diff --git a/.secrets.baseline b/.secrets.baseline
index 45220eba..815f2904 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
 "files": "go.sum|^.secrets.baseline$",
 "lines": null
 },
- "generated_at": "2025-07-24T21:11:38Z",
+ "generated_at": "2025-07-31T19:33:02Z",
 "plugins_used": [
 {
 "name": "AWSKeyDetector"
@@ -110,7 +110,7 @@
 "hashed_secret": "8c7c51db5075ebd0369c51e9f14737d9b4c1c21d",
 "is_secret": false,
 "is_verified": false,
- "line_number": 380,
+ "line_number": 379,
 "type": "Base64 High Entropy String",
 "verified_result": null
 }
diff --git a/ibm_catalog.json b/ibm_catalog.json
index ea54f530..e83f2901 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -433,6 +433,9 @@
 {
 "key": "existing_code_engine_project_id"
 },
+ {
+ "key": "use_existing_registry_secret"
+ },
 {
 "key": "kibana_registry_namespace_image"
 },
@@ -442,6 +445,21 @@
 {
 "key": "kibana_image_port"
 },
+ {
+ "key": "kibana_image_secret"
+ },
+ {
+ "key": "kibana_registry_personal_access_token"
+ },
+ {
+ "key": "kibana_registry_server"
+ },
+ {
+ "key": "kibana_registry_username"
+ },
+ {
+ "key": "use_private_registry"
+ },
 {
 "key": "kibana_visibility",
 "options": [
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index f7ac58b2..bbb1daeb 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -432,19 +432,32 @@ module "code_engine_kibana" {
 resource_group_id = module.resource_group.resource_group_id
 project_name = local.code_engine_project_name
 existing_project_id = local.code_engine_project_id
- secrets = {
- "es-secret" = {
- format = "generic"
- data = {
- "ELASTICSEARCH_PASSWORD" = local.admin_pass
+ secrets = merge(
+ {
+ "es-secret" = {
+ format = "generic"
+ data = {
+ "ELASTICSEARCH_PASSWORD" = local.admin_pass
+ }
 }
- }
- }
+ },
+ var.use_private_registry && !var.use_existing_registry_secret ? {
+ "registry-secret" = {
+ format = "registry"
+ data = {
+ username = var.kibana_registry_username
+ password = var.kibana_registry_personal_access_token
+ server = var.kibana_registry_server
+ }
+ }
+ } : {}
+ )
 apps = {
 (local.code_engine_app_name) = {
 image_reference = var.kibana_image_digest != null ? "${var.kibana_registry_namespace_image}@${var.kibana_image_digest}" : "${var.kibana_registry_namespace_image}:${local.kibana_version}"
 image_port = var.kibana_image_port
+ image_secret = var.use_private_registry ? (var.use_existing_registry_secret ? var.kibana_image_secret : "registry-secret") : null
 run_env_variables = [{
 type = "literal"
 name = "ELASTICSEARCH_HOSTS"
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
index cc8ee563..a9ffaccc 100644
--- a/solutions/fully-configurable/variables.tf
+++ b/solutions/fully-configurable/variables.tf
@@ -443,6 +443,12 @@ variable "admin_pass_secrets_manager_secret_name" {
 }
 }
+variable "use_existing_registry_secret" {
+ description = "Set to true to use an existing image registry secret instead of creating a new one."
+ type = bool
+ default = false
+}
+
 ##############################################################
 # Kibana Configuration
 ##############################################################
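Review bot: In `solutions/fully-configurable/main.tf`, the new `registry-secret` entry passes `var.kibana_registry_personal_access_token` as `password`, so the token will presumably be persisted in Terraform state through the Code Engine secret resource; `sensitive = true` on the variable only redacts plan and CLI output. A comment above the entry would make that visible to operators, for example `# NOTE: the registry token ends up in state; keep the state backend encrypted and access-restricted`. The secret name `"registry-secret"` is also repeated as a literal in `image_secret`, and a single `local` would keep the two from drifting apart. The `module "code_engine_kibana"` block starts and ends outside this hunk.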
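Review bot: The description of `use_existing_registry_secret` in `variables.tf` does not say that the flag is read only when `use_private_registry` is true, nor that the name of the existing secret has to be supplied through `kibana_image_secret`. I would extend it to something like `"Set to true to use an existing Code Engine registry secret, named in kibana_image_secret, instead of creating one. Applies only when use_private_registry is true."`. The variable is also declared above the `Kibana Configuration` banner, while the other registry inputs are declared below it.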
@@ -471,12 +477,31 @@ variable "enable_kibana_dashboard" {
 default = false
 }
+variable "use_private_registry" {
+ description = "Set to true if the Kibana image is being pulled from a private registry."
+ type = bool
+ default = false
+}
+
 variable "kibana_registry_namespace_image" {
 type = string
 description = "The Kibana image reference in the format of `[registry-url]/[namespace]/[image]`. This value is used only when `enable_kibana_dashboard` is set to true."
 default = "docker.elastic.co/kibana/kibana"
 }
+variable "kibana_registry_server" {
+ type = string
+ description = "The server URL of the container registry used to pull the Kibana image."
+ default = "https://index.docker.io/v1/"
+ validation {
+ condition = (
+ !(var.use_private_registry && !var.use_existing_registry_secret)
+ || (var.kibana_registry_server != null && var.kibana_registry_server != "")
+ )
+ error_message = "The `kibana_registry_server` must not be null or empty when `use_private_registry` is true and `use_existing_registry_secret` is false."
+ }
+}
+
 variable "kibana_image_digest" {
 type = string
 description = "When `enable_kibana_dashboard` is set to true, Kibana is deployed using an image tag compatible with the Elasticsearch version. Alternatively, an image digest in the format `sha256:xxxxx...` can also be specified but it must correspond to a version compatible with the Elasticsearch instance."
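Review bot: `kibana_registry_server` defaults to `https://index.docker.io/v1/` while `kibana_registry_namespace_image` defaults to `docker.elastic.co/kibana/kibana`, so with the defaults the generated registry secret is scoped to a different registry than the one the image is pulled from. Because the default is non-empty, the new validation can never fire for it, and the mismatch is not caught at plan time; the supplied token is then stored against a server it may not belong to. Changing the default to `default = null` would make the existing validation require an explicit server whenever a new secret is created.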
@@ -485,15 +510,20 @@ variable "kibana_image_digest" {
 condition = var.kibana_image_digest == null || can(regex("^sha256:", var.kibana_image_digest))
 error_message = "If provided, the value of kibana_image_digest must start with 'sha256:'."
 }
-
-
 }
+
 variable "kibana_image_port" {
 description = "Specify the port number used to connect to the Kibana service exposed by the container image. Default port is 5601 and it is only applicable if `enable_kibana_dashboard` is true"
 type = number
 default = 5601
 }
+variable "kibana_image_secret" {
+ description = "The name of the image registry access secret."
+ type = string
+ default = null
+}
+
 variable "kibana_visibility" {
 description = "Specify the visibility of Kibana application in order to define which endpoint is available for receiving the requests. Valid values are 'local_public', 'local_private' and 'local' and it is only applicable if `enable_kibana_dashboard` is true. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-elasticsearch/blob/main/solutions/fully-configurable/DA-types.md#options-for-kibana_visibility)."
 type = string
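Review bot: `kibana_image_secret` has no validation, unlike the username, token and server inputs, so setting `use_private_registry` and `use_existing_registry_secret` to true while leaving it at its `null` default makes `image_secret` in `main.tf` resolve to `null`. The app would then be created without pull credentials and the mistake would only show up when the private image fails to pull. A validation block mirroring the other three, with the second flag not negated, catches this at plan time; the description could also say that the value is used only in that combination.

```hcl
variable "kibana_image_secret" {
  # … unchanged: description, type, default …
  validation {
    condition = (
      !(var.use_private_registry && var.use_existing_registry_secret)
      || (var.kibana_image_secret != null && var.kibana_image_secret != "")
    )
    error_message = "The `kibana_image_secret` must not be null or empty when `use_private_registry` and `use_existing_registry_secret` are both true."
  }
}
```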
@@ -504,6 +534,33 @@ variable "kibana_visibility" {
 }
 }
+variable "kibana_registry_username" {
+ description = "Username for the for the container registry."
+ type = string
+ default = null
+ validation {
+ condition = (
+ !(var.use_private_registry && !var.use_existing_registry_secret)
+ || (var.kibana_registry_username != null && var.kibana_registry_username != "")
+ )
+ error_message = "The `kibana_registry_username` must not be null or empty when `use_private_registry` is true and `use_existing_registry_secret` is false."
+ }
+}
+
+variable "kibana_registry_personal_access_token" {
+ description = "Pesonal access token for the container registry."
+ type = string
+ default = null
+ sensitive = true
+ validation {
+ condition = (
+ !(var.use_private_registry && !var.use_existing_registry_secret)
+ || (var.kibana_registry_personal_access_token != null && var.kibana_registry_personal_access_token != "")
+ )
+ error_message = "The `kibana_registry_personal_access_token` must not be null or empty when `use_private_registry` is true and `use_existing_registry_secret` is false."
+ }
+}
+
 ##############################################################
 # Context-based restriction (CBR)
 ##############################################################
diff --git a/tests/pr_test.go b/tests/pr_test.go
index 1a6da48e..04d68318 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -93,7 +93,6 @@ func TestRunFullyConfigurableSolutionSchematics(t *testing.T) {
 },
 },
 }
-
 options.TerraformVars = []testschematic.TestSchematicTerraformVar{
 {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true},
 {Name: "access_tags", Value: permanentResources["accessTags"], DataType: "list(string)"},
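Review bot: Both new descriptions in this `variables.tf` hunk contain typos that will surface in generated docs and input forms: `"Username for the for the container registry."` should read `"Username for the container registry."`, and `"Pesonal access token for the container registry."` should read `"Personal access token for the container registry."`. The validation blocks here, like the one on `kibana_registry_server`, refer to other variables, which as far as I know requires Terraform 1.9 or later. The `required_version` constraint is not visible in this diff, so it is worth confirming that it already excludes older releases.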