[installer]: configure helm dependencies to use custom container registry

Simon Emms · Simon Emms · commit 053264960822 · 2021-12-01T09:35:58.000Z
diff --git a/installer/pkg/common/common.go b/installer/pkg/common/common.go
@@ -509,3 +509,17 @@ func RandomString(length int) (string, error) {
 	}
 	return string(b), nil
 }
+
+// ThirdPartyContainerRepo returns the container registry to use for third-party containers.
+// If config registry is set to the Gitpod registry, the third-party registry is returned. If
+// config registry is different, that repository is returned and deployment expected to mirror
+// the images to their registry
+func ThirdPartyContainerRepo(configRegistry string, thirdPartyRegistry string) string {
+	configRegistry = strings.TrimSuffix(configRegistry, "/")
+
+	if configRegistry == GitpodContainerRegistry {
+		return thirdPartyRegistry
+	}
+
+	return configRegistry
+}
diff --git a/installer/pkg/components/database/incluster/helm.go b/installer/pkg/components/database/incluster/helm.go
@@ -33,6 +33,12 @@ var Helm = common.CompositeHelmFunc(
 					helm.KeyValue("mysql.auth.username", Username),
 					helm.KeyValue("mysql.initdbScriptsConfigMap", SQLInitScripts),
 					helm.KeyValue("mysql.serviceAccount.name", Component),
+					helm.ImagePullSecrets("mysql.image.pullSecrets", cfg),
+					helm.KeyValue("mysql.image.registry", common.ThirdPartyContainerRepo(cfg.Config.Repository, "docker.io")),
+					helm.ImagePullSecrets("mysql.metrics.image.pullSecrets", cfg),
+					helm.KeyValue("mysql.metrics.image.registry", common.ThirdPartyContainerRepo(cfg.Config.Repository, "docker.io")),
+					helm.ImagePullSecrets("mysql.volumePermissions.image.pullSecrets", cfg),
+					helm.KeyValue("mysql.volumePermissions.image.registry", common.ThirdPartyContainerRepo(cfg.Config.Repository, "docker.io")),
 				},
 				// This is too complex to be sent as a string
 				FileValues: []string{
diff --git a/installer/pkg/components/docker-registry/helm.go b/installer/pkg/components/docker-registry/helm.go
@@ -23,11 +23,21 @@ var Helm = common.CompositeHelmFunc(
 			return nil, err
 		}
 
+		repository := fmt.Sprintf("%s/registry", common.ThirdPartyContainerRepo(cfg.Config.Repository, "docker.io"))
+
 		registryValues := []string{
 			helm.KeyValue(fmt.Sprintf("docker-registry.podAnnotations.%s", strings.Replace(common.AnnotationConfigChecksum, ".", "\\.", -1)), secretHash),
 			helm.KeyValue("docker-registry.fullnameOverride", RegistryName),
 			helm.KeyValue("docker-registry.service.port", strconv.Itoa(common.ProxyContainerHTTPSPort)),
 			helm.KeyValue("docker-registry.tlsSecretName", BuiltInRegistryCerts),
+			helm.KeyValue("docker-registry.image.repository", repository),
+		}
+
+		if len(cfg.Config.ImagePullSecrets) > 0 {
+			// This chart doesn't add in the "name/value" pair format
+			for k, v := range cfg.Config.ImagePullSecrets {
+				registryValues = append(registryValues, helm.KeyValue(fmt.Sprintf("docker-registry.imagePullSecrets[%d].name", k), v.Name))
+			}
 		}
 
 		inCluster := pointer.BoolDeref(cfg.Config.ContainerRegistry.InCluster, false)
diff --git a/installer/pkg/components/jaeger-operator/helm.go b/installer/pkg/components/jaeger-operator/helm.go
@@ -5,6 +5,7 @@
 package jaegeroperator
 
 import (
+	"fmt"
 	"github.com/gitpod-io/gitpod/installer/pkg/common"
 	"github.com/gitpod-io/gitpod/installer/pkg/helm"
 	"github.com/gitpod-io/gitpod/installer/third_party/charts"
@@ -14,12 +15,17 @@ import (
 
 var Helm = common.CompositeHelmFunc(
 	helm.ImportTemplate(charts.JaegerOperator(), helm.TemplateConfig{}, func(cfg *common.RenderContext) (*common.HelmConfig, error) {
+		repository := common.ThirdPartyContainerRepo(cfg.Config.Repository, "docker.io")
+		image := "jaegertracing/jaeger-operator"
+
 		return &common.HelmConfig{
 			Enabled: pointer.BoolDeref(cfg.Config.Jaeger.InCluster, false),
 			Values: &values.Options{
 				Values: []string{
 					helm.KeyValue("jaeger-operator.crd.install", "true"),
 					helm.KeyValue("jaeger-operator.rbac.clusterRole", "true"),
+					helm.ImagePullSecrets("jaeger-operator.image.imagePullSecrets", cfg),
+					helm.KeyValue("jaeger-operator.image.repository", fmt.Sprintf("%s/%s", repository, image)),
 				},
 			},
 		}, nil
diff --git a/installer/pkg/components/minio/azure/minio.go b/installer/pkg/components/minio/azure/minio.go
@@ -12,26 +12,29 @@ import (
 	"helm.sh/helm/v3/pkg/cli/values"
 )
 
-var Helm = func(apiPort int32, consolePort int32) common.HelmFunc {
+var Helm = func(apiPort int32, consolePort int32, commonHelmValues []string) common.HelmFunc {
 	return common.CompositeHelmFunc(
 		helm.ImportTemplate(charts.Minio(), helm.TemplateConfig{}, func(cfg *common.RenderContext) (*common.HelmConfig, error) {
 			return &common.HelmConfig{
 				Enabled: true,
 				Values: &values.Options{
-					Values: []string{
-						helm.KeyValue("minio.gateway.enabled", "true"),
-						helm.KeyValue("minio.gateway.auth.azure.accessKey", cfg.Values.StorageAccessKey), // Azure value actually taken from secret - used for console/API access
-						helm.KeyValue("minio.gateway.auth.azure.secretKey", cfg.Values.StorageSecretKey), // Ditto
-						helm.KeyValue("minio.gateway.auth.azure.storageAccountNameExistingSecret", cfg.Config.ObjectStorage.Azure.Credentials.Name),
-						helm.KeyValue("minio.gateway.auth.azure.storageAccountNameExistingSecretKey", "accountName"),
-						helm.KeyValue("minio.gateway.auth.azure.storageAccountKeyExistingSecret", cfg.Config.ObjectStorage.Azure.Credentials.Name),
-						helm.KeyValue("minio.gateway.auth.azure.storageAccountKeyExistingSecretKey", "accountKey"),
-						helm.KeyValue("minio.gateway.replicaCount", "2"),
-						helm.KeyValue("minio.gateway.type", "azure"),
-						helm.KeyValue("minio.persistence.enabled", "false"),
-						helm.KeyValue("minio.service.ports.api", fmt.Sprintf("%d", apiPort)),
-						helm.KeyValue("minio.service.ports.console", fmt.Sprintf("%d", consolePort)),
-					},
+					Values: append(
+						[]string{
+							helm.KeyValue("minio.gateway.enabled", "true"),
+							helm.KeyValue("minio.gateway.auth.azure.accessKey", cfg.Values.StorageAccessKey), // Azure value actually taken from secret - used for console/API access
+							helm.KeyValue("minio.gateway.auth.azure.secretKey", cfg.Values.StorageSecretKey), // Ditto
+							helm.KeyValue("minio.gateway.auth.azure.storageAccountNameExistingSecret", cfg.Config.ObjectStorage.Azure.Credentials.Name),
+							helm.KeyValue("minio.gateway.auth.azure.storageAccountNameExistingSecretKey", "accountName"),
+							helm.KeyValue("minio.gateway.auth.azure.storageAccountKeyExistingSecret", cfg.Config.ObjectStorage.Azure.Credentials.Name),
+							helm.KeyValue("minio.gateway.auth.azure.storageAccountKeyExistingSecretKey", "accountKey"),
+							helm.KeyValue("minio.gateway.replicaCount", "2"),
+							helm.KeyValue("minio.gateway.type", "azure"),
+							helm.KeyValue("minio.persistence.enabled", "false"),
+							helm.KeyValue("minio.service.ports.api", fmt.Sprintf("%d", apiPort)),
+							helm.KeyValue("minio.service.ports.console", fmt.Sprintf("%d", consolePort)),
+						},
+						commonHelmValues...,
+					),
 				},
 			}, nil
 		}),
diff --git a/installer/pkg/components/minio/helm.go b/installer/pkg/components/minio/helm.go
@@ -10,16 +10,24 @@ import (
 	"github.com/gitpod-io/gitpod/installer/pkg/common"
 	"github.com/gitpod-io/gitpod/installer/pkg/components/minio/azure"
 	"github.com/gitpod-io/gitpod/installer/pkg/components/minio/incluster"
+	"github.com/gitpod-io/gitpod/installer/pkg/helm"
 	"k8s.io/utils/pointer"
 )
 
 var Helm = common.CompositeHelmFunc(
 	func(cfg *common.RenderContext) ([]string, error) {
+		commonHelmValues := []string{
+			helm.ImagePullSecrets("minio.image.pullSecrets", cfg),
+			helm.KeyValue("minio.image.registry", common.ThirdPartyContainerRepo(cfg.Config.Repository, "docker.io")),
+			helm.ImagePullSecrets("minio.volumePermissions.image.pullSecrets", cfg),
+			helm.KeyValue("minio.volumePermissions.image.registry", common.ThirdPartyContainerRepo(cfg.Config.Repository, "docker.io")),
+		}
+
 		if pointer.BoolDeref(cfg.Config.ObjectStorage.InCluster, false) {
-			return incluster.Helm(ServiceAPIPort, ServiceConsolePort)(cfg)
+			return incluster.Helm(ServiceAPIPort, ServiceConsolePort, commonHelmValues)(cfg)
 		}
 		if cfg.Config.ObjectStorage.Azure != nil {
-			return azure.Helm(ServiceAPIPort, ServiceConsolePort)(cfg)
+			return azure.Helm(ServiceAPIPort, ServiceConsolePort, commonHelmValues)(cfg)
 		}
 
 		return nil, nil
diff --git a/installer/pkg/components/minio/incluster/minio.go b/installer/pkg/components/minio/incluster/minio.go
@@ -13,7 +13,7 @@ import (
 	"helm.sh/helm/v3/pkg/cli/values"
 )
 
-var Helm = func(apiPort int32, consolePort int32) common.HelmFunc {
+var Helm = func(apiPort int32, consolePort int32, commonHelmValues []string) common.HelmFunc {
 	return common.CompositeHelmFunc(
 		helm.ImportTemplate(charts.Minio(), helm.TemplateConfig{}, func(cfg *common.RenderContext) (*common.HelmConfig, error) {
 			affinity, err := helm.AffinityYaml(cluster.AffinityLabelMeta)
@@ -29,12 +29,15 @@ var Helm = func(apiPort int32, consolePort int32) common.HelmFunc {
 			return &common.HelmConfig{
 				Enabled: true,
 				Values: &values.Options{
-					Values: []string{
-						helm.KeyValue("minio.auth.rootUser", cfg.Values.StorageAccessKey),
-						helm.KeyValue("minio.auth.rootPassword", cfg.Values.StorageSecretKey),
-						helm.KeyValue("minio.service.ports.api", fmt.Sprintf("%d", apiPort)),
-						helm.KeyValue("minio.service.ports.console", fmt.Sprintf("%d", consolePort)),
-					},
+					Values: append(
+						[]string{
+							helm.KeyValue("minio.auth.rootUser", cfg.Values.StorageAccessKey),
+							helm.KeyValue("minio.auth.rootPassword", cfg.Values.StorageSecretKey),
+							helm.KeyValue("minio.service.ports.api", fmt.Sprintf("%d", apiPort)),
+							helm.KeyValue("minio.service.ports.console", fmt.Sprintf("%d", consolePort)),
+						},
+						commonHelmValues...,
+					),
 					// This is too complex to be sent as a string
 					FileValues: []string{
 						affinityTemplate,
diff --git a/installer/pkg/components/rabbitmq/helm.go b/installer/pkg/components/rabbitmq/helm.go
@@ -279,6 +279,10 @@ var Helm = common.CompositeHelmFunc(
 					helm.KeyValue("rabbitmq.auth.tls.existingSecret", TLSSecret),
 					helm.KeyValue(fmt.Sprintf("rabbitmq.extraSecrets.%s.username", InClusterDbSecret), username),
 					helm.KeyValue(fmt.Sprintf("rabbitmq.extraSecrets.%s.password", InClusterDbSecret), password),
+					helm.ImagePullSecrets("rabbitmq.image.pullSecrets", cfg),
+					helm.KeyValue("rabbitmq.image.registry", common.ThirdPartyContainerRepo(cfg.Config.Repository, "docker.io")),
+					helm.ImagePullSecrets("volumePermissions.image.pullSecrets", cfg),
+					helm.KeyValue("rabbitmq.volumePermissions.image.registry", common.ThirdPartyContainerRepo(cfg.Config.Repository, "docker.io")),
 				},
 				// This is too complex to be sent as a string
 				FileValues: []string{
diff --git a/installer/pkg/helm/helm.go b/installer/pkg/helm/helm.go
@@ -12,6 +12,7 @@ import (
 	"os/signal"
 	"path/filepath"
 	"sigs.k8s.io/yaml"
+	"strings"
 	"syscall"
 
 	"github.com/gitpod-io/gitpod/installer/pkg/common"
@@ -121,6 +122,21 @@ func AffinityYaml(orLabels ...string) ([]byte, error) {
 	return marshal, nil
 }
 
+func ImagePullSecrets(key string, ctx *common.RenderContext) string {
+	if len(ctx.Config.ImagePullSecrets) > 0 {
+		var pullSecrets []string
+		for _, i := range ctx.Config.ImagePullSecrets {
+			pullSecrets = append(pullSecrets, i.Name)
+		}
+
+		// Helm array nomenclature
+		return KeyValue(key, fmt.Sprintf("{%s}", strings.Join(pullSecrets, ",")))
+	}
+
+	// Nothing to be set
+	return ""
+}
+
 // ImportTemplate allows for Helm charts to be imported into the installer manifest
 func ImportTemplate(chart *charts.Chart, templateCfg TemplateConfig, pkgConfig PkgConfig) common.HelmFunc {
 	return func(cfg *common.RenderContext) (r []string, err error) {
