NODE-5583 add docker registry secret to kubernetes test environment

wallarm · Aug 7, 2024 · 1b2ab24 · 1b2ab24
1 parent 20ea64c
commit 1b2ab24
Show file tree

Hide file tree

Showing 5 changed files with 76 additions and 6 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -174,6 +174,8 @@ jobs:
  env:
  SKIP_CLUSTER_CREATION: true
  SKIP_IMAGE_CREATION: true
+ DOCKERHUB_USER: ${{ steps.secrets.outputs.user }}
+ DOCKERHUB_PASSWORD: ${{ steps.secrets.outputs.password }}
  WALLARM_API_TOKEN: ${{ steps.secrets.outputs.api_token }}
  WALLARM_API_HOST: ${{ steps.secrets.outputs.api_host }}
  WALLARM_API_PRESET: ${{ steps.secrets.outputs.api_preset }}
@@ -216,7 +218,10 @@ jobs:
  role: ${{ secrets.VAULT_ROLE }}
  method: kubernetes
  path: kubernetes-ci
- secrets: kv-gitlab-ci/data/github/ingress api_token
+ secrets: |
+ kv-gitlab-ci/data/github/ingress api_token ;
+ kv-gitlab-ci/data/github/shared/dockerhub-creds user ;
+ kv-gitlab-ci/data/github/shared/dockerhub-creds password ;
 
  - name: Checkout
  uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
@@ -231,6 +236,9 @@ jobs:
  - name: Load images
  run: docker load -i controller-${{ env.ARCH }}.tar
 
+ - name: Login to DockerHub
+ run: echo ${{ steps.secrets.outputs.password }} | docker login -u ${{ steps.secrets.outputs.user }} --password-stdin
+
  - name: Create cluster
  run: kind create cluster --image=kindest/node:v1.25.8 --config test/e2e/kind.yaml
 
@@ -267,6 +275,22 @@ jobs:
  - name: Load controller images
  run: docker load -i controller-${{ env.ARCH }}.tar
 
+ - name: Import secrets
+ uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
+ id: secrets
+ with:
+ exportEnv: false
+ url: ${{ secrets.VAULT_URL }}
+ role: ${{ secrets.VAULT_ROLE }}
+ method: kubernetes
+ path: kubernetes-ci
+ secrets: |
+ kv-gitlab-ci/data/github/shared/dockerhub-creds user ;
+ kv-gitlab-ci/data/github/shared/dockerhub-creds password ;
+
+ - name: Login to DockerHub
+ run: echo ${{ steps.secrets.outputs.password }} | docker login -u ${{ steps.secrets.outputs.user }} --password-stdin
+
  - name: Create cluster
  run: kind create cluster --image=kindest/node:v1.25.8 --config test/e2e/kind.yaml
 
@@ -309,6 +333,8 @@ jobs:
  secrets: |
  kv-gitlab-ci/data/github/ingress api_token ;
  kv-gitlab-ci/data/github/ingress api_host ;
+ kv-gitlab-ci/data/github/shared/dockerhub-creds user ;
+ kv-gitlab-ci/data/github/shared/dockerhub-creds password ;
 
  - name: Checkout
  uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
@@ -321,6 +347,9 @@ jobs:
  - name: Load controller images
  run: docker load -i controller-${{ env.ARCH }}.tar
 
+ - name: Login to DockerHub
+ run: echo ${{ steps.secrets.outputs.password }} | docker login -u ${{ steps.secrets.outputs.user }} --password-stdin
+
  - name: Create cluster ${{ matrix.k8s }}
  run: kind create cluster --image=kindest/node:${{ matrix.k8s }} --config test/e2e/kind.yaml
 
@@ -357,6 +386,22 @@ jobs:
  - name: Load controller images
  run: docker load -i controller-${{ env.ARCH }}.tar
 
+ - name: Import secrets
+ uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
+ id: secrets
+ with:
+ exportEnv: false
+ url: ${{ secrets.VAULT_URL }}
+ role: ${{ secrets.VAULT_ROLE }}
+ method: kubernetes
+ path: kubernetes-ci
+ secrets: |
+ kv-gitlab-ci/data/github/shared/dockerhub-creds user ;
+ kv-gitlab-ci/data/github/shared/dockerhub-creds password ;
+ 
+ - name: Login to DockerHub
+ run: echo ${{ steps.secrets.outputs.password }} | docker login -u ${{ steps.secrets.outputs.user }} --password-stdin
+
  - name: Scan controller image
  uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a
  with:

diff --git a/charts/ingress-nginx/templates/tarantool-daemonset.yaml b/charts/ingress-nginx/templates/tarantool-daemonset.yaml
@@ -38,8 +38,8 @@ spec:
  {{- toYaml . | nindent 8 }}
  {{- end }}
  spec:
- {{- if .Values.controller.wallarm.imagePullSecrets }}
- imagePullSecrets: {{ toYaml .Values.controller.wallarm.imagePullSecrets | nindent 8 }}
+ {{- if .Values.imagePullSecrets }}
+ imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
  {{- end }}
  terminationGracePeriodSeconds: {{ .Values.controller.wallarm.tarantool.terminationGracePeriodSeconds }}
  initContainers:

diff --git a/charts/ingress-nginx/templates/tarantool-deployment.yaml b/charts/ingress-nginx/templates/tarantool-deployment.yaml
@@ -39,8 +39,8 @@ spec:
  {{- toYaml . | nindent 8 }}
  {{- end }}
  spec:
- {{- if .Values.controller.wallarm.imagePullSecrets }}
- imagePullSecrets: {{ toYaml .Values.controller.wallarm.imagePullSecrets | nindent 8 }}
+ {{- if .Values.imagePullSecrets }}
+ imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
  {{- end }}
  terminationGracePeriodSeconds: {{ .Values.controller.wallarm.tarantool.terminationGracePeriodSeconds }}
  initContainers:
@@ -145,4 +145,4 @@ spec:
  name: {{ template "ingress-nginx.wallarmTarantoolCronConfig" . }}
  {{- include "ingress-nginx.wallarmTokenVolume" . | nindent 8 }}
 {{- end }}
-{{- end }}
+{{- end }}
diff --git a/test/smoke/run.sh b/test/smoke/run.sh
@@ -41,6 +41,18 @@ export SMOKE_IMAGE_TAG="${SMOKE_IMAGE_TAG:-latest}"
 
 K8S_VERSION=${K8S_VERSION:-v1.25.8}
 
+
+DOCKERHUB_REGISTRY_SERVER="https://index.docker.io/v1/"
+
+# This will prevent the secret for index.docker.io from being used if the DOCKERHUB_USER is not set.
+if [ "${DOCKERHUB_USER:-false}" = "false" ]; then
+ DOCKERHUB_REGISTRY_SERVER="fake_docker_registry_server"
+fi
+
+DOCKERHUB_SECRET_NAME="dockerhub-secret"
+DOCKERHUB_USER="${DOCKERHUB_USER:-fake_user}"
+DOCKERHUB_PASSWORD="${DOCKERHUB_PASSWORD:-fake_password}"
+
 set -o errexit
 set -o nounset
 set -o pipefail
@@ -97,6 +109,15 @@ EOF
  fi
 fi
 
+# create docker-registry secret
+echo "[test-env] creating secret docker-registry ..."
+kubectl create secret docker-registry ${DOCKERHUB_SECRET_NAME} \
+ --docker-server=${DOCKERHUB_REGISTRY_SERVER} \
+ --docker-username="${DOCKERHUB_USER}" \
+ --docker-password="${DOCKERHUB_PASSWORD}" \
+ --docker-email=docker-pull@unexists.unexists
+
+
 if [ "${SKIP_IMAGE_CREATION:-false}" = "false" ]; then
  echo "[test-env] building controller image..."
  make -C "${DIR}"/../../ clean-image build image
@@ -129,6 +150,8 @@ trap describe_pods_on_exit EXIT
 echo "[test-env] installing Helm chart using TAG=${TAG} ..."
 cat << EOF | helm upgrade --install ingress-nginx "${DIR}/../../charts/ingress-nginx" --wait --values -
 fullnameOverride: wallarm-ingress
+imagePullSecrets:
+ - name: ${DOCKERHUB_SECRET_NAME}
 controller:
  wallarm:
  enabled: true

diff --git a/test/smoke/workload.yaml b/test/smoke/workload.yaml
@@ -70,6 +70,8 @@ spec:
  labels:
  app: workload
  spec:
+ imagePullSecrets:
+ - name: dockerhub-secret
  containers:
  - name: nginx
  image: nginx:stable-alpine