Implement remaining image pull secrets

Ignore Jenkins, SCMM, Registry, ArgoCD because we don't have params to
set their images.

We have different options for using them in airGapped envs: Cloudogu
Ecosystem and Argo CD Operator (WIP)

Added setting nginx-image in helm-umbrella example app

Add --ingress-nginx-image and upgrade chart to avoid conflict with
isControllerTagValid.

Author: schnatterer

applications/argocd/nginx/helm-jenkins/k8s/values-shared.ftl.yaml

@@ -4,6 +4,12 @@ image:
   repository: ${nginxImage.repository}
   tag: ${nginxImage.tag}
 </#if>
+<#if config.registry.createImagePullSecrets?has_content && config.registry.twoRegistries?has_content>
+
+global:
+  imagePullSecrets:
+    - proxy-registry
+</#if>
 service:
   ports:
     http: 80

applications/argocd/nginx/helm-umbrella/values.ftl.yaml

@@ -1,4 +1,16 @@
 nginx:
+<#if nginxImage??>
+  image:
+    registry: ${nginxImage.registry}
+    repository: ${nginxImage.repository}
+    tag: ${nginxImage.tag}
+</#if>
+  <#if config.registry.createImagePullSecrets == true>
+
+  global:
+    imagePullSecrets:
+    - proxy-registry
+  </#if>
   service:
     ports:
       http: 80

applications/cluster-resources/ingress-nginx-helm-values.ftl.yaml

@@ -1,4 +1,19 @@
+<#assign DockerImageParser=statics['com.cloudogu.gitops.utils.DockerImageParser']>
+<#if config.registry.createImagePullSecrets?has_content && config.registry.twoRegistries?has_content>
+imagePullSecrets:
+  - name: proxy-registry
+
+</#if>
 controller:
+<#if config.features.ingressNginx.helm.image?has_content>
+  <#assign imageObject = DockerImageParser.parse(config.features.ingressNginx.helm.image)>
+  image:
+    repository: ${imageObject.registryAndRepositoryAsString}
+    tag: ${imageObject.tag}
+    # Changing the image will change digest, so don't use the default.
+    # A digest can also be appended to the tag
+    digest: null 
+</#if>
   annotations:
     ingressclass.kubernetes.io/is-default-class: "true"
   watchIngressWithoutClass: true
@@ -14,7 +29,8 @@ controller:
     # https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
     externalTrafficPolicy: Local
   replicaCount: 2
-<#if podResources == true>
+<#if config.application.podResources == true>
+
   resources:
     # Be generous to our Single Point of failure
     limits:
@@ -42,10 +58,10 @@ controller:
     # customize access log format to include requested hostname ($host)
     # https://github.com/kubernetes/ingress-nginx/blob/controller-v1.2.1/docs/user-guide/nginx-configuration/log-format.md
     log-format-upstream: '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$host" $request_length $request_time [$proxy_upstream_name] [$proxy_alternative_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status $req_id'
-<#if monitoring.active == true>
+<#if config.features.monitoring.active == true>
   metrics:
     enabled: true
     serviceMonitor:
       enabled: true
-      namespace: ${namePrefix}monitoring
+      namespace: ${config.application.namePrefix}monitoring
 </#if>

applications/cluster-resources/mailhog-helm-values.ftl.yaml

@@ -5,12 +5,11 @@ image:
   repository: ${imageObject.registryAndRepositoryAsString}
 <#if imageObject.tag?has_content>  tag: ${imageObject.tag}</#if>
 </#if>
-
 <#if config.registry.createImagePullSecrets?has_content && config.registry.twoRegistries?has_content>
+
 imagePullSecrets: 
  - name: proxy-registry
 </#if>
-
 service:
   type: <#if isRemote>LoadBalancer<#else>NodePort</#if>
   port:

applications/cluster-resources/monitoring/prometheus-stack-helm-values.ftl.yaml

@@ -4,15 +4,22 @@ crds:
   enabled: false
 </#if>
 
-<#if namespaceIsolation == true>
+<#if namespaceIsolation == true || config.registry.createImagePullSecrets == true>
 global:
+  <#if config.registry.createImagePullSecrets == true>
+  imagePullSecrets:
+    - name: proxy-registry
+  </#if>
+<#if namespaceIsolation == true>
+
   rbac:
     # Avoids creation of ClusterRole, which do not need here
     create: false
 kubeApiServer:
   # Don't scrape ApiServer to avoid 403 in prometheus targets due to lacking RBAC in isolated mode
   enabled: false
 </#if>
+</#if>
 
 # Note that many things are disabled here, because we want to start small, especially in airgapped envs where each image
 # has to be replicated individually

docs/configuration.schema.json

@@ -198,6 +198,10 @@
                   "type" : "string",
                   "description" : "Name of the Helm chart"
                 },
+                "image" : {
+                  "type" : "string",
+                  "description" : "The image of the Helm chart to be installed"
+                },
                 "repoURL" : {
                   "type" : "string",
                   "description" : "Repository url from which the Helm chart should be obtained"
@@ -211,8 +215,8 @@
                   "description" : "The version of the Helm chart to be installed"
                 }
               },
-              "description" : "Common Config parameters for the Helm package manager: Name of Chart (chart), URl of Helm-Repository (repoURL) and Chart Version (version). Note: These config is intended to obtain the chart from a different source (e.g. in air-gapped envs), not to use a different version of a helm chart. Using a different helm chart or version to the one used in the GOP version will likely cause errors.",
-              "additionalProperties" : false
+              "additionalProperties" : false,
+              "description" : "Common Config parameters for the Helm package manager: Name of Chart (chart), URl of Helm-Repository (repoURL) and Chart Version (version). Note: These config is intended to obtain the chart from a different source (e.g. in air-gapped envs), not to use a different version of a helm chart. Using a different helm chart or version to the one used in the GOP version will likely cause errors."
             }
           },
           "additionalProperties" : false,
@@ -518,7 +522,7 @@
       "properties" : {
         "createImagePullSecrets" : {
           "type" : "boolean",
-          "description" : "Create image pull secrets for registry and proxy-registry for all GOP namespaces and helm charts. Use this if your cluster is not auto-provisioned with credentials for your private registries or if you configure individual helm images to be pulled from the proxy-registry that requires authentication."
+          "description" : "Create image pull secrets for registry and proxy-registry for all GOP namespaces and helm charts. Uses proxy-username, read-only-username or registry-username (in this order).  Use this if your cluster is not auto-provisioned with credentials for your private registries or if you configure individual helm images to be pulled from the proxy-registry that requires authentication."
         },
         "helm" : {
           "$ref" : "#/$defs/HelmConfig"

docs/developers.md

@@ -464,10 +464,21 @@ for operation in "${operations[@]}"; do
     curl  --fail "http://localhost:30000/api/v2.0/projects/${projectId}/members" -X POST -u admin:Harbor12345    -H 'Content-Type: application/json' --data-raw "{\"role_id\":4,\"member_user\":{\"username\":\"$operation\"}}"
 done
 
+# When updating the container image versions note that all images of a chart are listed at artifact hub on the right hand side under "Containers Images"
 skopeo copy docker://eclipse-temurin:11-jre-alpine --dest-creds Proxy:Proxy12345 --dest-tls-verify=false  docker://localhost:30000/proxy/eclipse-temurin:11-jre-alpine
 skopeo copy docker://ghcr.io/cloudogu/mailhog:v1.0.1 --dest-creds Proxy:Proxy12345 --dest-tls-verify=false  docker://localhost:30000/proxy/mailhog
-skopeo copy docker://ghcr.io/external-secrets/external-secrets:v0.9.16 --dest-creds Proxy:Proxy12345 --dest-tls-verify=false  docker://localhost:30000/proxy/eso
-skopeo copy docker://hashicorp/vault:1.14.0  --dest-creds Proxy:Proxy12345 --dest-tls-verify=false  docker://localhost:30000/proxy/vault
+skopeo copy docker://ghcr.io/external-secrets/external-secrets:v0.9.16 --dest-creds Proxy:Proxy12345 --dest-tls-verify=false  docker://localhost:30000/proxy/external-secrets
+skopeo copy docker://hashicorp/vault:1.14.0 --dest-creds Proxy:Proxy12345 --dest-tls-verify=false  docker://localhost:30000/proxy/vault
+skopeo copy docker://bitnami/nginx:1.23.3-debian-11-r8 --dest-creds Proxy:Proxy12345 --dest-tls-verify=false  docker://localhost:30000/proxy/nginx
+skopeo copy docker://registry.k8s.io/ingress-nginx/controller:v1.9.6 --dest-creds Proxy:Proxy12345 --dest-tls-verify=false docker://localhost:30000/proxy/ingress-nginx
+skopeo copy docker://quay.io/prometheus-operator/prometheus-operator:v0.73.2 --dest-creds Proxy:Proxy12345 --dest-tls-verify=false docker://localhost:30000/proxy/prometheus-operator
+# Using latest will lead to failure with
+# k describe prometheus -n monitoring
+#  Message:               initializing PrometheusRules failed: failed to parse version: Invalid character(s) found in major number "0latest"
+skopeo copy docker://quay.io/prometheus/prometheus:v2.51.2 --dest-creds Proxy:Proxy12345 --dest-tls-verify=false docker://localhost:30000/proxy/prometheus:v2.51.2
+skopeo copy docker://quay.io/prometheus-operator/prometheus-config-reloader:v0.73.2 --dest-creds Proxy:Proxy12345 --dest-tls-verify=false docker://localhost:30000/proxy/prometheus-config-reloader
+skopeo copy docker://grafana/grafana:10.4.1 --dest-creds Proxy:Proxy12345 --dest-tls-verify=false docker://localhost:30000/proxy/grafana
+skopeo copy docker://quay.io/kiwigrid/k8s-sidecar:1.27.4 --dest-creds Proxy:Proxy12345 --dest-tls-verify=false docker://localhost:30000/proxy/k8s-sidecar
 ```
 
 * Deploy playground:
@@ -490,28 +501,19 @@ docker run --rm -t -u $(id -u)  \
     --petclinic-image=localhost:30000/proxy/eclipse-temurin:11-jre-alpine \
     --mailhog-image=localhost:30000/proxy/mailhog:latest \
     --vault-image=localhost:30000/proxy/vault:latest \
-    --external-secrets-image=localhost:30000/proxy/eso:latest \
-    --external-secrets-certcontroller-image=localhost:30000/proxy/eso:latest \
-    --external-secrets-webhook-image=localhost:30000/proxy/eso:latest
-
+    --external-secrets-image=localhost:30000/proxy/external-secrets:latest \
+    --external-secrets-certcontroller-image=localhost:30000/proxy/external-secrets:latest \
+    --external-secrets-webhook-image=localhost:30000/proxy/external-secrets:latest \
+    --nginx-image=localhost:30000/proxy/nginx:latest \
+    --ingress-nginx-image=localhost:30000/proxy/ingress-nginx:latest \
+    --prometheus-image=localhost:30000/proxy/prometheus:v2.51.2 \
+    --prometheus-operator-image=localhost:30000/proxy/prometheus-operator:latest \
+    --prometheus-config-reloader-image=localhost:30000/proxy/prometheus-config-reloader:latest \
+    --grafana-image=localhost:30000/proxy/grafana:latest \
+    --grafana-sidecar-image=localhost:30000/proxy/k8s-sidecar:latest 
 # Or with config file --config-file=/config/gitops-playground.yaml 
 ```
 
-The same using a config file looks like so:
-
-```yaml
-registry: 
-  proxyUrl: localhost:30000
-  proxyUsername: Proxy
-  proxyPassword: Proxy12345
-  registryUrl: localhost:30000
-  registryUsername: Registry
-  registryPassword: Registry12345
-  registryPath: Registry
-  createImagePullSecrets: true
-images: 
-  petclinic: localhost:30000/proxy/eclipse-temurin:11-jre-alpine
-```
 ## Testing Network Policies locally
 
 The first increment of our `--netpols` feature is intended to be used on openshift and with an external Cloudogu Ecosystem.

exercises/broken-application/broken-application.ftl.yaml

@@ -7,6 +7,10 @@ spec:
   selector:
     matchLabels:
       app: broken-application
+<#if config.registry.createImagePullSecrets?has_content && config.registry.twoRegistries?has_content>
+  imagePullSecrets:
+    - name: proxy-registry
+</#if>
   template:
     metadata:
       labels:

exercises/nginx-validation/k8s/values-shared.ftl.yaml

@@ -4,6 +4,11 @@ image:
   repository: ${nginxImage.repository}
   tag: ${nginxImage.tag}
 </#if>
+<#if config.registry.createImagePullSecrets?has_content && config.registry.twoRegistries?has_content>
+global:
+  imagePullSecrets:
+    - proxy-registry
+</#if>
 service:
   ports:
     http: 80

src/main/groovy/com/cloudogu/gitops/cli/GitopsPlaygroundCli.groovy

@@ -228,7 +228,8 @@ class GitopsPlaygroundCli  implements Runnable {
     // args Ingress-Class
     @Option(names = ['--ingress-nginx'], description = INGRESS_NGINX_ENABLE_DESCRIPTION)
     private Boolean ingressNginx
-
+    @Option(names = ['--ingress-nginx-image'], description = HELM_CONFIG_IMAGE_DESCRIPTION)
+    private String ingressNginxImage
 
     @Override
     void run() {
@@ -503,6 +504,9 @@ class GitopsPlaygroundCli  implements Runnable {
                         ],
                         ingressNginx: [
                                active: ingressNginx,
+                               helm      : [
+                                       image: ingressNginxImage
+                               ]
                         ],
 
                 ]