[kots] Allow multiple docker pull secrets

Author: corneliusludmann

install/kots/manifests/gitpod-installer-job.yaml

@@ -146,22 +146,18 @@ spec:
               then
                 echo "Gitpod: configuring mirrored container registry"
 
-                yq e -i ".containerRegistry.inCluster = false" "${CONFIG_FILE}"
-                yq e -i ".containerRegistry.external.url = \"{{repl LocalRegistryAddress }}\"" "${CONFIG_FILE}"
-                yq e -i ".containerRegistry.external.certificate.kind = \"secret\"" "${CONFIG_FILE}"
-                yq e -i ".containerRegistry.external.certificate.name = \"{{repl ImagePullSecretName }}\"" "${CONFIG_FILE}"
                 yq e -i ".repository = \"{{repl LocalRegistryAddress }}\"" "${CONFIG_FILE}"
                 yq e -i ".imagePullSecrets[0].kind = \"secret\"" "${CONFIG_FILE}"
                 yq e -i ".imagePullSecrets[0].name = \"{{repl ImagePullSecretName }}\"" "${CONFIG_FILE}"
                 yq e -i '.dropImageRepo = true' "${CONFIG_FILE}"
-              elif [ '{{repl ConfigOptionEquals "reg_incluster" "0" }}' = "true" ];
+              fi
+
+              if [ '{{repl ConfigOptionEquals "reg_incluster" "0" }}' = "true" ];
               then
                 echo "Gitpod: configuring external container registry"
 
                 yq e -i ".containerRegistry.inCluster = false" "${CONFIG_FILE}"
                 yq e -i ".containerRegistry.external.url = \"{{repl ConfigOption "reg_url" }}\"" "${CONFIG_FILE}"
-                yq e -i ".containerRegistry.external.certificate.kind = \"secret\"" "${CONFIG_FILE}"
-                yq e -i ".containerRegistry.external.certificate.name = \"container-registry\"" "${CONFIG_FILE}"
               else
                 if [ '{{repl ConfigOptionEquals "reg_incluster_storage" "s3" }}' = "true" ];
                 then
@@ -174,6 +170,9 @@ spec:
                   yq e -i ".containerRegistry.s3storage.certificate.name = \"container-registry-s3-backend\"" "${CONFIG_FILE}"
                 fi
               fi
+              # merged-registry-auths will be created below
+              yq e -i ".containerRegistry.external.certificate.kind = \"secret\"" "${CONFIG_FILE}"
+              yq e -i ".containerRegistry.external.certificate.name = \"merged-registry-auths\"" "${CONFIG_FILE}"
 
               if [ '{{repl ConfigOptionNotEquals "store_provider" "incluster" }}' = "true" ];
               then
@@ -273,6 +272,26 @@ spec:
                 'del(select(.kind == "StatefulSet" and .metadata.name == "openvsx-proxy").status)' \
                 "${GITPOD_OBJECTS}/templates/gitpod.yaml"
 
+              # Merge different docker pull secrets into one secret
+              if [ '{{repl HasLocalRegistry }}' = "true" ];
+              then
+                kubectl get secret "{{repl ImagePullSecretName }}" -o=jsonpath="{.data['\.dockerconfigjson']}" | base64 -d | yq -P - > registry-auth-airgap.yaml
+              fi
+              if [ '{{repl ConfigOptionEquals "reg_incluster" "0" }}' = "true" ];
+              then
+                kubectl get secret "container-registry" -o=jsonpath="{.data['\.dockerconfigjson']}" | base64 -d | yq -P - > registry-auth-external.yaml
+              else
+                yq eval 'select(.kind == "Secret" and .metadata.name == "builtin-registry-auth").data.".dockerconfigjson"' \
+                  "${GITPOD_OBJECTS}/templates/gitpod.yaml" | base64 -d | yq -P - > registry-auth-builtin.yaml
+              fi
+              # merge all files together (https://mikefarah.gitbook.io/yq/operators/reduce#merge-all-yaml-files-together)
+              yq -o=json eval-all '. as $item ireduce ({}; . * $item )' registry-auth-*.yaml > merged-registry-auths.yaml
+              # create secret and update if exists (https://stackoverflow.com/a/45881259/1364435)
+              kubectl create secret generic merged-registry-auths \
+                --save-config --dry-run=client \
+                --from-file=.dockerconfigjson=./merged-registry-auths.yaml \
+                -o yaml > "${GITPOD_OBJECTS}/templates/merged-registry-auths.yaml"
+
               echo "Gitpod: Escape any Golang template values"
               sed -i -r 's/(.*\{\{.*)/{{`\1`}}/' "${GITPOD_OBJECTS}/templates/gitpod.yaml"
 

install/kots/manifests/kots-config.yaml

@@ -28,7 +28,6 @@ spec:
         - name: reg_incluster
           title: Use in-cluster container registry
           type: bool
-          when: '{{repl eq HasLocalRegistry false }}'
           default: "1"
           help_text: You may either use an in-cluster container registry or configure your own external container registry for better performance. This container registry must be accessible from your Kubernetes cluster.
           recommended: false
@@ -85,27 +84,27 @@ spec:
         - name: reg_url
           title: Container registry URL
           type: text
-          when: '{{repl and (eq HasLocalRegistry false) (ConfigOptionEquals "reg_incluster" "0") }}'
+          when: '{{repl (ConfigOptionEquals "reg_incluster" "0") }}'
           required: true
           help_text: The container registry URL. This will usually be the fully qualified domain of your registry.
 
         - name: reg_server
           title: Container registry server
           type: text
-          when: '{{repl and (eq HasLocalRegistry false) (ConfigOptionEquals "reg_incluster" "0") }}'
+          when: '{{repl (ConfigOptionEquals "reg_incluster" "0") }}'
           help_text: The container registry server. This is used when [generating your credentials](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-secret-by-providing-credentials-on-the-command-line). Depending upon your provider, this may or may not be the same as the registry URL. If not specified, the URL will be used.
 
         - name: reg_username
           title: Container registry username
           type: text
-          when: '{{repl and (eq HasLocalRegistry false) (ConfigOptionEquals "reg_incluster" "0") }}'
+          when: '{{repl (ConfigOptionEquals "reg_incluster" "0") }}'
           required: true
           help_text: The username for your container registry.
 
         - name: reg_password
           title: Container registry password
           type: password
-          when: '{{repl and (eq HasLocalRegistry false) (ConfigOptionEquals "reg_incluster" "0") }}'
+          when: '{{repl (ConfigOptionEquals "reg_incluster" "0") }}'
           required: true
           help_text: The password for your container registry.