chore: add image pull policy and secret handling across components

Author: aleoli

apis/offloading/v1beta1/vkoptionstemplate_types.go

@@ -21,21 +21,23 @@ import (
 
 // VkOptionsTemplateSpec defines the desired state of VkOptionsTemplate.
 type VkOptionsTemplateSpec struct {
-	CreateNode              bool                        `json:"createNode"`
-	DisableNetworkCheck     bool                        `json:"disableNetworkCheck"`
-	ContainerImage          string                      `json:"containerImage"`
-	MetricsEnabled          bool                        `json:"metricsEnabled"`
-	MetricsAddress          string                      `json:"metricsAddress,omitempty"`
-	LabelsNotReflected      []string                    `json:"labelsNotReflected,omitempty"`
-	AnnotationsNotReflected []string                    `json:"annotationsNotReflected,omitempty"`
-	ReflectorsConfig        map[string]ReflectorConfig  `json:"reflectorsConfig,omitempty"`
-	Resources               corev1.ResourceRequirements `json:"resources,omitempty"`
-	ExtraArgs               []string                    `json:"extraArgs,omitempty"`
-	ExtraAnnotations        map[string]string           `json:"extraAnnotations,omitempty"`
-	ExtraLabels             map[string]string           `json:"extraLabels,omitempty"`
-	NodeExtraAnnotations    map[string]string           `json:"nodeExtraAnnotations,omitempty"`
-	NodeExtraLabels         map[string]string           `json:"nodeExtraLabels,omitempty"`
-	Replicas                *int32                      `json:"replicas,omitempty"`
+	CreateNode              bool                          `json:"createNode"`
+	DisableNetworkCheck     bool                          `json:"disableNetworkCheck"`
+	ContainerImage          string                        `json:"containerImage"`
+	MetricsEnabled          bool                          `json:"metricsEnabled"`
+	MetricsAddress          string                        `json:"metricsAddress,omitempty"`
+	LabelsNotReflected      []string                      `json:"labelsNotReflected,omitempty"`
+	AnnotationsNotReflected []string                      `json:"annotationsNotReflected,omitempty"`
+	ReflectorsConfig        map[string]ReflectorConfig    `json:"reflectorsConfig,omitempty"`
+	Resources               corev1.ResourceRequirements   `json:"resources,omitempty"`
+	ExtraArgs               []string                      `json:"extraArgs,omitempty"`
+	ExtraAnnotations        map[string]string             `json:"extraAnnotations,omitempty"`
+	ExtraLabels             map[string]string             `json:"extraLabels,omitempty"`
+	NodeExtraAnnotations    map[string]string             `json:"nodeExtraAnnotations,omitempty"`
+	NodeExtraLabels         map[string]string             `json:"nodeExtraLabels,omitempty"`
+	Replicas                *int32                        `json:"replicas,omitempty"`
+	ImagePullSecrets        []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
+	PullPolicy              corev1.PullPolicy             `json:"pullPolicy,omitempty"`
 }
 
 // ReflectorConfig contains configuration parameters of the reflector.

apis/offloading/v1beta1/zz_generated.deepcopy.go

@@ -49,6 +49,7 @@
 | discovery.config.clusterID | string | `""` | Specify an unique ID for your cluster. This ID is used to identify your cluster in the peering process. |
 | discovery.config.clusterLabels | object | `{}` | A set of labels that characterizes the local cluster when exposed remotely as a virtual node. It is suggested to specify the distinguishing characteristics that may be used to decide whether to offload pods on this cluster. |
 | fullnameOverride | string | `""` | Override the standard full name used by Helm and associated to Kubernetes/Liqo resources. |
+| imagePullSecrets | list | `[]` | Image pull secrets for all Liqo containers |
 | ipam.external.enabled | bool | `false` | Use an external IPAM to allocate the IP addresses for the pods. Enabling it will disable the internal IPAM. |
 | ipam.external.url | string | `""` | The URL of the external IPAM. |
 | ipam.externalCIDR | string | `"10.70.0.0/16"` | The subnet used for the external CIDR. |
@@ -164,7 +165,7 @@
 | proxy.replicas | int | `1` | Set the number of replicas for the proxy deployments |
 | proxy.service.annotations | object | `{}` |  |
 | proxy.service.type | string | `"ClusterIP"` |  |
-| pullPolicy | string | `"IfNotPresent"` | The pullPolicy for liqo pods. |
+| pullPolicy | string | `"IfNotPresent"` | Image pull policy for all Liqo containers |
 | requirements.kernel.enabled | bool | `true` | Enable/Disable the kernel requirements check. |
 | storage.enabled | bool | `true` | Enable/Disable the liqo virtual storage class on the local cluster. You will be able to offload your persistent volumes, while other clusters will be able to schedule their persistent workloads on the current cluster. |
 | storage.realStorageClassName | string | `""` | Name of the real storage class to use in the local cluster. |

deployments/liqo/README.md

@@ -71,6 +71,24 @@ spec:
                 additionalProperties:
                   type: string
                 type: object
+              imagePullSecrets:
+                items:
+                  description: |-
+                    LocalObjectReference contains enough information to let you locate the
+                    referenced object inside the same namespace.
+                  properties:
+                    name:
+                      default: ""
+                      description: |-
+                        Name of the referent.
+                        This field is effectively required, but due to backwards compatibility is
+                        allowed to be empty. Instances of this type with an empty value here are
+                        almost certainly wrong.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      type: string
+                  type: object
+                  x-kubernetes-map-type: atomic
+                type: array
               labelsNotReflected:
                 items:
                   type: string
@@ -87,6 +105,10 @@ spec:
                 additionalProperties:
                   type: string
                 type: object
+              pullPolicy:
+                description: PullPolicy describes a policy for if/when to pull a container
+                  image
+                type: string
               reflectorsConfig:
                 additionalProperties:
                   description: ReflectorConfig contains configuration parameters of

deployments/liqo/charts/liqo-crds/crds/offloading.liqo.io_vkoptionstemplates.yaml

@@ -240,3 +240,13 @@ Get the Container security context
 {{- define "liqo.containerSecurityContext" -}}
 allowPrivilegeEscalation: false
 {{- end -}}
+
+{{/*
+Get the image pull secrets
+*/}}
+{{- define "liqo.imagePullSecrets" -}}
+{{- if .Values.imagePullSecrets }}
+imagePullSecrets:
+{{- toYaml .Values.imagePullSecrets | nindent 0 }}
+{{- end -}}
+{{- end -}}

deployments/liqo/templates/_helpers.tpl

@@ -39,6 +39,7 @@ spec:
       securityContext:
         {{- include "liqo.podSecurityContext" . | nindent 8 }}
       serviceAccountName: {{ include "liqo.prefixedName" $ctrlManagerConfig }}
+      {{- include "liqo.imagePullSecrets" . | nindent 6 }}
       containers:
       - image: {{ .Values.controllerManager.image.name }}{{ include "liqo.suffix" $ctrlManagerConfig }}:{{ include "liqo.version" $ctrlManagerConfig }}
         imagePullPolicy: {{ .Values.pullPolicy }}

deployments/liqo/templates/liqo-controller-manager-deployment.yaml

@@ -26,6 +26,7 @@ spec:
       securityContext:
         {{- include "liqo.podSecurityContext" . | nindent 8 }}
       serviceAccountName: {{ include "liqo.prefixedName" $crdReplicatorConfig }}
+      {{- include "liqo.imagePullSecrets" . | nindent 6 }}
       containers:
         - image: {{ .Values.crdReplicator.image.name }}{{ include "liqo.suffix" $crdReplicatorConfig }}:{{ include "liqo.version" $crdReplicatorConfig }}
           imagePullPolicy: {{ .Values.pullPolicy }}

deployments/liqo/templates/liqo-crd-replicator-deployment.yaml

@@ -38,6 +38,7 @@ spec:
         {{- toYaml .Values.networking.fabric.tolerations | nindent 8 }}
         {{- end }}
       serviceAccountName: {{ include "liqo.prefixedName" $fabricConfig }}
+      {{- include "liqo.imagePullSecrets" . | nindent 6 }}
       containers:
         - image: {{ .Values.networking.fabric.image.name }}{{ include "liqo.suffix" $fabricConfig }}:{{ include "liqo.version" $fabricConfig }}
           imagePullPolicy: {{ .Values.pullPolicy }}

deployments/liqo/templates/liqo-fabric-daemonset.yaml

@@ -29,6 +29,7 @@ spec:
       securityContext:
         {{- include "liqo.podSecurityContext" . | nindent 8 }}
       serviceAccountName: {{ include "liqo.prefixedName" $ipamConfig }}
+      {{- include "liqo.imagePullSecrets" . | nindent 6 }}
       containers:
         - image: {{ .Values.ipam.internal.image.name }}{{ include "liqo.suffix" $ipamConfig }}:{{ include "liqo.version" $ipamConfig }}
           imagePullPolicy: {{ .Values.pullPolicy }}

deployments/liqo/templates/liqo-ipam-deployment.yaml

@@ -31,6 +31,7 @@ spec:
       securityContext:
         {{- include "liqo.podSecurityContext" . | nindent 8 }}
       serviceAccountName: {{ include "liqo.prefixedName" $metricConfig }}
+      {{- include "liqo.imagePullSecrets" . | nindent 6 }}
       initContainers:
         - name: {{ $certConfig.name }}
           imagePullPolicy: {{ .Values.pullPolicy }}

deployments/liqo/templates/liqo-metric-agent-deployment.yaml

@@ -27,6 +27,7 @@ spec:
     spec:
       securityContext:
         {{- include "liqo.podSecurityContext" . | nindent 8 }}
+      {{- include "liqo.imagePullSecrets" . | nindent 6 }}
       containers:
         - image: {{ .Values.proxy.image.name }}{{ include "liqo.suffix" $proxyConfig }}:{{ include "liqo.version" $proxyConfig }}
           imagePullPolicy: {{ .Values.pullPolicy }}

deployments/liqo/templates/liqo-proxy-deployment.yaml

@@ -34,6 +34,7 @@ spec:
           securityContext:
           {{- include "liqo.podSecurityContext" . | nindent 12 }}
           serviceAccountName: {{ include "liqo.prefixedName" $telemetryCronConfig }}
+          {{- include "liqo.imagePullSecrets" . | nindent 10 }}
           restartPolicy: Never
           containers:
           - image: {{ .Values.telemetry.image.name }}{{ include "liqo.suffix" $telemetryCronConfig }}:{{ include "liqo.version" $telemetryCronConfig }}

deployments/liqo/templates/liqo-telemetry-cronjob.yaml

@@ -41,6 +41,10 @@ spec:
   annotationsNotReflected:
     {{- toYaml .Values.offloading.reflection.skip.annotations | nindent 4 }}
   {{- end }}
+  {{- if .Values.pullPolicy }}
+  pullPolicy: {{ .Values.pullPolicy }}
+  {{- end }}
+  {{- include "liqo.imagePullSecrets" . | nindent 2 }}
   reflectorsConfig:
     pod: 
       workers: {{ .Values.offloading.reflection.pod.workers }}

deployments/liqo/templates/liqo-vk-options-template.yaml

@@ -38,6 +38,7 @@ spec:
       securityContext:
         {{- include "liqo.podSecurityContext" . | nindent 8 }}
       serviceAccountName: {{ include "liqo.prefixedName" $webhookConfig }}
+      {{- include "liqo.imagePullSecrets" . | nindent 6 }}
       containers:
       - image: {{ .Values.webhook.image.name }}{{ include "liqo.suffix" $webhookConfig }}:{{ include "liqo.version" $webhookConfig }}
         imagePullPolicy: {{ .Values.pullPolicy }}

deployments/liqo/templates/liqo-webhook-deployment.yaml

@@ -37,6 +37,7 @@ spec:
             spec:
               serviceAccount: "{{"{{ .Name }}"}}"
               serviceAccountName: "{{"{{ .Name }}"}}"
+              {{- include "liqo.imagePullSecrets" . | nindent 14 }}
               containers:
               - name: gateway
                 image: {{ .Values.networking.gatewayTemplates.container.gateway.image.name }}{{ include "liqo.suffix" $gatewayConfig }}:{{ include "liqo.version" $gatewayConfig }}

deployments/liqo/templates/liqo-wireguard-gateway-client-template.yaml

@@ -64,6 +64,7 @@ spec:
             spec:
               serviceAccount: "{{"{{ .Name }}"}}"
               serviceAccountName: "{{"{{ .Name }}"}}"
+              {{- include "liqo.imagePullSecrets" . | nindent 14 }}
               containers:
               - name: gateway
                 image: {{ .Values.networking.gatewayTemplates.container.gateway.image.name }}{{ include "liqo.suffix" $gatewayConfig }}:{{ include "liqo.version" $gatewayConfig }}

deployments/liqo/templates/liqo-wireguard-gateway-server-template-eks.yaml

@@ -57,6 +57,7 @@ spec:
             spec:
               serviceAccount: "{{"{{ .Name }}"}}"
               serviceAccountName: "{{"{{ .Name }}"}}"
+              {{- include "liqo.imagePullSecrets" . | nindent 14 }}
               containers:
               - name: gateway
                 image: {{ .Values.networking.gatewayTemplates.container.gateway.image.name }}{{ include "liqo.suffix" $gatewayConfig }}:{{ include "liqo.version" $gatewayConfig }}

deployments/liqo/templates/liqo-wireguard-gateway-server-template.yaml

@@ -26,6 +26,7 @@ spec:
         {{- include "liqo.podSecurityContext" . | nindent 8 }}
       restartPolicy: Never
       serviceAccountName: {{ include "liqo.prefixedName" $predelete}}
+      {{- include "liqo.imagePullSecrets" . | nindent 6 }}
       containers:
       - name: pre-delete-job
         image: {{ .Values.uninstaller.image.name }}{{ include "liqo.suffix" $predelete }}:{{ include "liqo.version" $predelete }}

deployments/liqo/templates/pre-delete-job.yaml

@@ -10,6 +10,13 @@ nameOverride: ""
 # -- Override the standard full name used by Helm and associated to Kubernetes/Liqo resources.
 fullnameOverride: ""
 
+# -- Image pull policy for all Liqo containers
+pullPolicy: IfNotPresent
+
+# -- Image pull secrets for all Liqo containers
+imagePullSecrets: []
+# - name: regcred
+
 metrics:
   # -- Enable/Disable the metrics server in every liqo component.
   enabled: false
@@ -289,9 +296,6 @@ storage:
   # -- Namespace where liqo will deploy specific PVCs. Internal parameter, do not change.
   storageNamespace: liqo-storage
 
-# -- The pullPolicy for liqo pods.
-pullPolicy: "IfNotPresent"
-
 common:
   # -- NodeSelector for all liqo pods, excluding virtual kubelet.
   nodeSelector: {}

deployments/liqo/values.yaml

@@ -133,13 +133,19 @@ func forgeVKContainers(
 		})
 	}
 
+	pullPolicy := v1.PullIfNotPresent
+	if opts.Spec.PullPolicy != "" {
+		pullPolicy = opts.Spec.PullPolicy
+	}
+
 	return []v1.Container{
 		{
-			Name:      vk.ContainerName,
-			Resources: opts.Spec.Resources,
-			Image:     opts.Spec.ContainerImage,
-			Command:   command,
-			Args:      args,
+			Name:            vk.ContainerName,
+			Resources:       opts.Spec.Resources,
+			Image:           opts.Spec.ContainerImage,
+			ImagePullPolicy: pullPolicy,
+			Command:         command,
+			Args:            args,
 			Env: []v1.EnvVar{
 				{
 					Name:      "POD_IP",
@@ -172,6 +178,7 @@ func forgeVKPodSpec(vkNamespace string, homeCluster liqov1beta1.ClusterID, local
 			virtualNode.Spec.StorageClasses, virtualNode.Spec.IngressClasses, virtualNode.Spec.LoadBalancerClasses,
 			opts),
 		ServiceAccountName: virtualNode.Name,
+		ImagePullSecrets:   opts.Spec.ImagePullSecrets,
 	}
 }