Add support for imagePullSecrets

Since we support custom image prefixes, we should also support imagePullSecrets since they are likely to be in a private registry. This also updates some nearby documentation which was out of date. Change-Id: Id43382284a9adde877e2383644a31bda24030b2b
2021-10-01 15:26:35 -07:00 · 2021-10-01 15:26:35 -07:00 · fe827fbeb0
commit fe827fbeb0
parent d65ebc6bff
6 changed files with 36 additions and 4 deletions
--- a/doc/source/index.rst
+++ b/doc/source/index.rst
@ -232,6 +232,13 @@ verbatim):
   apiVersion: zuul-ci.org/v1alpha2
   kind: Zuul
   spec:
+     imagePrefix: docker.io/zuul
+     imagePullSecrets:
+       - name: my-docker-secret
+     zuulImageVersion: latest
+     zuulPreviewImageVersion: latest
+     zuulRegistryImageVersion: latest
+     nodepoolImageVersion: latest
     database:
       secretName: mariadbSecret
     zookeeper:
@ -288,6 +295,17 @@ verbatim):
         (``zuul-executor``, etc).  However, changing the prefix will
         allow you to use custom images or private registries.

+      .. attr:: imagePullSecrets
+         :type: list
+         :default: []
+
+         If supplied, this value is passed through to Kubernetes.  It
+         should be a list of secrets.
+
+         .. attr:: name
+
+            The name of the image pull secret.
+
      .. attr:: zuulImageVersion
         :default: latest

@ -298,6 +316,11 @@ verbatim):

         The image tag to append to the Zuul Preview images.

+      .. attr:: zuulRegistryImageVersion
+         :default: latest
+
+         The image tag to append to the Zuul Registry images.
+
      .. attr:: nodepoolImageVersion
         :default: latest

--- a/zuul_operator/operator.py
+++ b/zuul_operator/operator.py
@ -146,11 +146,11 @@ def update_fn(name, namespace, logger, old, new, memo, **kwargs):
    if new.get('connections') != old.get('connections'):
        logger.info("Connections changed")
        conf_changed = True
-    if new.get('imagePrefix') != old.get('imagePrefix'):
-        logger.info("Image prefix changed")
-        spec_changed = True
    for key in ['executor', 'merger', 'scheduler', 'registry',
-                'launcher', 'connections', 'externalConfig']:
+                'launcher', 'connections', 'externalConfig',
+                'imagePrefix', 'imagePullSecrets', 'zuulImageVersion',
+                'zuulPreviewImageVersion', 'zuulRegistryImageVersion',
+                'nodepoolImageVersion']:
        if new.get(key) != old.get(key):
            logger.info(f"{key} changed")
            spec_changed = True
--- a/zuul_operator/templates/nodepool-launcher.yaml
+++ b/zuul_operator/templates/nodepool-launcher.yaml
@ -27,6 +27,7 @@ spec:
        app.kubernetes.io/component: nodepool-launcher
        operator.zuul-ci.org/nodepool-provider: {{ provider_name }}
    spec:
+      imagePullSecrets: {{ spec.imagePullSecrets }}
      containers:
      - name: launcher
        image: {{ spec.imagePrefix }}/nodepool-launcher:{{ spec.nodepoolImageVersion }}
--- a/zuul_operator/templates/zuul-registry.yaml
+++ b/zuul_operator/templates/zuul-registry.yaml
@ -71,6 +71,7 @@ spec:
        app.kubernetes.io/part-of: zuul
        app.kubernetes.io/component: zuul-registry
    spec:
+      imagePullSecrets: {{ spec.imagePullSecrets }}
      containers:
      - name: registry
        image: {{ spec.imagePrefix }}/zuul-registry:{{ spec.zuulImageVersion }}
--- a/zuul_operator/templates/zuul.yaml
+++ b/zuul_operator/templates/zuul.yaml
@ -140,6 +140,7 @@ spec:
      annotations:
        zuulConfSha: "{{ zuul_conf_sha }}"
    spec:
+      imagePullSecrets: {{ spec.imagePullSecrets }}
      containers:
      - name: scheduler
        image: {{ spec.imagePrefix }}/zuul-scheduler:{{ spec.zuulImageVersion }}
@ -221,6 +222,7 @@ spec:
      annotations:
        zuulConfSha: "{{ zuul_conf_sha }}"
    spec:
+      imagePullSecrets: {{ spec.imagePullSecrets }}
      containers:
      - name: web
        image: {{ spec.imagePrefix }}/zuul-web:{{ spec.zuulImageVersion }}
@ -269,6 +271,7 @@ spec:
      annotations:
        zuulConfSha: "{{ zuul_conf_sha }}"
    spec:
+      imagePullSecrets: {{ spec.imagePullSecrets }}
      containers:
      - name: fingergw
        image: {{ spec.imagePrefix }}/zuul-fingergw:{{ spec.zuulImageVersion }}
@ -318,6 +321,7 @@ spec:
      annotations:
        zuulConfSha: "{{ zuul_conf_sha }}"
    spec:
+      imagePullSecrets: {{ spec.imagePullSecrets }}
      securityContext:
        runAsUser: 10001
        runAsGroup: 10001
@ -415,6 +419,7 @@ spec:
      annotations:
        zuulConfSha: "{{ zuul_conf_sha }}"
    spec:
+      imagePullSecrets: {{ spec.imagePullSecrets }}
      securityContext:
        runAsUser: 10001
        runAsGroup: 10001
@ -502,6 +507,7 @@ spec:
        app.kubernetes.io/part-of: zuul
        app.kubernetes.io/component: zuul-preview
    spec:
+      imagePullSecrets: {{ spec.imagePullSecrets }}
      containers:
      - name: preview
        image: {{ spec.imagePrefix }}/zuul-preview:{{ spec.zuulPreviewImageVersion }}
--- a/zuul_operator/zuul.py
+++ b/zuul_operator/zuul.py
@ -83,6 +83,7 @@ class Zuul:
        registry_tls.setdefault('secretName', 'zuul-registry-tls')

        self.spec.setdefault('imagePrefix', 'docker.io/zuul')
+        self.spec.setdefault('imagePullSecrets', [])
        self.spec.setdefault('zuulImageVersion', 'latest')
        self.spec.setdefault('zuulPreviewImageVersion', 'latest')
        self.spec.setdefault('zuulRegistryImageVersion', 'latest')