pull secrets (#847)

Author: james-otten

.github/workflows/deploy-to-k8s.yaml

@@ -84,6 +84,9 @@ jobs:
         --set meshweb.environment="${{ inputs.environment }}" \
         --set ingress.hosts[0].host="${{ vars.INGRESS_HOST }}",ingress.hosts[0].paths[0].path=/,ingress.hosts[0].paths[0].pathType=Prefix \
         --set ingress.hosts[1].host="${{ vars.INGRESS_HOST_LEGACY }}",ingress.hosts[1].paths[0].path=/,ingress.hosts[1].paths[0].pathType=Prefix \
+        --set imageCredentials.username="${{ secrets.PULL_SECRET_USERNAME }}" \
+        --set imageCredentials.password="${{ secrets.PULL_SECRET_PASSWORD }}" \
+        --set imageCredentials.email="${{ secrets.PULL_SECRET_EMAIL }}" \
         --set meshweb.image.tag="${{ inputs.useTag }}"
 
         # Rolling restart

infra/helm/meshdb/charts/celery/values.yaml

@@ -2,7 +2,7 @@
 replicaCount: 1
 
 image:
-  repository: willnilges/meshdb
+  repository: docker.io/willnilges/meshdb
   pullPolicy: Always
   tag: "main"
 

infra/helm/meshdb/templates/_helpers.tpl

@@ -60,3 +60,9 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{- define "imagePullSecret" }}
+{{- with .Values.imageCredentials }}
+{{- printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}}}" .registry .username .password .email (printf "%s:%s" .username .password | b64enc) | b64enc }}
+{{- end }}
+{{- end }}

infra/helm/meshdb/templates/meshweb.yaml

@@ -7,6 +7,10 @@ metadata:
     {{- include "meshdb.labels" . | nindent 4 }}
 spec:
   replicas: 3
+  {{- if .Values.imageCredentials }}
+  imagePullSecrets:
+    - name: pull-secret
+  {{- end }}
   selector:
     matchLabels:
       {{- include "meshdb.selectorLabels" . | nindent 6 }}

infra/helm/meshdb/templates/nginx.yaml

@@ -32,7 +32,7 @@ spec:
         - name: {{ .Chart.Name }}-nginx
           securityContext:
             {{- toYaml .Values.nginx.securityContext | nindent 12 }}
-          image: "nginx:latest"
+          image: "docker.io/nginx:latest"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
             - name: nginx

infra/helm/meshdb/templates/pelias.yaml

@@ -31,7 +31,7 @@ spec:
         - name: {{ .Chart.Name }}-pelias
           securityContext:
             {{- toYaml .Values.pelias.securityContext | nindent 12 }}
-          image: "pelias/parser"
+          image: "docker.io/pelias/parser"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
             - name: pelias

infra/helm/meshdb/templates/postgres.yaml

@@ -33,7 +33,7 @@ spec:
         - name: {{ .Chart.Name }}-postgres
           securityContext:
             {{- toYaml .Values.pg.securityContext | nindent 12 }}
-          image: postgres:15-bookworm
+          image: docker.io/postgres:15-bookworm
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
             - name: postgres

infra/helm/meshdb/templates/pull_secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: pull-secret
+  namespace: {{ .Values.meshdb_app_namespace }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ template "imagePullSecret" . }}

infra/helm/meshdb/templates/redis.yaml

@@ -44,7 +44,7 @@ spec:
         - name: {{ .Chart.Name }}-redis
           securityContext:
             {{- toYaml .Values.redis.securityContext | nindent 12 }}
-          image: "redis:latest"
+          image: "docker.io/redis:latest"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
             - name: redis

infra/helm/meshdb/values.yaml

@@ -41,7 +41,7 @@ meshweb:
   readiness_probe: "true"
   startup_probe: "true"
   image:
-    repository: willnilges/meshdb
+    repository: docker.io/willnilges/meshdb
     tag: main
   podSecurityContext: {}
   securityContext: {}
@@ -122,6 +122,9 @@ pelias:
 image:
   pullPolicy: Always
 
+imageCredentials:
+  registry: docker.io
+
 nameOverride: ""
 fullnameOverride: "meshdb"