chore: pass imagePullSecret to helm (#1670)

## Description Pass build arg `withPullSecret` to helm ## Related Issue Fixes #1660  Relates to #1640 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) ## Checklist before merging - [x] Unit, [Journey](https://github.com/defenseunicorns/pepr/tree/main/journey), [E2E Tests](https://github.com/defenseunicorns/pepr-excellent-examples), [docs](https://github.com/defenseunicorns/pepr/tree/main/docs), [adr](https://github.com/defenseunicorns/pepr/tree/main/adr) added or updated as needed - [x] [Contributor Guide Steps](https://docs.pepr.dev/main/contribute/#submitting-a-pull-request) followed --------- Signed-off-by: Case Wylie <[email protected]> Co-authored-by: Barrett LaFrance <[email protected]>
defenseunicorns · Jan 16, 2025 · d500850 · d500850
1 parent d47ba65
commit d500850
Show file tree

Hide file tree

Showing 7 changed files with 53 additions and 33 deletions.
diff --git a/integration/cli/build.nonconflict.test.ts b/integration/cli/build.nonconflict.test.ts
@@ -50,30 +50,26 @@ describe("build", () => {
       let packageJson;
       let uuid: string;
 
-      it(
-        "builds",
-        async () => {
-          await fs.rename(`${testModule}/pepr.ts`, `${testModule}/${entryPoint}`);
-
-          const argz = [
-            `--entry-point ${entryPoint}`,
-            `--custom-image ${customImage}`,
-            `--output-dir ${outputDir}`,
-            `--timeout ${timeout}`,
-            `--withPullSecret ${withPullSecret}`,
-            `--zarf ${zarf}`,
-          ].join(" ");
-          const build = await pepr.cli(testModule, { cmd: `pepr build ${argz}` });
-
-          expect(build.exitcode).toBe(0);
-          expect(build.stderr.join("").trim()).toBe("");
-          expect(build.stdout.join("").trim()).toContain("K8s resource for the module saved");
-
-          packageJson = await resource.fromFile(`${testModule}/package.json`);
-          uuid = packageJson.pepr.uuid;
-        },
-        time.toMs("1m"),
-      );
+      beforeAll(async () => {
+        await fs.rename(`${testModule}/pepr.ts`, `${testModule}/${entryPoint}`);
+
+        const argz = [
+          `--entry-point ${entryPoint}`,
+          `--custom-image ${customImage}`,
+          `--output-dir ${outputDir}`,
+          `--timeout ${timeout}`,
+          `--withPullSecret ${withPullSecret}`,
+          `--zarf ${zarf}`,
+        ].join(" ");
+        const build = await pepr.cli(testModule, { cmd: `pepr build ${argz}` });
+
+        expect(build.exitcode).toBe(0);
+        expect(build.stderr.join("").trim()).toBe("");
+        expect(build.stdout.join("").trim()).toContain("K8s resource for the module saved");
+
+        packageJson = await resource.fromFile(`${testModule}/package.json`);
+        uuid = packageJson.pepr.uuid;
+      }, time.toMs("1m"));
 
       const getDepConImg = (deploy: kind.Deployment, container: string): string => {
         return deploy!
@@ -157,13 +153,17 @@ describe("build", () => {
         };
 
         const moduleYaml = await resource.fromFile(`${outputDir}/pepr-module-${uuid}.yaml`);
+
         const admission = resource.select(moduleYaml, kind.Deployment, `pepr-${uuid}`);
         const admissionSecrets = getDepImgPull(admission);
         expect(admissionSecrets).toEqual([withPullSecret]);
 
         const watcher = resource.select(moduleYaml, kind.Deployment, `pepr-${uuid}-watcher`);
         const watcherSecrets = getDepImgPull(watcher);
         expect(watcherSecrets).toEqual([withPullSecret]);
+
+        const valuesYaml = await resource.fromFile(`${outputDir}/${uuid}-chart/values.yaml`);
+        expect(valuesYaml.imagePullSecrets).toContain(withPullSecret);
       });
 
       it("--zarf, works", async () => {

diff --git a/src/cli/build.ts b/src/cli/build.ts
@@ -58,6 +58,7 @@ export default function (program: RootCmd): void {
     .option(
       "--withPullSecret <imagePullSecret>",
       "Image Pull Secret: Use image pull secret for controller Deployment.",
+      "",
     )
 
     .addOption(
@@ -124,6 +125,7 @@ export default function (program: RootCmd): void {
             rbacMode: determineRbacMode(opts, cfg),
           },
           path,
+          opts.withPullSecret === "" ? [] : [opts.withPullSecret],
         );
 
         // If registry is set to Iron Bank, use Iron Bank image

diff --git a/src/cli/deploy.ts b/src/cli/deploy.ts
@@ -128,6 +128,7 @@ export default function (program: RootCmd): void {
       const webhook = new Assets(
         { ...builtModule.cfg.pepr, description: builtModule.cfg.description },
         builtModule.path,
+        [],
       );
       webhook.image = opts.image ?? webhook.image;
 

diff --git a/src/lib/assets/assets.ts b/src/lib/assets/assets.ts
@@ -31,23 +31,27 @@ export class Assets {
   readonly name: string;
   readonly tls: TLSOut;
   readonly apiToken: string;
+  readonly config: ModuleConfig;
+  readonly path: string;
   readonly alwaysIgnore!: WebhookIgnore;
+  readonly imagePullSecrets: string[];
   capabilities!: CapabilityExport[];
-
   image: string;
   buildTimestamp: string;
+  readonly host?: string;
 
-  constructor(
-    readonly config: ModuleConfig,
-    readonly path: string,
-    readonly host?: string,
-  ) {
+  constructor(config: ModuleConfig, path: string, imagePullSecrets: string[], host?: string) {
     this.name = `pepr-${config.uuid}`;
+    this.imagePullSecrets = imagePullSecrets;
     this.buildTimestamp = `${Date.now()}`;
+    this.config = config;
+    this.path = path;
+    this.host = host;
     this.alwaysIgnore = config.alwaysIgnore;
     this.image = `ghcr.io/defenseunicorns/pepr/controller:v${config.peprVersion}`;
+
     // Generate the ephemeral tls things
-    this.tls = genTLS(this.host || `${this.name}.pepr-system.svc`);
+    this.tls = genTLS(host || `${this.name}.pepr-system.svc`);
 
     // Generate the api token for the controller / webhook
     this.apiToken = crypto.randomBytes(32).toString("hex");
@@ -163,7 +167,7 @@ export class Assets {
         apiToken: this.apiToken,
         capabilities: this.capabilities,
       };
-      await overridesFile(overrideData, helm.files.valuesYaml);
+      await overridesFile(overrideData, helm.files.valuesYaml, this.imagePullSecrets);
 
       const webhooks = {
         mutate: await webhookGeneratorFunction(this, WebhookType.MUTATE, this.config.webhookTimeout),

diff --git a/src/lib/assets/helm.ts b/src/lib/assets/helm.ts
@@ -99,6 +99,12 @@ export function watcherDeployTemplate(buildTimestamp: string): string {
               - name: watcher
                 image: {{ .Values.watcher.image }}
                 imagePullPolicy: IfNotPresent
+                {{- if gt (len .Values.imagePullSecrets) 0 }}
+                imagePullSecrets:
+                  {{- range .Values.imagePullSecrets }}
+                  - name: {{ . }}
+                  {{- end }}
+                {{- end }}
                 command:
                   - node
                   - /app/node_modules/pepr/dist/controller.js
@@ -183,6 +189,12 @@ export function admissionDeployTemplate(buildTimestamp: string): string {
               - name: server
                 image: {{ .Values.admission.image }}
                 imagePullPolicy: IfNotPresent
+                {{- if gt (len .Values.imagePullSecrets) 0 }}
+                imagePullSecrets:
+                  {{- range .Values.imagePullSecrets }}
+                  - name: {{ . }}
+                  {{- end }}
+                {{- end }}
                 command:
                   - node
                   - /app/node_modules/pepr/dist/controller.js

diff --git a/src/lib/assets/index.test.ts b/src/lib/assets/index.test.ts
@@ -48,7 +48,6 @@ describe("createWebhookYaml", () => {
 
   it("replaces placeholders in the YAML correctly", () => {
     const result = createWebhookYaml("pepr-static-test", moduleConfig, webhookConfiguration);
-    console.log(result);
     expect(result).toContain("{{ .Values.uuid }}");
     expect(result).toContain("{{ .Values.admission.failurePolicy }}");
     expect(result).toContain("{{ .Values.admission.webhookTimeout }}");

diff --git a/src/lib/assets/yaml/overridesFile.ts b/src/lib/assets/yaml/overridesFile.ts
@@ -20,10 +20,12 @@ type ChartOverrides = CommonOverrideValues & {
 export async function overridesFile(
   { hash, name, image, config, apiToken, capabilities }: ChartOverrides,
   path: string,
+  imagePullSecrets: string[],
 ): Promise<void> {
   const rbacOverrides = clusterRole(name, capabilities, config.rbacMode, config.rbac).rules;
 
   const overrides = {
+    imagePullSecrets,
     additionalIgnoredNamespaces: [],
     rbac: rbacOverrides,
     secrets: {