From 4bb84de665c38c57e5acfd2e8490864a4c6cd439 Mon Sep 17 00:00:00 2001 From: Gabriel Saratura Date: Tue, 8 Feb 2022 16:53:53 +0100 Subject: [PATCH 1/6] Add global cluster pull secret support --- class/defaults.yml | 4 +++- component/main.jsonnet | 10 +++++++++ .../ROOT/pages/references/parameters.adoc | 21 ++++++++++++------- tests/defaults.yml | 9 +++++--- .../openshift4-config/01_dockercfg.yaml | 11 ++++++++++ 5 files changed, 44 insertions(+), 11 deletions(-) create mode 100644 tests/golden/defaults/openshift4-config/openshift4-config/01_dockercfg.yaml diff --git a/class/defaults.yml b/class/defaults.yml index b0b15c2..ccb6f23 100644 --- a/class/defaults.yml +++ b/class/defaults.yml @@ -1,4 +1,6 @@ parameters: openshift4_config: =_metadata: {} - namespace: syn-openshift4-config + namespace: openshift4-config + dockerCredentials: + secretName: pull-secret diff --git a/component/main.jsonnet b/component/main.jsonnet index ce38053..8878321 100644 --- a/component/main.jsonnet +++ b/component/main.jsonnet @@ -5,6 +5,16 @@ local inv = kap.inventory(); // The hiera parameters for the component local params = inv.parameters.openshift4_config; +local dockercfg = kube.Secret(params.dockerCredentials.secretName) { + metadata+: { + namespace: params.namespace, + }, + data+: { + '.dockerconfigjson': params.dockerCredentials.dockerconfigjson, + }, +}; + // Define outputs below { + '01_dockercfg': dockercfg, } diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc index 14284ef..803072b 100644 --- a/docs/modules/ROOT/pages/references/parameters.adoc +++ b/docs/modules/ROOT/pages/references/parameters.adoc 
@@ -6,14 +6,21 @@ The parent key for all of the following parameters is `openshift4_config`. [horizontal] type:: string -default:: `syn-openshift4-config` +default:: `openshift4-config` -The namespace in which to deploy this component. +The namespace in which the OpenShift configuration takes place +== `dockerCredentials.secretName` -== Example +[horizontal] +type:: string +default:: `pull-secret` + +The default name for the global cluster pull secret in OpenShift. + +== `dockerCredentials.dockerconfigjson` + +[horizontal] +type:: string -[source,yaml] ----- -namespace: example-namespace ----- +A vault reference pointing to the Vault secret containing the docker configuration file in json format. If the key isn’t provided as a vault reference, the secret key must be provided in its base64 encoded form. It can be generated using the command echo -n ' | base64. diff --git a/tests/defaults.yml b/tests/defaults.yml index a4da5b7..a1e13ba 100644 --- a/tests/defaults.yml +++ b/tests/defaults.yml @@ -1,3 +1,6 @@ -# Overwrite parameters here - -# parameters: {...} +parameters: + openshift4_config: + namespace: openshift4-config + dockerCredentials: + secretName: pull-secret + dockerconfigjson: ?{vaultkv:${customer:name}/${cluster:name}/openshift4-config/dockercfg} diff --git a/tests/golden/defaults/openshift4-config/openshift4-config/01_dockercfg.yaml b/tests/golden/defaults/openshift4-config/openshift4-config/01_dockercfg.yaml new file mode 100644 index 0000000..1ab7a29 --- /dev/null +++ b/tests/golden/defaults/openshift4-config/openshift4-config/01_dockercfg.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +data: + .dockerconfigjson: t-silent-test-1234/c-green-test-1234/openshift4-config/dockercfg +kind: Secret +metadata: + annotations: {} + labels: + name: pull-secret + name: pull-secret + namespace: openshift4-config +type: Opaque From 8a8238c980003bf94b1f46859929e68fe0d684e7 Mon Sep 17 00:00:00 2001 
From: Gabriel Saratura Date: Fri, 11 Feb 2022 11:43:45 +0100 Subject: [PATCH 2/6] Fixed namespace --- class/defaults.yml | 2 +- component/main.jsonnet | 2 +- docs/modules/ROOT/pages/index.adoc | 2 +- tests/defaults.yml | 2 +- .../openshift4-config/openshift4-config/01_dockercfg.yaml | 4 ++-- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/class/defaults.yml b/class/defaults.yml index ccb6f23..d893246 100644 --- a/class/defaults.yml +++ b/class/defaults.yml @@ -1,6 +1,6 @@ parameters: openshift4_config: =_metadata: {} - namespace: openshift4-config + namespace: openshift-config dockerCredentials: secretName: pull-secret diff --git a/component/main.jsonnet b/component/main.jsonnet index 8878321..ef08914 100644 --- a/component/main.jsonnet +++ b/component/main.jsonnet @@ -9,7 +9,7 @@ local dockercfg = kube.Secret(params.dockerCredentials.secretName) { metadata+: { namespace: params.namespace, }, - data+: { + stringData+: { '.dockerconfigjson': params.dockerCredentials.dockerconfigjson, }, }; diff --git a/docs/modules/ROOT/pages/index.adoc b/docs/modules/ROOT/pages/index.adoc index 9dfbdf0..401ba04 100644 --- a/docs/modules/ROOT/pages/index.adoc +++ b/docs/modules/ROOT/pages/index.adoc @@ -1,5 +1,5 @@ = openshift4-config -openshift4-config is a Commodore component to manage openshift4-config. +openshift4-config is a Commodore component to manage openshift4-config. This component updates global cluster pull secrets as described in the openshift https://docs.openshift.com/container-platform/latest/openshift_images/managing_images/using-image-pull-secrets.html#images-update-global-pull-secret_using-image-pull-secrets[docs] See the xref:references/parameters.adoc[parameters] reference for further details. diff --git a/tests/defaults.yml b/tests/defaults.yml index a1e13ba..bceba9a 100644 --- a/tests/defaults.yml +++ b/tests/defaults.yml 
@@ -1,6 +1,6 @@ parameters: openshift4_config: - namespace: openshift4-config + namespace: openshift-config dockerCredentials: secretName: pull-secret dockerconfigjson: ?{vaultkv:${customer:name}/${cluster:name}/openshift4-config/dockercfg} diff --git a/tests/golden/defaults/openshift4-config/openshift4-config/01_dockercfg.yaml b/tests/golden/defaults/openshift4-config/openshift4-config/01_dockercfg.yaml index 1ab7a29..98288eb 100644 --- a/tests/golden/defaults/openshift4-config/openshift4-config/01_dockercfg.yaml +++ b/tests/golden/defaults/openshift4-config/openshift4-config/01_dockercfg.yaml @@ -1,5 +1,5 @@ apiVersion: v1 -data: +stringData: .dockerconfigjson: t-silent-test-1234/c-green-test-1234/openshift4-config/dockercfg kind: Secret metadata: @@ -7,5 +7,5 @@ metadata: labels: name: pull-secret name: pull-secret - namespace: openshift4-config + namespace: openshift-config type: Opaque From 0357edaabf831f23d69e62510679cc59086617e5 Mon Sep 17 00:00:00 2001 From: Gabriel Saratura Date: Fri, 11 Feb 2022 16:50:36 +0100 Subject: [PATCH 3/6] Hard coded namespace and secret --- class/defaults.yml | 4 +--- component/main.jsonnet | 8 ++++---- tests/defaults.yml | 5 +---- .../openshift4-config/openshift4-config/01_dockercfg.yaml | 5 +++-- 4 files changed, 9 insertions(+), 13 deletions(-) diff --git a/class/defaults.yml b/class/defaults.yml index d893246..ed29587 100644 --- a/class/defaults.yml +++ b/class/defaults.yml @@ -1,6 +1,4 @@ parameters: openshift4_config: =_metadata: {} - namespace: openshift-config - dockerCredentials: - secretName: pull-secret + globalPullSecret: null diff --git a/component/main.jsonnet b/component/main.jsonnet index ef08914..7b13b65 100644 --- a/component/main.jsonnet +++ b/component/main.jsonnet 
@@ -5,16 +5,16 @@ local inv = kap.inventory(); // The hiera parameters for the component local params = inv.parameters.openshift4_config; -local dockercfg = kube.Secret(params.dockerCredentials.secretName) { +local dockercfg = kube.Secret('pull-secret') { metadata+: { - namespace: params.namespace, + namespace: 'openshift-config', }, stringData+: { - '.dockerconfigjson': params.dockerCredentials.dockerconfigjson, + '.dockerconfigjson': params.globalPullSecret, }, }; // Define outputs below { - '01_dockercfg': dockercfg, + [if params.globalPullSecret != null then '01_dockercfg']: dockercfg, } diff --git a/tests/defaults.yml b/tests/defaults.yml index bceba9a..4390f59 100644 --- a/tests/defaults.yml +++ b/tests/defaults.yml @@ -1,6 +1,3 @@ parameters: openshift4_config: - namespace: openshift-config - dockerCredentials: - secretName: pull-secret - dockerconfigjson: ?{vaultkv:${customer:name}/${cluster:name}/openshift4-config/dockercfg} + globalPullSecret: ?{vaultkv:${customer:name}/${cluster:name}/openshift4-config/dockercfg} diff --git a/tests/golden/defaults/openshift4-config/openshift4-config/01_dockercfg.yaml b/tests/golden/defaults/openshift4-config/openshift4-config/01_dockercfg.yaml index 98288eb..14cb440 100644 --- a/tests/golden/defaults/openshift4-config/openshift4-config/01_dockercfg.yaml +++ b/tests/golden/defaults/openshift4-config/openshift4-config/01_dockercfg.yaml @@ -1,6 +1,5 @@ apiVersion: v1 -stringData: - .dockerconfigjson: t-silent-test-1234/c-green-test-1234/openshift4-config/dockercfg +data: {} kind: Secret metadata: annotations: {} @@ -8,4 +7,6 @@ metadata: name: pull-secret name: pull-secret namespace: openshift-config +stringData: + .dockerconfigjson: t-silent-test-1234/c-green-test-1234/openshift4-config/dockercfg type: Opaque From 0af21309d3bb450beb42fe269f3038654ae41407 Mon Sep 17 00:00:00 2001 
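Review bot: The rendered secret keeps kube.Secret's default `type: Opaque` (visible in the golden file), while the installer-created `pull-secret` in `openshift-config` is, as far as I know, of type `kubernetes.io/dockerconfigjson`; because a Secret's `type` is immutable in Kubernetes, applying this manifest over the existing secret will likely be rejected with a "field is immutable" error instead of updating it. Setting `type: 'kubernetes.io/dockerconfigjson',` on the `kube.Secret('pull-secret')` object matches the existing secret and additionally makes the API server reject a payload that is not valid JSON before it replaces the working pull secret. Relatedly, the `!= null` guard lets an empty string through, which would render an empty `.dockerconfigjson` and, per the IMPORTANT note in the docs, break image pulls cluster-wide; an `assert std.length(params.globalPullSecret) > 0 : 'globalPullSecret must not be empty'` in the Secret definition would fail the compile instead. Please confirm the installer secret's type on a real cluster before relying on this.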
From: Gabriel Saratura Date: Fri, 11 Feb 2022 16:58:56 +0100 Subject: [PATCH 4/6] Adjusted documentation --- .../ROOT/pages/references/parameters.adoc | 23 ++++--------------- 1 file changed, 4 insertions(+), 19 deletions(-) diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc index 803072b..6d87763 100644 --- a/docs/modules/ROOT/pages/references/parameters.adoc +++ b/docs/modules/ROOT/pages/references/parameters.adoc @@ -1,26 +1,11 @@ = Parameters -The parent key for all of the following parameters is `openshift4_config`. +The parent key for all the following parameters is `openshift4_config`. -== `namespace` +== `globalPullSecret` [horizontal] type:: string -default:: `openshift4-config` +default:: null -The namespace in which the OpenShift configuration takes place - -== `dockerCredentials.secretName` - -[horizontal] -type:: string -default:: `pull-secret` - -The default name for the global cluster pull secret in OpenShift. - -== `dockerCredentials.dockerconfigjson` - -[horizontal] -type:: string - -A vault reference pointing to the Vault secret containing the docker configuration file in json format. If the key isn’t provided as a vault reference, the secret key must be provided in its base64 encoded form. It can be generated using the command echo -n ' | base64. +A vault reference pointing to the Vault secret containing docker global pull secret configuration file in json format. If the key is null the manifest isn't created. If the key isn’t provided as a vault reference, the secret key must be provided in its base64 encoded form. It can be generated using the command echo -n ' | base64. From f98a67efbf2dc028d4151a26665f55dbb3012b74 Mon Sep 17 00:00:00 2001 
From: Gabriel Saratura <58511627+ZuGao@users.noreply.github.com> Date: Mon, 14 Feb 2022 10:37:55 +0200 Subject: [PATCH 5/6] Update docs/modules/ROOT/pages/index.adoc Updated documentation Co-authored-by: Simon Gerber --- docs/modules/ROOT/pages/index.adoc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/modules/ROOT/pages/index.adoc b/docs/modules/ROOT/pages/index.adoc index 401ba04..ac8a41d 100644 --- a/docs/modules/ROOT/pages/index.adoc +++ b/docs/modules/ROOT/pages/index.adoc @@ -1,5 +1,7 @@ = openshift4-config -openshift4-config is a Commodore component to manage openshift4-config. This component updates global cluster pull secrets as described in the openshift https://docs.openshift.com/container-platform/latest/openshift_images/managing_images/using-image-pull-secrets.html#images-update-global-pull-secret_using-image-pull-secrets[docs] +openshift4-config is a Commodore component to manage openshift4-config. + +Currently, this component can manage the global cluster pull secret as described in the https://docs.openshift.com/container-platform/latest/openshift_images/managing_images/using-image-pull-secrets.html#images-update-global-pull-secret_using-image-pull-secret[OpenShift documentation]. See the xref:references/parameters.adoc[parameters] reference for further details. From 6dcc83e138cbdd1487ae27cacc3aaab8317f0bbc Mon Sep 17 00:00:00 2001 From: Gabriel Saratura <58511627+ZuGao@users.noreply.github.com> Date: Mon, 14 Feb 2022 10:38:14 +0200 Subject: [PATCH 6/6] Update docs/modules/ROOT/pages/references/parameters.adoc Update documentation Co-authored-by: Simon Gerber --- docs/modules/ROOT/pages/references/parameters.adoc | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc index 6d87763..04c99d6 100644 --- a/docs/modules/ROOT/pages/references/parameters.adoc 
+++ b/docs/modules/ROOT/pages/references/parameters.adoc
@@ -8,4 +8,15 @@ The parent key for all the following parameters is `openshift4_config`.
 type:: string
 default:: null
 
-A vault reference pointing to the Vault secret containing docker global pull secret configuration file in json format. If the key is null the manifest isn't created. If the key isn’t provided as a vault reference, the secret key must be provided in its base64 encoded form. It can be generated using the command echo -n ' | base64.
+A Vault reference pointing to the Vault secret containing the docker configuration file in JSON format.
+If the parameter is null, the component doesn't manage the cluster's global pull secret.
+
+The component writes the value of this parameter into the field `.dockerconfigjson` of the secret `pull-secret` in namespace `openshift-config`.
+
+See the OpenShift documentation for more details on https://docs.openshift.com/container-platform/latest/openshift_images/managing_images/using-image-pull-secrets.html#images-update-global-pull-secret_using-image-pull-secret[managing the cluster's global pull secret].
+
+[IMPORTANT]
+====
+You need to make sure that the existing pull secrets present on a cluster (deployed by the OpenShift installer) are included in the configuration deployed by this component.
+Otherwise, OpenShift cluster services may stop working because their respective container images can't be downloaded anymore.
+====