wallarm · braek-neck · Sep 25, 2024 · Aug 22, 2024
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -5,6 +5,8 @@ on:
     branches: ['main']
     types: ['opened', 'reopened', 'synchronize']
     paths:
+      - '.github/workflows/ci.yaml'
+      - '.github/workflows/test.yaml'
       - 'helm/**'
       - 'files/**'
       - 'cmd/**'

diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -153,7 +153,10 @@ jobs:
           role: ${{ secrets.VAULT_ROLE }}
           method: kubernetes
           path: kubernetes-ci
-          secrets: kv-gitlab-ci/data/github/sidecar api_token
+          secrets: |
+            kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ;
+            kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ;
+            kv-gitlab-ci/data/github/sidecar api_token ;
 
       - name: Checkout
         uses: actions/checkout@v3
@@ -162,6 +165,7 @@ jobs:
 
       - name: Create cluster
         run: |
+          echo ${DOCKERHUB_PASSWORD} | docker login -u ${DOCKERHUB_USER} --password-stdin
           kind create cluster \
             --config ${GITHUB_WORKSPACE}/helm/test/kind/kind.yaml \
             --image kindest/node:v${{ matrix.kubeVersion }} \
@@ -184,6 +188,12 @@ jobs:
       - name: Install Helm chart
         run: |
           unset KUBERNETES_SERVICE_HOST
+          echo "[test-env] creating secret docker-registry ..."
+          kubectl create secret docker-registry dockerhub-secret \
+            --docker-server="https://index.docker.io/v1/" \
+            --docker-username="${DOCKERHUB_USER}" \
+            --docker-password="${DOCKERHUB_PASSWORD}" \
+            [email protected]
           helm install wallarm-sidecar ./helm -f helm/values.test.yaml \
             --set config.wallarm.api.token=${API_TOKEN} \
             --debug \
@@ -200,6 +210,12 @@ jobs:
       - name: Deploy pytest
         run: |
           unset KUBERNETES_SERVICE_HOST
+          kubectl create namespace pytest
+          kubectl -n pytest create secret docker-registry dockerhub-secret \
+            --docker-server="https://index.docker.io/v1/" \
+            --docker-username="${DOCKERHUB_USER}" \
+            --docker-password="${DOCKERHUB_PASSWORD}" \
+            [email protected]
           kubectl apply -f kind/docker/manifests/init/pytest.yaml
           while [[ -z $(kubectl -n pytest get pods -o name) ]]; do
             sleep 1
@@ -227,7 +243,10 @@ jobs:
           role: ${{ secrets.VAULT_ROLE }}
           method: kubernetes
           path: kubernetes-ci
-          secrets: kv-gitlab-ci/data/github/sidecar api_token | WALLARM_API_TOKEN
+          secrets: |
+            kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ;
+            kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ;
+            kv-gitlab-ci/data/github/sidecar api_token | WALLARM_API_TOKEN ;
 
       - name: Checkout
         uses: actions/checkout@v3
@@ -236,6 +255,7 @@ jobs:
 
       - name: Create cluster
         run: |
+          echo ${DOCKERHUB_PASSWORD} | docker login -u ${DOCKERHUB_USER} --password-stdin
           kind create cluster --image kindest/node:v1.28.7
           kubectl wait --for=condition=Ready pods --all --timeout=180s -n kube-system
 

diff --git a/helm/ci/deployment-existing-secret-values.yaml b/helm/ci/deployment-existing-secret-values.yaml
@@ -1,5 +1,7 @@
+imagePullSecrets:
+  - name: dockerhub-secret
 config:
   wallarm:
     api:
       existingSecret:
-        enabled: true
+        enabled: true
diff --git a/helm/ci/deployment-external-tarantool-values.yaml b/helm/ci/deployment-external-tarantool-values.yaml
@@ -1,4 +1,6 @@
+imagePullSecrets:
+  - name: dockerhub-secret
 postanalytics:
   external:
     enabled: true
-    host: tarantool.domain.internal
+    host: tarantool.domain.internal
diff --git a/helm/ci/deployment-values.yaml b/helm/ci/deployment-values.yaml
@@ -0,0 +1,2 @@
+imagePullSecrets:
+  - name: dockerhub-secret
diff --git a/helm/test/integration_test.py b/helm/test/integration_test.py
@@ -53,6 +53,12 @@ def create_namespace(namespace: str) -> None:
         logger.info('Create namespace ...')
         Helpers.subprocess_run(cmd)
 
+    @staticmethod
+    def copy_docker_reg(namespace: str, docker_reg_name: str, source_docker_reg_namespace: str) -> None:
+        cmd = f"kubectl get secret {docker_reg_name} -n {source_docker_reg_namespace} -o yaml | sed 's/namespace: {source_docker_reg_namespace}/namespace: {namespace}/g' | kubectl apply -n {namespace} -f -"
+        logger.info('Copy dockerhub-secret ...')
+        Helpers.subprocess_run(cmd)
+
     @staticmethod
     def create_resources(path: str, namespace: str) -> None:
         cmd = f'kubectl --namespace {namespace} create -k {path}/'
@@ -75,8 +81,9 @@ def delete_namespace(namespace: str) -> None:
         Helpers.subprocess_run(cmd)
 
     @staticmethod
-    def setup_resources(path: str, namespace: str) -> None:
+    def setup_resources(path: str, namespace: str, docker_reg_name: str, source_docker_reg_namespace: str) -> None:
         Helpers.create_namespace(namespace)
+        #Helpers.copy_docker_reg(namespace, docker_reg_name, source_docker_reg_namespace)
         Helpers.create_resources(path, namespace)
         Helpers.wait_pods(namespace)
 
@@ -118,10 +125,13 @@ def test_main_functionality(self, config, helpers, teardown_namespace):
         allowed_url = base_url + ALLOWED_HTTP_PATH
         forbidden_url = base_url + FORBIDDEN_HTTP_PATH
 
+        source_docker_reg_namespace = "pytest"
+        docker_reg_name = "dockerhub-secret"
+
         # Register teardown and setup resources for test
         teardown_namespace['namespace'] = namespace
 
-        helpers.setup_resources(config_path, namespace)
+        helpers.setup_resources(config_path, namespace, docker_reg_name, source_docker_reg_namespace)
 
         # Need delay here to ensure that service is ready to send traffic to pods
         sleep(2)

diff --git a/helm/test/run_chart_tests.sh b/helm/test/run_chart_tests.sh
@@ -23,8 +23,21 @@ CT_NAMESPACE="ct"
 SECRET_NAME="wallarm-api-token"
 SECRET_KEY="token"
 
+# This will prevent the secret for index.docker.io from being used if the DOCKERHUB_USER is not set.
+DOCKERHUB_REGISTRY_SERVER="https://index.docker.io/v1/"
+
+if [ "${DOCKERHUB_USER:-false}" = "false" ]; then
+  DOCKERHUB_REGISTRY_SERVER="fake_docker_registry_server"
+fi
+
+DOCKERHUB_SECRET_NAME="dockerhub-secret"
+DOCKERHUB_USER="${DOCKERHUB_USER:-fake_user}"
+DOCKERHUB_PASSWORD="${DOCKERHUB_PASSWORD:-fake_password}"
+
 HELM_EXTRA_ARGS="--timeout 180s"
-HELM_EXTRA_SET_ARGS="--set config.wallarm.api.token=${WALLARM_API_TOKEN} ${HELM_ARGS:-}"
+HELM_EXTRA_SET_ARGS="--set config.wallarm.api.token=${WALLARM_API_TOKEN} \
+  --set imagePullSecrets[0].name=${DOCKERHUB_SECRET_NAME} \
+  ${HELM_ARGS:-}"
 
 # Handle the case when we run chart testing with '--upgrade' option
 if [[ "${CT_MODE:-}" == "upgrade" ]]; then
@@ -43,6 +56,15 @@ if ! kubectl -n ${CT_NAMESPACE} get secret "${SECRET_NAME}" &> /dev/null; then
   kubectl -n ${CT_NAMESPACE} create secret generic "${SECRET_NAME}" --from-literal="${SECRET_KEY}"="${WALLARM_API_TOKEN}"
 fi
 
+if ! kubectl -n ${CT_NAMESPACE} get secret "${DOCKERHUB_SECRET_NAME}" &> /dev/null; then
+  echo "Creating secret ${DOCKERHUB_SECRET_NAME}..."
+  kubectl -n ${CT_NAMESPACE} create secret docker-registry "${DOCKERHUB_SECRET_NAME}" \
+              --docker-server=${DOCKERHUB_REGISTRY_SERVER} \
+              --docker-username="${DOCKERHUB_USER}" \
+              --docker-password="${DOCKERHUB_PASSWORD}" \
+              [email protected]
+fi
+
 cat <<EOF > ct.sh
 #!/bin/bash
 set -e

diff --git a/helm/values.test.yaml b/helm/values.test.yaml
@@ -8,4 +8,6 @@ config:
     fallback: "off"
 
 controller:
-  replicaCount: 1
+  replicaCount: 1
+imagePullSecrets:
+  - name: dockerhub-secret
diff --git a/kind/docker/manifests/init/pytest.yaml b/kind/docker/manifests/init/pytest.yaml
@@ -21,6 +21,8 @@ spec:
       labels:
         app.kubernetes.io/name: pytest
     spec:
+      imagePullSecrets:
+        - name: dockerhub-secret
       serviceAccountName: pytest
       containers:
       - name: pytest

diff --git a/test/smoke/run.sh b/test/smoke/run.sh
@@ -27,9 +27,10 @@ export INJECTION_STRATEGY="${INJECTION_STRATEGY:-single}"
 
 K8S_VERSION=${K8S_VERSION:-1.28.7}
 
-DOCKERHUB_REGISTRY_SERVER="https://index.docker.io/v1/"
 
 # This will prevent the secret for index.docker.io from being used if the DOCKERHUB_USER is not set.
+DOCKERHUB_REGISTRY_SERVER="https://index.docker.io/v1/"
+
 if [ "${DOCKERHUB_USER:-false}" = "false" ]; then
   DOCKERHUB_REGISTRY_SERVER="fake_docker_registry_server"
 fi