Merge pull request #18 from paulczar/repo-creds

Allow user to specify registry credentials in values or via a premade secret.
viglesiasce · Jul 21, 2018 · c43836b · c43836b
2 parents 1f30a21 + 40c50ac
commit c43836b
Show file tree

Hide file tree

Showing 5 changed files with 67 additions and 3 deletions.
diff --git a/stable/spinnaker/README.md b/stable/spinnaker/README.md
@@ -60,6 +60,32 @@ for Spinnaker. If you want to add arbitrary clusters need to do the following:
       deploymentContext: my-context
     ```
 
+## Specifying Docker Registries and Valid Images (Repositories)
+
+Spinnaker will only give you access to Docker images that have been whitelisted, if you're using a private registry or a private repository you also need to provide credentials.  Update the following values of the chart to do so:
+
+    ```yaml
+    dockerRegistries:
+    - name: dockerhub
+      address: index.docker.io
+      repositories:
+        - library/alpine
+        - library/ubuntu
+        - library/centos
+        - library/nginx
+    # - name: gcr
+    #   address: https://gcr.io
+    #   username: _json_key
+    #   password: '<INSERT YOUR SERVICE ACCOUNT JSON HERE>'
+    #   email: [email protected]
+    ```
+
+You can provide passwords as a Helm value, or you can use a pre-created secret containing your registry passwords.  The secret should have an item per Registry in the format: `<registry name>: <password>`. In which case you'll specify the secret to use in `dockerRegistryAccountSecret` like so:
+
+    ```yaml
+    dockerRegistryAccountSecret: myregistry-secrets
+    ```
+
 ## Customizing your installation
 
 ### Manual

diff --git a/stable/spinnaker/templates/configmap/halyard-config.yaml b/stable/spinnaker/templates/configmap/halyard-config.yaml
@@ -6,6 +6,8 @@ metadata:
 {{ include "spinnaker.standard-labels" . | indent 4 }}
 data:
   install.sh: |
+    #!/bin/bash
+
     # Wait for the Hal daemon to be ready
     export DAEMON_ENDPOINT=http://{{ template "spinnaker.fullname" . }}-halyard:8064
     export HAL_COMMAND="hal --daemon-endpoint $DAEMON_ENDPOINT"
@@ -63,8 +65,17 @@ data:
       PROVIDER_COMMAND='add'
     fi
 
+    CREDS=""
+    {{ if $registry.username -}}
+    CREDS+="--username {{ $registry.username }} --password-file /opt/registry/passwords/{{ $registry.name }}"
+    {{ if $registry.email -}}
+    CREDS+=" --email {{ $registry.email }}"
+    {{- end -}}
+    {{- end }}
+
     $HAL_COMMAND config provider docker-registry account $PROVIDER_COMMAND {{ $registry.name }} --address {{ $registry.address }} \
-        --repositories {{ range $index, $repository := $registry.repositories }}{{- $repository }},{{- end }}
+        ${CREDS} --repositories {{ range $index, $repository := $registry.repositories }}{{if $index}},{{end}}{{- $repository }}{{- end }}
+
     {{- end }}
 
     $HAL_COMMAND config provider kubernetes enable

diff --git a/stable/spinnaker/templates/secrets/registry.yaml b/stable/spinnaker/templates/secrets/registry.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.dockerRegistryAccountSecret }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -7,6 +8,7 @@ metadata:
     component: clouddriver
 type: Opaque
 data:
-  {{- range $index, $account := .Values.accounts }}
-  password-{{ $account.name }}: {{ default "" $account.password | b64enc | quote }}
+  {{- range $index, $account := .Values.dockerRegistries }}
+  {{ $account.name }}: {{ default "" $account.password | b64enc | quote }}
   {{- end }}
+{{- end }}
diff --git a/stable/spinnaker/templates/statefulsets/halyard.yaml b/stable/spinnaker/templates/statefulsets/halyard.yaml
@@ -52,6 +52,13 @@ spec:
         secret:
           secretName: {{ template "spinnaker.fullname" . }}-gcs
       {{- end }}
+      - name: reg-secrets
+        secret:
+          {{- if .Values.dockerRegistryAccountSecret }}
+          secretName: {{ .Values.dockerRegistryAccountSecret }}
+          {{- else }}
+          secretName: {{ template "spinnaker.fullname" .}}-registry
+          {{- end }}
       {{- if and .Values.s3.enabled .Values.s3.accessKey .Values.s3.secretKey }}
       - name: s3-secrets
         secret:
@@ -82,6 +89,8 @@ spec:
           mountPath: /home/spinnaker
         - name: halyard-config
           mountPath: /opt/halyard/config
+        - name: reg-secrets
+          mountPath: /opt/registry/passwords
   volumeClaimTemplates:
   - metadata:
       name: halyard-home

diff --git a/stable/spinnaker/values.yaml b/stable/spinnaker/values.yaml
@@ -31,6 +31,15 @@ dockerRegistries:
 #   password: '<INSERT YOUR SERVICE ACCOUNT JSON HERE>'
 #   email: [email protected]
 
+# If you don't want to put your passwords into a values file
+# you can use a pre-created secret instead of putting passwords
+# (specify secret name in below `dockerRegistryAccountSecret`)
+# per account above with data in the format:
+# <name>: <password>
+
+# dockerRegistryAccountSecret: myregistry-secrets
+
+
 kubeConfig:
   # Use this when you want to register arbitrary clusters with Spinnaker
   # Upload your ~/kube/.config to a secret
@@ -78,6 +87,10 @@ redis:
   nodeSelector: {}
   cluster:
     enabled: false
+# Uncomment if you don't want to create a PVC for redis
+#  master:
+#    persistence:
+#      enabled: false
 
 # Minio access/secret keys for the in-cluster S3 usage
 # Minio is not exposed publically
@@ -89,6 +102,9 @@ minio:
   secretKey: spinnakeradmin
   bucket: "spinnaker"
   nodeSelector: {}
+# Uncomment if you don't want to create a PVC for minio
+#  persistence:
+#    enabled: false
 
 gcs:
   enabled: false