Use Swarm default registry creds (manage-images) and configurations.yml placeholders

Made-with: Cursor
2026-03-20 10:22:05 +01:00
parent 4ef10ffc20
commit e2d50d8d16
5 changed files with 59 additions and 28 deletions
--- a/gitops/charts/onelab/templates/_helpers.tpl
+++ b/gitops/charts/onelab/templates/_helpers.tpl
@@ -23,3 +23,11 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}

+{{- define "onelab.dockerconfigjson" -}}
+{{- $server := .Values.registry.server -}}
+{{- $user := .Values.registry.username -}}
+{{- $pass := .Values.registry.password -}}
+{{- $auth := printf "%s:%s" $user $pass | b64enc -}}
+{{- $entry := dict "username" $user "password" $pass "auth" $auth -}}
+{{- dict "auths" (dict $server $entry) | toJson -}}
+{{- end }}
--- a/gitops/charts/onelab/templates/secret-registry.yaml
+++ b/gitops/charts/onelab/templates/secret-registry.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.registry.createPullSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.registry.pullSecretName }}
+  labels:
+    {{- include "onelab.labels" . | nindent 4 }}
+  annotations:
+    argocd.argoproj.io/sync-wave: {{ .Values.syncWaves.registry | quote }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ include "onelab.dockerconfigjson" . | b64enc }}
+{{- end }}
--- a/gitops/charts/onelab/values.yaml
+++ b/gitops/charts/onelab/values.yaml
@@ -18,6 +18,14 @@ images:
 imagePullSecrets: []
 # - name: hub-andrewalliance

+# Same defaults as app/playbooks/tasks/manage-images.yml (docker login before pull).
+registry:
+  createPullSecret: false
+  pullSecretName: hub-andrewalliance
+  server: hub.andrewalliance.com
+  username: public
+  password: Andrew01..Release
+
 # hostPath: matches typical single-node Swarm-style install (shared /data and /logs).
 # Use persistence.mode: pvc + a ReadWriteMany class for multi-node shared storage.
 persistence:
@@ -33,7 +41,7 @@ persistence:

 postgresql:
  auth:
-    password: "changeme-use-strong-password"
+    password: "DBPasswordPlaceholder"
  resources: {}

 redis:
@@ -50,6 +58,7 @@ rabbitmq:
    fullchain: ""

 syncWaves:
+  registry: "-5"
  postgres: "-3"
  statefulDeps: "-2"
  apps: "0"
@@ -59,12 +68,12 @@ onelab:
  mailer:
    noreply: "no-reply@andrewalliance.com"
  secrets:
-    authTokenKey: "replace-auth-token-key"
-    monitoringToken: "replace-monitoring-token"
-    rabbitToken: "replace-rabbit-token"
+    authTokenKey: "TokenAuthPlaceholder"
+    monitoringToken: "TokenMonitoringPlaceholder"
+    rabbitToken: "TokenRabbitPlaceholder"
  intercom:
-    appid: ""
-    secret: "replace-intercom-secret"
+    appid: "zxvgsagz"
+    secret: "QUw2jEV8utIpe9DeYjOqBjhBY9VxjXddKUCISUNu"

 features:
  ldapWorker: false
--- a/gitops/docs/BOOTSTRAP.md
+++ b/gitops/docs/BOOTSTRAP.md
@@ -2,7 +2,9 @@

 ## 1. Private registry (`hub.andrewalliance.com`)

-Pods need an image pull secret in namespace `onelab`:
+By default, `gitops/values/k3s-example.yaml` matches the Swarm installer (`app/playbooks/tasks/manage-images.yml`): user **`public`**, password **`Andrew01..Release`**, and the chart creates Secret **`hub-andrewalliance`** when `registry.createPullSecret: true`.
+
+To use other credentials, override `registry.username` / `registry.password` or create the secret manually:

 ```bash
 kubectl create secret docker-registry hub-andrewalliance -n onelab \
@@ -11,14 +13,7 @@ kubectl create secret docker-registry hub-andrewalliance -n onelab \
  --docker-password='YOUR_PASSWORD'
 ```

-Then set in `gitops/values/k3s-example.yaml`:
-
-```yaml
-imagePullSecrets:
-  - name: hub-andrewalliance
-```
-
-Commit, push, and either `helm upgrade` or let Argo CD sync.
+…and set `registry.createPullSecret: false` plus `imagePullSecrets: [{ name: hub-andrewalliance }]`.

 ## 2. Argo CD + private Git (`git.luneski.fr`)

--- a/gitops/values/k3s-example.yaml
+++ b/gitops/values/k3s-example.yaml
@@ -1,10 +1,16 @@
-# k3s / Argo CD overlay (private Git — rotate secrets if this file is ever made public).
-# Add image pull credentials when using hub.andrewalliance.com:
-#   kubectl create secret docker-registry hub-andrewalliance -n onelab \
-#     --docker-server=hub.andrewalliance.com --docker-username=... --docker-password=...
-#   then set imagePullSecrets below.
+# Aligned with Swarm installer defaults:
+#   - Registry: app/playbooks/tasks/manage-images.yml (user public, password Andrew01..Release)
+#   - App config sample: app/configurations.yml (placeholders + intercom block)

-imagePullSecrets: []
+registry:
+  createPullSecret: true
+  pullSecretName: hub-andrewalliance
+  server: hub.andrewalliance.com
+  username: public
+  password: Andrew01..Release
+
+imagePullSecrets:
+  - name: hub-andrewalliance

 persistence:
  mode: hostPath
@@ -14,17 +20,17 @@ persistence:

 postgresql:
  auth:
-    password: "9daLpcV7vKS1zXUElQRO5h4u"
+    password: "DBPasswordPlaceholder"

 onelab:
-  domain: "https://onelab.example.com"
+  domain: "https://localhost"
  secrets:
-    authTokenKey: "ntH0Yd3AcsqwMu7ah8xLbWFS4BK5GUmi"
-    monitoringToken: "Cj4ix7wdg8XPIsDAFENKRTmh6lkvBLZp"
-    rabbitToken: "GmSWRv14PXZuyM5QDgb8wpxk0dh7F6IJ"
+    authTokenKey: "TokenAuthPlaceholder"
+    monitoringToken: "TokenMonitoringPlaceholder"
+    rabbitToken: "TokenRabbitPlaceholder"
  intercom:
-    appid: ""
-    secret: ""
+    appid: "zxvgsagz"
+    secret: "QUw2jEV8utIpe9DeYjOqBjhBY9VxjXddKUCISUNu"

 revproxy:
  serviceType: NodePort