From 83b300078cf9a055e46f95addced2d42a96a3754 Mon Sep 17 00:00:00 2001
From: Michael Roskrow
Date: Mon, 23 Oct 2023 09:21:46 +0100
Subject: [PATCH 1/2] add overridable image repository prefix per-component
---
 enforcer/templates/enforcer-daemonset.yaml | 6 ++++++
 enforcer/templates/enforcer-windows-daemonset.yaml | 4 ++++
 kube-enforcer/templates/kube-enforcer-deployment.yaml | 8 ++++++++
 3 files changed, 18 insertions(+)
diff --git a/enforcer/templates/enforcer-daemonset.yaml b/enforcer/templates/enforcer-daemonset.yaml
index fc8f0d6d..3dcd2c98 100644
--- a/enforcer/templates/enforcer-daemonset.yaml
+++ b/enforcer/templates/enforcer-daemonset.yaml
@@ -58,7 +58,13 @@ spec:
 serviceAccount: {{ template "agentServiceAccount" . }}
 containers:
 - name: enforcer
+ {{- if and .Values.enforcer.imageCredentials.repositoryUriPrefix .Values.enforcer.image.repository .Values.enforcer.image.tag }}
+ image: "{{ .Values.enforcer.imageCredentials.repositoryUriPrefix }}/{{ .Values.enforcer.image.repository }}:{{ .Values.enforcer.image.tag }}"
+ {{- else if .Values.enforcer.imageCredentials.repositoryUriPrefix }}
+ image: "{{ .Values.enforcer.imageCredentials.repositoryUriPrefix }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ {{- else }}
 image: "{{ .Values.global.imageCredentials.repositoryUriPrefix }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ {{- end }}
 imagePullPolicy: "{{ .Values.image.pullPolicy }}"
 securityContext:
 {{- toYaml .Values.securityContext | nindent 10 }}
diff --git a/enforcer/templates/enforcer-windows-daemonset.yaml b/enforcer/templates/enforcer-windows-daemonset.yaml
index 9505fee5..4496fb15 100644
--- a/enforcer/templates/enforcer-windows-daemonset.yaml
+++ b/enforcer/templates/enforcer-windows-daemonset.yaml
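Review bot: The first condition of the enforcer image block, `if and .Values.enforcer.imageCredentials.repositoryUriPrefix .Values.enforcer.image.repository .Values.enforcer.image.tag`, walks nested paths under `.Values.enforcer`, and this patch changes only templates; unless the chart's values.yaml already defines `enforcer.imageCredentials` and `enforcer.image`, rendering presumably fails with a nil-pointer error for every install that does not set the override. On Helm builds whose Go version predates short-circuiting `and`, all three arguments are evaluated even when the prefix is empty. Shipping empty defaults in values.yaml (for example `repositoryUriPrefix: ""` under `enforcer.imageCredentials`, plus an empty `enforcer.image` map) would keep the default install rendering. The same applies to `.Values.windowsEnforcer.imageCredentials`, `.Values.imageCredentials` and `.Values.kubeEnforcerAdvance.imageCredentials` in the other three hunks of this patch. This hunk is also the only one where the override can change repository and tag as well as the prefix, which is worth stating in the values documentation.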
@@ -47,7 +47,11 @@ spec:
 serviceAccount: {{ template "agentServiceAccount" . }}
 containers:
 - name: aqua-windows-enforcer
+ {{- if .Values.windowsEnforcer.imageCredentials.repositoryUriPrefix }}
+ image: "{{ .Values.windowsEnforcer.imageCredentials.repositoryUriPrefix }}/{{ .Values.windowsEnforcer.image.repository }}:{{ .Values.windowsEnforcer.image.tag }}"
+ {{- else }}
 image: "{{ .Values.global.imageCredentials.repositoryUriPrefix }}/{{ .Values.windowsEnforcer.image.repository }}:{{ .Values.windowsEnforcer.image.tag }}"
+ {{- end }}
 imagePullPolicy: "{{ .Values.windowsEnforcer.image.pullPolicy }}"
 securityContext:
 {{- toYaml .Values.windowsEnforcer.securityContext | nindent 10 }}
diff --git a/kube-enforcer/templates/kube-enforcer-deployment.yaml b/kube-enforcer/templates/kube-enforcer-deployment.yaml
index 33b26eb4..b25bc042 100644
--- a/kube-enforcer/templates/kube-enforcer-deployment.yaml
+++ b/kube-enforcer/templates/kube-enforcer-deployment.yaml
@@ -55,7 +55,11 @@ spec:
 securityContext:
 {{ toYaml . | indent 12 }}
 {{- end }}
+ {{- if .Values.imageCredentials.repositoryUriPrefix }}
+ image: "{{ .Values.imageCredentials.repositoryUriPrefix }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ {{- else }}
 image: "{{ .Values.global.imageCredentials.repositoryUriPrefix }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ {{- end }}
 imagePullPolicy: "{{ .Values.image.pullPolicy }}"
 {{- if .Values.vaultSecret.enabled }}
 command: ["/bin/sh"]
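Review bot: Both branches of the aqua-windows-enforcer image block repeat the full `image:` line and differ only in the prefix, so any later change to how repository or tag are rendered has to be made twice; the kube-enforcer hunk in this file set and the envoy hunk have the same shape. Resolving the prefix once leaves a single image line: `{{- $prefix := .Values.windowsEnforcer.imageCredentials.repositoryUriPrefix | default .Values.global.imageCredentials.repositoryUriPrefix }}` followed by `image: "{{ $prefix }}/{{ .Values.windowsEnforcer.image.repository }}:{{ .Values.windowsEnforcer.image.tag }}"`. That form assumes `windowsEnforcer.imageCredentials` has a default in values.yaml, which this patch does not show. Because the override decides which registry a node-level agent image is pulled from, a template comment above the line naming the key and its global fallback would make the effective image source easier to audit.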
@@ -123,7 +127,11 @@ spec:
 {{- end }}
 {{- if .Values.kubeEnforcerAdvance.enable }}
 - name: envoy
+ {{- if .Values.kubeEnforcerAdvance.imageCredentials.repositoryUriPrefix }}
+ image: "{{ .Values.kubeEnforcerAdvance.imageCredentials.repositoryUriPrefix }}/{{ .Values.kubeEnforcerAdvance.envoy.image.repository }}:{{ .Values.kubeEnforcerAdvance.envoy.image.tag }}"
+ {{- else }}
 image: "{{ .Values.global.imageCredentials.repositoryUriPrefix }}/{{ .Values.kubeEnforcerAdvance.envoy.image.repository }}:{{ .Values.kubeEnforcerAdvance.envoy.image.tag }}"
+ {{- end }}
 imagePullPolicy: "{{ .Values.kubeEnforcerAdvance.envoy.image.pullPolicy }}"
 command: ["/bin/sh", "-c", "cp /etc/envoy/cds.yaml /etc/aquasec/envoy/cds.yaml && touch /etc/aquasec/envoy/ca-certificates.crt && envoy -c /etc/envoy/envoy.yaml"]
 ports:
From 58b8242facd0d46a345e5554ab8cee6df521ae18 Mon Sep 17 00:00:00 2001
From: Michael Roskrow
Date: Mon, 23 Oct 2023 09:28:25 +0100
Subject: [PATCH 2/2] add optional imagePullSecrets
---
 enforcer/templates/enforcer-daemonset.yaml | 4 ++++
 enforcer/templates/enforcer-windows-daemonset.yaml | 4 ++++
 kube-enforcer/templates/kube-enforcer-deployment.yaml | 4 ++++
 3 files changed, 12 insertions(+)
diff --git a/enforcer/templates/enforcer-daemonset.yaml b/enforcer/templates/enforcer-daemonset.yaml
index 3dcd2c98..7c0ba60b 100644
--- a/enforcer/templates/enforcer-daemonset.yaml
+++ b/enforcer/templates/enforcer-daemonset.yaml
@@ -56,6 +56,10 @@ spec:
 priorityClassName: {{ template "priorityClass" . }}
 {{- end }}
 serviceAccount: {{ template "agentServiceAccount" . }}
+ {{- if .Values.enforcer.imageCredentials.imagePullSecrets }}
+ imagePullSecrets:
+ - name: {{- .Values.enforcer.imageCredentials.imagePullSecrets.secretName }}
+ {{- end }}
 containers:
 - name: enforcer
 {{- if and .Values.enforcer.imageCredentials.repositoryUriPrefix .Values.enforcer.image.repository .Values.enforcer.image.tag }}
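Review bot: In the added line `- name: {{- .Values.enforcer.imageCredentials.imagePullSecrets.secretName }}` the left-trim marker `{{-` removes the space after `name:`, so the rendered text is `- name:<secret>`, which YAML reads as a plain string rather than a mapping with a `name` key and is not a valid `imagePullSecrets` entry. Drop the trim and quote the value: `- name: {{ .Values.enforcer.imageCredentials.imagePullSecrets.secretName | quote }}`. The windows-daemonset and kube-enforcer hunks of this patch contain the same line and need the same change. The guard tests `imagePullSecrets` rather than `secretName`, so a map set without a name still renders an entry with an empty name; it also looks up a path under `.Values.enforcer` that this patch does not add to values.yaml, so a default there is probably needed for the chart to render when the option is unset.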
diff --git a/enforcer/templates/enforcer-windows-daemonset.yaml b/enforcer/templates/enforcer-windows-daemonset.yaml
index 4496fb15..49c0308d 100644
--- a/enforcer/templates/enforcer-windows-daemonset.yaml
+++ b/enforcer/templates/enforcer-windows-daemonset.yaml
@@ -45,6 +45,10 @@ spec:
 priorityClassName: {{ template "priorityClass" . }}
 {{- end }}
 serviceAccount: {{ template "agentServiceAccount" . }}
+ {{- if .Values.windowsEnforcer.imageCredentials.imagePullSecrets }}
+ imagePullSecrets:
+ - name: {{- .Values.windowsEnforcer.imageCredentials.imagePullSecrets.secretName }}
+ {{- end }}
 containers:
 - name: aqua-windows-enforcer
 {{- if .Values.windowsEnforcer.imageCredentials.repositoryUriPrefix }}
diff --git a/kube-enforcer/templates/kube-enforcer-deployment.yaml b/kube-enforcer/templates/kube-enforcer-deployment.yaml
index b25bc042..d5676992 100644
--- a/kube-enforcer/templates/kube-enforcer-deployment.yaml
+++ b/kube-enforcer/templates/kube-enforcer-deployment.yaml
@@ -49,6 +49,10 @@ spec:
 priorityClassName: {{ template "priorityClass" . }}
 {{- end }}
 serviceAccountName: {{ template "serviceAccount" . }}
+ {{- if .Values.imageCredentials.imagePullSecrets }}
+ imagePullSecrets:
+ - name: {{- .Values.imageCredentials.imagePullSecrets.secretName }}
+ {{- end }}
 containers:
 - name: kube-enforcer
 {{- with .Values.container_securityContext }}