diff --git a/packages/common/config/load-config.js b/packages/common/config/load-config.js
index a94a8e4d9..ff3606079 100644
--- a/packages/common/config/load-config.js
+++ b/packages/common/config/load-config.js
@@ -680,7 +680,7 @@ const loadConfig = async (
 },
 deployKeySecretName: {
 env: "KS_DEPLOY_KEY_SECRET_NAME",
- default: null,
+ default: "deploy-key",
 },
 gitDiffEnabled: {
 option: "gitDiffEnabled",
diff --git a/packages/kontinuous/tests/__snapshots__/private-mode.dev.yaml b/packages/kontinuous/tests/__snapshots__/private-mode.dev.yaml
new file mode 100644
index 000000000..55414d8d7
--- /dev/null
+++ b/packages/kontinuous/tests/__snapshots__/private-mode.dev.yaml
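Review bot: Changing the `deployKeySecretName` default from `null` to `"deploy-key"` removes the "not configured" state: any consumer that used a null name to skip mounting or reading the deploy-key Secret will now always look for a Secret named `deploy-key`, which can break deployments in namespaces that never had one (the consumer is outside this hunk, so this is inferred). If opting out is still needed, keep a documented way to do so, for example treating an empty `KS_DEPLOY_KEY_SECRET_NAME` as unset, and record the new default in the option's documentation. The enclosing `loadConfig` starts and ends outside the hunk.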
@@ -0,0 +1,258 @@ +// Jest Snapshot v1, https://goo.gl/fbAQLP + +exports[`test build manifests with snapshots private-mode.dev 1`] = ` +"apiVersion: v1 +kind: Namespace +metadata: + annotations: + field.cattle.io/projectId: \\"1234\\" + kontinuous/gitBranch: feature-branch-1 + kontinuous/mainNamespace: \\"true\\" + kapp.k14s.io/exists: \\"\\" + kontinuous/chartPath: project.fabrique.contrib.rancher-namespace + kontinuous/source: project/charts/fabrique/charts/contrib/charts/rancher-namespace/templates/namespace.yaml + kontinuous/deployment: test-private-mode-feature-branch-1-ffac537e6cbbf934b0-kai8ppzf + labels: + application: test-private-mode + kontinuous/deployment: test-private-mode-feature-branch-1-ffac537e6cbbf934b0-kai8ppzf + kontinuous/deployment.env: test-private-mode-feature-branch-1 + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: namespace-test-private-mode-feature-branch-1-1cukadqi + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + cert: wildcard + name: test-private-mode-feature-branch-1 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: netpol-ingress + namespace: test-private-mode-feature-branch-1 + annotations: + kontinuous/chartPath: project.fabrique.contrib.security-policies + kontinuous/source: project/charts/fabrique/charts/contrib/charts/security-policies/templates/network-policy.yml + kontinuous/deployment: test-private-mode-feature-branch-1-ffac537e6cbbf934b0-kai8ppzf + labels: + kontinuous/deployment: test-private-mode-feature-branch-1-ffac537e6cbbf934b0-kai8ppzf + kontinuous/deployment.env: test-private-mode-feature-branch-1 + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: 
networkpolicy-netpol-ingress-61ndxljw + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous +spec: + ingress: + - from: + - podSelector: {} + - from: + - namespaceSelector: + matchLabels: + network-policy/source: ingress-controller + - from: + - namespaceSelector: + matchLabels: + network-policy/source: monitoring + podSelector: {} + policyTypes: + - Ingress +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: default + annotations: + kontinuous/chartPath: project.fabrique.contrib.security-policies + kontinuous/source: project/charts/fabrique/charts/contrib/charts/security-policies/templates/service-account.yaml + kontinuous/deployment: test-private-mode-feature-branch-1-ffac537e6cbbf934b0-kai8ppzf + labels: + kontinuous/deployment: test-private-mode-feature-branch-1-ffac537e6cbbf934b0-kai8ppzf + kontinuous/deployment.env: test-private-mode-feature-branch-1 + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: serviceaccount-default-2g5dmk74 + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + namespace: test-private-mode-feature-branch-1 +automountServiceAccountToken: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + component: app + application: test-private-mode + kontinuous/deployment: test-private-mode-feature-branch-1-ffac537e6cbbf934b0-kai8ppzf + kontinuous/deployment.env: test-private-mode-feature-branch-1 + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: deployment-app-55fzcjih + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + name: app + namespace: test-private-mode-feature-branch-1 + annotations: 
+ kontinuous/chartPath: project.fabrique.contrib.app + kontinuous/source: project/charts/fabrique/charts/contrib/charts/app/templates/deployment.yaml + kontinuous/deployment: test-private-mode-feature-branch-1-ffac537e6cbbf934b0-kai8ppzf + kontinuous/depname.full: project.fabrique.contrib.app.deployment.app + kontinuous/depname.chartResource: app.deployment.app + kontinuous/depname.chartName: app + kontinuous/depname.chartPath: project.fabrique.contrib.app + kontinuous/depname.resourcePath: deployment.app + kontinuous/depname.resourceName: app + kontinuous/depname.chartNameTopFull: app + kontinuous/depname.chartNameTop: app + kontinuous/plugin.log: \\"false\\" + reloader.stakater.com/auto: \\"true\\" +spec: + replicas: 1 + selector: + matchLabels: + component: app + strategy: + type: RollingUpdate + template: + metadata: + labels: + component: app + application: test-private-mode + namespace: test-private-mode-feature-branch-1 + kontinuous/deployment: test-private-mode-feature-branch-1-ffac537e6cbbf934b0-kai8ppzf + kontinuous/deployment.env: test-private-mode-feature-branch-1 + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: deployment-app-55fzcjih + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + annotations: + kontinuous/deployment: test-private-mode-feature-branch-1-ffac537e6cbbf934b0-kai8ppzf + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: namespace + operator: In + values: + - test-private-mode-feature-branch-1 + - key: component + operator: In + values: + - app + topologyKey: kubernetes.io/hostname + containers: + - image: harbor.fabrique.social.gouv.fr/test-private-mode/app:sha-ffac537e6cbbf934b08745a378932722df287a53 + name: app + ports: + - 
containerPort: 3000 + name: http + livenessProbe: + failureThreshold: 15 + httpGet: + path: /index.html + port: http + initialDelaySeconds: 30 + periodSeconds: 5 + timeoutSeconds: 5 + readinessProbe: + failureThreshold: 15 + httpGet: + path: /index.html + port: http + initialDelaySeconds: 1 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + startupProbe: + failureThreshold: 12 + httpGet: + path: /index.html + port: http + periodSeconds: 5 + resources: + limits: + cpu: 1 + memory: 1Gi + requests: + cpu: 41m + memory: 121Mi + imagePullSecrets: + - name: harbor-pull-secret +--- +apiVersion: v1 +kind: Service +metadata: + labels: + component: app + application: test-private-mode + kontinuous/deployment: test-private-mode-feature-branch-1-ffac537e6cbbf934b0-kai8ppzf + kontinuous/deployment.env: test-private-mode-feature-branch-1 + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: service-app-46z2o1vv + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + name: app + namespace: test-private-mode-feature-branch-1 + annotations: + kontinuous/chartPath: project.fabrique.contrib.app + kontinuous/source: project/charts/fabrique/charts/contrib/charts/app/templates/service.yaml + kontinuous/deployment: test-private-mode-feature-branch-1-ffac537e6cbbf934b0-kai8ppzf +spec: + ports: + - name: http + port: 80 + targetPort: 3000 + selector: + component: app + type: ClusterIP +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + kubernetes.io/ingress.class: nginx + kontinuous/chartPath: project.fabrique.contrib.app + kontinuous/source: project/charts/fabrique/charts/contrib/charts/app/templates/ingress.yaml + kontinuous/deployment: test-private-mode-feature-branch-1-ffac537e6cbbf934b0-kai8ppzf + labels: + component: app + application: test-private-mode + 
kontinuous/deployment: test-private-mode-feature-branch-1-ffac537e6cbbf934b0-kai8ppzf + kontinuous/deployment.env: test-private-mode-feature-branch-1 + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: ingress-app-b4kcj2bx + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + name: app + namespace: test-private-mode-feature-branch-1 +spec: + rules: + - host: test-private-mode-feature-branch-1.dev.fabrique.social.gouv.fr + http: + paths: + - backend: + service: + name: app + port: + name: http + path: / + pathType: Prefix + tls: + - hosts: + - test-private-mode-feature-branch-1.dev.fabrique.social.gouv.fr + secretName: wildcard-crt +" +`; diff --git a/packages/kontinuous/tests/samples/private-mode/config.yaml b/packages/kontinuous/tests/samples/private-mode/config.yaml new file mode 100644 index 000000000..0dfe4aa2e --- /dev/null +++ b/packages/kontinuous/tests/samples/private-mode/config.yaml @@ -0,0 +1,5 @@ +dependencies: + fabrique: + import: socialgouv/kontinuous/plugins/fabrique + extends: + - name: private-mode \ No newline at end of file diff --git a/packages/kontinuous/tests/samples/private-mode/values.yaml b/packages/kontinuous/tests/samples/private-mode/values.yaml new file mode 100644 index 000000000..a853a290d --- /dev/null +++ b/packages/kontinuous/tests/samples/private-mode/values.yaml @@ -0,0 +1,2 @@ +app: + enabled: true diff --git a/plugins/contrib/kontinuous.yaml b/plugins/contrib/kontinuous.yaml index 14b87a22c..0d570d1c1 100644 --- a/plugins/contrib/kontinuous.yaml +++ b/plugins/contrib/kontinuous.yaml @@ -31,6 +31,8 @@ patches: enabled: true addJobsAffinityAndTolerations: enabled: false + privateImages: + enabled: false validators: rancherProjectId: 
diff --git a/plugins/contrib/patches/60-private-images.js b/plugins/contrib/patches/60-private-images.js new file mode 100644 index 000000000..5bb5ab264 --- /dev/null +++ b/plugins/contrib/patches/60-private-images.js @@ -0,0 +1,35 @@ +module.exports = (manifests, options) => { + const { + kinds = ["Deployment", "StatefulSet", "DaemonSet"], + imagePrefixes = [], + } = options + manifests.forEach((manifest) => { + if (kinds.includes(manifest.kind)) { + // Iterate through each container in the spec + manifest.spec.template.spec.containers.forEach((container) => { + if ( + imagePrefixes.some((imagePrefix) => + container.image.startsWith(imagePrefix) + ) + ) { + // Ensure imagePullSecrets array exists + if (!manifest.spec.template.spec.imagePullSecrets) { + manifest.spec.template.spec.imagePullSecrets = [] + } + + // Check if the secret is already added to avoid duplicates + const secretExists = + manifest.spec.template.spec.imagePullSecrets.some( + (secret) => secret.name === "harbor-pull-secret" + ) + if (!secretExists) { + // Add the harbor-pull-secret + manifest.spec.template.spec.imagePullSecrets.push({ + name: "harbor-pull-secret", + }) + } + } + }) + } + }) +} diff --git a/plugins/fabrique/extends/private-mode.yaml b/plugins/fabrique/extends/private-mode.yaml new file mode 100644 index 000000000..e9b4ee991 --- /dev/null +++ b/plugins/fabrique/extends/private-mode.yaml @@ -0,0 +1,9 @@ +config: + private: true + +dependencies: + contrib: + patches: + privateImages: + enabled: true + \ No newline at end of file diff --git a/plugins/fabrique/kontinuous.yaml b/plugins/fabrique/kontinuous.yaml index 2a6f07b1f..0e6916b94 100644 --- a/plugins/fabrique/kontinuous.yaml +++ b/plugins/fabrique/kontinuous.yaml @@ -73,6 +73,11 @@ dependencies: operator: Equal value: ci effect: NoSchedule + privateImages: + enabled: false + options: + imagePrefixes: + - "harbor.fabrique.social.gouv.fr" validators: rancherProjectId:
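Review bot: `initContainers` are not examined in the new patch: a pod whose only private-registry image sits in an init container gets no `imagePullSecrets` entry and fails at pull time, even though the secret is pod-scoped and would cover it. The unguarded `manifest.spec.template.spec.containers` access also throws if `kinds` is configured with a workload that has no `spec.template` (a CronJob, for instance), and an enabled patch with the default `imagePrefixes = []` is a silent no-op, which is exactly the state the plugins/contrib/kontinuous.yaml hunk leaves it in. The literal `"harbor-pull-secret"` is repeated three times; lifting it to a `secretName` option with the same default keeps existing callers working. The prefix configured in the plugins/fabrique/kontinuous.yaml hunk is a bare host, and `startsWith` on it matches any image string that merely begins with those characters, so prefixes should carry a trailing `/` or be compared against the registry component. The rewrite below collects init and regular containers and guards the pod spec; the imagePullSecrets dedup and push are unchanged.
```javascript
module.exports = (manifests, options) => {
  const {
    kinds = ["Deployment", "StatefulSet", "DaemonSet"],
    imagePrefixes = [],
    secretName = "harbor-pull-secret",
  } = options
  manifests.forEach((manifest) => {
    if (!kinds.includes(manifest.kind)) {
      return
    }
    const podSpec = manifest.spec?.template?.spec
    if (!podSpec) {
      return
    }
    // initContainers pull with the same pod-level imagePullSecrets, so they
    // count when deciding whether the secret is needed
    const containers = [
      ...(podSpec.initContainers || []),
      ...(podSpec.containers || []),
    ]
    const needsSecret = containers.some((container) =>
      imagePrefixes.some((imagePrefix) =>
        (container.image || "").startsWith(imagePrefix)
      )
    )
    if (!needsSecret) {
      return
    }
    // … unchanged: ensure podSpec.imagePullSecrets exists and push { name: secretName } once …
  })
}
```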