[installer]: add image pull secrets to third-party container images

Simon Emms · Simon Emms · commit 6dd9593ff8ff · 2021-12-01T11:18:59.000Z
diff --git a/installer/pkg/common/common.go b/installer/pkg/common/common.go
@@ -264,10 +264,10 @@ func MessageBusWaiterContainer(ctx *RenderContext) *corev1.Container {
 	}
 }
 
-func KubeRBACProxyContainer() *corev1.Container {
+func KubeRBACProxyContainer(ctx *RenderContext) *corev1.Container {
 	return &corev1.Container{
 		Name:  "kube-rbac-proxy",
-		Image: "quay.io/brancz/kube-rbac-proxy:v0.11.0",
+		Image: ImageName(ThirdPartyContainerRepo(ctx.Config.Repository, KubeRBACProxyRepo), KubeRBACProxyImage, KubeRBACProxyTag),
 		Args: []string{
 			"--v=5",
 			"--logtostderr",
diff --git a/installer/pkg/common/constants.go b/installer/pkg/common/constants.go
@@ -15,10 +15,15 @@ const (
 	AppName                     = "gitpod"
 	BlobServeServicePort        = 4000
 	CertManagerCAIssuer         = "ca-issuer"
+	DockerRegistryURL           = "docker.io"
 	DockerRegistryName          = "registry"
+	GitpodContainerRegistry     = "eu.gcr.io/gitpod-core-dev/build"
 	InClusterDbSecret           = "mysql"
 	InClusterMessageQueueName   = "rabbitmq"
 	InClusterMessageQueueTLS    = "messagebus-certificates-secret-core"
+	KubeRBACProxyRepo           = "quay.io/brancz"
+	KubeRBACProxyImage          = "kube-rbac-proxy"
+	KubeRBACProxyTag            = "v0.11.0"
 	MinioServiceAPIPort         = 9000
 	MonitoringChart             = "monitoring"
 	ProxyComponent              = "proxy"
diff --git a/installer/pkg/components/agent-smith/daemonset.go b/installer/pkg/components/agent-smith/daemonset.go
@@ -78,7 +78,7 @@ func daemonset(ctx *common.RenderContext) ([]runtime.Object, error) {
 							Privileged: pointer.Bool(true),
 							ProcMount:  func() *corev1.ProcMountType { r := corev1.DefaultProcMount; return &r }(),
 						},
-					}, *common.KubeRBACProxyContainer()},
+					}, *common.KubeRBACProxyContainer(ctx)},
 					Volumes: []corev1.Volume{{
 						Name: "config",
 						VolumeSource: corev1.VolumeSource{ConfigMap: &corev1.ConfigMapVolumeSource{
diff --git a/installer/pkg/components/blobserve/deployment.go b/installer/pkg/components/blobserve/deployment.go
@@ -125,7 +125,7 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
 								MountPath: "/mnt/pull-secret.json",
 								SubPath:   ".dockerconfigjson",
 							}},
-						}, *common.KubeRBACProxyContainer()},
+						}, *common.KubeRBACProxyContainer(ctx)},
 					},
 				},
 			},
diff --git a/installer/pkg/components/database/init/job.go b/installer/pkg/components/database/init/job.go
@@ -47,7 +47,7 @@ func job(ctx *common.RenderContext) ([]runtime.Object, error) {
 					InitContainers: []corev1.Container{*common.DatabaseWaiterContainer(ctx)},
 					Containers: []corev1.Container{{
 						Name:            fmt.Sprintf("%s-session", Component),
-						Image:           fmt.Sprintf("%s:%s", dbSessionsImage, dbSessionsTag),
+						Image:           common.ImageName(common.ThirdPartyContainerRepo(ctx.Config.Repository, ""), dbSessionsImage, dbSessionsTag),
 						ImagePullPolicy: corev1.PullIfNotPresent,
 						Env: common.MergeEnv(
 							common.DatabaseEnv(&ctx.Config),
diff --git a/installer/pkg/components/image-builder-mk3/deployment.go b/installer/pkg/components/image-builder-mk3/deployment.go
@@ -162,7 +162,7 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
 							*common.InternalCAVolumeMount(),
 						},
 					},
-						*common.KubeRBACProxyContainer(),
+						*common.KubeRBACProxyContainer(ctx),
 					},
 				},
 			},
diff --git a/installer/pkg/components/proxy/constants.go b/installer/pkg/components/proxy/constants.go
@@ -13,8 +13,11 @@ const (
 	ContainerHTTPSPort    = common.ProxyContainerHTTPSPort
 	ContainerHTTPSName    = common.ProxyContainerHTTPSName
 	PrometheusPort        = 9500
-	InitContainerImage    = "alpine:3.15"
-	KubeRBACProxyImage    = "quay.io/brancz/kube-rbac-proxy:v0.11.0"
+	InitContainerImage    = "alpine"
+	InitContainerTag      = "3.15"
+	KubeRBACProxyRepo     = common.KubeRBACProxyRepo
+	KubeRBACProxyImage    = common.KubeRBACProxyImage
+	KubeRBACProxyTag      = common.KubeRBACProxyTag
 	MetricsContainerName  = "metrics"
 	ReadinessPort         = 8003
 	RegistryAuthSecret    = common.RegistryAuthSecret
diff --git a/installer/pkg/components/proxy/deployment.go b/installer/pkg/components/proxy/deployment.go
@@ -129,7 +129,7 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
 						Volumes: volumes,
 						InitContainers: []corev1.Container{{
 							Name:            "sysctl",
-							Image:           InitContainerImage,
+							Image:           common.ImageName(common.ThirdPartyContainerRepo(ctx.Config.Repository, common.DockerRegistryURL), InitContainerImage, InitContainerTag),
 							ImagePullPolicy: corev1.PullIfNotPresent,
 							SecurityContext: &corev1.SecurityContext{
 								Privileged: pointer.Bool(true),
@@ -142,7 +142,7 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
 						}},
 						Containers: []corev1.Container{{
 							Name:            "kube-rbac-proxy",
-							Image:           KubeRBACProxyImage,
+							Image:           common.ImageName(common.ThirdPartyContainerRepo(ctx.Config.Repository, KubeRBACProxyRepo), KubeRBACProxyImage, KubeRBACProxyTag),
 							ImagePullPolicy: corev1.PullIfNotPresent,
 							Args: []string{
 								"--v=10",
diff --git a/installer/pkg/components/registry-facade/daemonset.go b/installer/pkg/components/registry-facade/daemonset.go
@@ -176,7 +176,7 @@ func daemonset(ctx *common.RenderContext) ([]runtime.Object, error) {
 						}, volumeMounts...),
 					},
 
-						*common.KubeRBACProxyContainer(),
+						*common.KubeRBACProxyContainer(ctx),
 					},
 					Volumes: append([]corev1.Volume{{
 						Name:         "cache",
diff --git a/installer/pkg/components/server/deployment.go b/installer/pkg/components/server/deployment.go
@@ -149,7 +149,7 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
 								MountPath: "/ws-manager-client-tls-certs",
 								ReadOnly:  true,
 							}},
-						}, *common.KubeRBACProxyContainer()},
+						}, *common.KubeRBACProxyContainer(ctx)},
 					},
 				},
 			},
diff --git a/installer/pkg/components/ws-daemon/daemonset.go b/installer/pkg/components/ws-daemon/daemonset.go
@@ -32,7 +32,7 @@ func daemonset(ctx *common.RenderContext) ([]runtime.Object, error) {
 	initContainers := []corev1.Container{
 		{
 			Name:  "disable-kube-health-monitor",
-			Image: "ubuntu:20.04",
+			Image: common.ImageName(common.ThirdPartyContainerRepo(ctx.Config.Repository, common.DockerRegistryURL), "ubuntu", "20.04"),
 			Command: []string{
 				"/usr/bin/nsenter",
 				"-t",
@@ -281,7 +281,7 @@ fi
 					Privileged: pointer.Bool(true),
 				},
 			},
-			*common.KubeRBACProxyContainer(),
+			*common.KubeRBACProxyContainer(ctx),
 		},
 		RestartPolicy:                 "Always",
 		TerminationGracePeriodSeconds: pointer.Int64(30),
diff --git a/installer/pkg/components/ws-manager-bridge/deployment.go b/installer/pkg/components/ws-manager-bridge/deployment.go
@@ -121,7 +121,7 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
 								MountPath: "/ws-manager-client-tls-certs",
 								ReadOnly:  true,
 							}},
-						}, *common.KubeRBACProxyContainer()},
+						}, *common.KubeRBACProxyContainer(ctx)},
 					},
 				},
 			},
diff --git a/installer/pkg/components/ws-scheduler/deployment.go b/installer/pkg/components/ws-scheduler/deployment.go
@@ -96,7 +96,7 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
 							MountPath: "/ws-manager-client-tls-certs",
 							ReadOnly:  true,
 						}},
-					}, *common.KubeRBACProxyContainer()},
+					}, *common.KubeRBACProxyContainer(ctx)},
 				},
 			},
 		},

Original file line number	Diff line number	Diff line change
`@@ -264,10 +264,10 @@ func MessageBusWaiterContainer(ctx RenderContext) corev1.Container {`
`264`	`264`	`}`
`265`	`265`	`}`
`266`	`266`
`267`		`-func KubeRBACProxyContainer() *corev1.Container {`
	`267`	`+func KubeRBACProxyContainer(ctx RenderContext) corev1.Container {`
`268`	`268`	`return &corev1.Container{`
`269`	`269`	`Name: "kube-rbac-proxy",`
`270`		`- Image: "quay.io/brancz/kube-rbac-proxy:v0.11.0",`
	`270`	`+ Image: ImageName(ThirdPartyContainerRepo(ctx.Config.Repository, KubeRBACProxyRepo), KubeRBACProxyImage, KubeRBACProxyTag),`
`271`	`271`	`Args: []string{`
`272`	`272`	`"--v=5",`
`273`	`273`	`"--logtostderr",`