Merge pull request #164 from smarunich/cr-pull-secret

smarunich · web-flow · commit d8457c5bd876 · 2022-12-05T13:12:45.000-05:00
adding support for cr-pull-secret for wasm
diff --git a/infra/aws/outputs.tf b/infra/aws/outputs.tf
@@ -2,6 +2,15 @@ output "registry" {
   value = module.aws_base[0].registry
 }
 
+output "registry_username" {
+  value = module.aws_base[0].registry_username
+}
+
+output "registry_password" {
+  value = module.aws_base[0].registry_password
+  sensitive = true
+}
+
 output "public_ip" {
   value = module.aws_jumpbox[0].public_ip
 }
diff --git a/infra/azure/outputs.tf b/infra/azure/outputs.tf
@@ -2,6 +2,15 @@ output "registry" {
   value = module.azure_base[0].registry
 }
 
+output "registry_username" {
+  value = module.azure_base[0].registry_username
+}
+
+output "registry_password" {
+  value = module.azure_base[0].registry_password
+  sensitive = true
+}
+
 output "public_ip" {
   value = module.azure_jumpbox[0].public_ip
 }
diff --git a/infra/gcp/outputs.tf b/infra/gcp/outputs.tf
@@ -2,6 +2,15 @@ output "registry" {
   value = module.gcp_base[0].registry
 }
 
+output "registry_username" {
+  value = module.gcp_base[0].registry_username
+}
+
+output "registry_password" {
+  value = module.gcp_base[0].registry_password
+  sensitive = true
+}
+
 output "public_ip" {
   value = module.gcp_jumpbox[0].public_ip
 }
diff --git a/modules/aws/base/main.tf b/modules/aws/base/main.tf
@@ -85,3 +85,5 @@ resource "aws_ecr_repository" "tsb" {
   }
 }
 
+data "aws_ecr_authorization_token" "token" {
+}
diff --git a/modules/aws/base/outputs.tf b/modules/aws/base/outputs.tf
@@ -14,6 +14,14 @@ output "registry_id" {
   value = aws_ecr_repository.tsb.registry_id
 }
 
+output "registry_username" {
+  value = data.aws_ecr_authorization_token.token.user_name
+}
+
+output "registry_password" {
+  value = data.aws_ecr_authorization_token.token.password
+}
+
 output "cidr" {
   value = var.cidr
 }
diff --git a/modules/azure/base/outputs.tf b/modules/azure/base/outputs.tf
@@ -18,6 +18,9 @@ output "registry" {
   value = azurerm_container_registry.acr.login_server
 }
 
+output "registry_id" {
+  value = azurerm_container_registry.acr.id
+}
 output "registry_username" {
   value = azurerm_container_registry.acr.admin_username
 }
@@ -26,10 +29,6 @@ output "registry_password" {
   value = azurerm_container_registry.acr.admin_password
 }
 
-output "registry_id" {
-  value = azurerm_container_registry.acr.id
-}
-
 output "cidr" {
   value = var.cidr
 }
diff --git a/modules/gcp/base/main.tf b/modules/gcp/base/main.tf
@@ -91,3 +91,22 @@ resource "google_compute_firewall" "tsb" {
   }
 
 }
+
+resource "google_service_account" "gcr_pull" {
+  project = var.project_id
+  account_id = "${var.name_prefix}-gcr-pull"
+}
+resource "google_project_iam_member" "storage_viewer" {
+  project = var.project_id
+  role = "roles/storage.objectViewer"
+  member = "serviceAccount:${google_service_account.gcr_pull.email}"
+}
+resource "google_project_iam_member" "artifact_reader" {
+  project = var.project_id
+  role = "roles/artifactregistry.reader"
+  member = "serviceAccount:${google_service_account.gcr_pull.email}"
+}
+
+resource "google_service_account_key" "gcr_pull_key" {
+  service_account_id = google_service_account.gcr_pull.name
+}
diff --git a/modules/gcp/base/outputs.tf b/modules/gcp/base/outputs.tf
@@ -13,6 +13,13 @@ output "registry" {
   value = "gcr.io/${var.project_id}"
 }
 
+output "registry_username" {
+  value = "_json_key"
+}
+output "registry_password" {
+  value = base64decode(google_service_account_key.gcr_pull_key.private_key)
+}
+
 output "cidr" {
   value = var.cidr
 }
diff --git a/modules/tsb/cp/main.tf b/modules/tsb/cp/main.tf
@@ -121,6 +121,31 @@ resource "kubernetes_secret_v1" "cacerts" {
   type       = "kubernetes.io/generic"
   depends_on = [helm_release.controlplane]
 }
+
+resource "kubernetes_secret_v1" "cr_pull_secret" {
+  metadata {
+    name      = "cr-pull-secret"
+    namespace = "istio-system"
+    annotations = {
+      clustername = var.cluster_name
+    }
+  }
+
+  data = {
+    ".dockerconfigjson" = jsonencode({
+      auths = {
+        "${var.registry}" = {
+          "username" = var.registry_username
+          "password" = var.registry_password
+        }
+      }
+    })
+  }
+
+  type       = "kubernetes.io/dockerconfigjson"
+  depends_on = [helm_release.controlplane]
+}
+
 resource "helm_release" "dataplane" {
   name                = "dataplane"
   repository          = var.tsb_helm_repository
diff --git a/modules/tsb/cp/variables.tf b/modules/tsb/cp/variables.tf
@@ -72,7 +72,10 @@ variable "tsb_image_sync_apikey" {
 
 variable "registry" {
 }
-
+variable "registry_username" {
+}
+variable "registry_password" {
+}
 variable "es_host" {
 }
 
diff --git a/tsb/cp/main.tf b/tsb/cp/main.tf
@@ -53,6 +53,8 @@ module "tsb_cp" {
   jumpbox_username                = var.jumpbox_username
   jumpbox_pkey                    = data.terraform_remote_state.infra.outputs.pkey
   registry                        = data.terraform_remote_state.infra.outputs.registry
+  registry_username               = data.terraform_remote_state.infra.outputs.registry_username
+  registry_password               = data.terraform_remote_state.infra.outputs.registry_password
   cluster_name                    = data.terraform_remote_state.infra.outputs.cluster_name
   k8s_host                        = data.terraform_remote_state.infra.outputs.host
   k8s_cluster_ca_certificate      = data.terraform_remote_state.infra.outputs.cluster_ca_certificate

Original file line number	Diff line number	Diff line change
`@@ -85,3 +85,5 @@ resource "aws_ecr_repository" "tsb" {`
`85`	`85`	`}`
`86`	`86`	`}`
`87`	`87`
	`88`	`+data "aws_ecr_authorization_token" "token" {`
	`89`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,14 @@ output "registry_id" {`
`14`	`14`	`value = aws_ecr_repository.tsb.registry_id`
`15`	`15`	`}`
`16`	`16`
	`17`	`+output "registry_username" {`
	`18`	`+ value = data.aws_ecr_authorization_token.token.user_name`
	`19`	`+}`
	`20`	`+`
	`21`	`+output "registry_password" {`
	`22`	`+ value = data.aws_ecr_authorization_token.token.password`
	`23`	`+}`
	`24`	`+`
`17`	`25`	`output "cidr" {`
`18`	`26`	`value = var.cidr`
`19`	`27`	`}`
Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,9 @@ output "registry" {`
`18`	`18`	`value = azurerm_container_registry.acr.login_server`
`19`	`19`	`}`
`20`	`20`
	`21`	`+output "registry_id" {`
	`22`	`+ value = azurerm_container_registry.acr.id`
	`23`	`+}`
`21`	`24`	`output "registry_username" {`
`22`	`25`	`value = azurerm_container_registry.acr.admin_username`
`23`	`26`	`}`
`@@ -26,10 +29,6 @@ output "registry_password" {`
`26`	`29`	`value = azurerm_container_registry.acr.admin_password`
`27`	`30`	`}`
`28`	`31`
`29`		`-output "registry_id" {`
`30`		`- value = azurerm_container_registry.acr.id`
`31`		`-}`
`32`		`-`
`33`	`32`	`output "cidr" {`
`34`	`33`	`value = var.cidr`
`35`	`34`	`}`
Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,13 @@ output "registry" {`
`13`	`13`	`value = "gcr.io/${var.project_id}"`
`14`	`14`	`}`
`15`	`15`
	`16`	`+output "registry_username" {`
	`17`	`+ value = "_json_key"`
	`18`	`+}`
	`19`	`+output "registry_password" {`
	`20`	`+ value = base64decode(google_service_account_key.gcr_pull_key.private_key)`
	`21`	`+}`
	`22`	`+`
`16`	`23`	`output "cidr" {`
`17`	`24`	`value = var.cidr`
`18`	`25`	`}`
Original file line number	Diff line number	Diff line change
`@@ -72,7 +72,10 @@ variable "tsb_image_sync_apikey" {`
`72`	`72`
`73`	`73`	`variable "registry" {`
`74`	`74`	`}`
`75`		`-`
	`75`	`+variable "registry_username" {`
	`76`	`+}`
	`77`	`+variable "registry_password" {`
	`78`	`+}`
`76`	`79`	`variable "es_host" {`
`77`	`80`	`}`
`78`	`81`