feat: add docker-secret to kubernetes

Signed-off-by: Guilhem Barthés <[email protected]>
Substra · Mar 19, 2024 · a8064fa · a8064fa
1 parent 5f3f136
commit a8064fa
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 1 deletion.
diff --git a/backend/substrapp/compute_tasks/compute_pod.py b/backend/substrapp/compute_tasks/compute_pod.py
@@ -132,7 +132,12 @@ def create_pod(
             ]
         )
     )
+    image_pull_secret = os.getenv("DOCKER_CONFIG_SECRET_NAME")
 
+    if image_pull_secret:
+        image_pull_secrets = [kubernetes.client.V1LocalObjectReference(name=image_pull_secret)]
+    else:
+        image_pull_secrets = None
     spec = kubernetes.client.V1PodSpec(
         restart_policy="Never",
         affinity=pod_affinity,
@@ -141,6 +146,7 @@ def create_pod(
         security_context=get_pod_security_context(),
         termination_grace_period_seconds=0,
         automount_service_account_token=False,
+        image_pull_secrets=image_pull_secrets,
     )
 
     pod = kubernetes.client.V1Pod(api_version="v1", kind="Pod", metadata=metadata, spec=spec)

diff --git a/charts/substra-backend/templates/statefulset-worker.yaml b/charts/substra-backend/templates/statefulset-worker.yaml
@@ -115,6 +115,10 @@ spec:
               value: {{ include "substra-backend.objectStore.url" . | quote }}
             - name: ENABLE_DATASAMPLE_STORAGE_IN_SERVERMEDIAS
               value: {{ .Values.DataSampleStorageInServerMedia | quote }}
+            {{- if .Values.kaniko.dockerConfigSecretName }}
+            - name: DOCKER_CONFIG_SECRET_NAME
+              value: {{ .Values.kaniko.dockerConfigSecretName }}
+            {{- end }}
           {{- with .Values.extraEnv }}
 {{ toYaml . | indent 12 }}
           {{- end }}

diff --git a/examples/secrets/secret-harbor-dockerconfig.yaml b/examples/secrets/secret-harbor-dockerconfig.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 data:
-  .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3IuaGFyYm9yLnN2Yy5jbHVzdGVyLmxvY2FsOjg0NDMiOnsidXNlcm5hbWUiOiJhZG1pbiIsInBhc3N3b3JkIjoiaGFyYm9yUEBzc3dvcmQyNDAzIiwiYXV0aCI6IllXUnRhVzQ2YUdGeVltOXlVRUJ6YzNkdmNtUXlOREF6In19fQ==
+  .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3IuaGFyYm9yLnN2Yy5jbHVzdGVyLmxvY2FsOjMwMDQ2Ijp7InVzZXJuYW1lIjoiYWRtaW4iLCJwYXNzd29yZCI6ImhhcmJvclBAc3N3b3JkMjQwMyIsImF1dGgiOiJZV1J0YVc0NmFHRnlZbTl5VUVCemMzZHZjbVF5TkRBeiJ9LCJoYXJib3IuaGFyYm9yLnN2Yy5jbHVzdGVyLmxvY2FsOjg0NDMiOnsidXNlcm5hbWUiOiJhZG1pbiIsInBhc3N3b3JkIjoiaGFyYm9yUEBzc3dvcmQyNDAzIiwiYXV0aCI6IllXUnRhVzQ2YUdGeVltOXlVRUJ6YzNkdmNtUXlOREF6In0sImxvY2FsaG9zdDozMDA0NiI6eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJoYXJib3JQQHNzd29yZDI0MDMiLCJhdXRoIjoiWVdSdGFXNDZhR0Z5WW05eVVFQnpjM2R2Y21ReU5EQXoifSwicmVnaXN0cnkub3JnLTIuaW50ZXJuYWw6MzAwNDYiOnsidXNlcm5hbWUiOiJhZG1pbiIsInBhc3N3b3JkIjoiaGFyYm9yUEBzc3dvcmQyNDAzIiwiYXV0aCI6IllXUnRhVzQ2YUdGeVltOXlVRUJ6YzNkdmNtUXlOREF6In19fQ==
 kind: Secret
 metadata:
   creationTimestamp: null