diff --git a/gitops/charts/onelab/templates/_helpers.tpl b/gitops/charts/onelab/templates/_helpers.tpl
index fdd6930..19334ec 100644
--- a/gitops/charts/onelab/templates/_helpers.tpl
+++ b/gitops/charts/onelab/templates/_helpers.tpl
@@ -23,3 +23,11 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
+{{- define "onelab.dockerconfigjson" -}}
+{{- $server := .Values.registry.server -}}
+{{- $user := .Values.registry.username -}}
+{{- $pass := .Values.registry.password -}}
+{{- $auth := printf "%s:%s" $user $pass | b64enc -}}
+{{- $entry := dict "username" $user "password" $pass "auth" $auth -}}
+{{- dict "auths" (dict $server $entry) | toJson -}}
+{{- end }}
diff --git a/gitops/charts/onelab/templates/secret-registry.yaml b/gitops/charts/onelab/templates/secret-registry.yaml
new file mode 100644
index 0000000..b86c275
--- /dev/null
+++ b/gitops/charts/onelab/templates/secret-registry.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.registry.createPullSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.registry.pullSecretName }}
+  labels:
+    {{- include "onelab.labels" . | nindent 4 }}
+  annotations:
+    argocd.argoproj.io/sync-wave: {{ .Values.syncWaves.registry | quote }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ include "onelab.dockerconfigjson" . | b64enc }}
+{{- end }}
diff --git a/gitops/charts/onelab/values.yaml b/gitops/charts/onelab/values.yaml
index c253f7c..6c811d3 100644
--- a/gitops/charts/onelab/values.yaml
+++ b/gitops/charts/onelab/values.yaml
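Review bot: `onelab.dockerconfigjson` reads `.Values.registry.server`, `username` and `password` with no guard, so an overlay that enables `createPullSecret` but leaves `registry.password` unset most likely renders `printf "%s:%s"` against a nil value and emits a Secret with an unusable auth string instead of failing the render. Wrap the lookups in `required`, e.g. `{{- $pass := required "registry.password is required when registry.createPullSecret is true" .Values.registry.password -}}`, and do the same for `$server` and `$user`, so a misconfigured release fails at `helm template` / Argo CD render time rather than at image pull time. The rendered JSON embeds the password twice (`password` and `auth`), which is what this Secret type expects, but it means the credential lands wherever rendered manifests are stored, so the value should come from an overlay or an external secret source rather than from chart defaults.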
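Review bot: `name: {{ .Values.registry.pullSecretName }}` is emitted as a plain scalar while the sync-wave value in the same file is piped through `quote`; a `pullSecretName` that happens to look like a number or boolean would be retyped by the YAML parser, so write `name: {{ .Values.registry.pullSecretName | quote }}`. Nothing ties this Secret to `imagePullSecrets`: with the chart defaults (`createPullSecret: false`, `imagePullSecrets: []`) an overlay that flips only `createPullSecret` creates the Secret but no pod references it, and the pull still fails. Consider a `fail` in this template when `createPullSecret` is true and `imagePullSecrets` has no entry named `pullSecretName`, or at least a comment in `values.yaml` stating that the two must be set together.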
@@ -18,6 +18,14 @@ images:
 imagePullSecrets: []
 # - name: hub-andrewalliance
+# Same defaults as app/playbooks/tasks/manage-images.yml (docker login before pull).
+registry:
+  createPullSecret: false
+  pullSecretName: hub-andrewalliance
+  server: hub.andrewalliance.com
+  username: public
+  password: Andrew01..Release
+
 # hostPath: matches typical single-node Swarm-style install (shared /data and /logs).
 # Use persistence.mode: pvc + a ReadWriteMany class for multi-node shared storage.
 persistence:
@@ -33,7 +41,7 @@ persistence:
 postgresql:
   auth:
-    password: "changeme-use-strong-password"
+    password: "DBPasswordPlaceholder"
   resources: {}
 redis:
@@ -50,6 +58,7 @@ rabbitmq:
   fullchain: ""
 syncWaves:
+  registry: "-5"
   postgres: "-3"
   statefulDeps: "-2"
   apps: "0"
@@ -59,12 +68,12 @@ onelab:
   mailer:
     noreply: "no-reply@andrewalliance.com"
   secrets:
-    authTokenKey: "replace-auth-token-key"
-    monitoringToken: "replace-monitoring-token"
-    rabbitToken: "replace-rabbit-token"
+    authTokenKey: "TokenAuthPlaceholder"
+    monitoringToken: "TokenMonitoringPlaceholder"
+    rabbitToken: "TokenRabbitPlaceholder"
   intercom:
-    appid: ""
-    secret: "replace-intercom-secret"
+    appid: "zxvgsagz"
+    secret: "QUw2jEV8utIpe9DeYjOqBjhBY9VxjXddKUCISUNu"
   features:
     ldapWorker: false
diff --git a/gitops/docs/BOOTSTRAP.md b/gitops/docs/BOOTSTRAP.md
index e4d8455..825f91c 100644
--- a/gitops/docs/BOOTSTRAP.md
+++ b/gitops/docs/BOOTSTRAP.md
@@ -2,7 +2,9 @@
 ## 1. Private registry (`hub.andrewalliance.com`)
-Pods need an image pull secret in namespace `onelab`:
+By default, `gitops/values/k3s-example.yaml` matches the Swarm installer (`app/playbooks/tasks/manage-images.yml`): user **`public`**, password **`Andrew01..Release`**, and the chart creates Secret **`hub-andrewalliance`** when `registry.createPullSecret: true`.
+
+To use other credentials, override `registry.username` / `registry.password` or create the secret manually:
 ```bash
 kubectl create secret docker-registry hub-andrewalliance -n onelab \
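Review bot: The chart's default `values.yaml` now ships a working registry credential (`registry.password: Andrew01..Release`, hunk `@@ -18`) and, in hunk `@@ -59`, an Intercom `appid`/`secret` pair that no longer reads as a placeholder; chart defaults are copied into every consumer's rendered manifests and into Argo CD's cache, so they are the wrong place for live values. Keep `password: ""` and `secret: ""` in the chart and let the overlay (`gitops/values/k3s-example.yaml`, which commits the same values) or an external secret source supply them; if the Intercom values are real they are now in git history and should be rotated. The remaining `*Placeholder` strings are deployable as-is — a user who forgets to override `postgresql.auth.password` gets a database protected by `DBPasswordPlaceholder` — so the templates that consume them (outside this diff) should use `required` instead of accepting a default. `password: Andrew01..Release` and `username: public` are also unquoted plain scalars; quote them so a future value that looks like a number or boolean is not retyped.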
@@ -11,14 +13,7 @@ kubectl create secret docker-registry hub-andrewalliance -n onelab \
   --docker-password='YOUR_PASSWORD'
 ```
-Then set in `gitops/values/k3s-example.yaml`:
-
-```yaml
-imagePullSecrets:
-  - name: hub-andrewalliance
-```
-
-Commit, push, and either `helm upgrade` or let Argo CD sync.
+…and set `registry.createPullSecret: false` plus `imagePullSecrets: [{ name: hub-andrewalliance }]`.
 ## 2. Argo CD + private Git (`git.luneski.fr`)
diff --git a/gitops/values/k3s-example.yaml b/gitops/values/k3s-example.yaml
index 7724bcc..fe4d42b 100644
--- a/gitops/values/k3s-example.yaml
+++ b/gitops/values/k3s-example.yaml
@@ -1,10 +1,16 @@
-# k3s / Argo CD overlay (private Git — rotate secrets if this file is ever made public).
-# Add image pull credentials when using hub.andrewalliance.com:
-# kubectl create secret docker-registry hub-andrewalliance -n onelab \
-# --docker-server=hub.andrewalliance.com --docker-username=... --docker-password=...
-# then set imagePullSecrets below.
+# Aligned with Swarm installer defaults:
+# - Registry: app/playbooks/tasks/manage-images.yml (user public, password Andrew01..Release)
+# - App config sample: app/configurations.yml (placeholders + intercom block)
-imagePullSecrets: []
+registry:
+  createPullSecret: true
+  pullSecretName: hub-andrewalliance
+  server: hub.andrewalliance.com
+  username: public
+  password: Andrew01..Release
+
+imagePullSecrets:
+  - name: hub-andrewalliance
 persistence:
   mode: hostPath
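Review bot: The rewritten header of `k3s-example.yaml` drops the old first line's warning that this overlay lives in private Git and that its secrets must be rotated if the file is ever exposed, at the same moment the file gains a plaintext registry password (`password: Andrew01..Release`) and, in the next hunk, an Intercom secret. Keep that sentence in the new comment block, e.g. `# Private Git only — rotate every credential in this file if it is ever made public.`, since the `.dockerconfigjson` Secret rendered from these values carries the password in recoverable form in the cluster and in Argo CD. `pullSecretName: hub-andrewalliance` matches the `imagePullSecrets` entry added below, which is a coupling the chart does not check; a one-line comment saying the two must agree would help the next editor.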
@@ -14,17 +20,17 @@ persistence:
 postgresql:
   auth:
-    password: "9daLpcV7vKS1zXUElQRO5h4u"
+    password: "DBPasswordPlaceholder"
 onelab:
-  domain: "https://onelab.example.com"
+  domain: "https://localhost"
   secrets:
-    authTokenKey: "ntH0Yd3AcsqwMu7ah8xLbWFS4BK5GUmi"
-    monitoringToken: "Cj4ix7wdg8XPIsDAFENKRTmh6lkvBLZp"
-    rabbitToken: "GmSWRv14PXZuyM5QDgb8wpxk0dh7F6IJ"
+    authTokenKey: "TokenAuthPlaceholder"
+    monitoringToken: "TokenMonitoringPlaceholder"
+    rabbitToken: "TokenRabbitPlaceholder"
   intercom:
-    appid: ""
-    secret: ""
+    appid: "zxvgsagz"
+    secret: "QUw2jEV8utIpe9DeYjOqBjhBY9VxjXddKUCISUNu"
 revproxy:
   serviceType: NodePort
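Review bot: The removed `postgresql.auth.password`, `authTokenKey`, `monitoringToken` and `rabbitToken` values were random-looking credentials; swapping them for `*Placeholder` strings removes them from the working tree but not from git history, so if any of them was ever applied to a cluster it should be rotated rather than treated as retired. The same hunk moves the other way for Intercom: `appid: ""` / `secret: ""` become concrete values, so either they are samples and should be named like the other placeholders, or they are live and belong outside this committed file. `domain: "https://localhost"` is a fine example default, but a one-line comment above `onelab:` stating that every placeholder must be replaced before the overlay is applied would make the intent explicit.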