From 4a3b8ff6548142841d51441ae343b6421be00496 Mon Sep 17 00:00:00 2001 From: Angie Wang Date: Mon, 11 Feb 2019 11:34:48 -0500 Subject: [PATCH] Add imagePullSecrets in service account template The functionality of local docker registry authentication will be enabled in commit https://review.openstack.org/#/c/626355/. However, the OSH doesn't support a way to pass credentials to kubernetes to pull images from a registry with authentication turned on. This commit adds a "imagePullSecrets" field in service account template resource and references the well-known secret "default-registry-key" which created in sysinv during application apply. With this change, kubernetes will pull images from local registry using this secret. Note: - This is short-term solution. The long-term solution is to implement the BP https://blueprints.launchpad.net/openstack-helm/+spec/support -docker-registry-with-authentication-turned-on which creates the secret in chart and pass the secret in service account conditionally. - It works with an unauthed registry and non-existent or existent secret "default-registry-key" as well. Change-Id: Icdff8b385cee7f8b0311086ae892b3b1edacea37 Story: 2002840 Task: 28945 Signed-off-by: Angie Wang --- .../centos/build_srpm.data | 2 +- .../centos/openstack-helm-infra.spec | 2 ++ ...-imagePullSecrets-in-service-account.patch | 25 +++++++++++++++++++ 3 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 openstack/openstack-helm-infra/files/Add-imagePullSecrets-in-service-account.patch diff --git a/openstack/openstack-helm-infra/centos/build_srpm.data b/openstack/openstack-helm-infra/centos/build_srpm.data index 0fbc4ee3..22d2fa85 100644 --- a/openstack/openstack-helm-infra/centos/build_srpm.data +++ b/openstack/openstack-helm-infra/centos/build_srpm.data @@ -5,4 +5,4 @@ TAR="$TAR_NAME-$SHA.tar.gz" COPY_LIST="${CGCS_BASE}/downloads/$TAR $PKG_BASE/files/*" -TIS_PATCH_VER=6 +TIS_PATCH_VER=7 diff --git a/openstack/openstack-helm-infra/centos/openstack-helm-infra.spec b/openstack/openstack-helm-infra/centos/openstack-helm-infra.spec index 66e2aab0..4f9ca215 100644 --- a/openstack/openstack-helm-infra/centos/openstack-helm-infra.spec +++ b/openstack/openstack-helm-infra/centos/openstack-helm-infra.spec @@ -20,6 +20,7 @@ Patch02: Mariadb-Support-adoption-of-running-single-node-mari.patch Patch03: Mariadb-Share-container-PID-namespaces-under-docker.patch Patch04: 0004-Allow-multiple-containers-per-daemonset-pod.patch Patch05: fix-type-error-to-streamline-single-replica-mariadb-.patch +Patch06: Add-imagePullSecrets-in-service-account.patch BuildRequires: helm @@ -33,6 +34,7 @@ Openstack Helm Infra charts %patch03 -p1 %patch04 -p1 %patch05 -p1 +%patch06 -p1 %build # initialize helm and build the toolkit diff --git a/openstack/openstack-helm-infra/files/Add-imagePullSecrets-in-service-account.patch b/openstack/openstack-helm-infra/files/Add-imagePullSecrets-in-service-account.patch new file mode 100644 index 00000000..15e566d5 --- /dev/null +++ b/openstack/openstack-helm-infra/files/Add-imagePullSecrets-in-service-account.patch @@ -0,0 +1,25 @@ +From c432facb61964b1f5f3a0522083ef9e830697f4c Mon Sep 17 00:00:00 2001 +From: Angie Wang +Date: Mon, 11 Feb 2019 11:29:03 -0500 +Subject: [PATCH] Add imagePullSecrets in service account + +--- + helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl +index b4cf1a6..2f4113b 100644 +--- a/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl ++++ b/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl +@@ -44,6 +44,8 @@ kind: ServiceAccount + metadata: + name: {{ $saName }} + namespace: {{ $saNamespace }} ++imagePullSecrets: ++ - name: default-registry-key + {{- range $k, $v := $deps -}} + {{- if eq $k "services" }} + {{- range $serv := $v }} +-- +1.8.3.1 +