Add cloud-base registry configuration values to Helm chart (#56)

* adds dedicate value for gcp service account this service account annotation is required in order to authenticate with GCR * adds azure and gcp fields to helm chart values so that these settings can be set "explicitly" instead of use other, less-descriptive fields to configure the same thing
dominodatalab · Aug 19, 2022 · f3de88d · f3de88d
1 parent ca95078
commit f3de88d
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 2 deletions.
diff --git a/deployments/helm/hephaestus/templates/controller/deployment.yaml b/deployments/helm/hephaestus/templates/controller/deployment.yaml
@@ -42,9 +42,23 @@ spec:
           args:
             - start
             - --config=/etc/hephaestus/config.yaml
-          {{- with .Values.controller.manager.extraEnvVars }}
+          {{- with .Values.controller.manager }}
+          {{- if or .extraEnvVars .cloudRegistryAuth.azure.enabled }}
           env:
+            {{- with .extraEnvVars }}
             {{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 12 }}
+            {{- end }}
+            {{- if .cloudRegistryAuth.azure.enabled }}
+            - name: AZURE_TENANT_ID
+              value: {{ required "Azure tenantID is required when enabled!" .cloudRegistryAuth.azure.tenantID | quote }}
+            - name: AZURE_CLIENT_ID
+              value: {{ required "Azure clientID is required when enabled!" .cloudRegistryAuth.azure.clientID | quote }}
+            {{- with .cloudRegistryAuth.azure.clientSecret }}
+            - name: AZURE_CLIENT_SECRET
+              value: {{ . | quote }}
+            {{- end }}
+            {{- end }}
+          {{- end }}
           {{- end }}
           ports:
             {{- with .Values.controller.manager }}

diff --git a/deployments/helm/hephaestus/templates/controller/serviceaccount.yaml b/deployments/helm/hephaestus/templates/controller/serviceaccount.yaml
@@ -5,8 +5,15 @@ metadata:
   name: {{ include "hephaestus.serviceAccountName" . }}
   labels:
     {{- include "hephaestus.controller.labels.standard" . | nindent 4 }}
-  {{- with .Values.controller.serviceAccount.annotations }}
+  {{- with .Values.controller }}
+  {{- if or .serviceAccount.annotations .manager.cloudRegistryAuth.gcp.enabled }}
   annotations:
+    {{- with .serviceAccount.annotations }}
     {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if .manager.cloudRegistryAuth.gcp.enabled }}
+    "iam.gke.io/gcp-service-account": {{ required "GCP ServiceAccount is required when enabled!" .manager.cloudRegistryAuth.gcp.serviceAccount | quote }}
+    {{- end }}
+  {{- end }}
   {{- end }}
 {{- end }}
diff --git a/deployments/helm/hephaestus/values.yaml b/deployments/helm/hephaestus/values.yaml
@@ -148,6 +148,19 @@ controller:
     # Secrets (name: path) to expose into builds that request it
     secrets: {}
 
+    # Cloud-based registry credentials configuration
+    cloudRegistryAuth:
+      # Azure credentials required to access ACR
+      azure:
+        enabled: false
+        tenantID: ""
+        clientID: ""
+        clientSecret: ""
+      # GCP credentials required to access GCR
+      gcp:
+        enabled: false
+        serviceAccount: ""
+
     # Build status messaging configuration
     messaging:
       # Enable message publisher