From de31383788ea2b10f6192f90ab38dd3dd489f8e6 Mon Sep 17 00:00:00 2001
From: Simon Emms
Date: Tue, 7 Dec 2021 12:53:27 +0000
Subject: [PATCH] docker-registry - dependent upon external PR
---
 .../pkg/components/docker-registry/helm.go | 1 +
 .../pkg/components/docker-registry/objects.go | 10 +++++
 .../components/docker-registry/rolebinding.go | 42 +++++++++++++++++++
 .../charts/docker-registry/Chart.yaml | 2 +-
 4 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 installer/pkg/components/docker-registry/rolebinding.go
diff --git a/installer/pkg/components/docker-registry/helm.go b/installer/pkg/components/docker-registry/helm.go
index 9be30d6cfe46c7..dca86783252bf4 100644
--- a/installer/pkg/components/docker-registry/helm.go
+++ b/installer/pkg/components/docker-registry/helm.go
@@ -31,6 +31,7 @@ var Helm = common.CompositeHelmFunc(
 helm.KeyValue("docker-registry.service.port", strconv.Itoa(common.ProxyContainerHTTPSPort)),
 helm.KeyValue("docker-registry.tlsSecretName", BuiltInRegistryCerts),
 helm.KeyValue("docker-registry.image.repository", repository),
+ helm.KeyValue("docker-registry.serviceAccount.name", Component),
 }

 if len(cfg.Config.ImagePullSecrets) > 0 {
diff --git a/installer/pkg/components/docker-registry/objects.go b/installer/pkg/components/docker-registry/objects.go
index 3c785529f14a86..d29d47101e21dc 100644
--- a/installer/pkg/components/docker-registry/objects.go
+++ b/installer/pkg/components/docker-registry/objects.go
@@ -6,9 +6,19 @@ package dockerregistry

 import (
 "github.com/gitpod-io/gitpod/installer/pkg/common"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/utils/pointer"
 )

 var Objects = common.CompositeRenderFunc(
 certificate,
+ rolebinding,
 secret,
+ func(ctx *common.RenderContext) ([]runtime.Object, error) {
+ if !pointer.BoolDeref(ctx.Config.ContainerRegistry.InCluster, false) {
+ return nil, nil
+ }
+
+ return common.DefaultServiceAccount(Component)(ctx)
+ },
 )
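Review bot: In `objects.go` the service account is rendered by an anonymous closure inside `common.CompositeRenderFunc`, which repeats the `InCluster` guard that `rolebinding` in `rolebinding.go` also carries and has no name or comment saying why it is conditional. I would move it into a named function beside `rolebinding`, e.g. `func serviceaccount(ctx *common.RenderContext) ([]runtime.Object, error)`, with a comment stating that the ServiceAccount is rendered only when the in-cluster registry is enabled. That keeps the three uses of `Component` as the account name (the `serviceAccount.name` value in the `helm.go` hunk, this closure, and the binding subject) visibly tied together, so a later rename cannot leave the chart pointing at an account that is never created.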
diff --git a/installer/pkg/components/docker-registry/rolebinding.go b/installer/pkg/components/docker-registry/rolebinding.go
new file mode 100644
index 00000000000000..3441bfd8ed71ea
--- /dev/null
+++ b/installer/pkg/components/docker-registry/rolebinding.go
@@ -0,0 +1,42 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package dockerregistry
+
+import (
+ "fmt"
+ "github.com/gitpod-io/gitpod/installer/pkg/common"
+ rbacv1 "k8s.io/api/rbac/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/utils/pointer"
+)
+
+func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
+ if !pointer.BoolDeref(ctx.Config.ContainerRegistry.InCluster, false) {
+ return nil, nil
+ }
+
+ return []runtime.Object{
+ &rbacv1.RoleBinding{
+ TypeMeta: common.TypeMetaRoleBinding,
+ ObjectMeta: metav1.ObjectMeta{
+ Name: Component,
+ Namespace: ctx.Namespace,
+ Labels: common.DefaultLabels(Component),
+ },
+ RoleRef: rbacv1.RoleRef{
+ Kind: "ClusterRole",
+ Name: fmt.Sprintf("%s-ns-psp:restricted-root-user", ctx.Namespace),
+ APIGroup: "rbac.authorization.k8s.io",
+ },
+ Subjects: []rbacv1.Subject{
+ {
+ Kind: "ServiceAccount",
+ Name: Component,
+ },
+ },
+ },
+ }, nil
+}
diff --git a/installer/third_party/charts/docker-registry/Chart.yaml b/installer/third_party/charts/docker-registry/Chart.yaml
index c7faa73601ae65..1498b0efdf8498 100644
--- a/installer/third_party/charts/docker-registry/Chart.yaml
+++ b/installer/third_party/charts/docker-registry/Chart.yaml
@@ -8,5 +8,5 @@ name: docker-registry
 version: 1.0.0
 dependencies:
 - name: docker-registry
- version: 1.14.0
+ version: 1.16.0
 repository: https://helm.twun.io
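Review bot: The `RoleRef` in `rolebinding` (new file `rolebinding.go`) binds the registry's service account to the ClusterRole `<namespace>-ns-psp:restricted-root-user`, and nothing in the file says why the registry needs that policy or which component creates the ClusterRole. Judging by its name this is the pod security policy role that permits a root user, so it is a privilege grant that deserves a doc comment on the function stating the reason and naming where the role is rendered. The role name is built here with `fmt.Sprintf`, so if the role is rendered elsewhere with a different format the mismatch would, as far as I can tell, only surface at deploy time; a shared helper or constant for the name would remove that risk. I would also set `Namespace: ctx.Namespace,` on the `ServiceAccount` subject rather than rely on it defaulting to the binding's namespace.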