Replace cert copier image (#2116)

* fix pre-commit * fix hardcoded imagePullPolicy * fix naming * add app labels * add version tag in daemonset * fix pre-commit
astronomer · Feb 7, 2024 · 193da85 · 193da85
1 parent c2e0cb6
commit 193da85
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 6 deletions.
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
@@ -47,3 +47,21 @@ nginx.ingress.kubernetes.io/auth-url: https://houston.{{ .Values.global.baseDoma
 {{ .Values.global.loggingSidecar.image }}
 {{- end }}
 {{- end }}
+
+{{ define "certCopier.image" -}}
+{{- if .Values.global.privateRegistry.enabled -}}
+{{ .Values.global.privateRegistry.repository }}/ap-base:{{ .Values.global.privateCaCertsAddToHost.certCopier.tag }}
+{{- else -}}
+{{ .Values.global.privateCaCertsAddToHost.certCopier.repository }}:{{ .Values.global.privateCaCertsAddToHost.certCopier.tag }}
+{{- end }}
+{{- end }}
+
+{{/*
+Return the proper Docker Image Registry Secret Names
+*/}}
+{{- define "certCopier.imagePullSecrets" -}}
+{{- if and .Values.global.privateRegistry.enabled .Values.global.privateRegistry.secretName }}
+imagePullSecrets:
+  - name: {{ .Values.global.privateRegistry.secretName }}
+{{- end -}}
+{{- end -}}
diff --git a/templates/trust-private-ca-on-all-nodes/containerd-daemonset.yaml b/templates/trust-private-ca-on-all-nodes/containerd-daemonset.yaml
@@ -28,25 +28,28 @@ spec:
   template:
     metadata:
       labels:
+        app: containerd-private-ca
         tier: platform
         component: containerd-private-ca
         release: {{ .Release.Name }}
+        version: {{ .Chart.Version }}
       annotations:
         checksum/configmap: {{ include (print $.Template.BasePath "/trust-private-ca-on-all-nodes/containerd-ca-update-script.yaml") . | sha256sum }}
     spec:
 {{- if .Values.global.privateCaCertsAddToHost.containerdnodeAffinitys }}
       affinity:
 {{ toYaml .Values.global.privateCaCertsAddToHost.containerdnodeAffinitys  | indent 8 }}
 {{ end }}
+{{- include "certCopier.imagePullSecrets" . | indent 6 }}
       containers:
       - name: cert-copy-and-toml-update
-        image: {{ .Values.global.privateCaCertsAddToHost.certCopier.repository }}:{{ .Values.global.privateCaCertsAddToHost.certCopier.tag }}
+        image: {{ include "certCopier.image" . }}
         command:
           - "sh"
           - "-c"
         args:
           - sh /cert-copy-and-toml-update.sh
-        imagePullPolicy: IfNotPresent
+        imagePullPolicy: {{ .Values.global.privateCaCertsAddToHost.certCopier.pullPolicy }}
         securityContext:
           runAsUser: 0
           privileged: true

diff --git a/templates/trust-private-ca-on-all-nodes/daemonset.yaml b/templates/trust-private-ca-on-all-nodes/daemonset.yaml
@@ -28,20 +28,23 @@ spec:
   template:
     metadata:
       labels:
+        app: private-ca
         tier: platform
         component: private-ca
         release: {{ .Release.Name }}
+        version: {{ .Chart.Version }}
     spec:
       serviceAccountName: {{ .Release.Name }}-private-ca
+{{- include "certCopier.imagePullSecrets" . | indent 6 }}
       containers:
       - name: cert-copy
-        image: {{ .Values.global.privateCaCertsAddToHost.certCopier.repository }}:{{ .Values.global.privateCaCertsAddToHost.certCopier.tag }}
+        image: {{ include "certCopier.image" . }}
         command:
           - "sh"
           - "-c"
         args:
           - "while true; do date; cp -v /private-ca-certs/* /host-trust-store/; sleep 10; done"
-        imagePullPolicy: IfNotPresent
+        imagePullPolicy: {{ .Values.global.privateCaCertsAddToHost.certCopier.pullPolicy }}
         volumeMounts:
         - name: hostcerts
           mountPath: /host-trust-store

diff --git a/tests/enable_all_features.yaml b/tests/enable_all_features.yaml
@@ -15,6 +15,9 @@ global:
   pspEnabled: true
   taskUsageMetricsEnabled: True
   veleroEnabled: true
+  privateCaCertsAddToHost:
+    enabled: true
+    addToContainerd: true
 prometheus-node-exporter:
   rbac:
     create: true

diff --git a/values.yaml b/values.yaml
@@ -25,8 +25,8 @@ global:
     containerdConfigToml: ~
     containerdnodeAffinitys: []
     certCopier:
-      repository: alpine
-      tag: 3.18
+      repository: quay.io/astronomer/ap-base
+      tag: 3.18.5
       pullPolicy: IfNotPresent
   # Global flag to enable to user to enable/disable Astronomer platform
   # level Network Policy