I had the following discussion with openstack-helm guys on their IRC channel during their ‘office hours’.

 

Our plan is to write up a SPEC for this in openstack-helm.

 

[10:48:56]  <GregWaines> hey there ... general question on the topic of interworking with a Docker Registry with authentication turned on

[10:49:07]  <GregWaines> Has anyone looked at how to extend the helm-toolkit function to support docker registry credentials ?

[10:49:22]  <GregWaines> e.g. we were thinking of adding an optional imagePullSecret entry in the serviceAccount template ?

[10:49:31]  <GregWaines> Although don't understand how we could put this in an 'optional' manner ?

[10:49:37]  <GregWaines> Any thoughts ?

[11:30:29]  <srwilkers> hey GregWaines -- it could be handled as optional by wrapping that section of the template in a conditional.  we do that for other optional fields, like tolerations on daemonsets

[11:30:33]  <srwilkers> let me grab a link

[11:31:10]  <srwilkers> https://github.com/openstack/openstack-helm-infra/blob/master/fluent-logging/templates/daemonset-fluent-bit.yaml#L96-L98

[11:33:22]  <GregWaines> the other option we just experimented with ....

[11:33:49]  <GregWaines> if you ALWAYS put in the ImagePullSecret in the serviceAccount template ... with a well-known secret name

[11:34:18]  <GregWaines> then it appears that this STILL works with a Registry with noauth ....if the secret does not exist or even if the secret exists

[11:34:40]  <GregWaines> ... and then would also work with a Registry with auth turned on ... as long as the secret exists with the proper credentials

[11:35:08]  <GregWaines> would that be acceptable upstream ?

[11:35:37]  <GregWaines> i.e. would require no change to upstream operational model if using noauth Registry

[11:36:04]  <GregWaines> but if using a tokenAuth Registry ... would require that user first create that secret and then apply the helm charts

[11:51:18]  <GregWaines> srwilkers: we looked at doing something similar to your example .... but in the serviceAccount template, I think the only env variables that can be checked are from the specific helm chart ... and there really isn't a variable common across all helm charts that we could use

[11:55:59]  <srwilkers> GregWaines: well, this would require adding something common across all charts to take advantage of.  ideally, this would start small (ie, create a helm-toolkit function, then add it to a chart as a RFC upstream), then once proved out it could be rolled out across the rest of the charts

[11:56:10]  <srwilkers> preferably, something under the current images: key in the charts probably

[11:59:06]  <GregWaines> srwilkers: k, thanks for your input ... we'll probably work on suggesting something upstream in a SPEC in the near future

[11:59:26]  <srwilkers> i think that might be the best way forward GregWaines :)

[11:59:43]  <srwilkers> let me know when you're ready to throw a spec up and want some eyes on it

[12:47:25]  <GregWaines> srwilkers: will do.

 

Greg.
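
The conditional approach from the IRC discussion above, applied to a ServiceAccount template, as an added example that is not part of the original message and is not openstack-helm's own code. The values key `images.pull_secrets`, the ServiceAccount name and the secret name `registry-credentials` are hypothetical.

```yaml
# values.yaml (hypothetical key placed under the chart's existing images: section)
images:
  pull_secrets: []             # default: no-auth registry, nothing is rendered
  # pull_secrets:
  #   - registry-credentials   # name of a secret created before the chart is applied

---
# templates/serviceaccount.yaml (fragment, hypothetical)
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Release.Name }}-example
  namespace: {{ .Release.Namespace }}
{{- with .Values.images.pull_secrets }}
# Rendered only when at least one secret name is configured.
imagePullSecrets:
{{- range . }}
  - name: {{ . | quote }}
{{- end }}
{{- end }}
```

Only the secret's name appears in the chart values; the registry credentials themselves stay in a `kubernetes.io/dockerconfigjson` secret in the same namespace, so they are not stored in the chart or in the release's values.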

 

From: Jean-Philippe Evrard <jean-philippe@evrard.me>
Date: Tuesday, January 29, 2019 at 3:22 AM
To: Greg Waines <Greg.Waines@windriver.com>, "openstack-discuss@lists.openstack.org" <openstack-discuss@lists.openstack.org>
Cc: "Wang, Jing (Angie)" <Angie.Wang@windriver.com>
Subject: Re: [openstack-helm] Support for Docker Registry with authentication turned on ?

 

On Tue, 2019-01-22 at 12:35 +0000, Waines, Greg wrote:

Hey ... We’re relatively new to openstack-helm.

We are trying to use the openstack-helm charts with a Docker Registry that has token authentication turned on.

With the current charts, there does not seem to be a way to do this. I.e. there is not an ‘imagePullSecrets’ in the defined pods/containers or in the defined serviceAccounts.

Our thinking would be to add a default imagePullSecret to all of the serviceAccounts defined in the openstack-helm serviceaccount template.

OR is there another way to use openstack-helm charts with a Docker Registry with authentication turned on ?

Any info is appreciated,

Greg / Angie / Jerry.

 

Hello,

 

Did you get an answer there?

 

Could you post it to the ML, please?

 

Regards,

Jean-Philippe Evrard (evrardjp)