feat: add support to pass image pull credentials (#448) <br> - Added support for passing image pull credentials when deploying Kibana from a private registry

---------

Co-authored-by: Aatreyee Mukherjee <[email protected]>
Co-authored-by: Akash Kumar <[email protected]>
Co-authored-by: Aatreyee Mukherjee <[email protected]>
Co-authored-by: aatreyee257 <[email protected]>
Co-authored-by: whoffler <[email protected]>
Co-authored-by: shemau <[email protected]>
Co-authored-by: Akash Kumar <[email protected]>

Author: 7 people

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2025-07-24T21:11:38Z",
+  "generated_at": "2025-07-31T19:33:02Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -110,7 +110,7 @@
         "hashed_secret": "8c7c51db5075ebd0369c51e9f14737d9b4c1c21d",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 380,
+        "line_number": 379,
         "type": "Base64 High Entropy String",
         "verified_result": null
       }

ibm_catalog.json

@@ -433,6 +433,9 @@
             {
               "key": "existing_code_engine_project_id"
             },
+            {
+              "key": "use_existing_registry_secret"
+            },
             {
               "key": "kibana_registry_namespace_image"
             },
@@ -442,6 +445,21 @@
             {
               "key": "kibana_image_port"
             },
+            {
+              "key": "kibana_image_secret"
+            },
+            {
+              "key": "kibana_registry_personal_access_token"
+            },
+            {
+              "key": "kibana_registry_server"
+            },
+            {
+              "key": "kibana_registry_username"
+            },
+            {
+              "key": "use_private_registry"
+            },
             {
               "key": "kibana_visibility",
               "options": [

solutions/fully-configurable/main.tf

@@ -432,19 +432,32 @@ module "code_engine_kibana" {
   resource_group_id   = module.resource_group.resource_group_id
   project_name        = local.code_engine_project_name
   existing_project_id = local.code_engine_project_id
-  secrets = {
-    "es-secret" = {
-      format = "generic"
-      data = {
-        "ELASTICSEARCH_PASSWORD" = local.admin_pass
+  secrets = merge(
+    {
+      "es-secret" = {
+        format = "generic"
+        data = {
+          "ELASTICSEARCH_PASSWORD" = local.admin_pass
+        }
       }
-    }
-  }
+    },
+    var.use_private_registry && !var.use_existing_registry_secret ? {
+      "registry-secret" = {
+        format = "registry"
+        data = {
+          username = var.kibana_registry_username
+          password = var.kibana_registry_personal_access_token
+          server   = var.kibana_registry_server
+        }
+      }
+    } : {}
+  )
 
   apps = {
     (local.code_engine_app_name) = {
       image_reference = var.kibana_image_digest != null ? "${var.kibana_registry_namespace_image}@${var.kibana_image_digest}" : "${var.kibana_registry_namespace_image}:${local.kibana_version}"
       image_port      = var.kibana_image_port
+      image_secret    = var.use_private_registry ? (var.use_existing_registry_secret ? var.kibana_image_secret : "registry-secret") : null
       run_env_variables = [{
         type  = "literal"
         name  = "ELASTICSEARCH_HOSTS"

solutions/fully-configurable/variables.tf

@@ -443,6 +443,12 @@ variable "admin_pass_secrets_manager_secret_name" {
   }
 }
 
+variable "use_existing_registry_secret" {
+  description = "Set to true to use an existing image registry secret instead of creating a new one."
+  type        = bool
+  default     = false
+}
+
 ##############################################################
 # Kibana Configuration
 ##############################################################
@@ -471,12 +477,31 @@ variable "enable_kibana_dashboard" {
   default     = false
 }
 
+variable "use_private_registry" {
+  description = "Set to true if the Kibana image is being pulled from a private registry."
+  type        = bool
+  default     = false
+}
+
 variable "kibana_registry_namespace_image" {
   type        = string
   description = "The Kibana image reference in the format of `[registry-url]/[namespace]/[image]`. This value is used only when `enable_kibana_dashboard` is set to true."
   default     = "docker.elastic.co/kibana/kibana"
 }
 
+variable "kibana_registry_server" {
+  type        = string
+  description = "The server URL of the container registry used to pull the Kibana image."
+  default     = "https://index.docker.io/v1/"
+  validation {
+    condition = (
+      !(var.use_private_registry && !var.use_existing_registry_secret)
+      || (var.kibana_registry_server != null && var.kibana_registry_server != "")
+    )
+    error_message = "The `kibana_registry_server` must not be null or empty when `use_private_registry` is true and `use_existing_registry_secret` is false."
+  }
+}
+
 variable "kibana_image_digest" {
   type        = string
   description = "When `enable_kibana_dashboard` is set to true, Kibana is deployed using an image tag compatible with the Elasticsearch version. Alternatively, an image digest in the format `sha256:xxxxx...` can also be specified but it must correspond to a version compatible with the Elasticsearch instance."
@@ -485,15 +510,20 @@ variable "kibana_image_digest" {
     condition     = var.kibana_image_digest == null || can(regex("^sha256:", var.kibana_image_digest))
     error_message = "If provided, the value of kibana_image_digest must start with 'sha256:'."
   }
-
-
 }
+
 variable "kibana_image_port" {
   description = "Specify the port number used to connect to the Kibana service exposed by the container image. Default port is 5601 and it is only applicable if `enable_kibana_dashboard` is true"
   type        = number
   default     = 5601
 }
 
+variable "kibana_image_secret" {
+  description = "The name of the image registry access secret."
+  type        = string
+  default     = null
+}
+
 variable "kibana_visibility" {
   description = "Specify the visibility of Kibana application in order to define which endpoint is available for receiving the requests. Valid values are 'local_public', 'local_private' and 'local' and it is only applicable if `enable_kibana_dashboard` is true. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-elasticsearch/blob/main/solutions/fully-configurable/DA-types.md#options-for-kibana_visibility)."
   type        = string
@@ -504,6 +534,33 @@ variable "kibana_visibility" {
   }
 }
 
+variable "kibana_registry_username" {
+  description = "Username for the for the container registry."
+  type        = string
+  default     = null
+  validation {
+    condition = (
+      !(var.use_private_registry && !var.use_existing_registry_secret)
+      || (var.kibana_registry_username != null && var.kibana_registry_username != "")
+    )
+    error_message = "The `kibana_registry_username` must not be null or empty when `use_private_registry` is true and `use_existing_registry_secret` is false."
+  }
+}
+
+variable "kibana_registry_personal_access_token" {
+  description = "Pesonal access token for the container registry."
+  type        = string
+  default     = null
+  sensitive   = true
+  validation {
+    condition = (
+      !(var.use_private_registry && !var.use_existing_registry_secret)
+      || (var.kibana_registry_personal_access_token != null && var.kibana_registry_personal_access_token != "")
+    )
+    error_message = "The `kibana_registry_personal_access_token` must not be null or empty when `use_private_registry` is true and `use_existing_registry_secret` is false."
+  }
+}
+
 ##############################################################
 # Context-based restriction (CBR)
 ##############################################################

tests/pr_test.go

@@ -93,7 +93,6 @@ func TestRunFullyConfigurableSolutionSchematics(t *testing.T) {
 			},
 		},
 	}
-
 	options.TerraformVars = []testschematic.TestSchematicTerraformVar{
 		{Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true},
 		{Name: "access_tags", Value: permanentResources["accessTags"], DataType: "list(string)"},