if s.config != nil {
imagePullSecrets = append(imagePullSecrets, s.config.ContainerRegistryConfig.ImagePullSecretsFromExternalRegistryAuth()...)
}
return imagePullSecrets
}

func (s *syncer) getVolumes(ctx context.Context, namespace, environment string, batchJob *radixv1.RadixBatchJob, radixJobComponent *radixv1.RadixDeployJobComponent, radixDeploymentName string) ([]corev1.Volume, error) {
volumes, err := deployment.GetVolumes(ctx, s.kubeClient, s.kubeUtil, namespace, environment, radixJobComponent, radixDeploymentName)
if err != nil {
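Review bot: `getJobPodImagePullSecrets` appends to `rd.Spec.ImagePullSecrets` directly, so whenever that slice has spare capacity the `append` writes the default-auth entries into the RadixDeployment's own backing array. The `rd` object is shared across the sync (and may come from a cache, which is not visible here), so pod specs built from the same deployment can end up aliasing one array. Copy before appending, e.g. `imagePullSecrets := append([]corev1.LocalObjectReference(nil), rd.Spec.ImagePullSecrets...)`, or use `slices.Clone` if the module's Go version allows it. It would also be worth skipping a default secret whose name already appears in the deployment's list, so the pod spec carries no duplicate references. The first hunk sits inside `buildJob`, whose body starts and ends outside the hunk.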
5 changes: 4 additions & 1 deletion pkg/apis/batch/syncer.go
Expand Up @@ -4,6 +4,7 @@ import (
"context"
"fmt"

"github.com/equinor/radix-operator/pkg/apis/config"
"github.com/equinor/radix-operator/pkg/apis/kube"
radixv1 "github.com/equinor/radix-operator/pkg/apis/radix/v1"
radixlabels "github.com/equinor/radix-operator/pkg/apis/utils/labels"
Expand All @@ -21,12 +22,13 @@ type Syncer interface {
}

// NewSyncer Constructor os RadixBatches Syncer
func NewSyncer(kubeclient kubernetes.Interface, kubeUtil *kube.Kube, radixClient radixclient.Interface, radixBatch *radixv1.RadixBatch) Syncer {
func NewSyncer(kubeclient kubernetes.Interface, kubeUtil *kube.Kube, radixClient radixclient.Interface, radixBatch *radixv1.RadixBatch, config *config.Config) Syncer {
return &syncer{
kubeClient: kubeclient,
kubeUtil: kubeUtil,
radixClient: radixClient,
radixBatch: radixBatch,
config: config,
}
}

Expand All @@ -35,6 +37,7 @@ type syncer struct {
kubeUtil *kube.Kube
radixClient radixclient.Interface
radixBatch *radixv1.RadixBatch
config *config.Config
}

// OnSync Syncs RadixBatches
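Review bot: The new `config` parameter of `NewSyncer` shadows the `config` package imported in this same change, and nothing documents that it may be nil. `getJobPodImagePullSecrets` in kubejob.go silently skips the default pull secret when `s.config` is nil, so a caller that passes nil gets job pods without the registry credentials and no error or log line to explain the resulting pull failures. Rename the parameter to `cfg *config.Config` and extend the doc comment, e.g. `// NewSyncer returns a Syncer for radixBatch; cfg supplies the default registry pull secret and may be nil, in which case none is added.`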