Implement first image pull secrets

Also add missing mailhog-image parameter

ArgoCdApplicationStrategy: use valuesObject for easier debugging of our
YAML objects.

Co-authored-by: Aaron Frey <[email protected]>

Author: 2 people

applications/cluster-resources/mailhog-helm-values.ftl.yaml

@@ -1,9 +1,14 @@
-<#if image?has_content>
+<#assign DockerImageParser=statics['com.cloudogu.gitops.utils.DockerImageParser']>
+<#if config.features.mail.helm.image?has_content>
+<#assign imageObject = DockerImageParser.parse(config.features.mail.helm.image)>
 image:
-  repository: ${image?split(":")[0]}
-  <#if image?contains(":")>
-  tag: ${image?split(":")[1]}
-  </#if>
+  repository: ${imageObject.registryAndRepositoryAsString}
+<#if imageObject.tag?has_content>  tag: ${imageObject.tag}</#if>
+</#if>
+
+<#if config.registry.createImagePullSecrets?has_content && config.registry.twoRegistries?has_content>
+imagePullSecrets: 
+ - name: proxy-registry
 </#if>
 
 service:

applications/cluster-resources/secrets/external-secrets/values.ftl.yaml

@@ -1,8 +1,8 @@
-<#if skipCrds == true>
+<#assign DockerImageParser=statics['com.cloudogu.gitops.utils.DockerImageParser']>
+<#if config.application.skipCrds == true>
 installCRDs: false
 </#if>
-
-<#if podResources == true>
+<#if config.application.podResources == true>
 certController:
   resources:
     limits:
@@ -20,12 +20,44 @@ webhook:
     requests:
       memory: 25Mi
       cpu: 50m
-
+      
 resources:
   limits:
     memory: 80Mi
     cpu: 500m
   requests:
     memory: 40Mi
     cpu: 50m
+</#if>
+<#if config.registry.createImagePullSecrets?has_content && config.registry.twoRegistries?has_content>
+imagePullSecrets:
+  - name: proxy-registry
+</#if>
+<#if config.features.secrets.externalSecrets.helm.image?has_content>
+<#assign imageObject = DockerImageParser.parse(config.features.secrets.externalSecrets.helm.image)>
+image:
+  repository: ${imageObject.registryAndRepositoryAsString}
+  tag: ${imageObject.tag}
+</#if>
+<#if config.features.secrets.externalSecrets.helm.certControllerImage?has_content>
+<#assign certControllerimageObject = DockerImageParser.parse(config.features.secrets.externalSecrets.helm.certControllerImage)>
+certController:
+  image:
+    repository: ${certControllerimageObject.registryAndRepositoryAsString}
+    tag: ${certControllerimageObject.tag}
+  <#if config.registry.createImagePullSecrets?has_content && config.registry.twoRegistries?has_content>
+  imagePullSecrets:
+    - name: proxy-registry
+  </#if>
+</#if>
+<#if config.features.secrets.externalSecrets.helm.webhookImage?has_content>
+<#assign webhookImageObject = DockerImageParser.parse(config.features.secrets.externalSecrets.helm.webhookImage)>
+webhook:
+  image:
+    repository: ${webhookImageObject.registryAndRepositoryAsString}
+    tag: ${webhookImageObject.tag}
+  <#if config.registry.createImagePullSecrets?has_content && config.registry.twoRegistries?has_content>
+  imagePullSecrets:
+    - name: proxy-registry
+  </#if>
 </#if>

applications/cluster-resources/secrets/vault/values.ftl.yaml

@@ -0,0 +1,44 @@
+<#assign DockerImageParser=statics['com.cloudogu.gitops.utils.DockerImageParser']>
+ui: 
+  enabled: true
+  externalPort: 80
+<#if config.application.remote>
+  serviceType: "LoadBalancer"
+<#else>
+  serviceType: NodePort
+  serviceNodePort: 8200
+</#if>
+injector: 
+  enabled: false
+<#if config.registry.createImagePullSecrets?has_content && config.registry.twoRegistries?has_content>
+global:
+  imagePullSecrets:
+  - name: proxy-registry
+</#if>
+<#if config.features.secrets.vault.helm.image?has_content 
+  || url?has_content 
+  || config.application.podResources == true>
+server:
+</#if>
+<#if config.features.secrets.vault.helm.image?has_content>
+<#assign imageObject = DockerImageParser.parse(config.features.secrets.vault.helm.image)>
+  image:
+      repository: ${imageObject.registryAndRepositoryAsString}
+      tag: ${imageObject.tag}
+</#if>
+<#if url?has_content>
+  ingress:
+    enabled: true
+    hosts:
+      - host: ${url.host}
+</#if>
+
+<#if config.application.podResources == true>
+  resources:
+      limits:
+        memory: 200Mi
+        cpu: 500m
+      requests:
+        memory: 100Mi
+        cpu: 50m
+</#if>

docs/configuration.schema.json

@@ -270,7 +270,7 @@
             }
           },
           "additionalProperties" : false,
-          "description" : "Config parameters for the internal Mail Server"
+          "description" : "Config parameters for mail servers"
         },
         "monitoring" : {
           "type" : "object",
@@ -516,6 +516,10 @@
     "registry" : {
       "type" : "object",
       "properties" : {
+        "createImagePullSecrets" : {
+          "type" : "boolean",
+          "description" : "Create image pull secrets for registry and proxy-registry for all GOP namespaces and helm charts. Use this if your cluster is not auto-provisioned with credentials for your private registries or if you configure individual helm images to be pulled from the proxy-registry that requires authentication."
+        },
         "helm" : {
           "$ref" : "#/$defs/HelmConfig"
         },
@@ -533,19 +537,27 @@
         },
         "proxyPassword" : {
           "type" : "string",
-          "description" : "Use with registry-proxy-url, added to Jenkins as credentials."
+          "description" : "Use with registry-proxy-url, added to Jenkins as credentials and created as pull secrets, when create-image-pull-secrets is set."
         },
         "proxyUrl" : {
           "type" : "string",
-          "description" : "The url of your proxy-registry. Used in pipelines to authorize pull base images. Use in conjunction with petclinic base image."
+          "description" : "The url of your proxy-registry. Used in pipelines to authorize pull base images. Use in conjunction with petclinic base image. Used in helm charts when create-image-pull-secrets is set. Use in conjunction with helm.*image fields."
         },
         "proxyUsername" : {
           "type" : "string",
-          "description" : "Use with registry-proxy-url, added to Jenkins as credentials."
+          "description" : "Use with registry-proxy-url, added to Jenkins as credentials and created as pull secrets, when create-image-pull-secrets is set."
+        },
+        "readOnlyPassword" : {
+          "type" : "string",
+          "description" : "Optional alternative password for registry-url with read-only permissions that is used when create-image-pull-secrets is set."
+        },
+        "readOnlyUsername" : {
+          "type" : "string",
+          "description" : "Optional alternative username for registry-url with read-only permissions that is used when create-image-pull-secrets is set."
         },
         "url" : {
           "type" : "string",
-          "description" : "The url of your external registry"
+          "description" : "The url of your external registry, used for pushing images"
         },
         "username" : {
           "type" : "string",

docs/developers.md

@@ -465,6 +465,9 @@ for operation in "${operations[@]}"; do
 done
 
 skopeo copy docker://eclipse-temurin:11-jre-alpine --dest-creds Proxy:Proxy12345 --dest-tls-verify=false  docker://localhost:30000/proxy/eclipse-temurin:11-jre-alpine
+skopeo copy docker://ghcr.io/cloudogu/mailhog:v1.0.1 --dest-creds Proxy:Proxy12345 --dest-tls-verify=false  docker://localhost:30000/proxy/mailhog
+skopeo copy docker://ghcr.io/external-secrets/external-secrets:v0.9.16 --dest-creds Proxy:Proxy12345 --dest-tls-verify=false  docker://localhost:30000/proxy/eso
+skopeo copy docker://hashicorp/vault:1.14.0  --dest-creds Proxy:Proxy12345 --dest-tls-verify=false  docker://localhost:30000/proxy/vault
 ```
 
 * Deploy playground:
@@ -475,33 +478,25 @@ docker run --rm -t -u $(id -u)  \
     --net=host  \
     gitops-playground:dev \
     --yes --argocd --ingress-nginx --base-url=http://localhost \
+    --vault=dev --monitoring --mailhog \
+    --create-image-pull-secrets \
     --registry-url=localhost:30000 \
     --registry-path=registry \
     --registry-username=Registry  \
     --registry-password=Registry12345 \
     --registry-proxy-url=localhost:30000 \
     --registry-proxy-username=Proxy \
     --registry-proxy-password=Proxy12345 \
-    --petclinic-image=localhost:30000/proxy/eclipse-temurin:11-jre-alpine 
+    --petclinic-image=localhost:30000/proxy/eclipse-temurin:11-jre-alpine \
+    --mailhog-image=localhost:30000/proxy/mailhog:latest \
+    --vault-image=localhost:30000/proxy/vault:latest \
+    --external-secrets-image=localhost:30000/proxy/eso:latest \
+    --external-secrets-certcontroller-image=localhost:30000/proxy/eso:latest \
+    --external-secrets-webhook-image=localhost:30000/proxy/eso:latest
 
 # Or with config file --config-file=/config/gitops-playground.yaml 
 ```
 
-To make the registry credentials know to kubernetes, apply the following:
-
-```bash
-namespaces=("example-apps-production" "example-apps-staging")
-
-for namespace in "${namespaces[@]}"; do
-  kubectl create secret docker-registry regcred \
-  -n $namespace \
-  --docker-server=localhost:30000 \
-  --docker-username=Registry\
-  --docker-password=Registry12345
-  kubectl patch serviceaccount default -n $namespace -p '{"imagePullSecrets": [{"name": "regcred"}]}'
-done
-```
-
 The same using a config file looks like so:
 
 ```yaml
@@ -513,6 +508,7 @@ registry:
   registryUsername: Registry
   registryPassword: Registry12345
   registryPath: Registry
+  createImagePullSecrets: true
 images: 
   petclinic: localhost:30000/proxy/eclipse-temurin:11-jre-alpine
 ```

src/main/groovy/com/cloudogu/gitops/cli/GitopsPlaygroundCli.groovy

@@ -45,15 +45,19 @@ class GitopsPlaygroundCli  implements Runnable {
     private String registryUsername
     @Option(names = ['--registry-password'], description = REGISTRY_PASSWORD_DESCRIPTION)
     private String registryPassword
-    @Option(names = ['--registry-proxy-url'], description = 'The url of your external proxy-registry. Make sure to always use this with --registry-proxy-url')
+    @Option(names = ['--registry-proxy-url'], description = REGISTRY_PROXY_URL_DESCRIPTION)
     private String registryProxyUrl
-    @Option(names = ['--registry-proxy-path'], description = 'Optional when --registry-proxy-url is set')
-    private String registryProxyPath
-    @Option(names = ['--registry-proxy-username'], description = 'Optional when --registry-proxy-url is set')
+    @Option(names = ['--registry-proxy-username'], description = REGISTRY_PROXY_USERNAME_DESCRIPTION)
     private String registryProxyUsername
-    @Option(names = ['--registry-proxy-password'], description = 'Optional when --registry-proxy-url is set')
+    @Option(names = ['--registry-proxy-password'], description = REGISTRY_PROXY_PASSWORD_DESCRIPTION)
     private String registryProxyPassword
-
+    @Option(names = ['--registry-username-read-only'], description = REGISTRY_USERNAME_RO_DESCRIPTION)
+    private String registryUsernameReadOnly
+    @Option(names = ['--registry-password-read-only'], description = REGISTRY_PASSWORD_RO_DESCRIPTION)
+    private String registryPasswordReadOnly
+    @Option(names = ['--create-image-pull-secrets'], description = REGISTRY_CREATE_IMAGE_PULL_SECRETS_DESCRIPTION)
+    private Boolean createImagePullSecrets
+    
     // args group jenkins
     @Option(names = ['--jenkins-url'], description = JENKINS_URL_DESCRIPTION)
     private String jenkinsUrl
@@ -159,6 +163,8 @@ class GitopsPlaygroundCli  implements Runnable {
     private String mailhogUrl
     @Option(names = ['--mailhog', '--mail'], description = MAILHOG_ENABLE_DESCRIPTION, scope = CommandLine.ScopeType.INHERIT)
     private Boolean mailhog
+    @Option(names = ['--mailhog-image'], description = HELM_CONFIG_IMAGE_DESCRIPTION)
+    private String mailhogImage
 
     // condition check dependent parameters of external Mailserver
     @Option(names = ['--smtp-address'], description = SMTP_ADDRESS_DESCRIPTION)
@@ -388,9 +394,11 @@ class GitopsPlaygroundCli  implements Runnable {
                         username    : registryUsername,
                         password    : registryPassword,
                         proxyUrl         : registryProxyUrl,
-                        proxyPath        : registryProxyPath,
                         proxyUsername    : registryProxyUsername,
                         proxyPassword    : registryProxyPassword,
+                        readOnlyUsername    : registryUsernameReadOnly,
+                        readOnlyPassword    : registryPasswordReadOnly,
+                        createImagePullSecrets: createImagePullSecrets
                 ],
                 jenkins    : [
                         url     : jenkinsUrl,
@@ -451,7 +459,10 @@ class GitopsPlaygroundCli  implements Runnable {
                                 smtpAddress : smtpAddress,
                                 smtpPort : smtpPort,
                                 smtpUser : smtpUser,
-                                smtpPassword : smtpPassword
+                                smtpPassword : smtpPassword,
+                                helm      : [
+                                        image: mailhogImage
+                                        ]
                         ],
                         exampleApps: [
                                 petclinic: [

src/main/groovy/com/cloudogu/gitops/config/ApplicationConfigurator.groovy

@@ -43,6 +43,9 @@ class ApplicationConfigurator {
                     proxyUrl         : '',
                     proxyUsername    : '',
                     proxyPassword    : '',
+                    readOnlyUsername : '',
+                    readOnlyPassword : '',
+                    createImagePullSecrets: false,
                     helm  : [
                             chart  : 'docker-registry',
                             repoURL: 'https://helm.twun.io',
@@ -317,6 +320,14 @@ class ApplicationConfigurator {
                k3d clusters. */
             newConfig.registry['url'] = "localhost:${newConfig.registry['internalPort']}"
         }
+        
+        if (newConfig.registry['createImagePullSecrets']) {
+            String username = newConfig.registry['readOnlyUsername'] ?: newConfig.registry['username']
+            String password = newConfig.registry['readOnlyPassword'] ?: newConfig.registry['password']
+            if (!username || !password) {
+                throw new RuntimeException("createImagePullSecrets needs to be used with either registry username and password or the readOnly variants")
+            }
+        }
     }
 
     Map setConfig(File configFile, boolean skipInternalConfig = false) {

src/main/groovy/com/cloudogu/gitops/config/ConfigConstants.groovy

@@ -9,14 +9,18 @@ interface ConfigConstants {
     // group registry
     String REGISTRY_DESCRIPTION = 'Config parameters for Registry'
     String REGISTRY_INTERNAL_PORT_DESCRIPTION = 'Port of registry registry. Ignored when a registry*url params are set'
-    String REGISTRY_URL_DESCRIPTION = 'The url of your external registry'
+    String REGISTRY_URL_DESCRIPTION = 'The url of your external registry, used for pushing images'
     String REGISTRY_PATH_DESCRIPTION = 'Optional when registry-url is set'
     String REGISTRY_USERNAME_DESCRIPTION = 'Optional when registry-url is set'
     String REGISTRY_PASSWORD_DESCRIPTION = 'Optional when registry-url is set'
 
-    String REGISTRY_PROXY_URL_DESCRIPTION = 'The url of your proxy-registry. Used in pipelines to authorize pull base images. Use in conjunction with petclinic base image.'
-    String REGISTRY_PROXY_USERNAME_DESCRIPTION = 'Use with registry-proxy-url, added to Jenkins as credentials.'
-    String REGISTRY_PROXY_PASSWORD_DESCRIPTION = 'Use with registry-proxy-url, added to Jenkins as credentials.'
+    String REGISTRY_PROXY_URL_DESCRIPTION = 'The url of your proxy-registry. Used in pipelines to authorize pull base images. Use in conjunction with petclinic base image. Used in helm charts when create-image-pull-secrets is set. Use in conjunction with helm.*image fields.'
+    String REGISTRY_PROXY_USERNAME_DESCRIPTION = 'Use with registry-proxy-url, added to Jenkins as credentials and created as pull secrets, when create-image-pull-secrets is set.'
+    String REGISTRY_PROXY_PASSWORD_DESCRIPTION = 'Use with registry-proxy-url, added to Jenkins as credentials and created as pull secrets, when create-image-pull-secrets is set.'
+    
+    String REGISTRY_USERNAME_RO_DESCRIPTION = 'Optional alternative username for registry-url with read-only permissions that is used when create-image-pull-secrets is set.'
+    String REGISTRY_PASSWORD_RO_DESCRIPTION = 'Optional alternative password for registry-url with read-only permissions that is used when create-image-pull-secrets is set.'
+    String REGISTRY_CREATE_IMAGE_PULL_SECRETS_DESCRIPTION = 'Create image pull secrets for registry and proxy-registry for all GOP namespaces and helm charts. Uses proxy-username, read-only-username or registry-username (in this order).  Use this if your cluster is not auto-provisioned with credentials for your private registries or if you configure individual helm images to be pulled from the proxy-registry that requires authentication.'
 
     String FEATURES_DESCRIPTION = 'Config parameters for features or tools'
 
@@ -92,7 +96,7 @@ interface ConfigConstants {
     String VAULT_ENABLE_DESCRIPTION = "Installs Hashicorp vault and the external secrets operator. Possible values: dev, prod."
     String VAULT_URL_DESCRIPTION = 'Sets url for vault ui'
 
-    String MAILHOG_DESCRIPTION = 'Config parameters for the internal Mail Server'
+    String MAIL_DESCRIPTION = 'Config parameters for mail servers'
     String MAILHOG_URL_DESCRIPTION = 'Sets url for MailHog'
     String MAILHOG_ENABLE_DESCRIPTION = 'Installs MailHog as Mail server.'
 

src/main/groovy/com/cloudogu/gitops/config/schema/Schema.groovy

@@ -1,11 +1,10 @@
 //file:noinspection unused
-package com.cloudogu.gitops.config.schema 
+package com.cloudogu.gitops.config.schema
 
 import com.fasterxml.jackson.annotation.JsonClassDescription
 import com.fasterxml.jackson.annotation.JsonPropertyDescription
 
-import static com.cloudogu.gitops.config.ConfigConstants.*
-
+import static com.cloudogu.gitops.config.ConfigConstants.* 
 /**
  * The schema for the configuration file.
  * It is used to validate the passed yaml file.
@@ -70,6 +69,13 @@ class Schema {
         String proxyUsername = ""
         @JsonPropertyDescription(REGISTRY_PROXY_PASSWORD_DESCRIPTION)
         String proxyPassword = ""
+        // Alternative set of credentials for url, used only for image pull secrets
+        @JsonPropertyDescription(REGISTRY_USERNAME_RO_DESCRIPTION)
+        String readOnlyUsername
+        @JsonPropertyDescription(REGISTRY_PASSWORD_RO_DESCRIPTION)
+        String readOnlyPassword
+        @JsonPropertyDescription(REGISTRY_CREATE_IMAGE_PULL_SECRETS_DESCRIPTION)
+        Boolean createImagePullSecrets
 
         HelmConfig helm
     }
@@ -218,7 +224,7 @@ class Schema {
     static class FeaturesSchema {
         @JsonPropertyDescription(ARGOCD_DESCRIPTION)
         ArgoCDSchema argocd
-        @JsonPropertyDescription(MAILHOG_DESCRIPTION)
+        @JsonPropertyDescription(MAIL_DESCRIPTION)
         MailSchema mail
         @JsonPropertyDescription(MONITORING_DESCRIPTION)
         MonitoringSchema monitoring