From eabe51c446a4a4ac14c6bb19c911f22e230abf02 Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Thu, 17 Sep 2020 16:07:31 -0700
Subject: [PATCH] local-user-authenticator can be deployed from a private registry image
- Also add more comment to the values.yaml files to make the options more clear
---
 .../deployment.yaml | 17 +++++++++++++++++
 deploy-local-user-authenticator/values.yaml | 6 ++++++
 deploy/values.yaml | 19 +++++++++++++------
 3 files changed, 36 insertions(+), 6 deletions(-)
diff --git a/deploy-local-user-authenticator/deployment.yaml b/deploy-local-user-authenticator/deployment.yaml
index ec98499f..abc2409f 100644
--- a/deploy-local-user-authenticator/deployment.yaml
+++ b/deploy-local-user-authenticator/deployment.yaml
@@ -17,6 +17,19 @@ metadata:
 name: local-user-authenticator-service-account
 namespace: local-user-authenticator
 ---
+#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
+apiVersion: v1
+kind: Secret
+metadata:
+ name: image-pull-secret
+ namespace: local-user-authenticator
+ labels:
+ app: local-user-authenticator
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: #@ data.values.image_pull_dockerconfigjson
+#@ end
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -35,6 +48,10 @@ spec:
 app: local-user-authenticator
 spec:
 serviceAccountName: local-user-authenticator-service-account
+ #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
+ imagePullSecrets:
+ - name: image-pull-secret
+ #@ end
 containers:
 - name: local-user-authenticator
 #@ if data.values.image_digest:
diff --git a/deploy-local-user-authenticator/values.yaml b/deploy-local-user-authenticator/values.yaml
index 7fb9f3c9..9d4b96ed 100644
--- a/deploy-local-user-authenticator/values.yaml
+++ b/deploy-local-user-authenticator/values.yaml
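Review bot: The new Secret writes `data.values.image_pull_dockerconfigjson` unchanged into `data:`, and Kubernetes expects every value under `data:` to be base64 encoded, so the template only works when the caller supplies an already-encoded string. The `kubectl ... | jq -r '.data[".dockerconfigjson"]'` comment in both values.yaml hunks produces that form, but the inline `e.g. {"auths":{...}}` on the same key shows raw JSON, which would most likely be rejected when the Secret is applied. Either state the required encoding on the key, for example `#! Must be base64 encoded, as produced by the command above.`, or accept raw JSON and place the field under `stringData:` instead. The same mismatch is present on the `image_pull_dockerconfigjson` line in deploy/values.yaml.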
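Review bot: The guard on `imagePullSecrets` repeats the Secret's condition verbatim and the name `image-pull-secret` is hard-coded in both places, so the two can drift apart; if they do, the Deployment may reference a Secret that was never rendered, which only shows up as image pull failures at runtime. The `!= ""` half also looks redundant, since an empty string should already be falsy in the template condition, so `#@ if data.values.image_pull_dockerconfigjson:` would read more simply in both spots. A short comment such as `#! keep in sync with the image-pull-secret Secret above` would help the next editor. The pod spec continues past the end of this hunk.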
@@ -8,3 +8,9 @@
 image_repo: docker.io/getpinniped/pinniped-server
 image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
 image_tag: latest
+
+#! Specifies a secret to be used when pulling the above container image.
+#! Can be used when the above image_repo is a private registry.
+#! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
+#! Optional.
+image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
diff --git a/deploy/values.yaml b/deploy/values.yaml
index e8c7b6df..bae0dabd 100644
--- a/deploy/values.yaml
+++ b/deploy/values.yaml
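Review bot: The added comment block does not say that `image_pull_dockerconfigjson` is a registry credential, and base64 is an encoding rather than protection, so a filled-in values.yaml is as sensitive as the password itself. I would add a line such as `#! This value is a credential: supply it at deploy time and do not commit a populated copy of this file.` The documented `kubectl create secret ... --docker-password="PASSWORD"` form also puts the password on the command line, where shell history may retain it, and a brief mention of that would be useful. The same comment block is added in deploy/values.yaml.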
@@ -15,14 +15,21 @@ image_repo: docker.io/getpinniped/pinniped-server
 image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
 image_tag: latest
-webhook_url: #! e.g., https://example.com
-webhook_ca_bundle: #! e.g., LS0tLS1CRUdJTiBDRVJUSUZJQ0F...
-
-discovery_url: #! e.g., https://example.com
-
-#! e.g. the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
+#! Specifies a secret to be used when pulling the above container image.
+#! Can be used when the above image_repo is a private registry.
+#! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
+#! Optional.
 image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
+#! Configure a webhook identity provider.
+webhook_url: #! e.g., https://example.com
+webhook_ca_bundle: #! Must be a base64 encoded PEM certificate. e.g., LS0tLS1CRUdJTiBDRVJUSUZJQ0F...
+
+#! Pinniped will try to guess the right K8s API URL for sharing that information with potential clients.
+#! This settings allows the guess to be overridden.
+#! Optional.
+discovery_url: #! e.g., https://example.com
+
 #! Specify the duration and renewal interval for the API serving certificate.
 #! The defaults are set to expire the cert about every 30 days, and to rotate it
 #! about every 25 days.
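Review bot: The added comment `#! This settings allows the guess to be overridden.` has a typo and should read `#! This setting allows the guess to be overridden.` The new `#! Configure a webhook identity provider.` block, unlike the two blocks around it, does not say whether `webhook_url` and `webhook_ca_bundle` are required or optional. It would also help to state that `webhook_url` is expected to be an `https://` endpoint whose certificate is verified against `webhook_ca_bundle`, which the examples suggest but the comment does not say.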