Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backport of [NET-10985] Fix bug where imagePullSecrets were not set up for Gateways into release/1.3.x #4372

Merged
merged 1 commit into from
Oct 3, 2024
Merged

Backport of [NET-10985] Fix bug where imagePullSecrets were not set up for Gateways into release/1.3.x #4372

merged 1 commit into from
Oct 3, 2024

Conversation

hc-github-team-consul-core
Copy link

@hc-github-team-consul-core hc-github-team-consul-core commented Sep 27, 2024
edited by nathancoleman
Loading

Backport

This PR is auto-generated from #4316 to be assessed for backporting due to the inclusion of the label backport/1.3.x.

The below text is copied from the body of the original PR.

Fixes #4312

Note

In order for the pull secrets to work for a Gateway, they must be available in any namespace that a Gateway is deployed to. This is already the case with injected mesh sidecars if you, for example, consume consul-dataplane from a private image registry, so I have not made any special accomadations for Gateways.

Changes proposed in this PR

Plumb global.imagePullSecrets onto the ServiceAccount created for each Gateway

How I've tested this PR

  1. Created a private registry on DockerHub for consul-dataplane, which is used by the gateway's Deployment

    docker pull hashicorp/consul-dataplane:1.5.3
docker tag hashicorp/consul-dataplane:1.5.3 <your_dockerhub_username>/consul-dataplane:1.5.3
docker login
docker push <your_dockerhub_username>/consul-dataplane:1.5.3

  2. Created an image pull secret for DockerHub in my K8s cluster

  3. Set global.imageConsulDataplane to the private registry version

  4. Install using this version of the Helm chart and this build of consul-k8s-control-plane

    values.yaml 
    global:
  name: consul
  datacenter: dc1
  imageConsulDataplane: docker.io/<your_dockerhub_username>/consul-dataplane:1.5.3
  imageK8S: consul-k8s-control-plane:local
  imagePullSecrets:
  - name: regcred
  tls:
    enabled: true
    enableAutoEncrypt: true
  acls:
    manageSystemACLs: true
connectInject:
  enabled: true
    kind create cluster
make dev-docker && kind load docker-image consul-k8s-control-plane:local
helm upgrade --install consul /path/to/consul-k8s/charts/consul --namespace consul --create-namespace --values ./values.yaml

How I expect reviewers to test this PR

See above

Checklist

Overview of commits

@hashicorp-cla-app HashiCorp CLA App
Copy link

hashicorp-cla-app bot commented Sep 27, 2024
edited
Loading

CLA assistant check
All committers have signed the CLA.

@hashicorp-cla-app HashiCorp CLA App
Copy link

CLA assistant check

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes

temp seems not to be a GitHub user.
You need a GitHub account to be able to sign the CLA.
If you have already a GitHub account, please add the email address used for this commit to your account.

Have you signed the CLA already but the status is still pending? Recheck it.

@nathancoleman @blake
[NET-10985] Fix bug where imagePullSecrets were not set up for Gatewa…
cbe68bf 
…ys (#4316)

* Plumb global.imagePullSecrets through to Gateway's ServiceAccount

Since pull secrets are a list of structured objects that cannot easily be passed as a flag value to the container, this approach uses a JSON config file that is created as a ConfigMap and then mounted into the connect-injector Pod and parsed on startup.

* Leave camp cleaner than I found it

* Make path to config file configurable

* Add changelog entry

* Add note to changelog entry

* Ensure ServiceAccount is created if any image pull secrets are provided

* Add test coverage for image pull secret inclusion on gateway ServiceAccount

* Adjust note in changelog

* Add a helpful comment explaining when/why we create a ServiceAccount

* Update .changelog/4316.txt

Co-authored-by: Blake Covarrubias <[email protected]>

* Return ServiceAccount name when image pull secrets warrant it

* Improve unit tests to assert presence of ServiceAccount name on Deployment

* Copy helpful comment added elsewhere

---------

Co-authored-by: Blake Covarrubias <[email protected]>
@nathancoleman nathancoleman force-pushed the backport/gateway-image-pull-secrets/vertically-communal-shiner branch from e3f9ec3 to cbe68bf Compare October 2, 2024 17:18
@nathancoleman nathancoleman marked this pull request as ready for review October 2, 2024 17:20
@nathancoleman nathancoleman merged commit fa5e492 into release/1.3.x Oct 3, 2024
49 of 50 checks passed
@nathancoleman nathancoleman deleted the backport/gateway-image-pull-secrets/vertically-communal-shiner branch October 3, 2024 16:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nathancoleman nathancoleman nathancoleman approved these changes

Assignees

@nathancoleman nathancoleman

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@hc-github-team-consul-core @nathancoleman