Allow to set ImagePullSecrets in pods (#444)

Author: ajanikow

.gitignore

@@ -3,3 +3,5 @@
 .gobuild
 bin
 logs
+vendor/
+.idea/

docs/Manual/Deployment/Kubernetes/DeploymentResource.md

@@ -96,6 +96,10 @@ Possible values are:
 - `IfNotPresent` (default) to pull only when the image is not found on the node.
 - `Always` to always pull the image before using it.
 
+### `spec.imagePullSecrets: []string`
+
+This setting specifies the list of image pull secrets for the docker image to use for all ArangoDB servers.
+
 ### `spec.storageEngine: string`
 
 This setting specifies the type of storage engine used for all servers

pkg/apis/deployment/v1alpha/deployment_spec.go

@@ -47,13 +47,15 @@ func validatePullPolicy(v v1.PullPolicy) error {
 
 // DeploymentSpec contains the spec part of a ArangoDeployment resource.
 type DeploymentSpec struct {
-	Mode            *DeploymentMode `json:"mode,omitempty"`
-	Environment     *Environment    `json:"environment,omitempty"`
-	StorageEngine   *StorageEngine  `json:"storageEngine,omitempty"`
-	Image           *string         `json:"image,omitempty"`
-	ImagePullPolicy *v1.PullPolicy  `json:"imagePullPolicy,omitempty"`
-	DowntimeAllowed *bool           `json:"downtimeAllowed,omitempty"`
-	DisableIPv6     *bool           `json:"disableIPv6,omitempty"`
+	Mode             *DeploymentMode `json:"mode,omitempty"`
+	Environment      *Environment    `json:"environment,omitempty"`
+	StorageEngine    *StorageEngine  `json:"storageEngine,omitempty"`
+	Image            *string         `json:"image,omitempty"`
+	ImagePullPolicy  *v1.PullPolicy  `json:"imagePullPolicy,omitempty"`
+	ImagePullSecrets []string        `json:"imagePullSecrets,omitempty"`
+	DowntimeAllowed  *bool           `json:"downtimeAllowed,omitempty"`
+	DisableIPv6      *bool           `json:"disableIPv6,omitempty"`
+
 	LocallyAttachedVolumes *bool 	`json:"locallyAttachedVolumes,omitempty"`
 
 	ExternalAccess ExternalAccessSpec `json:"externalAccess"`

pkg/apis/deployment/v1alpha/zz_generated.deepcopy.go

@@ -197,7 +197,7 @@ func (ib *imagesBuilder) fetchArangoDBImageIDAndVersion(ctx context.Context, ima
 			SecretKey:  constants.SecretKeyToken,
 		}
 	}
-	if err := k8sutil.CreateArangodPod(ib.KubeCli, true, ib.APIObject, role, id, podName, "", image, "", "", ib.Spec.GetImagePullPolicy(), "", false, terminationGracePeriod, args, env, nil, nil, nil,
+	if err := k8sutil.CreateArangodPod(ib.KubeCli, true, ib.APIObject, role, id, podName, "", image, "", "", ib.Spec.GetImagePullPolicy(), ib.Spec.ImagePullSecrets, "", false, terminationGracePeriod, args, env, nil, nil, nil,
 		tolerations, serviceAccountName, "", "", "", nil, "", v1.ResourceRequirements{}, nil, nil, nil); err != nil {
 		log.Debug().Err(err).Msg("Failed to create image ID pod")
 		return true, maskAny(err)

pkg/deployment/images.go

@@ -662,7 +662,7 @@ func (r *Resources) createPodForMember(spec api.DeploymentSpec, memberID string,
 		engine := spec.GetStorageEngine().AsArangoArgument()
 		requireUUID := group == api.ServerGroupDBServers && m.IsInitialized
 		finalizers := r.createPodFinalizers(group)
-		if err := k8sutil.CreateArangodPod(kubecli, spec.IsDevelopment(), apiObject, role, m.ID, m.PodName, m.PersistentVolumeClaimName, imageInfo.ImageID, lifecycleImage, alpineImage, spec.GetImagePullPolicy(),
+		if err := k8sutil.CreateArangodPod(kubecli, spec.IsDevelopment(), apiObject, role, m.ID, m.PodName, m.PersistentVolumeClaimName, imageInfo.ImageID, lifecycleImage, alpineImage, spec.GetImagePullPolicy(), spec.ImagePullSecrets,
 			engine, requireUUID, terminationGracePeriod, args, env, finalizers, livenessProbe, readinessProbe, tolerations, serviceAccountName, tlsKeyfileSecretName, rocksdbEncryptionSecretName,
 			clusterJWTSecretName, groupSpec.GetNodeSelector(), groupSpec.PriorityClassName, groupSpec.Resources, exporter, groupSpec.GetSidecars(), groupSpec.VolumeClaimTemplate); err != nil {
 			return maskAny(err)
@@ -755,7 +755,7 @@ func (r *Resources) createPodForMember(spec api.DeploymentSpec, memberID string,
 		if group == api.ServerGroupSyncWorkers {
 			affinityWithRole = api.ServerGroupDBServers.AsRole()
 		}
-		if err := k8sutil.CreateArangoSyncPod(kubecli, spec.IsDevelopment(), apiObject, role, m.ID, m.PodName, imageID, lifecycleImage, spec.GetImagePullPolicy(), terminationGracePeriod, args, env,
+		if err := k8sutil.CreateArangoSyncPod(kubecli, spec.IsDevelopment(), apiObject, role, m.ID, m.PodName, imageID, lifecycleImage, spec.GetImagePullPolicy(), spec.ImagePullSecrets, terminationGracePeriod, args, env,
 			livenessProbe, tolerations, serviceAccountName, tlsKeyfileSecretName, clientAuthCASecretName, masterJWTSecretName, clusterJWTSecretName, affinityWithRole, groupSpec.GetNodeSelector(),
 			groupSpec.PriorityClassName, groupSpec.Resources, groupSpec.GetSidecars()); err != nil {
 			return maskAny(err)

pkg/deployment/resources/pod_creator.go

@@ -497,7 +497,7 @@ func initLifecycleContainer(image string) (v1.Container, error) {
 }
 
 // newPod creates a basic Pod for given settings.
-func newPod(deploymentName, ns, role, id, podName string, finalizers []string, tolerations []v1.Toleration, serviceAccountName string, nodeSelector map[string]string) v1.Pod {
+func newPod(deploymentName, ns, role, id, podName string, imagePullSecrets []string, finalizers []string, tolerations []v1.Toleration, serviceAccountName string, nodeSelector map[string]string) v1.Pod {
 	hostname := CreatePodHostName(deploymentName, role, id)
 	p := v1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
@@ -514,6 +514,18 @@ func newPod(deploymentName, ns, role, id, podName string, finalizers []string, t
 			NodeSelector:       nodeSelector,
 		},
 	}
+
+	// Add ImagePullSecrets
+	if imagePullSecrets != nil {
+		imagePullSecretsReference := make([]v1.LocalObjectReference, len(imagePullSecrets))
+		for id := range imagePullSecrets {
+			imagePullSecretsReference[id] = v1.LocalObjectReference{
+				Name: imagePullSecrets[id],
+			}
+		}
+		p.Spec.ImagePullSecrets = imagePullSecretsReference
+	}
+
 	return p
 }
 
@@ -530,15 +542,16 @@ type ArangodbExporterContainerConf struct {
 // If the pod already exists, nil is returned.
 // If another error occurs, that error is returned.
 func CreateArangodPod(kubecli kubernetes.Interface, developmentMode bool, deployment APIObject,
-	role, id, podName, pvcName, image, lifecycleImage, alpineImage string, imagePullPolicy v1.PullPolicy,
+	role, id, podName, pvcName, image, lifecycleImage, alpineImage string,
+	imagePullPolicy v1.PullPolicy, imagePullSecrets []string,
 	engine string, requireUUID bool, terminationGracePeriod time.Duration,
 	args []string, env map[string]EnvValue, finalizers []string,
 	livenessProbe *HTTPProbeConfig, readinessProbe *HTTPProbeConfig, tolerations []v1.Toleration, serviceAccountName string,
 	tlsKeyfileSecretName, rocksdbEncryptionSecretName string, clusterJWTSecretName string, nodeSelector map[string]string,
 	podPriorityClassName string, resources v1.ResourceRequirements, exporter *ArangodbExporterContainerConf, sidecars []v1.Container, vct *v1.PersistentVolumeClaim) error {
 
 	// Prepare basic pod
-	p := newPod(deployment.GetName(), deployment.GetNamespace(), role, id, podName, finalizers, tolerations, serviceAccountName, nodeSelector)
+	p := newPod(deployment.GetName(), deployment.GetNamespace(), role, id, podName, imagePullSecrets, finalizers, tolerations, serviceAccountName, nodeSelector)
 	terminationGracePeriodSeconds := int64(math.Ceil(terminationGracePeriod.Seconds()))
 	p.Spec.TerminationGracePeriodSeconds = &terminationGracePeriodSeconds
 
@@ -688,12 +701,13 @@ func CreateArangodPod(kubecli kubernetes.Interface, developmentMode bool, deploy
 // CreateArangoSyncPod creates a Pod that runs `arangosync`.
 // If the pod already exists, nil is returned.
 // If another error occurs, that error is returned.
-func CreateArangoSyncPod(kubecli kubernetes.Interface, developmentMode bool, deployment APIObject, role, id, podName, image, lifecycleImage string, imagePullPolicy v1.PullPolicy,
+func CreateArangoSyncPod(kubecli kubernetes.Interface, developmentMode bool, deployment APIObject, role, id, podName, image, lifecycleImage string,
+	imagePullPolicy v1.PullPolicy, imagePullSecrets []string,
 	terminationGracePeriod time.Duration, args []string, env map[string]EnvValue, livenessProbe *HTTPProbeConfig, tolerations []v1.Toleration, serviceAccountName string,
 	tlsKeyfileSecretName, clientAuthCASecretName, masterJWTSecretName, clusterJWTSecretName, affinityWithRole string, nodeSelector map[string]string,
 	podPriorityClassName string, resources v1.ResourceRequirements, sidecars []v1.Container) error {
 	// Prepare basic pod
-	p := newPod(deployment.GetName(), deployment.GetNamespace(), role, id, podName, nil, tolerations, serviceAccountName, nodeSelector)
+	p := newPod(deployment.GetName(), deployment.GetNamespace(), role, id, podName, imagePullSecrets, nil, tolerations, serviceAccountName, nodeSelector)
 	terminationGracePeriodSeconds := int64(math.Ceil(terminationGracePeriod.Seconds()))
 	p.Spec.TerminationGracePeriodSeconds = &terminationGracePeriodSeconds