diff --git a/install/kots/manifests/gitpod-installer-job.yaml b/install/kots/manifests/gitpod-installer-job.yaml
index 43219a6d7678db..b76de980f967f3 100644
--- a/install/kots/manifests/gitpod-installer-job.yaml
+++ b/install/kots/manifests/gitpod-installer-job.yaml
@@ -146,18 +146,36 @@ spec: then echo "Gitpod: configuring mirrored container registry" - yq e -i ".containerRegistry.inCluster = false" "${CONFIG_FILE}" - yq e -i ".containerRegistry.external.url = \"{{repl LocalRegistryAddress }}\"" "${CONFIG_FILE}" - yq e -i ".containerRegistry.external.certificate.kind = \"secret\"" "${CONFIG_FILE}" - yq e -i ".containerRegistry.external.certificate.name = \"{{repl ImagePullSecretName }}\"" "${CONFIG_FILE}" yq e -i ".repository = \"{{repl LocalRegistryAddress }}\"" "${CONFIG_FILE}" yq e -i ".imagePullSecrets[0].kind = \"secret\"" "${CONFIG_FILE}" yq e -i ".imagePullSecrets[0].name = \"{{repl ImagePullSecretName }}\"" "${CONFIG_FILE}" yq e -i '.dropImageRepo = true' "${CONFIG_FILE}" - elif [ '{{repl ConfigOptionEquals "reg_incluster" "0" }}' = "true" ]; + fi + + # Output the local registry secret - this is proxy.replicated.com if user hasn't set their own + echo "{{repl LocalRegistryImagePullSecret }}" | base64 -d > /tmp/kotsregistry.json + + # Add the registries to the server allowlist + yq e -i ".experimental.webApp.server.defaultBaseImageRegistryWhitelist += $(cat /tmp/kotsregistry.json | jq '.auths' | jq -rc 'keys')" "${CONFIG_FILE}" + + if [ '{{repl ConfigOptionEquals "reg_incluster" "0" }}' = "true" ]; then echo "Gitpod: configuring external container registry" + # Create a container-registry secret merging the external registry and KOTS registry keys + echo '{{repl printf "{\"auths\": {\"%s\": {\"username\": \"%s\", \"password\": %s, \"auth\": \"%s\"}}}" (ConfigOption "reg_server" | default (ConfigOption "reg_url")) (ConfigOption "reg_username") (ConfigOption "reg_password" | toJson) (printf "%s:%s" (ConfigOption "reg_username") (ConfigOption "reg_password") | Base64Encode) }}' \ + | yq -o=json '.' 
- \ + > /tmp/gitpodregistry.json + + cat /tmp/kotsregistry.json /tmp/gitpodregistry.json | jq -s '.[0] * .[1]' - - > /tmp/container-registry-secret + + echo "Gitpod: create the container-registry secret" + kubectl create secret docker-registry container-registry \ + --namespace "{{repl Namespace }}" \ + --from-file=.dockerconfigjson=/tmp/container-registry-secret \ + -o yaml --dry-run=client | \ + kubectl replace --namespace "{{repl Namespace }}" --force -f - + yq e -i ".containerRegistry.inCluster = false" "${CONFIG_FILE}" yq e -i ".containerRegistry.external.url = \"{{repl ConfigOption "reg_url" }}\"" "${CONFIG_FILE}" yq e -i ".containerRegistry.external.certificate.kind = \"secret\"" "${CONFIG_FILE}"
@@ -273,6 +291,23 @@ spec: 'del(select(.kind == "StatefulSet" and .metadata.name == "openvsx-proxy").status)' \ "${GITPOD_OBJECTS}/templates/gitpod.yaml" + if [ '{{repl ConfigOptionEquals "reg_incluster" "1" }}' = "true" ]; + then + echo "Gitpod: Add the local registry secret to the in-cluster registry secret" + + # Get the in-cluster registry secret + yq eval-all '(select(.kind == "Secret" and .metadata.name == "builtin-registry-auth") | .data.".dockerconfigjson")' \ + "${GITPOD_OBJECTS}/templates/gitpod.yaml" \ + | base64 -d \ + > /tmp/gitpodregistry.json + + export REGISTRY_SECRET=$(cat /tmp/kotsregistry.json /tmp/gitpodregistry.json | jq -s '.[0] * .[1]' - - | base64 -w 0) + + echo "Gitpod: update the in-cluster registry secret" + yq eval-all --inplace '(select(.kind == "Secret" and .metadata.name == "builtin-registry-auth") | .data.".dockerconfigjson") |= env(REGISTRY_SECRET)' \ + "${GITPOD_OBJECTS}/templates/gitpod.yaml" + fi + echo "Gitpod: Escape any Golang template values" sed -i -r 's/(.*\{\{.*)/{{`\1`}}/' "${GITPOD_OBJECTS}/templates/gitpod.yaml"
diff --git a/install/kots/manifests/gitpod-registry-secret.yaml b/install/kots/manifests/gitpod-registry-secret.yaml
deleted file mode 100644
index 121f940ce6be5a..00000000000000
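Review bot: The JSON built by the `echo '{{repl printf ...}}'` line only JSON-encodes the password; `reg_username` and `reg_server`/`reg_url` are interpolated raw into `\"%s\"`, so a value containing a double quote or backslash yields invalid JSON and the following `yq -o=json` / `jq -s` merge fails at install time rather than at config validation. Passing those through the same `toJson` filter and dropping the surrounding `\"` (e.g. `{\"auths\": {%s: {\"username\": %s, ...` with `(ConfigOption "reg_server" | default (ConfigOption "reg_url") | toJson)` and `(ConfigOption "reg_username" | toJson)`) keeps the three fields consistent. The merged credentials also land in `/tmp/kotsregistry.json`, `/tmp/gitpodregistry.json` and `/tmp/container-registry-secret` and are never removed; an `rm -f` after the `kubectl replace` (or a `trap ... EXIT`) limits how long they sit on disk in the job container. The `$(cat /tmp/kotsregistry.json | jq '.auths' | jq -rc 'keys')` substitution has no failure check, so a malformed or empty `LocalRegistryImagePullSecret` leaves the `yq` expression with a dangling `+=` — worth a guard unless the script runs under `set -e`, which is outside this hunk. The enclosing shell script starts and ends outside the hunk.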
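Review bot: `export REGISTRY_SECRET=$(... | jq -s '.[0] * .[1]' - - | base64 -w 0)` discards the pipeline's exit status, so if `builtin-registry-auth` is not present in `gitpod.yaml` (the `yq eval-all` select emits nothing, `base64 -d` outputs nothing and `jq` presumably fails on a null `.[1]`) the variable is likely empty and the following `yq eval-all --inplace` overwrites `.data.".dockerconfigjson"` with that empty value instead of aborting. Assign first and check: `REGISTRY_SECRET=$(...)` / `[ -n "${REGISTRY_SECRET}" ] || { echo "Gitpod: failed to merge registry secrets"; exit 1; }` / `export REGISTRY_SECRET`. Also consider `strenv(REGISTRY_SECRET)` instead of `env(REGISTRY_SECRET)` here, since yq v4's `env()` parses the value as YAML while this field must stay a plain string. As in the first hunk, the decoded in-cluster credentials are written to `/tmp/gitpodregistry.json` and not removed afterwards. The enclosing script starts and ends outside the hunk.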
--- a/install/kots/manifests/gitpod-registry-secret.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-# Copyright (c) 2022 Gitpod GmbH. All rights reserved.
-# Licensed under the MIT License. See License-MIT.txt in the project root for license information.
-
-apiVersion: v1
-kind: Secret
-metadata:
- name: container-registry
- annotations:
- kots.io/when: '{{repl and (eq HasLocalRegistry false) (ConfigOptionEquals "reg_incluster" "0") }}'
-type: kubernetes.io/dockerconfigjson
-data:
- .dockerconfigjson: '{{repl printf "{\"auths\": {\"%s\": {\"username\": \"%s\", \"password\": %s, \"auth\": \"%s\"}}}" (ConfigOption "reg_server" | default (ConfigOption "reg_url")) (ConfigOption "reg_username") (ConfigOption "reg_password" | toJson) (printf "%s:%s" (ConfigOption "reg_username") (ConfigOption "reg_password") | Base64Encode) | Base64Encode }}'
diff --git a/install/kots/manifests/kots-config.yaml b/install/kots/manifests/kots-config.yaml
index 9e0116115af863..1d69bd529d3cd9 100644
--- a/install/kots/manifests/kots-config.yaml
+++ b/install/kots/manifests/kots-config.yaml
@@ -28,7 +28,6 @@ spec: - name: reg_incluster title: Use in-cluster container registry type: bool - when: '{{repl eq HasLocalRegistry false }}' default: "1" help_text: You may either use an in-cluster container registry or configure your own external container registry for better performance. This container registry must be accessible from your Kubernetes cluster. recommended: false
@@ -85,27 +84,27 @@ spec: - name: reg_url title: Container registry URL type: text - when: '{{repl and (eq HasLocalRegistry false) (ConfigOptionEquals "reg_incluster" "0") }}' + when: '{{repl ConfigOptionEquals "reg_incluster" "0" }}' required: true help_text: The container registry URL. This will usually be the fully qualified domain of your registry. - name: reg_server title: Container registry server type: text - when: '{{repl and (eq HasLocalRegistry false) (ConfigOptionEquals "reg_incluster" "0") }}' + when: '{{repl ConfigOptionEquals "reg_incluster" "0" }}' help_text: The container registry server. This is used when [generating your credentials](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-secret-by-providing-credentials-on-the-command-line). Depending upon your provider, this may or may not be the same as the registry URL. If not specified, the URL will be used. - name: reg_username title: Container registry username type: text - when: '{{repl and (eq HasLocalRegistry false) (ConfigOptionEquals "reg_incluster" "0") }}' + when: '{{repl ConfigOptionEquals "reg_incluster" "0" }}' required: true help_text: The username for your container registry. - name: reg_password title: Container registry password type: password - when: '{{repl and (eq HasLocalRegistry false) (ConfigOptionEquals "reg_incluster" "0") }}' + when: '{{repl ConfigOptionEquals "reg_incluster" "0" }}' required: true help_text: The password for your container registry.