Backport of [NET-10985] Fix bug where imagePullSecrets were not set up for Gateways into release/1.4.x #4373

@hc-github-team-consul-core hc-github-team-consul-core commented Sep 27, 2024

Backport

This PR is auto-generated from #4316 to be assessed for backporting due to the inclusion of the label backport/1.4.x.

The below text is copied from the body of the original PR.


Fixes #4312

Note

In order for the pull secrets to work for a Gateway, they must be available in any namespace that a Gateway is deployed to. This is already the case with injected mesh sidecars if you, for example, consume consul-dataplane from a private image registry, so I have not made any special accommodations for Gateways.

Changes proposed in this PR

Plumb global.imagePullSecrets onto the ServiceAccount created for each Gateway

How I've tested this PR

  1. Created a private registry on DockerHub for consul-dataplane, which is used by the gateway's Deployment

    docker pull hashicorp/consul-dataplane:1.5.3
    docker tag hashicorp/consul-dataplane:1.5.3 <your_dockerhub_username>/consul-dataplane:1.5.3
    docker login
    docker push <your_dockerhub_username>/consul-dataplane:1.5.3

  2. Created an image pull secret for DockerHub in my K8s cluster

  3. Set global.imageConsulDataplane to the private registry version

  4. Install using this version of the Helm chart and this build of consul-k8s-control-plane

  values.yaml:

    global:
      name: consul
      datacenter: dc1
      imageConsulDataplane: docker.io/<your_dockerhub_username>/consul-dataplane:1.5.3
      imageK8S: consul-k8s-control-plane:local
      imagePullSecrets:
      - name: regcred
      tls:
        enabled: true
        enableAutoEncrypt: true
      acls:
        manageSystemACLs: true
    connectInject:
      enabled: true

  Commands:

    kind create cluster
    make dev-docker && kind load docker-image consul-k8s-control-plane:local
    helm upgrade --install consul /path/to/consul-k8s/charts/consul --namespace consul --create-namespace --values ./values.yaml

How I expect reviewers to test this PR

See above

Checklist


Overview of commits


hashicorp-cla-app bot commented Sep 27, 2024

CLA assistant check
All committers have signed the CLA.


…ys (#4316)

* Plumb global.imagePullSecrets through to Gateway's ServiceAccount

Since pull secrets are a list of structured objects that cannot easily be passed as a flag value to the container, this approach uses a JSON config file that is created as a ConfigMap and then mounted into the connect-injector Pod and parsed on startup.

* Leave camp cleaner than I found it

* Make path to config file configurable

* Add changelog entry

* Add note to changelog entry

* Ensure ServiceAccount is created if any image pull secrets are provided

* Add test coverage for image pull secret inclusion on gateway ServiceAccount

* Adjust note in changelog

* Add a helpful comment explaining when/why we create a ServiceAccount

* Update .changelog/4316.txt

Co-authored-by: Blake Covarrubias <blake@covarrubi.as>

* Return ServiceAccount name when image pull secrets warrant it

* Improve unit tests to assert presence of ServiceAccount name on Deployment

* Copy helpful comment added elsewhere

---------

Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
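
The note in the PR description says the pull secrets must be available in every namespace a Gateway is deployed to, since the Gateway's ServiceAccount only references them by name. The Python check below is an added example, not code from consul-k8s: it takes the `items` of a Kubernetes object list and reports ServiceAccounts whose `imagePullSecrets` cannot be resolved in their own namespace. All namespaces and object names in the sample are constructed.

```python
# Secret types that Kubernetes accepts as registry credentials.
REGISTRY_SECRET_TYPES = {"kubernetes.io/dockerconfigjson", "kubernetes.io/dockercfg"}


def unresolved_pull_secrets(items):
    """Return sorted (namespace, serviceaccount, secret, reason) tuples for every
    imagePullSecrets reference that is unusable in the ServiceAccount's namespace."""
    secret_types = {}
    for obj in items:
        if obj.get("kind") == "Secret":
            meta = obj["metadata"]
            secret_types[(meta["namespace"], meta["name"])] = obj.get("type", "Opaque")

    findings = []
    for obj in items:
        if obj.get("kind") != "ServiceAccount":
            continue
        meta = obj["metadata"]
        for ref in obj.get("imagePullSecrets") or []:
            # A pull secret is looked up only in the ServiceAccount's own namespace.
            found = secret_types.get((meta["namespace"], ref["name"]))
            if found is None:
                reason = "secret missing in namespace"
            elif found not in REGISTRY_SECRET_TYPES:
                reason = "secret type " + found + " is not a registry credential"
            else:
                continue
            findings.append((meta["namespace"], meta["name"], ref["name"], reason))
    return sorted(findings)


def _sa(ns, name, *secrets):
    return {"kind": "ServiceAccount", "metadata": {"namespace": ns, "name": name},
            "imagePullSecrets": [{"name": s} for s in secrets]}


def _secret(ns, name, type_):
    return {"kind": "Secret", "metadata": {"namespace": ns, "name": name}, "type": type_}


# Constructed sample: "regcred" exists as a registry secret only in "consul".
SAMPLE_ITEMS = [
    _secret("consul", "regcred", "kubernetes.io/dockerconfigjson"),
    _sa("consul", "consul-connect-injector", "regcred"),
    _sa("team-a", "api-gateway", "regcred"),   # no secret in team-a
    _secret("team-b", "regcred", "Opaque"),    # wrong secret type
    _sa("team-b", "api-gateway", "regcred"),
]

if __name__ == "__main__":
    for finding in unresolved_pull_secrets(SAMPLE_ITEMS):
        print(*finding, sep="\t")
```

Against a live cluster, pass the `items` array from `kubectl get serviceaccounts,secrets --all-namespaces -o json`. That command returns secret contents, so run it with an account that is already permitted to read them and do not store the output.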
@nathancoleman nathancoleman force-pushed the backport/gateway-image-pull-secrets/uniformly-bold-firefly branch from fa22ca5 to 20dd671 Compare October 2, 2024 17:22
@nathancoleman nathancoleman marked this pull request as ready for review October 2, 2024 17:23
@nathancoleman nathancoleman merged commit e7e743a into release/1.4.x Oct 3, 2024
49 of 50 checks passed
@nathancoleman nathancoleman deleted the backport/gateway-image-pull-secrets/uniformly-bold-firefly branch October 3, 2024 15:56