Add image pull secrets

jvalkeal · jvalkeal · commit 1d5ae33bfb01 · 2021-11-22T08:52:05.000Z
- Add missing pull secrets to monitoring container as its done everywhere else. - Fixes #4769
diff --git a/src/carvel/config/monitoring/_ytt_lib/grafana/grafana-deployment.yml b/src/carvel/config/monitoring/_ytt_lib/grafana/grafana-deployment.yml
@@ -1,5 +1,7 @@
 #@ load("grafana.lib.yml", "name")
 #@ load("grafana.lib.yml", "grafana_image")
+#@ load("grafana.star", "has_image_pull_secrets")
+#@ load("grafana.star", "image_pull_secrets")
 
 apiVersion: apps/v1
 kind: Deployment
@@ -43,6 +45,11 @@ spec:
             - name: config
               mountPath: "/etc/grafana/provisioning/datasources/datasources.yaml"
               subPath: datasources.yaml
+      #@ if has_image_pull_secrets():
+      imagePullSecrets: #@ image_pull_secrets()
+      #@ else:
+      imagePullSecrets: [{name: reg-creds}]
+      #@ end
       volumes:
         - name: config
           configMap:
diff --git a/src/carvel/config/monitoring/_ytt_lib/grafana/grafana.star b/src/carvel/config/monitoring/_ytt_lib/grafana/grafana.star
@@ -0,0 +1,17 @@
+load("@ytt:data", "data")
+
+def non_empty_string(value):
+  return type(value) == "string" and len(value) > 0
+end
+
+def has_image_pull_secrets():
+  return non_empty_string(data.values.registrySecretRef)
+end
+
+def registry_secret_ref():
+  return data.values.registrySecretRef
+end
+
+def image_pull_secrets():
+  return [{"name": registry_secret_ref()}]
+end
diff --git a/src/carvel/config/monitoring/_ytt_lib/grafana/values.yml b/src/carvel/config/monitoring/_ytt_lib/grafana/values.yml
@@ -8,3 +8,4 @@ image:
 service:
   spec:
     type: NodePort
+registrySecretRef: ""
diff --git a/src/carvel/config/monitoring/_ytt_lib/prometheus-rsocket-proxy/prometheus-rsocket-proxy-deployment.yml b/src/carvel/config/monitoring/_ytt_lib/prometheus-rsocket-proxy/prometheus-rsocket-proxy-deployment.yml
@@ -1,5 +1,7 @@
 #@ load("prometheus-rsocket-proxy.lib.yml", "name")
 #@ load("prometheus-rsocket-proxy.lib.yml", "prometheus_rsocket_proxy_image")
+#@ load("prometheus-rsocket-proxy.star", "has_image_pull_secrets")
+#@ load("prometheus-rsocket-proxy.star", "image_pull_secrets")
 
 apiVersion: apps/v1
 kind: Deployment
@@ -32,6 +34,11 @@ spec:
             requests:
               cpu: 0.5
               memory: 1024Mi
+      #@ if has_image_pull_secrets():
+      imagePullSecrets: #@ image_pull_secrets()
+      #@ else:
+      imagePullSecrets: [{name: reg-creds}]
+      #@ end
       securityContext:
         fsGroup: 2000
         runAsNonRoot: true
diff --git a/src/carvel/config/monitoring/_ytt_lib/prometheus-rsocket-proxy/prometheus-rsocket-proxy.star b/src/carvel/config/monitoring/_ytt_lib/prometheus-rsocket-proxy/prometheus-rsocket-proxy.star
@@ -0,0 +1,17 @@
+load("@ytt:data", "data")
+
+def non_empty_string(value):
+  return type(value) == "string" and len(value) > 0
+end
+
+def has_image_pull_secrets():
+  return non_empty_string(data.values.registrySecretRef)
+end
+
+def registry_secret_ref():
+  return data.values.registrySecretRef
+end
+
+def image_pull_secrets():
+  return [{"name": registry_secret_ref()}]
+end
diff --git a/src/carvel/config/monitoring/_ytt_lib/prometheus-rsocket-proxy/values.yml b/src/carvel/config/monitoring/_ytt_lib/prometheus-rsocket-proxy/values.yml
@@ -5,3 +5,4 @@ image:
   repository: micrometermetrics/prometheus-rsocket-proxy
   tag: 1.0.0
   digest: ""
+registrySecretRef: ""
diff --git a/src/carvel/config/monitoring/_ytt_lib/prometheus/prometheus-deployment.yml b/src/carvel/config/monitoring/_ytt_lib/prometheus/prometheus-deployment.yml
@@ -1,5 +1,7 @@
 #@ load("prometheus.lib.yml", "name")
 #@ load("prometheus.lib.yml", "prometheus_image")
+#@ load("prometheus.star", "has_image_pull_secrets")
+#@ load("prometheus.star", "image_pull_secrets")
 
 apiVersion: apps/v1
 kind: Deployment
@@ -32,6 +34,11 @@ spec:
               mountPath: /etc/prometheus/
             - name: prometheus-storage-volume
               mountPath: /prometheus/
+      #@ if has_image_pull_secrets():
+      imagePullSecrets: #@ image_pull_secrets()
+      #@ else:
+      imagePullSecrets: [{name: reg-creds}]
+      #@ end
       volumes:
         - name: prometheus-config-volume
           configMap:
diff --git a/src/carvel/config/monitoring/_ytt_lib/prometheus/prometheus.star b/src/carvel/config/monitoring/_ytt_lib/prometheus/prometheus.star
@@ -0,0 +1,17 @@
+load("@ytt:data", "data")
+
+def non_empty_string(value):
+  return type(value) == "string" and len(value) > 0
+end
+
+def has_image_pull_secrets():
+  return non_empty_string(data.values.registrySecretRef)
+end
+
+def registry_secret_ref():
+  return data.values.registrySecretRef
+end
+
+def image_pull_secrets():
+  return [{"name": registry_secret_ref()}]
+end
diff --git a/src/carvel/config/monitoring/_ytt_lib/prometheus/values.yml b/src/carvel/config/monitoring/_ytt_lib/prometheus/values.yml
@@ -5,3 +5,4 @@ image:
   repository: springcloud/spring-cloud-dataflow-prometheus-local
   tag: ""
   digest: ""
+registrySecretRef: ""
diff --git a/src/carvel/config/monitoring/monitoring.lib.yml b/src/carvel/config/monitoring/monitoring.lib.yml
@@ -12,16 +12,19 @@ image: #@ data.values.scdf.feature.monitoring.grafana.image
 service:
   spec:
     type: #@ data.values.scdf.feature.monitoring.grafana.service.type
+registrySecretRef: #@ data.values.scdf.registry.secret.ref
 #@ end
 
 #@ def prometheus_values():
 name: prometheus
 image: #@ data.values.scdf.feature.monitoring.prometheus.image
+registrySecretRef: #@ data.values.scdf.registry.secret.ref
 #@ end
 
 #@ def prometheus_rsocket_proxy_values():
 name: prometheus-rsocket-proxy
 image: #@ data.values.scdf.feature.monitoring.prometheusRsocketProxy.image
+registrySecretRef: #@ data.values.scdf.registry.secret.ref
 #@ end
 
 #@ def monitoring_config():
diff --git a/src/carvel/test/secrets.test.ts b/src/carvel/test/secrets.test.ts
@@ -58,6 +58,32 @@ describe('secrets', () => {
     expect(secret).toBeTruthy();
   });
 
+  it('should add carvel secretgen on default 3', async () => {
+    // see above test for as this is just same with different setup
+    const result = await execYtt({
+      files: ['config'],
+      dataValueYamls: [
+        ...DEFAULT_REQUIRED_DATA_VALUES,
+        'scdf.feature.monitoring.prometheus.enabled=true',
+        'scdf.feature.monitoring.grafana.enabled=true',
+        'scdf.feature.monitoring.prometheusRsocketProxy.enabled=true'
+      ]
+    });
+    expect(result.success, result.stderr).toBeTruthy();
+    const yaml = result.stdout;
+
+    const pods = findPodSpecsWithImagePullSecrets(yaml);
+    expect(pods).toHaveLength(8);
+
+    // all default pull secrets need to ref to reg-creds
+    const refs = pods.flatMap(p => p.imagePullSecrets?.[0].name);
+    expect(refs).toHaveLength(8);
+    expect(refs.every(r => r === 'reg-creds')).toBeTrue();
+
+    const secret = findSecret(yaml, 'reg-creds');
+    expect(secret).toBeTruthy();
+  });
+
   it('should add manual image pull secret if defined 1', async () => {
     const result = await execYtt({
       files: ['config'],
@@ -105,4 +131,28 @@ describe('secrets', () => {
     const secret = findSecret(yaml, 'reg-creds');
     expect(secret).toBeFalsy();
   });
+
+  it('should add manual image pull secret if defined 3', async () => {
+    const result = await execYtt({
+      files: ['config'],
+      dataValueYamls: [
+        ...DEFAULT_REQUIRED_DATA_VALUES,
+        'scdf.feature.monitoring.prometheus.enabled=true',
+        'scdf.feature.monitoring.grafana.enabled=true',
+        'scdf.feature.monitoring.prometheusRsocketProxy.enabled=true',
+        'scdf.registry.secret.ref=fakeref'
+      ]
+    });
+    expect(result.success, result.stderr).toBeTruthy();
+    const yaml = result.stdout;
+    const pods = findPodSpecsWithImagePullSecrets(yaml);
+    expect(pods).toHaveLength(8);
+
+    const refs = pods.flatMap(p => p.imagePullSecrets?.[0].name);
+    expect(refs).toHaveLength(8);
+    expect(refs.every(r => r === 'fakeref')).toBeTrue();
+
+    const secret = findSecret(yaml, 'reg-creds');
+    expect(secret).toBeFalsy();
+  });
 });
