diff --git a/stable/spinnaker/README.md b/stable/spinnaker/README.md index 9bd26fc33774..6c4135c378fc 100644 --- a/stable/spinnaker/README.md +++ b/stable/spinnaker/README.md @@ -60,6 +60,32 @@ for Spinnaker. If you want to add arbitrary clusters need to do the following: deploymentContext: my-context ``` +## Specifying Docker Registries and Valid Images (Repositories) + +Spinnaker will only give you access to Docker images that have been whitelisted, if you're using a private registry or a private repository you also need to provide credentials. Update the following values of the chart to do so: + + ```yaml + dockerRegistries: + - name: dockerhub + address: index.docker.io + repositories: + - library/alpine + - library/ubuntu + - library/centos + - library/nginx + # - name: gcr + # address: https://gcr.io + # username: _json_key + # password: '' + # email: 1234@5678.com + ``` + +You can provide passwords as a Helm value, or you can use a pre-created secret containing your registry passwords. The secret should have an item per Registry in the format: `: `. In which case you'll specify the secret to use in `dockerRegistryAccountSecret` like so: + + ```yaml + dockerRegistryAccountSecret: myregistry-secrets + ``` + ## Customizing your installation ### Manual diff --git a/stable/spinnaker/templates/configmap/halyard-config.yaml b/stable/spinnaker/templates/configmap/halyard-config.yaml index 193c7201e034..fe2f4dcaba0a 100644 --- a/stable/spinnaker/templates/configmap/halyard-config.yaml +++ b/stable/spinnaker/templates/configmap/halyard-config.yaml @@ -6,6 +6,8 @@ metadata: {{ include "spinnaker.standard-labels" . | indent 4 }} data: install.sh: | + #!/bin/bash + # Wait for the Hal daemon to be ready export DAEMON_ENDPOINT=http://{{ template "spinnaker.fullname" . }}-halyard:8064 export HAL_COMMAND="hal --daemon-endpoint $DAEMON_ENDPOINT" 
@@ -63,8 +65,17 @@ data: PROVIDER_COMMAND='add' fi + CREDS="" + {{ if $registry.username -}} + CREDS+="--username {{ $registry.username }} --password-file /opt/registry/passwords/{{ $registry.name }}" + {{ if $registry.email -}} + CREDS+=" --email {{ $registry.email }}" + {{- end -}} + {{- end }} + $HAL_COMMAND config provider docker-registry account $PROVIDER_COMMAND {{ $registry.name }} --address {{ $registry.address }} \ - --repositories {{ range $index, $repository := $registry.repositories }}{{- $repository }},{{- end }} + ${CREDS} --repositories {{ range $index, $repository := $registry.repositories }}{{if $index}},{{end}}{{- $repository }}{{- end }} + {{- end }} $HAL_COMMAND config provider kubernetes enable diff --git a/stable/spinnaker/templates/secrets/registry.yaml b/stable/spinnaker/templates/secrets/registry.yaml index ea0211d4f152..bfc3d64181ba 100644 --- a/stable/spinnaker/templates/secrets/registry.yaml +++ b/stable/spinnaker/templates/secrets/registry.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.dockerRegistryAccountSecret }} apiVersion: v1 kind: Secret metadata: @@ -7,6 +8,7 @@ metadata: component: clouddriver type: Opaque data: - {{- range $index, $account := .Values.accounts }} - password-{{ $account.name }}: {{ default "" $account.password | b64enc | quote }} + {{- range $index, $account := .Values.dockerRegistries }} + {{ $account.name }}: {{ default "" $account.password | b64enc | quote }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/stable/spinnaker/templates/statefulsets/halyard.yaml b/stable/spinnaker/templates/statefulsets/halyard.yaml index 2dfd407ba769..07083a579cd7 100644 --- a/stable/spinnaker/templates/statefulsets/halyard.yaml +++ b/stable/spinnaker/templates/statefulsets/halyard.yaml 
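Review bot: In templates/configmap/halyard-config.yaml the new `CREDS+=` lines splice `{{ $registry.username }}`, `{{ $registry.email }}` and `{{ $registry.name }}` into install.sh with no shell quoting of their own, and `${CREDS}` is then expanded unquoted, so a value containing whitespace, `$` or a backtick is word-split or evaluated by bash rather than passed as one argument. Building the arguments as an array keeps each value intact: `CREDS=()`, then `CREDS+=(--username '{{ $registry.username }}' --password-file '/opt/registry/passwords/{{ $registry.name }}')`, and `"${CREDS[@]}"` on the hal line, with the `--email` line following the same pattern. Single quotes do not cover a value that itself contains a single quote, so such values would still need to be rejected or escaped. The `range` over registries begins outside this hunk, and the unquoted `--address` and account name on the unchanged hal line have the same exposure.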
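Review bot: In templates/secrets/registry.yaml (second hunk) the Secret key is now the bare, unquoted `{{ $account.name }}`, and that key is also the file name install.sh passes to `--password-file` under /opt/registry/passwords. A registry whose name YAML reads as a non-string (for example a constructed name such as `on` or `123`) would not render as a string key, which `{{ $account.name | quote }}: {{ default "" $account.password | b64enc | quote }}` avoids. I would also add a template comment above the `range` saying that each key must equal the registry `name` because the Halyard script derives the password-file path from it. The same comment should note that passwords set in values are not used once `dockerRegistryAccountSecret` is given, since the first hunk then skips this Secret entirely.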
@@ -68,6 +68,13 @@ spec: secret: secretName: {{ template "spinnaker.fullname" . }}-gcs {{- end }} + - name: reg-secrets + secret: + {{- if .Values.dockerRegistryAccountSecret }} + secretName: {{ .Values.dockerRegistryAccountSecret }} + {{- else }} + secretName: {{ template "spinnaker.fullname" .}}-registry + {{- end }} {{- if and .Values.s3.enabled .Values.s3.accessKey .Values.s3.secretKey }} - name: s3-secrets secret: @@ -98,6 +105,8 @@ spec: mountPath: /home/spinnaker - name: halyard-config mountPath: /opt/halyard/config + - name: reg-secrets + mountPath: /opt/registry/passwords volumeClaimTemplates: - metadata: name: halyard-home diff --git a/stable/spinnaker/values.yaml b/stable/spinnaker/values.yaml index 72c3b4bb4983..a3d187d21757 100644 --- a/stable/spinnaker/values.yaml +++ b/stable/spinnaker/values.yaml @@ -31,6 +31,15 @@ dockerRegistries: # password: '' # email: 1234@5678.com +# If you don't want to put your passwords into a values file +# you can use a pre-created secret instead of putting passwords +# (specify secret name in below `dockerRegistryAccountSecret`) +# per account above with data in the format: +# : + +# dockerRegistryAccountSecret: myregistry-secrets + + kubeConfig: # Use this when you want to register arbitrary clusters with Spinnaker # Upload your ~/kube/.config to a secret @@ -70,6 +79,10 @@ redis: nodeSelector: {} cluster: enabled: false +# Uncomment if you don't want to create a PVC for redis +# master: +# persistence: +# enabled: false # Minio access/secret keys for the in-cluster S3 usage # Minio is not exposed publically @@ -81,6 +94,9 @@ minio: secretKey: spinnakeradmin bucket: "spinnaker" nodeSelector: {} +# Uncomment if you don't want to create a PVC for minio +# persistence: +# enabled: false gcs: enabled: false
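Review bot: The `reg-secrets` volume in templates/statefulsets/halyard.yaml is added without a `defaultMode`, and its mount in the second hunk (`mountPath: /opt/registry/passwords`) without `readOnly: true`, so the registry password files get the Secret volume's default file mode rather than an owner-only one. Consider `defaultMode: 0400` under `secret:` and `readOnly: true` on the mount, after confirming that the Halyard container's user (and any fsGroup, not visible here) can still read the files. The volume is also declared unconditionally, so a `dockerRegistryAccountSecret` that names a Secret which does not exist will keep the pod from starting. Writing `secretName: {{ .Values.dockerRegistryAccountSecret | quote }}` and adding a README sentence that the Secret must exist before install would make that failure easier to diagnose. Both hunks sit inside a pod spec that starts outside the visible lines.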