local-user-authenticator can be deployed from a private registry image

- Also add more comment to the values.yaml files to make the options
  more clear

deploy-local-user-authenticator/deployment.yaml

@@ -17,6 +17,19 @@ metadata:
   name: local-user-authenticator-service-account
   namespace: local-user-authenticator
 ---
+#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
+apiVersion: v1
+kind: Secret
+metadata:
+  name: image-pull-secret
+  namespace: local-user-authenticator
+  labels:
+    app: local-user-authenticator
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: #@ data.values.image_pull_dockerconfigjson
+#@ end
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -35,6 +48,10 @@ spec:
         app: local-user-authenticator
     spec:
       serviceAccountName: local-user-authenticator-service-account
+      #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
+      imagePullSecrets:
+        - name: image-pull-secret
+      #@ end
       containers:
         - name: local-user-authenticator
           #@ if data.values.image_digest:

deploy-local-user-authenticator/values.yaml

@@ -8,3 +8,9 @@
 image_repo: docker.io/getpinniped/pinniped-server
 image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
 image_tag: latest
+
+#! Specifies a secret to be used when pulling the above container image.
+#! Can be used when the above image_repo is a private registry.
+#! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
+#! Optional.
+image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}

deploy/values.yaml

@@ -15,14 +15,21 @@ image_repo: docker.io/getpinniped/pinniped-server
 image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
 image_tag: latest
 
-webhook_url: #! e.g., https://example.com
+#! Specifies a secret to be used when pulling the above container image.
-webhook_ca_bundle: #! e.g., LS0tLS1CRUdJTiBDRVJUSUZJQ0F...
+#! Can be used when the above image_repo is a private registry.
-
+#! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
-discovery_url: #! e.g., https://example.com
+#! Optional.
-
-#! e.g. the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
 image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
 
+#! Configure a webhook identity provider.
+webhook_url: #! e.g., https://example.com
+webhook_ca_bundle: #! Must be a base64 encoded PEM certificate. e.g., LS0tLS1CRUdJTiBDRVJUSUZJQ0F...
+
+#! Pinniped will try to guess the right K8s API URL for sharing that information with potential clients.
+#! This settings allows the guess to be overridden.
+#! Optional.
+discovery_url: #! e.g., https://example.com
+
 #! Specify the duration and renewal interval for the API serving certificate.
 #! The defaults are set to expire the cert about every 30 days, and to rotate it
 #! about every 25 days.