[DPE-1033/DPE-1188] Add docker authenticated pulls & Drop SigNoz self hosted

README.md

@@ -226,6 +226,73 @@ log into the tool. Examples:
 - ArgoCD: Secret is named `argocd-initial-admin-secret` with a default username of `admin`
 - Grafana: Secret is named `victoria-metrics-k8s-stack-grafana` with a default username of `admin`
 
+### Authenticated docker pulls
+As docker limits the number of unauthenticated pulls for images for anonymous accounts
+we are using a DPE service account named `dpesagebionetworks` to authenticate all pulls
+from docker. To accomplish this task the following steps were taken:
+
+1) Log into docker hub with credentials stored in lastpass
+2) Create a new Personal access token for the account
+3) Copy the personal access token into the Spacelift stack for "Kubernetes Deployments" as an environment variable named "TF_VAR_docker_access_token"
+4) Update the `variables.tf` in the relevant module to include the variable as shown below
+5) Update the `main.tf` to add a new kubernetes secret (Below) for all namespaces where an authenticated docker pull needs to occur
+6) Update any helm charts to reference the authentication as described in [this document](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/)
+7) Deploy the changes via terraform to the kubernetes cluster and apply the changes via ArgoCD or FluxCD
+
+
+To add to `variables.tf`
+```terraform
+variable "docker_server" {
+  description = "The docker registry URL"
+  default     = "https://index.docker.io/v1/"
+  type        = string
+}
+
+variable "docker_username" {
+  description = "Username to log into docker for authenticated pulls"
+  default     = "dpesagebionetworks"
+  type        = string
+}
+
+variable "docker_access_token" {
+  description = "The access token to use for docker authenticated pulls. Created via by setting 'TF_VAR_docker_access_token' within spacelift as an environment variable"
+  type        = string
+}
+
+variable "docker_email" {
+  description = "The email for the docker account"
+  default     = "[email protected]"
+  type        = string
+}
+
+```
+
+To add to `main.tf`
+```terraform
+resource "kubernetes_secret" "docker-cfg" {
+  metadata {
+    name      = "docker-cfg"
+    namespace = var.namespace
+  }
+
+  type = "kubernetes.io/dockerconfigjson"
+
+  data = {
+    ".dockerconfigjson" = jsonencode({
+      auths = {
+        "${var.docker_server}" = {
+          "username" = var.docker_username,
+          "password" = var.docker_access_token,
+          "email"    = var.docker_email
+          "auth"     = base64encode("${var.docker_username}:${var.docker_access_token}")
+        }
+      }
+    })
+  }
+}
+```
+
+
 ## Tear down of EKS stacks
 If you need to fully tear down all of the infra start at the smallest point and work
 outwards. Destroy items in this order:

deployments/stacks/dpe-k8s-deployments/main.tf

@@ -58,11 +58,12 @@ module "airflow" {
   depends_on = [module.victoria-metrics, module.argo-cd]
   # source       = "spacelift.io/sagebionetworks/airflow/aws"
   # version      = "0.4.0"
-  source       = "../../../modules/apache-airflow"
-  auto_deploy  = var.auto_deploy
-  auto_prune   = var.auto_prune
-  git_revision = local.git_revision
-  namespace    = "airflow"
+  source              = "../../../modules/apache-airflow"
+  auto_deploy         = var.auto_deploy
+  auto_prune          = var.auto_prune
+  git_revision        = local.git_revision
+  namespace           = "airflow"
+  docker_access_token = var.docker_access_token
 }
 
 module "postgres-cloud-native-operator" {
@@ -88,37 +89,6 @@ module "postgres-cloud-native-database" {
   deploy_pooler        = true
 }
 
-module "clickhouse-backup-bucket" {
-  source                    = "../../../modules/s3-bucket"
-  bucket_name               = "clickhouse-backup-${var.aws_account_id}-${var.cluster_name}"
-  enable_versioning         = false
-  aws_account_id            = var.aws_account_id
-  cluster_name              = var.cluster_name
-  cluster_oidc_provider_arn = var.cluster_oidc_provider_arn
-}
-
-module "signoz" {
-  depends_on = [module.argo-cd]
-  # source               = "spacelift.io/sagebionetworks/postgres-cloud-native-database/aws"
-  # version              = "0.5.0"
-  source                = "../../../modules/signoz"
-  auto_deploy           = var.auto_deploy
-  auto_prune            = var.auto_prune
-  git_revision          = local.git_revision
-  namespace             = "signoz"
-  argo_deployment_name  = "signoz"
-  enable_otel_ingress   = var.enable_otel_ingress && var.enable_cluster_ingress
-  gateway_namespace     = "envoy-gateway"
-  cluster_name          = var.cluster_name
-  auth0_jwks_uri        = var.auth0_jwks_uri
-  smtp_password         = var.smtp_password
-  smtp_user             = var.smtp_user
-  smtp_from             = var.smtp_from
-  auth0_identifier      = var.auth0_identifier
-  s3_backup_bucket_name = module.clickhouse-backup-bucket.bucket_name
-  s3_access_role_arn    = module.clickhouse-backup-bucket.access_role_arn
-}
-
 module "envoy-gateway" {
   count      = var.enable_cluster_ingress ? 1 : 0
   depends_on = [module.argo-cd, module.cert-manager]
@@ -132,6 +102,7 @@ module "envoy-gateway" {
   argo_deployment_name = "envoy-gateway"
   cluster_issuer_name  = "lets-encrypt-prod"
   ssl_hostname         = var.ssl_hostname
+  docker_access_token  = var.docker_access_token
 }
 
 module "cert-manager" {

deployments/stacks/dpe-k8s-deployments/variables.tf

@@ -113,3 +113,9 @@ variable "smtp_from" {
   type        = string
   default     = ""
 }
+
+variable "docker_access_token" {
+  description = "The access token to use for docker authenticated pulls. Created via by setting 'TF_VAR_docker_access_token' within spacelift as an environment variable"
+  type        = string
+  default     = ""
+}

modules/apache-airflow/main.tf

@@ -79,3 +79,25 @@ spec:
     namespace: ${var.namespace}
 YAML
 }
+
+resource "kubernetes_secret" "docker-cfg" {
+  metadata {
+    name      = "docker-cfg"
+    namespace = var.namespace
+  }
+
+  type = "kubernetes.io/dockerconfigjson"
+
+  data = {
+    ".dockerconfigjson" = jsonencode({
+      auths = {
+        "${var.docker_server}" = {
+          "username" = var.docker_username,
+          "password" = var.docker_access_token,
+          "email"    = var.docker_email
+          "auth"     = base64encode("${var.docker_username}:${var.docker_access_token}")
+        }
+      }
+    })
+  }
+}

modules/apache-airflow/templates/values.yaml

@@ -2354,7 +2354,7 @@ redis:
 # Auth secret for a private registry
 # This is used if pulling airflow images from a private registry
 registry:
-  secretName: ~
+  secretName: docker-cfg
 
   # Example:
   # connection:

modules/apache-airflow/variables.tf

@@ -19,4 +19,27 @@ variable "git_revision" {
 variable "namespace" {
   description = "The namespace to deploy into"
   type        = string
-}
+}
+
+variable "docker_server" {
+  description = "The docker registry URL"
+  default     = "https://index.docker.io/v1/"
+  type        = string
+}
+
+variable "docker_username" {
+  description = "Username to log into docker for authenticated pulls"
+  default     = "dpesagebionetworks"
+  type        = string
+}
+
+variable "docker_access_token" {
+  description = "The access token to use for docker authenticated pulls. Created via by setting 'TF_VAR_docker_access_token' within spacelift as an environment variable"
+  type        = string
+}
+
+variable "docker_email" {
+  description = "The email for the docker account"
+  default     = "[email protected]"
+  type        = string
+}

modules/envoy-gateway/main.tf

@@ -68,3 +68,25 @@ spec:
     namespace: ${var.namespace}
 YAML
 }
+
+resource "kubernetes_secret" "docker-cfg" {
+  metadata {
+    name      = "docker-cfg"
+    namespace = var.namespace
+  }
+
+  type = "kubernetes.io/dockerconfigjson"
+
+  data = {
+    ".dockerconfigjson" = jsonencode({
+      auths = {
+        "${var.docker_server}" = {
+          "username" = var.docker_username,
+          "password" = var.docker_access_token,
+          "email"    = var.docker_email
+          "auth"     = base64encode("${var.docker_username}:${var.docker_access_token}")
+        }
+      }
+    })
+  }
+}

modules/envoy-gateway/templates/values.yaml

@@ -9,15 +9,17 @@ global:
       # Default behavior: latest images will be Always else IfNotPresent.
       pullPolicy: IfNotPresent
       # List of secrets in the same namespace of the component that can be used to pull images from private repositories.
-      pullSecrets: []
+      pullSecrets:
+      - name: docker-cfg
     ratelimit:
       # This is the full image name including the hub, repo, and tag.
       image: "docker.io/envoyproxy/ratelimit:master"
       # Specify image pull policy if default behavior isn't desired.
       # Default behavior: latest images will be Always else IfNotPresent.
       pullPolicy: IfNotPresent
       # List of secrets in the same namespace of the component that can be used to pull images from private repositories.
-      pullSecrets: []
+      pullSecrets:
+      - name: docker-cfg
 podDisruptionBudget:
   minAvailable: 0
   # maxUnavailable: 1

modules/envoy-gateway/variables.tf

@@ -35,3 +35,26 @@ variable "ssl_hostname" {
   description = "The hostname to use for the SSL certificate"
   type        = string
 }
+
+variable "docker_server" {
+  description = "The docker registry URL"
+  default     = "https://index.docker.io/v1/"
+  type        = string
+}
+
+variable "docker_username" {
+  description = "Username to log into docker for authenticated pulls"
+  default     = "dpesagebionetworks"
+  type        = string
+}
+
+variable "docker_access_token" {
+  description = "The access token to use for docker authenticated pulls. Created via by setting 'TF_VAR_docker_access_token' within spacelift as an environment variable"
+  type        = string
+}
+
+variable "docker_email" {
+  description = "The email for the docker account"
+  default     = "[email protected]"
+  type        = string
+}