docker-registry - dependent upon external PR

gitpod-io · Dec 12, 2021 · de31383 · de31383
1 parent cc669b9
commit de31383
Show file tree

Hide file tree

Showing 4 changed files with 54 additions and 1 deletion.
diff --git a/installer/pkg/components/docker-registry/helm.go b/installer/pkg/components/docker-registry/helm.go
@@ -31,6 +31,7 @@ var Helm = common.CompositeHelmFunc(
 			helm.KeyValue("docker-registry.service.port", strconv.Itoa(common.ProxyContainerHTTPSPort)),
 			helm.KeyValue("docker-registry.tlsSecretName", BuiltInRegistryCerts),
 			helm.KeyValue("docker-registry.image.repository", repository),
+			helm.KeyValue("docker-registry.serviceAccount.name", Component),
 		}
 
 		if len(cfg.Config.ImagePullSecrets) > 0 {

diff --git a/installer/pkg/components/docker-registry/objects.go b/installer/pkg/components/docker-registry/objects.go
@@ -6,9 +6,19 @@ package dockerregistry
 
 import (
 	"github.com/gitpod-io/gitpod/installer/pkg/common"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/utils/pointer"
 )
 
 var Objects = common.CompositeRenderFunc(
 	certificate,
+	rolebinding,
 	secret,
+	func(ctx *common.RenderContext) ([]runtime.Object, error) {
+		if !pointer.BoolDeref(ctx.Config.ContainerRegistry.InCluster, false) {
+			return nil, nil
+		}
+
+		return common.DefaultServiceAccount(Component)(ctx)
+	},
 )
diff --git a/installer/pkg/components/docker-registry/rolebinding.go b/installer/pkg/components/docker-registry/rolebinding.go
@@ -0,0 +1,42 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package dockerregistry
+
+import (
+	"fmt"
+	"github.com/gitpod-io/gitpod/installer/pkg/common"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/utils/pointer"
+)
+
+func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
+	if !pointer.BoolDeref(ctx.Config.ContainerRegistry.InCluster, false) {
+		return nil, nil
+	}
+
+	return []runtime.Object{
+		&rbacv1.RoleBinding{
+			TypeMeta: common.TypeMetaRoleBinding,
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      Component,
+				Namespace: ctx.Namespace,
+				Labels:    common.DefaultLabels(Component),
+			},
+			RoleRef: rbacv1.RoleRef{
+				Kind:     "ClusterRole",
+				Name:     fmt.Sprintf("%s-ns-psp:restricted-root-user", ctx.Namespace),
+				APIGroup: "rbac.authorization.k8s.io",
+			},
+			Subjects: []rbacv1.Subject{
+				{
+					Kind: "ServiceAccount",
+					Name: Component,
+				},
+			},
+		},
+	}, nil
+}
diff --git a/installer/third_party/charts/docker-registry/Chart.yaml b/installer/third_party/charts/docker-registry/Chart.yaml
@@ -8,5 +8,5 @@ name: docker-registry
 version: 1.0.0
 dependencies:
   - name: docker-registry
-    version: 1.14.0
+    version: 1.16.0
     repository: https://helm.twun.io