feat: global pull secret

Dockerfile

@@ -14,7 +14,7 @@ RUN if [ "$SKIP_TESTS" = 'false' ]; then \
   npm install cspell && npm run spellcheck; fi
 
 #-----------------------------
-FROM otomi/tools:v1.4.16 as test
+FROM otomi/tools:v1.4.17 as test
 
 ENV APP_HOME=/home/app/stack
 RUN mkdir -p $APP_HOME
@@ -28,7 +28,7 @@ COPY --chown=app . .
 RUN if [ "$SKIP_TESTS" = 'false' ]; then bin/ci-tests.sh; fi
 
 #-----------------------------
-FROM otomi/tools:v1.4.16 as prod
+FROM otomi/tools:v1.4.17 as prod
 
 ENV APP_HOME=/home/app/stack
 RUN mkdir -p $APP_HOME

bin/gen-drone.sh

@@ -8,42 +8,40 @@ readonly enabled=$(yqr charts.drone.enabled || echo false)
 
 crypt
 
-readonly raw_receiver=$(yqr alerts.drone)
-readonly receiver=${raw_receiver:-'slack'}
+readonly template_path=$PWD/tpl/.drone.yml.gotmpl
+readonly target_path=$ENV_DIR/.drone.yml
 readonly branch=$(yqr charts.otomi-api.git.branch || echo 'main')
-readonly template_path=$PWD/tpl/.drone.tpl.$receiver.yml
-readonly customer_name=$(customer_name)
-
-if [ "$receiver" = 'slack' ]; then
-  key="url"
-  channel=$(yqr alerts.$receiver.channel | echo dev-mon)
-else
-  key="lowPrio"
+readonly cluster="$(yqr cluster.name)"
+readonly customer=$(customer_name)
+readonly global_pull_secret=$(yqr otomi.globalPullSecret)
+readonly image_tag="$(otomi_image_tag)"
+readonly provider=$(yqr alerts.drone)
+
+pull_policy="always"
+[ "${image_tag:0:1}" = "v" ] && pull_policy='if-not-exists'
+target=$target_path
+[ -n "$DRY_RUN" ] && target="/dev/stdout"
+
+if [ "$provider" != '' ]; then
+  if [ "$provider" = 'slack' ]; then
+    key="url"
+    channel=$(yqr alerts.$provider.channel | echo dev-mon)
+  else
+    key="lowPrio"
+  fi
+  readonly webhook=$(yqr alerts.$provider.$key)
 fi
 
-readonly webhook=$(yqr alerts.$receiver.$key)
-
-function template_drone_config() {
-  local target_path="$ENV_DIR/.drone.yml"
-  local image_tag="$(otomi_image_tag)"
-  local cluster="$(yqr cluster.name)"
-  local pullPolicy="always"
-  [ "${image_tag:0:1}" = "v" ] && pullPolicy='if-not-exists'
-
-  printf "${COLOR_LIGHT_PURPLE}Creating $target_path ${COLOR_NC}\n"
-
-  local target=$target_path
-  [ "${DRY_RUN-'false'}" = 'false' ] && target="/dev/stdout"
-
-  cat $template_path | sed \
-    -e "s/__CLUSTER/$cluster/g" \
-    -e "s/__IMAGE_TAG/$image_tag/g" \
-    -e "s|__WEBHOOK|$webhook|g" \
-    -e "s/__CUSTOMER/$customer_name/g" \
-    -e "s/__BRANCH/$branch/g" \
-    -e "s/__CHANNEL/$channel/g" \
-    -e "s/__PULL_POLICY/$pullPolicy/g" \
-    >$target
-}
-
-template_drone_config
+printf "${COLOR_LIGHT_PURPLE}Creating $target_path ${COLOR_NC}\n"
+
+cat $template_path | gucci \
+  -s imageTag="$image_tag" \
+  -s branch="$branch" \
+  -s cluster="$cluster" \
+  -s channel="$channel" \
+  -s customer="$customer" \
+  -s globalPullSecret="$global_pull_secret" \
+  -s provider="$provider" \
+  -s webhook="$webhook" \
+  -s pullPolicy="$pull_policy" \
+  >$target

bin/gen-sops.sh

@@ -2,32 +2,28 @@
 . bin/common.sh
 . bin/colors.sh
 
-readonly target_path="$ENV_DIR/.sops.yaml"
-
 declare -A map=(["aws"]="kms" ["azure"]="azure_keyvault" ["google"]="gcp_kms" ["vault"]="hc_vault_transit_uri")
 
 settings_file=$ENV_DIR/env/settings.yaml
 [ -f $settings_file ] && provider=$(cat $settings_file | yq r - kms.sops.provider)
 [ "$provider" = '' ] && echo "No sops information given. Assuming no sops enc/decryption needed." && exit
 
-readonly template_path="$PWD/tpl/.sops.yaml"
-readonly kmsProvider="${map[$provider]}"
-readonly kmsKeys=$(cat $settings_file | yq r - kms.sops.$provider.keys)
+readonly template_path="$PWD/tpl/.sops.yaml.gotmpl"
+readonly target_path="$ENV_DIR/.sops.yaml"
+readonly sops_provider="${map[$provider]}"
+readonly keys=$(cat $settings_file | yq r - kms.sops.$provider.keys)
+
+target=$target_path
+[ -n "$DRY_RUN" ] && target="/dev/stdout"
 
-echo "Creating sops file for provider $provider"
-function create_from_template() {
-  printf "${COLOR_LIGHT_PURPLE}Creating $target_path ${COLOR_NC}\n"
-  local target=$target_path
-  [ "${DRY_RUN-'false'}" = 'false' ] && target="/dev/stdout"
-  cat "$template_path" | sed \
-    -e "s@__PROVIDER@${kmsProvider}@g" \
-    -e "s@__KEYS@${kmsKeys}@g" \
-    >$target
-}
-create_from_template
+printf "${COLOR_LIGHT_PURPLE}Creating sops file for provider $provider${COLOR_NC}\n"
+cat "$template_path" | gucci \
+  -s provider="$sops_provider" \
+  -s keys="$keys" \
+  >$target
 
 if [ -z "$CI" ]; then
-  # we know we are in dev/ops mode and need to read the credentials for SOPS. We provide a location to
+  # we know we are in dev/ops mode and need to read the credentials for SOPS. We know the location to
   # provide those to this context: $ENV_DIR/.secrets (gitignored)
   [ ! -f $ENV_DIR/.secrets ] && err "Expecting $ENV_DIR/.secrets to exist and hold credentials for SOPS." && exit 1
   . $ENV_DIR/.secrets

bin/otomi

@@ -195,6 +195,7 @@ function drun() {
       -e DEBUG="$DEBUG" \
       -e KEEP_DEBUGGING="$KEEP_DEBUGGING" \
       -e TRACE="$TRACE" \
+      -e DRY_RUN="$DRY_RUN" \
       -e CI="$CI" \
       -w $stack_dir \
       $cmd_image \

chart/otomi/localtest.sh

@@ -1,6 +1,7 @@
 # Usage:
 # ENV_OUT=$PWD/../ENV_OUT VALUES_DIR=$PWD/../ chart/otomi/localtest.sh
 # With VALUES_DIR holding a file named values.yaml holding the initial chart values
+set -e
 
 function run_core() {
   image=$1

chart/otomi/scripts/bootstrap-values.sh

@@ -66,7 +66,8 @@ popd
 
 bin/bootstrap.sh
 
-crypt dec
+# decrypt before merging if we can
+[ -f $ENV_DIR/.sops.yaml ] && crypt dec
 
 # lastly copy the schema file
 cp values-schema.yaml $ENV_DIR/

charts/aws-alb-ingress-controller/templates/deployment.yaml

@@ -26,6 +26,12 @@ spec:
 {{ toYaml .Values.podAnnotations | indent 8}}
     {{- end }}
     spec:
+      {{- with .Values.image.pullSecrets }}
+      imagePullSecrets:
+        {{- range . }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
       {{- if .Values.priorityClassName }}
       priorityClassName: "{{ .Values.priorityClassName }}"
       {{- end }}

charts/cluster-overprovisioner/templates/deployments.yaml

@@ -11,7 +11,6 @@
 {{- $repository := .Values.image.repository }}
 {{- $imageTag := .Values.image.tag }}
 {{- $pullPolicy := .Values.image.pullPolicy }}
-{{- $imagePullSecrets := .Values.image.pullSecrets }}
 
 {{ range .Values.deployments }}
 apiVersion: apps/v1
@@ -51,9 +50,9 @@ spec:
           imagePullPolicy: {{ $pullPolicy }}
           resources:
             {{- toYaml .resources | nindent 12 }}
-    {{- if $imagePullSecrets }}
+    {{- with $.Values.image.pullSecrets }}
       imagePullSecrets:
-      {{- range $imagePullSecrets }}
+      {{- range . }}
         - name: {{ . }}
       {{- end }}
     {{- end }}

charts/demo-tlspass/templates/deployment.yaml

@@ -20,8 +20,13 @@ spec:
     spec:
       automountServiceAccountToken: true
       serviceAccountName: {{ include "demo-tlspass.serviceAccountName" . }}
-      securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      {{- with .Values.image.pullSecrets }}
+      imagePullSecrets:
+        {{- range . }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:

charts/drone-admit-members/templates/deployment.yaml

@@ -18,6 +18,12 @@ spec:
       labels:
         {{- include "drone-admit-members.selectorLabels" . | nindent 8 }}
     spec:
+      {{- with .Values.image.pullSecrets }}
+      imagePullSecrets:
+        {{- range . }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
       serviceAccountName: {{ include "drone-admit-members.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}

charts/drone/templates/deployment-agent.yaml

@@ -28,6 +28,9 @@ spec:
         release: "{{ .Release.Name }}"
         component: agent
     spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets: {{- toYaml . | nindent 8 }}
+      {{- end }}
 {{- if .Values.kubernetes.securityContext }}
       securityContext: 
         {{- toYaml .Values.kubernetes.securityContext | nindent 8 }}

charts/drone/templates/deployment-server.yaml

@@ -34,6 +34,9 @@ spec:
         release: "{{ .Release.Name }}"
         component: server
     spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets: {{- toYaml . | nindent 8 }}
+      {{- end }}
 {{- if .Values.server.securityContext }}
       securityContext: 
         {{- toYaml .Values.server.securityContext | nindent 8 }}

charts/drone/values.yaml

@@ -403,4 +403,5 @@ serviceAccount:
   ## imagePullSecrets:
   ## - dockerconfig
 
-extraRootCA: ''
+extraRootCA: ''
+imagePullSecrets: []

charts/ingress-azure/templates/deployment.yaml

@@ -31,6 +31,10 @@ spec:
         {{ $key }}: {{ $value | quote }}
         {{- end }}
     spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       {{- with .Values.kubernetes.securityContext }}
       securityContext: 
         {{- toYaml . | nindent 8 }}

charts/ingress-merge/templates/02_deployment.yaml

@@ -21,6 +21,10 @@ spec:
         app: {{ include "ingress-merge.name" . }}
         release: {{ .Release.Name }}
     spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       serviceAccountName: {{ if .Values.rbac.create }}{{ include "ingress-merge.fullname" . }}{{ else }}"{{ .Values.rbac.serviceAccountName }}"{{ end }}
       containers:
         - name: {{ .Chart.Name }}

charts/kube-descheduler/templates/cronjob.yaml

@@ -24,6 +24,10 @@ spec:
             {{- .Values.podLabels | toYaml | nindent 12 }}
             {{- end }}
         spec:
+          {{- with .Values.imagePullSecrets }}
+          imagePullSecrets:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           {{- if .Values.priorityClassName }}
           priorityClassName: {{ .Values.priorityClassName }}
           {{- end }}

charts/otomi-api/templates/deployment.yaml

@@ -23,6 +23,10 @@ spec:
         {{ $key }}: {{ $value | quote }}
         {{- end }}
     spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       serviceAccountName: {{ template "otomi-api.serviceAccountName" . }}
       securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:

charts/otomi-console/templates/deployment.yaml

@@ -22,6 +22,10 @@ spec:
         {{- end }}
       {{- end }}
     spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       serviceAccountName: {{ template "otomi-console.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}

charts/prometheus-msteams/templates/deployment.yaml

@@ -23,6 +23,10 @@ spec:
     {{ toYaml .Values.podAnnotations | indent 8 }}
     {{- end }}
     spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       volumes:
         - name: config-volume
           configMap: