From 0c85a33c4e312593afebbd12753f725000a97bca Mon Sep 17 00:00:00 2001 From: Andy Roth Date: Fri, 5 Nov 2021 15:03:10 -0700 Subject: [PATCH] Add authentication to utility registry (#144) 
Signed-off-by: Jeff McCoy --- assets/manifests/registry/registry.yaml | 2 + assets/misc/registries.yaml | 6 ++ cli/internal/k3s/install.go | 7 +++ cli/internal/packager/deploy.go | 11 +++- cli/internal/utils/auth.go | 36 +++++++++++ cli/internal/utils/htpasswd.go | 15 +++++ examples/Makefile | 10 +-- examples/Vagrantfile | 2 +- examples/appliance/README.md | 7 --- examples/appliance/manifests/podinfo.yaml | 26 -------- examples/appliance/zarf.yaml | 17 ------ .../big-bang/manifests/other_manifests.yaml | 28 +++++++++ .../big-bang/template/bigbang/values.yaml | 5 ++ .../manifests/data-injection.yaml | 2 + .../manifests/image-pull-secret.yaml | 27 ++++++++ examples/game/manifests/game.yaml | 5 ++ .../game/manifests/image-pull-secret.yaml | 27 ++++++++ .../{namespaces.yaml => 000-namespaces.yaml} | 0 .../manifests/image-pull-secret.yaml | 61 +++++++++++++++++++ .../manifests/minio-operator.yaml | 22 ++++--- .../postgres-operator/manifests/pgadmin.yaml | 2 + .../manifests/postgres-cluster.yaml | 28 --------- .../manifests/postgres-operator-ui.yaml | 2 + .../manifests/postgres-operator.yaml | 2 + .../manifests/image-pull-secret.yaml | 27 ++++++++ .../manifests/twistlock.yaml | 3 + .../manifests/image-pull-secret.yaml | 55 +++++++++++++++++ examples/tiny-kafka/manifests/operator.yaml | 2 + go.mod | 2 + test/e2e/e2e_example_game_test.go | 2 +- 30 files changed, 345 insertions(+), 96 deletions(-) create mode 100644 cli/internal/utils/auth.go create mode 100644 cli/internal/utils/htpasswd.go delete mode 100644 examples/appliance/README.md delete mode 100644 examples/appliance/manifests/podinfo.yaml delete mode 100644 examples/appliance/zarf.yaml create mode 100644 examples/data-injection/manifests/image-pull-secret.yaml create mode 100644 examples/game/manifests/image-pull-secret.yaml rename examples/postgres-operator/manifests/{namespaces.yaml => 000-namespaces.yaml} (100%) create mode 100644 examples/postgres-operator/manifests/image-pull-secret.yaml delete mode 100644 
examples/postgres-operator/manifests/postgres-cluster.yaml create mode 100644 examples/single-big-bang-package/manifests/image-pull-secret.yaml create mode 100644 examples/tiny-kafka/manifests/image-pull-secret.yaml diff --git a/assets/manifests/registry/registry.yaml b/assets/manifests/registry/registry.yaml index f4bd5896ee..f76c5ed748 100644 --- a/assets/manifests/registry/registry.yaml +++ b/assets/manifests/registry/registry.yaml @@ -38,6 +38,8 @@ spec: image: repository: registry1.dso.mil/ironbank/opensource/docker/registry-v2 pullPolicy: Never + secrets: + htpasswd: ###ZARF_HTPASSWD### resources: requests: cpu: "100m" diff --git a/assets/misc/registries.yaml b/assets/misc/registries.yaml index 319470cfc4..ee68ff688f 100644 --- a/assets/misc/registries.yaml +++ b/assets/misc/registries.yaml @@ -11,3 +11,9 @@ mirrors: registry-1.docker.io: endpoint: - "https://127.0.0.1" + ghcr.io: + endpoint: + - "https://127.0.0.1" + registry.opensource.zalan.do: + endpoint: + - "https://127.0.0.1" diff --git a/cli/internal/k3s/install.go b/cli/internal/k3s/install.go index e8af1a1f9a..a45ca37411 100644 --- a/cli/internal/k3s/install.go +++ b/cli/internal/k3s/install.go @@ -37,6 +37,13 @@ func Install(options InstallOptions) { gitSecret := git.GetOrCreateZarfSecret() + // Now that we have what the password will be, we should add the login entry to the system's registry config + err := utils.Login(config.ZarfLocalIP, config.ZarfGitUser, gitSecret) + if err != nil { + logrus.Debug(err) + logrus.Fatal("Unable to add login credentials for the utility registry") + } + logrus.Info("Installation complete. You can run \"/usr/local/bin/k9s\" to monitor the status of the deployment.") logrus.WithFields(logrus.Fields{ "Gitea Username (if installed)": config.ZarfGitUser, diff --git a/cli/internal/packager/deploy.go b/cli/internal/packager/deploy.go index 5128691379..f57d436a2c 100644 --- a/cli/internal/packager/deploy.go +++ b/cli/internal/packager/deploy.go 
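Review bot: The new `err := utils.Login(config.ZarfLocalIP, config.ZarfGitUser, gitSecret)` line in install.go reuses `gitSecret`, the value returned by `git.GetOrCreateZarfSecret()` for Gitea, as the utility registry's password, so a single secret now protects both services and is additionally persisted on the host by `Login`. If that coupling is intended, say so at the call site, e.g. `// The Gitea secret doubles as the utility-registry password; rotating one rotates both.` The `logrus.Debug(err)` before `logrus.Fatal(...)` means the underlying cause is only visible at debug verbosity; `logrus.Fatalf("Unable to add login credentials for the utility registry: %v", err)` keeps it in the fatal line. Install's body continues outside the hunk.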
@@ -2,7 +2,9 @@ package packager
 
 import (
 "crypto/sha256"
+ "encoding/base64"
 "encoding/hex"
+ "fmt"
 "io"
 "net/http"
 "net/url"
@@ -168,10 +170,17 @@ func deployComponents(tempPath componentPaths, assets config.ZarfComponent) {
 // Get a list of all the k3s manifest files
 manifests := utils.RecursiveFileList(tempPath.manifests)
 
- // Iterate through all the manifests and replace any ZARF_SECRET values
+ // Iterate through all the manifests and replace any ZARF_SECRET, ZARF_HTPASSWD, or ZARF_DOCKERAUTH values
 for _, manifest := range manifests {
 logrus.WithField("path", manifest).Info("Processing manifest file")
 utils.ReplaceText(manifest, "###ZARF_SECRET###", gitSecret)
+ htpasswd, err := utils.GetHtpasswdString(config.ZarfGitUser, gitSecret)
+ if err != nil {
+ logrus.Debug(err)
+ logrus.Fatal("Unable to define `htpasswd` string for the Zarf user")
+ }
+ utils.ReplaceText(manifest, "###ZARF_HTPASSWD###", htpasswd)
+ utils.ReplaceText(manifest, "###ZARF_DOCKERAUTH###", base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", config.ZarfGitUser, gitSecret))))
 }
 
 utils.CreatePathAndCopy(tempPath.manifests, config.K3sManifestPath)
diff --git a/cli/internal/utils/auth.go b/cli/internal/utils/auth.go
new file mode 100644
index 0000000000..e85db38bb4
--- /dev/null
+++ b/cli/internal/utils/auth.go
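Review bot: `utils.GetHtpasswdString(config.ZarfGitUser, gitSecret)` is called inside `for _, manifest := range manifests`, so bcrypt at `DefaultCost` runs once per manifest file although neither argument changes between iterations; the same goes for the `base64` auth string built on the last added line. Hoist both above the loop so the hash is computed once and every manifest receives the same value — as written, each call draws a fresh salt, so different manifests end up with different hashes for the same credential, which is harmless but confusing when comparing rendered output. `deployComponents` starts and ends outside the hunk.
```go
// Compute the substitution values once: bcrypt is intentionally slow and
// the inputs do not vary per manifest.
htpasswd, err := utils.GetHtpasswdString(config.ZarfGitUser, gitSecret)
if err != nil {
	logrus.Debug(err)
	logrus.Fatal("Unable to define `htpasswd` string for the Zarf user")
}
dockerAuth := base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", config.ZarfGitUser, gitSecret)))
for _, manifest := range manifests {
	logrus.WithField("path", manifest).Info("Processing manifest file")
	utils.ReplaceText(manifest, "###ZARF_SECRET###", gitSecret)
	utils.ReplaceText(manifest, "###ZARF_HTPASSWD###", htpasswd)
	utils.ReplaceText(manifest, "###ZARF_DOCKERAUTH###", dockerAuth)
}
// … unchanged: CreatePathAndCopy …
```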
@@ -0,0 +1,36 @@
+package utils
+
+import (
+ "github.com/docker/cli/cli/config"
+ "github.com/docker/cli/cli/config/types"
+ "github.com/google/go-containerregistry/pkg/authn"
+ "github.com/google/go-containerregistry/pkg/name"
+ "log"
+ "os"
+)
+// Login adds the given creds to the user's Docker config, usually located at $HOME/.docker/config.yaml. It does not try
+// to connect to the given registry, it just simply adds another entry to the config file.
+// This function was mostly adapted from https://github.com/google/go-containerregistry/blob/5c9c442d5d68cd96787559ebf6e984c7eb084913/cmd/crane/cmd/auth.go
+func Login(serverAddress string, user string, password string) error {
+ cf, err := config.Load(os.Getenv("DOCKER_CONFIG"))
+ if err != nil {
+ return err
+ }
+ creds := cf.GetCredentialsStore(serverAddress)
+ if serverAddress == name.DefaultRegistry {
+ serverAddress = authn.DefaultAuthKey
+ }
+ if err := creds.Store(types.AuthConfig{
+ ServerAddress: serverAddress,
+ Username: user,
+ Password: password,
+ }); err != nil {
+ return err
+ }
+
+ if err := cf.Save(); err != nil {
+ return err
+ }
+ log.Printf("logged in via %s", cf.Filename)
+ return nil
+}
diff --git a/cli/internal/utils/htpasswd.go b/cli/internal/utils/htpasswd.go
new file mode 100644
index 0000000000..367b520767
--- /dev/null
+++ b/cli/internal/utils/htpasswd.go
@@ -0,0 +1,15 @@
+package utils
+
+import (
+ "fmt"
+ "golang.org/x/crypto/bcrypt"
+)
+
+// GetHtpasswdString converts a username and password to a properly formatted and hashed format for `htpasswd`
+func GetHtpasswdString(username string, password string) (string, error) {
+ hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+ if err != nil {
+ return "", err
+ }
+ return fmt.Sprintf("%s:%s", username, hash), nil
+}
diff --git a/examples/Makefile b/examples/Makefile
index bcbae194cc..a931433d0c 100755
--- a/examples/Makefile
+++ b/examples/Makefile
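Review bot: The doc comment on `Login` names `$HOME/.docker/config.yaml`, but docker/cli's `config.Load` reads and writes `config.json` — the very path the `log.Printf("logged in via %s", cf.Filename)` line prints — so the comment should say `config.json`. The password goes to whatever `cf.GetCredentialsStore(serverAddress)` returns; on a host with no credential helper configured that is the `auths` section of the file itself, where it is stored base64-encoded rather than encrypted, and the comment should state that, e.g. `// Without a credsStore/credHelper configured, the password is written base64-encoded (not encrypted) to the Docker config file.` `log.Printf` is also the only stdlib-log call in a patch that otherwise uses logrus (install.go, deploy.go); `logrus.Debugf("logged in via %s", cf.Filename)` would be consistent and keep the credential file's path out of default-verbosity output.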
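Review bot: `bcrypt.GenerateFromPassword` in `GetHtpasswdString` uses at most the first 72 bytes of `password` (the x/crypto revision pinned in this patch silently truncates, as far as I know, rather than returning an error), so if `gitSecret` can exceed that length the registry would accept any password sharing that prefix. Either state the limit in the doc comment, e.g. `// bcrypt hashes only the first 72 bytes of password; keep secrets within that bound.`, or reject longer inputs with `if len(password) > 72 { return "", fmt.Errorf("password longer than 72 bytes is truncated by bcrypt") }`. The username is interpolated unchecked and `:` is the htpasswd field separator, so a username containing `:` yields an entry the registry cannot parse; a one-line guard on `username` would cover it, though this is moot if `config.ZarfGitUser` is a fixed constant.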
@@ -54,16 +54,12 @@ vm-destroy: ## Cleanup plz @vagrant destroy -f .PHONY: package-examples -package-examples: package-example-big-bang package-example-appliance package-example-data-injection package-example-game package-example-single-big-bang-package package-example-tiny-kafka package-example-postgres-operator ## Create zarf packages from all examples +package-examples: package-example-big-bang package-example-data-injection package-example-game package-example-gitops-data package-example-single-big-bang-package package-example-tiny-kafka package-example-postgres-operator ## Create zarf packages from all examples .PHONY: package-example-big-bang package-example-big-bang: ## Create the Big Bang Core example cd big-bang && kustomize build template/bigbang > manifests/bigbang_generated.yaml && kustomize build template/flux > manifests/flux_generated.yaml && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/ -.PHONY: package-example-appliance -package-example-appliance: ## Create the Podinfo example - cd appliance && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/ - .PHONY: package-example-data-injection package-example-data-injection: ## Create the Data Injection example cd data-injection && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/ @@ -72,6 +68,10 @@ package-example-data-injection: ## Create the Data Injection example package-example-game: ## Create the Doom example cd game && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/ +.PHONY: package-example-gitops-data +package-example-gitops-data: ## Create the gitops-data example + cd gitops-data && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/ + .PHONY: package-example-single-big-bang-package package-example-single-big-bang-package: ## Create the Single Big Bang Package example cd single-big-bang-package && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/ 
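Review bot: The new `package-example-gitops-data` target runs `cd gitops-data && $(ZARF_BIN) package create --confirm`, and `package-examples` now depends on it, but no `examples/gitops-data` path appears anywhere in this patch's diffstat. Unless that directory already exists in the tree, `make package-examples` fails at this step; either add the example alongside the target or drop the target from this commit.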
diff --git a/examples/Vagrantfile b/examples/Vagrantfile index 2dfa5de0fb..9c104b0d62 100755 --- a/examples/Vagrantfile +++ b/examples/Vagrantfile @@ -30,6 +30,6 @@ Vagrant.configure("2") do |config| sysctl -w vm.max_map_count=262144 # Airgap images please - echo "0.0.0.0 registry.hub.docker.com hub.docker.com charts.helm.sh repo1.dso.mil github.com registry.dso.mil registry1.dso.mil docker.io index.docker.io auth.docker.io registry-1.docker.io dseasb33srnrn.cloudfront.net production.cloudflare.docker.com" >> /etc/hosts + echo "0.0.0.0 registry.opensource.zalan.do ghcr.io registry.hub.docker.com hub.docker.com charts.helm.sh repo1.dso.mil github.com registry.dso.mil registry1.dso.mil docker.io index.docker.io auth.docker.io registry-1.docker.io dseasb33srnrn.cloudfront.net production.cloudflare.docker.com" >> /etc/hosts SHELL end diff --git a/examples/appliance/README.md b/examples/appliance/README.md deleted file mode 100644 index f1bcc9e41f..0000000000 --- a/examples/appliance/README.md +++ /dev/null @@ -1,7 +0,0 @@ -## Zarf Appliance Mode Example - -This example demonstrates using Zarf in a very low-resources/singlue-use environment. In this mode there is no gitops service and Zarf is simple a standard means of wrapping airgap concerns for K3s. This example deploys a basic K3s cluster using Traefik 2 and configures TLS / airgap concerns to deploy [Podinfo](https://github.com/stefanprodan/podinfo). - -### Steps to use: -1. Create a Zarf cluster as outlined in the main [README](../../README.md#2-create-the-zarf-cluster) -2. Follow [step 3](../../README.md#3-add-resources-to-the-zarf-cluster) using this config in this folder diff --git a/examples/appliance/manifests/podinfo.yaml b/examples/appliance/manifests/podinfo.yaml deleted file mode 100644 index 3e9e70f724..0000000000 --- a/examples/appliance/manifests/podinfo.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -apiVersion: helm.cattle.io/v1 -kind: HelmChart -metadata: - name: podinfo -spec: - chart: https://%{KUBERNETES_API}%/static/charts/podinfo-6.0.0.tgz ---- -# See https://github.com/stefanprodan/podinfo for docs on this example demployment -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: demo-ingress - annotations: - kubernetes.io/ingress.class: "traefik" - traefik.ingress.kubernetes.io/router.middlewares: kube-system-ssl-redirect@kubernetescrd -spec: - rules: - - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: podinfo - port: - number: 9898 diff --git a/examples/appliance/zarf.yaml b/examples/appliance/zarf.yaml deleted file mode 100644 index 5fd409c822..0000000000 --- a/examples/appliance/zarf.yaml +++ /dev/null @@ -1,17 +0,0 @@ -kind: ZarfPackageConfig -metadata: - name: appliance-demo-pod-info - description: "Demo Zarf appliance mode with pod info" - -components: - - name: baseline - required: true - manifests: manifests - - charts: - - name: podinfo - url: https://stefanprodan.github.io/podinfo - version: 6.0.0 - - images: - - ghcr.io/stefanprodan/podinfo:6.0.0 diff --git a/examples/big-bang/manifests/other_manifests.yaml b/examples/big-bang/manifests/other_manifests.yaml index 0ea7bd4879..f81d5cddc9 100644 --- a/examples/big-bang/manifests/other_manifests.yaml +++ b/examples/big-bang/manifests/other_manifests.yaml @@ -7,3 +7,31 @@ metadata: stringData: username: "zarf-git-user" password: "###ZARF_SECRET###" +--- +apiVersion: v1 +kind: Secret +type: kubernetes.io/dockerconfigjson +metadata: + name: private-registry + namespace: flux-system +stringData: + .dockerconfigjson: | + { + "auths": { + "registry.dso.mil": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "registry1.dso.mil": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "docker.io": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "registry-1.docker.io": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "ghcr.io": { + "auth":"###ZARF_DOCKERAUTH###" + } + } + } 
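Review bot: The `private-registry` dockerconfigjson added to other_manifests.yaml keys the utility registry's credential under upstream hostnames (`registry.dso.mil`, `registry1.dso.mil`, `docker.io`, `registry-1.docker.io`, `ghcr.io`); that only works because those hosts are mirrored to `https://127.0.0.1` in `assets/misc/registries.yaml`, as the registries.yaml hunk in this patch suggests, and nothing in the manifest records that dependency. A comment above `.dockerconfigjson:` such as `# Hosts must match the mirrors in assets/misc/registries.yaml; the auth value is the local utility registry's, not an upstream credential.` would keep the two lists from drifting apart. The same block is duplicated verbatim in the new image-pull-secret.yaml files for data-injection, game, single-big-bang-package and tiny-kafka, and the postgres-operator copy already differs (it adds `registry.opensource.zalan.do`), so the comment belongs in each of them.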
diff --git a/examples/big-bang/template/bigbang/values.yaml b/examples/big-bang/template/bigbang/values.yaml index 722fbee2aa..c2ee39c8c1 100644 --- a/examples/big-bang/template/bigbang/values.yaml +++ b/examples/big-bang/template/bigbang/values.yaml @@ -1,5 +1,10 @@ domain: bigbang.dev +registryCredentials: + registry: "registry1.dso.mil" + username: "zarf-git-user" + password: "###ZARF_SECRET###" + git: existingSecret: "zarf-git-secret" diff --git a/examples/data-injection/manifests/data-injection.yaml b/examples/data-injection/manifests/data-injection.yaml index fb4a5e5bf1..acad2fcf15 100644 --- a/examples/data-injection/manifests/data-injection.yaml +++ b/examples/data-injection/manifests/data-injection.yaml @@ -16,3 +16,5 @@ spec: - name: data-injection image: registry1.dso.mil/ironbank/redhat/ubi/ubi8:8.4 command: ["/bin/sh", "-ec", "mkdir -p /test && while :; do ls -lah /test; sleep 5 ; done"] + imagePullSecrets: + - name: private-registry diff --git a/examples/data-injection/manifests/image-pull-secret.yaml b/examples/data-injection/manifests/image-pull-secret.yaml new file mode 100644 index 0000000000..89c000de16 --- /dev/null +++ b/examples/data-injection/manifests/image-pull-secret.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Secret +type: kubernetes.io/dockerconfigjson +metadata: + name: private-registry + namespace: demo +stringData: + .dockerconfigjson: | + { + "auths": { + "registry.dso.mil": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "registry1.dso.mil": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "docker.io": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "registry-1.docker.io": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "ghcr.io": { + "auth":"###ZARF_DOCKERAUTH###" + } + } + } diff --git a/examples/game/manifests/game.yaml b/examples/game/manifests/game.yaml index 1f5ccccc3b..431dadb803 100644 --- a/examples/game/manifests/game.yaml +++ b/examples/game/manifests/game.yaml 
@@ -2,6 +2,7 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: demo-ingress + namespace: default annotations: kubernetes.io/ingress.class: "traefik" traefik.ingress.kubernetes.io/router.middlewares: kube-system-ssl-redirect@kubernetescrd @@ -21,6 +22,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: game + namespace: default spec: selector: matchLabels: @@ -37,11 +39,14 @@ spec: - name: http containerPort: 8000 protocol: TCP + imagePullSecrets: + - name: private-registry --- apiVersion: v1 kind: Service metadata: name: game + namespace: default spec: type: ClusterIP selector: diff --git a/examples/game/manifests/image-pull-secret.yaml b/examples/game/manifests/image-pull-secret.yaml new file mode 100644 index 0000000000..38ffb35c9c --- /dev/null +++ b/examples/game/manifests/image-pull-secret.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Secret +type: kubernetes.io/dockerconfigjson +metadata: + name: private-registry + namespace: default +stringData: + .dockerconfigjson: | + { + "auths": { + "registry.dso.mil": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "registry1.dso.mil": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "docker.io": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "registry-1.docker.io": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "ghcr.io": { + "auth":"###ZARF_DOCKERAUTH###" + } + } + } diff --git a/examples/postgres-operator/manifests/namespaces.yaml b/examples/postgres-operator/manifests/000-namespaces.yaml similarity index 100% rename from examples/postgres-operator/manifests/namespaces.yaml rename to examples/postgres-operator/manifests/000-namespaces.yaml diff --git a/examples/postgres-operator/manifests/image-pull-secret.yaml b/examples/postgres-operator/manifests/image-pull-secret.yaml new file mode 100644 index 0000000000..291d51c9d0 --- /dev/null +++ b/examples/postgres-operator/manifests/image-pull-secret.yaml 
@@ -0,0 +1,61 @@ +apiVersion: v1 +kind: Secret +type: kubernetes.io/dockerconfigjson +metadata: + name: private-registry + namespace: minio-operator +stringData: + .dockerconfigjson: | + { + "auths": { + "registry.dso.mil": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "registry1.dso.mil": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "docker.io": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "registry-1.docker.io": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "ghcr.io": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "registry.opensource.zalan.do": { + "auth":"###ZARF_DOCKERAUTH###" + } + } + } +--- +apiVersion: v1 +kind: Secret +type: kubernetes.io/dockerconfigjson +metadata: + name: private-registry + namespace: postgres-operator +stringData: + .dockerconfigjson: | + { + "auths": { + "registry.dso.mil": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "registry1.dso.mil": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "docker.io": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "registry-1.docker.io": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "ghcr.io": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "registry.opensource.zalan.do": { + "auth":"###ZARF_DOCKERAUTH###" + } + } + } diff --git a/examples/postgres-operator/manifests/minio-operator.yaml b/examples/postgres-operator/manifests/minio-operator.yaml index 2958091083..8736dbe7fa 100644 --- a/examples/postgres-operator/manifests/minio-operator.yaml +++ b/examples/postgres-operator/manifests/minio-operator.yaml 
@@ -6,17 +6,19 @@ metadata: spec: chart: https://%{KUBERNETES_API}%/static/charts/minio-operator-4.2.3-bb.1.tgz targetNamespace: minio-operator - # https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio-operator/-/blob/2.0.9-bb.3/chart/values.yaml + # https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio-operator/-/blob/4.2.3-bb.1/chart/values.yaml valuesContent: |- + imagePullSecrets: + - name: private-registry operator: image: - repository: registry1.dso.mil/ironbank/opensource/minio/operator - tag: v4.2.3 + repository: registry1.dso.mil/ironbank/opensource/minio/operator + tag: v4.2.3 resources: - requests: - cpu: 200m - memory: 256Mi - ephemeral-storage: 500Mi - limits: - cpu: 200m - memory: 256Mi + requests: + cpu: 200m + memory: 256Mi + ephemeral-storage: 500Mi + limits: + cpu: 200m + memory: 256Mi diff --git a/examples/postgres-operator/manifests/pgadmin.yaml b/examples/postgres-operator/manifests/pgadmin.yaml index ed101fc37a..24d7a29982 100644 --- a/examples/postgres-operator/manifests/pgadmin.yaml +++ b/examples/postgres-operator/manifests/pgadmin.yaml @@ -12,6 +12,8 @@ spec: # registry: registry1.dso.mil # repository: ?? # tag: ?? + imagePullSecrets: + - name: private-registry serviceAccount: create: true persistentVolume: diff --git a/examples/postgres-operator/manifests/postgres-cluster.yaml b/examples/postgres-operator/manifests/postgres-cluster.yaml deleted file mode 100644 index fef361acf6..0000000000 --- a/examples/postgres-operator/manifests/postgres-cluster.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -apiVersion: "acid.zalan.do/v1" -kind: "postgresql" -metadata: - name: "acid-zarf-test" - namespace: "postgres-operator" - labels: - team: acid -spec: - teamId: "acid" - postgresql: - version: "13" - numberOfInstances: 3 - enableConnectionPooler: true - volume: - size: "2Gi" - users: - zarf: [] - databases: - zarf: zarf - enableLogicalBackup: true - logicalBackupSchedule: "*/2 * * * *" - resources: - requests: - cpu: 100m - memory: 100Mi - limits: - cpu: 500m - memory: 500Mi diff --git a/examples/postgres-operator/manifests/postgres-operator-ui.yaml b/examples/postgres-operator/manifests/postgres-operator-ui.yaml index 48406b42f5..c17b220b49 100644 --- a/examples/postgres-operator/manifests/postgres-operator-ui.yaml +++ b/examples/postgres-operator/manifests/postgres-operator-ui.yaml @@ -12,6 +12,8 @@ spec: # registry: registry1.dso.mil # repository: ?? # tag: ?? + imagePullSecrets: + - name: private-registry resources: requests: cpu: "100m" diff --git a/examples/postgres-operator/manifests/postgres-operator.yaml b/examples/postgres-operator/manifests/postgres-operator.yaml index 0926a34ea1..474eb23c0f 100644 --- a/examples/postgres-operator/manifests/postgres-operator.yaml +++ b/examples/postgres-operator/manifests/postgres-operator.yaml @@ -15,6 +15,8 @@ spec: # tag: ?? # configGeneral: # docker_image: registry1.dso.mil/.../spilo-13:2.1-p1 + imagePullSecrets: + - name: private-registry configPostgresPodResources: default_cpu_request: "100m" default_memory_request: "100Mi" diff --git a/examples/single-big-bang-package/manifests/image-pull-secret.yaml b/examples/single-big-bang-package/manifests/image-pull-secret.yaml new file mode 100644 index 0000000000..2b723c3f32 --- /dev/null +++ b/examples/single-big-bang-package/manifests/image-pull-secret.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Secret +type: kubernetes.io/dockerconfigjson +metadata: + name: private-registry + namespace: twistlock +stringData: + .dockerconfigjson: | + { + "auths": { + "registry.dso.mil": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "registry1.dso.mil": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "docker.io": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "registry-1.docker.io": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "ghcr.io": { + "auth":"###ZARF_DOCKERAUTH###" + } + } + } diff --git a/examples/single-big-bang-package/manifests/twistlock.yaml b/examples/single-big-bang-package/manifests/twistlock.yaml index 63c06ea78e..f75ac7a3c5 100644 --- a/examples/single-big-bang-package/manifests/twistlock.yaml +++ b/examples/single-big-bang-package/manifests/twistlock.yaml @@ -12,6 +12,9 @@ metadata: spec: chart: https://%{KUBERNETES_API}%/static/charts/twistlock-0.0.6-bb.1.tgz targetNamespace: twistlock + valuesContent: |- + imagePullSecrets: + - name: private-registry --- apiVersion: networking.k8s.io/v1 kind: Ingress diff --git a/examples/tiny-kafka/manifests/image-pull-secret.yaml b/examples/tiny-kafka/manifests/image-pull-secret.yaml new file mode 100644 index 0000000000..52685465ee --- /dev/null +++ b/examples/tiny-kafka/manifests/image-pull-secret.yaml 
@@ -0,0 +1,55 @@ +apiVersion: v1 +kind: Secret +type: kubernetes.io/dockerconfigjson +metadata: + name: private-registry + namespace: kafka-operator +stringData: + .dockerconfigjson: | + { + "auths": { + "registry.dso.mil": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "registry1.dso.mil": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "docker.io": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "registry-1.docker.io": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "ghcr.io": { + "auth":"###ZARF_DOCKERAUTH###" + } + } + } +--- +apiVersion: v1 +kind: Secret +type: kubernetes.io/dockerconfigjson +metadata: + name: private-registry + namespace: kafka-demo +stringData: + .dockerconfigjson: | + { + "auths": { + "registry.dso.mil": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "registry1.dso.mil": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "docker.io": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "registry-1.docker.io": { + "auth":"###ZARF_DOCKERAUTH###" + }, + "ghcr.io": { + "auth":"###ZARF_DOCKERAUTH###" + } + } + } diff --git a/examples/tiny-kafka/manifests/operator.yaml b/examples/tiny-kafka/manifests/operator.yaml index 304a331dcd..10fc6f861c 100644 --- a/examples/tiny-kafka/manifests/operator.yaml +++ b/examples/tiny-kafka/manifests/operator.yaml @@ -12,6 +12,8 @@ spec: chart: https://%{KUBERNETES_API}%/static/charts/strimzi-kafka-operator-0.24.0.tgz targetNamespace: kafka-operator valuesContent: |- + image: + imagePullSecrets: private-registry imageRegistryOverride: registry1.dso.mil imageRepositoryOverride: ironbank/opensource/strimzi watchNamespaces: diff --git a/go.mod b/go.mod index 5cd44fc39e..9f98b4103c 100644 --- a/go.mod +++ b/go.mod @@ -5,6 +5,7 @@ go 1.16 require ( github.com/AlecAivazis/survey/v2 v2.3.2 github.com/containerd/containerd v1.5.7 + github.com/docker/cli v20.10.7+incompatible github.com/fatih/color v1.13.0 github.com/go-git/go-git/v5 v5.4.2 github.com/goccy/go-yaml v1.9.3 
@@ -17,6 +18,7 @@ require ( github.com/spf13/cobra v1.2.1 github.com/stretchr/testify v1.7.0 github.com/ulikunitz/xz v0.5.8 // indirect; CVE-2020-16845 + golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a helm.sh/helm/v3 v3.7.0 k8s.io/api v0.22.1 k8s.io/apimachinery v0.22.1 diff --git a/test/e2e/e2e_example_game_test.go b/test/e2e/e2e_example_game_test.go index 60fa081550..e34f018101 100644 --- a/test/e2e/e2e_example_game_test.go +++ b/test/e2e/e2e_example_game_test.go @@ -69,7 +69,7 @@ func testGameExample(t *testing.T, terraformOptions *terraform.Options, keyPair require.NoError(t, err, output) // Wait until the Docker registry is ready - output, err = ssh.CheckSshCommandE(t, publicHost, "timeout 300 bash -c 'while [[ \"$(curl -sfSL --retry 15 --retry-connrefused --retry-delay 5 -o /dev/null -w \"%{http_code}\" \"https://localhost/v2/\")\" != \"200\" ]]; do sleep 1; done' || false") + output, err = ssh.CheckSshCommandE(t, publicHost, "timeout 300 bash -c 'while [[ \"$(curl -sfSL --retry 15 --retry-connrefused --retry-delay 5 -o /dev/null -w \"%{http_code}\" \"https://localhost/v2/\")\" != \"401\" ]]; do sleep 1; done' || false") require.NoError(t, err, output) // Deploy the game
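Review bot: Two new `require` entries are added to go.mod (`github.com/docker/cli v20.10.7+incompatible` in the first hunk and `golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a` here), but `go.sum` is not among the 30 files in the diffstat, so no checksums are committed for these modules or their transitive dependencies. With `go 1.16` the default `-mod=readonly` build fails on missing go.sum entries, and without them nothing pins the integrity of what gets downloaded; run `go mod tidy` and commit the resulting `go.sum`. The `+incompatible` suffix also means docker/cli has no go.mod at that tag, so its transitive requirements are whatever resolution produces at tidy time — another reason the sum file belongs in this commit.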