feat: Support to pass image credentials

README.md

@@ -60,7 +60,7 @@ You need the following permissions to run this module.
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.9.0 |
-| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.70.0, <2.0.0 |
+| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.79.1, <2.0.0 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.2.1, < 4.0.0 |
 | <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.9.1 |
 

examples/backup-restore/version.tf

@@ -5,7 +5,7 @@ terraform {
     # module's version.tf (basic example), and 1 example that will always use the latest provider version (complete example).
     ibm = {
       source  = "IBM-Cloud/ibm"
-      version = ">=1.70.0, <2.0.0"
+      version = ">=1.79.2, <2.0.0"
     }
   }
 }

examples/basic/version.tf

@@ -4,7 +4,7 @@ terraform {
     # Pin to the lowest provider version of the range defined in the main module's version.tf to ensure lowest version still works
     ibm = {
       source  = "IBM-Cloud/ibm"
-      version = "1.70.0"
+      version = "1.79.2"
     }
     # The elasticsearch provider is not actually required by the module itself, just this example, so OK to use ">=" here instead of locking into a version
     elasticsearch = {

examples/complete/version.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "IBM-Cloud/ibm"
-      version = ">=1.70.0, <2.0.0"
+      version = ">=1.79.2, <2.0.0"
     }
   }
 }

examples/fscloud/version.tf

@@ -4,7 +4,7 @@ terraform {
     # Use latest version of provider in non-basic examples to verify latest version works with module
     ibm = {
       source  = "IBM-Cloud/ibm"
-      version = ">= 1.70.0"
+      version = ">= 1.79.2"
     }
   }
 }

ibm_catalog.json

@@ -359,6 +359,9 @@
             {
               "key": "existing_code_engine_project_id"
             },
+            {
+              "key": "use_existing_registry_secret"
+            },
             {
               "key": "kibana_registry_namespace_image"
             },
@@ -368,6 +371,18 @@
             {
               "key": "kibana_image_port"
             },
+            {
+              "key": "kibana_image_secret"
+            },
+            {
+              "key": "kibana_registry_personal_access_token"
+            },
+            {
+              "key": "kibana_registry_server"
+            },
+            {
+              "key": "kibana_registry_username"
+            },
             {
               "key": "kibana_visibility",
               "options": [

solutions/standard/main.tf

@@ -424,6 +424,23 @@ data "http" "es_metadata" {
   ca_cert_pem = base64decode(local.elasticsearch_cert)
 }
 
+module "secret" {
+  count   = var.enable_kibana_dashboard && !var.use_existing_registry_secret ? 1 : 0
+  source  = "terraform-ibm-modules/code-engine/ibm//modules/secret"
+  version = "4.2.4"
+
+  name       = var.kibana_image_secret
+  project_id = local.code_engine_project_id
+  format     = "registry"
+
+  data = {
+    username = var.kibana_registry_username
+    password = var.kibana_registry_personal_access_token
+    server   = var.kibana_registry_server
+  }
+}
+
+
 module "code_engine_kibana" {
   count               = var.enable_kibana_dashboard ? 1 : 0
   source              = "terraform-ibm-modules/code-engine/ibm"
@@ -444,6 +461,7 @@ module "code_engine_kibana" {
     (local.code_engine_app_name) = {
       image_reference = var.kibana_image_digest != null ? "${var.kibana_registry_namespace_image}@${var.kibana_image_digest}" : "${var.kibana_registry_namespace_image}:${local.kibana_version}"
       image_port      = var.kibana_image_port
+      image_secret    = var.use_existing_registry_secret ? var.kibana_image_secret : module.secret[0].name
       run_env_variables = [{
         type  = "literal"
         name  = "ELASTICSEARCH_HOSTS"

solutions/standard/variables.tf

@@ -407,6 +407,12 @@ variable "admin_pass_secrets_manager_secret_name" {
   }
 }
 
+variable "use_existing_registry_secret" {
+  description = "Set to true to use an existing image registry secret instead of creating a new one."
+  type        = bool
+  default     = false
+}
+
 ##############################################################
 # Kibana Configuration
 ##############################################################
@@ -441,6 +447,12 @@ variable "kibana_registry_namespace_image" {
   default     = "docker.elastic.co/kibana/kibana"
 }
 
+variable "kibana_registry_server" {
+  type        = string
+  description = "The server URL of the container registry used to pull the Kibana image."
+  default     = "https://index.docker.io/v1/"
+}
+
 variable "kibana_image_digest" {
   type        = string
   description = "When `enable_kibana_dashboard` is set to true, Kibana is deployed using an image tag compatible with the Elasticsearch version. Alternatively, an image digest in the format `sha256:xxxxx...` can also be specified but it must correspond to a version compatible with the Elasticsearch instance."
@@ -452,12 +464,19 @@ variable "kibana_image_digest" {
 
 
 }
+
 variable "kibana_image_port" {
   description = "Specify the port number used to connect to the Kibana service exposed by the container image. Default port is 5601 and it is only applicable if `enable_kibana_dashboard` is true"
   type        = number
   default     = 5601
 }
 
+variable "kibana_image_secret" {
+  description = "The name of the image registry access secret."
+  type        = string
+  default     = null
+}
+
 variable "kibana_visibility" {
   description = "Specify the visibility of Kibana application in order to define which endpoint is available for receiving the requests. Valid values are 'local_public', 'local_private' and 'local' and it is only applicable if `enable_kibana_dashboard` is true. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-elasticsearch/blob/main/solutions/standard/DA-types.md#options-for-kibana_visibility)."
   type        = string
@@ -468,6 +487,19 @@ variable "kibana_visibility" {
   }
 }
 
+variable "kibana_registry_username" {
+  description = "Username for the for the container registry."
+  type        = string
+  default     = null
+}
+
+variable "kibana_registry_personal_access_token" {
+  description = "Pesonal access token for the container registry."
+  type        = string
+  default     = null
+  sensitive   = true
+}
+
 ##############################################################
 # Context-based restriction (CBR)
 ##############################################################

solutions/standard/version.tf

@@ -5,7 +5,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "IBM-Cloud/ibm"
-      version = "1.78.3"
+      version = "1.79.2"
     }
     time = {
       source  = "hashicorp/time"

tests/pr_test.go

@@ -61,6 +61,8 @@ func TestMain(m *testing.M) {
 func TestRunStandardSolutionSchematics(t *testing.T) {
 	t.Parallel()
 
+	enableKibana := false
+
 	options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{
 		Testing: t,
 		TarIncludePatterns: []string{
@@ -93,7 +95,6 @@ func TestRunStandardSolutionSchematics(t *testing.T) {
 			},
 		},
 	}
-
 	options.TerraformVars = []testschematic.TestSchematicTerraformVar{
 		{Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true},
 		{Name: "access_tags", Value: permanentResources["accessTags"], DataType: "list(string)"},
@@ -109,11 +110,44 @@ func TestRunStandardSolutionSchematics(t *testing.T) {
 		{Name: "admin_pass", Value: GetRandomAdminPassword(t), DataType: "string"},
 		{Name: "admin_pass_secrets_manager_secret_group", Value: options.Prefix, DataType: "string"},
 		{Name: "admin_pass_secrets_manager_secret_name", Value: options.Prefix, DataType: "string"},
-		{Name: "enable_kibana_dashboard", Value: true, DataType: "bool"},
+		{Name: "enable_kibana_dashboard", Value: enableKibana, DataType: "bool"},
 		{Name: "provider_visibility", Value: "private", DataType: "string"},
 		{Name: "prefix", Value: options.Prefix, DataType: "string"},
 		{Name: "admin_pass", Value: GetRandomAdminPassword(t), DataType: "string"},
 	}
+
+	if enableKibana {
+		existingProjectID := os.Getenv("EXISTING_CODE_ENGINE_PROJECT_ID")
+		kibanaImageSecret := os.Getenv("KIBANA_IMAGE_SECRET")
+		kibanaRegistryUsername := os.Getenv("KIBANA_REGISTRY_USERNAME")
+		kibanaRegistryToken := os.Getenv("KIBANA_REGISTRY_PERSONAL_ACCESS_TOKEN")
+		kibanaRegistryServer := os.Getenv("KIBANA_REGISTRY_SERVER")
+
+		if existingProjectID == "" {
+			t.Fatal("existing_code_engine_project_id env var must be set when enable_kibana_dashboard is true")
+		}
+		if kibanaImageSecret == "" {
+			t.Fatal("kibana_image_secret env var must be set when enable_kibana_dashboard is true")
+		}
+		if kibanaRegistryUsername == "" {
+			t.Fatal("kibana_registry_username env var must be set when enable_kibana_dashboard is true")
+		}
+		if kibanaRegistryToken == "" {
+			t.Fatal("kibana_personal_access_token env var must be set when enable_kibana_dashboard is true")
+		}
+		if kibanaRegistryServer == "" {
+			t.Fatal("kibana_registry_server env var must be set when enable_kibana_dashboard is true")
+		}
+
+		options.TerraformVars = append(options.TerraformVars,
+			testschematic.TestSchematicTerraformVar{Name: "existing_code_engine_project_id", Value: existingProjectID, DataType: "string"},
+			testschematic.TestSchematicTerraformVar{Name: "kibana_image_secret", Value: kibanaImageSecret, DataType: "string"},
+			testschematic.TestSchematicTerraformVar{Name: "kibana_registry_username", Value: kibanaRegistryUsername, DataType: "string"},
+			testschematic.TestSchematicTerraformVar{Name: "kibana_registry_personal_access_token", Value: kibanaRegistryToken, DataType: "string"},
+			testschematic.TestSchematicTerraformVar{Name: "kibana_registry_server", Value: kibanaRegistryServer, DataType: "string"},
+		)
+	}
+
 	err := options.RunSchematicTest()
 	assert.Nil(t, err, "This should not have errored")
 }
@@ -279,10 +313,38 @@ func TestPlanValidation(t *testing.T) {
 	}
 
 	// Test the DA when using Kibana dashboard and existing KMS instance
-	var standardSolutionWithKibanaDashboardVars = map[string]interface{}{
-		"enable_kibana_dashboard":   true,
-		"existing_kms_instance_crn": permanentResources["hpcs_south_crn"],
-		"plan":                      "enterprise",
+
+	tfVarsMap := map[string]map[string]interface{}{}
+
+	if os.Getenv("ENABLE_KIBANA_DASHBOARD") == "true" {
+		tfVarsMap["standardSolutionWithKibanaDashboardVars"] = map[string]interface{}{
+			"existing_kms_instance_crn":             permanentResources["hpcs_south_crn"],
+			"kibana_image_secret":                   os.Getenv("KIBANA_IMAGE_SECRET"),
+			"kibana_registry_username":              os.Getenv("KIBANA_REGISTRY_USERNAME"),
+			"kibana_registry_personal_access_token": os.Getenv("KIBANA_REGISTRY_PERSONAL_ACCESS_TOKEN"),
+			"kibana_registry_server":                os.Getenv("KIBANA_REGISTRY_SERVER"),
+			"existingProjectID":                     os.Getenv("EXISTING_CODE_ENGINE_PROJECT_ID"),
+			"plan":                                  "enterprise",
+		}
+	}
+
+	for name, tfVars := range tfVarsMap {
+		t.Run(name, func(t *testing.T) {
+			for key, value := range tfVars {
+				options.TerraformOptions.Vars[key] = value
+			}
+
+			_, err := terraform.InitE(t, options.TerraformOptions)
+			require.NoError(t, err)
+
+			output, err := terraform.PlanE(t, options.TerraformOptions)
+			assert.Nil(t, err)
+			assert.NotNil(t, output)
+
+			for key := range tfVars {
+				delete(options.TerraformOptions.Vars, key)
+			}
+		})
 	}
 
 	// Test the DA when using IBM owned encryption key
@@ -291,10 +353,9 @@ func TestPlanValidation(t *testing.T) {
 	}
 
 	// Create a map of the variables
-	tfVarsMap := map[string]map[string]interface{}{
-		"standardSolutionWithElserModelVars":      standardSolutionWithElserModelVars,
-		"standardSolutionWithKibanaDashboardVars": standardSolutionWithKibanaDashboardVars,
-		"standardSolutionWithUseIbmOwnedEncKey":   standardSolutionWithUseIbmOwnedEncKey,
+	tfVarsMap = map[string]map[string]interface{}{
+		"standardSolutionWithElserModelVars":    standardSolutionWithElserModelVars,
+		"standardSolutionWithUseIbmOwnedEncKey": standardSolutionWithUseIbmOwnedEncKey,
 	}
 
 	_, initErr := terraform.InitE(t, options.TerraformOptions)

version.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "ibm-cloud/ibm"
-      version = ">= 1.70.0, <2.0.0"
+      version = ">= 1.79.1, <2.0.0"
     }
     null = {
       source  = "hashicorp/null"