Merge pull request #180 from wallarm/NODE-5655

NODE-5655 add docker auth to tests

Author: braek-neck

.github/workflows/ci.yaml

@@ -5,6 +5,8 @@ on:
     branches: ['main']
     types: ['opened', 'reopened', 'synchronize']
     paths:
+      - '.github/workflows/ci.yaml'
+      - '.github/workflows/test.yaml'
       - 'helm/**'
       - 'files/**'
       - 'cmd/**'

.github/workflows/test.yaml

@@ -153,7 +153,10 @@ jobs:
           role: ${{ secrets.VAULT_ROLE }}
           method: kubernetes
           path: kubernetes-ci
-          secrets: kv-gitlab-ci/data/github/sidecar api_token
+          secrets: |
+            kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ;
+            kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ;
+            kv-gitlab-ci/data/github/sidecar api_token ;
 
       - name: Checkout
         uses: actions/checkout@v3
@@ -162,6 +165,7 @@ jobs:
 
       - name: Create cluster
         run: |
+          echo ${DOCKERHUB_PASSWORD} | docker login -u ${DOCKERHUB_USER} --password-stdin
           kind create cluster \
             --config ${GITHUB_WORKSPACE}/helm/test/kind/kind.yaml \
             --image kindest/node:v${{ matrix.kubeVersion }} \
@@ -184,6 +188,11 @@ jobs:
       - name: Install Helm chart
         run: |
           unset KUBERNETES_SERVICE_HOST
+          echo "[test-env] creating secret docker-registry ..."
+          kubectl create secret docker-registry dockerhub-secret \
+            --docker-username="${DOCKERHUB_USER}" \
+            --docker-password="${DOCKERHUB_PASSWORD}" \
+            [email protected]
           helm install wallarm-sidecar ./helm -f helm/values.test.yaml \
             --set config.wallarm.api.token=${API_TOKEN} \
             --debug \
@@ -200,6 +209,11 @@ jobs:
       - name: Deploy pytest
         run: |
           unset KUBERNETES_SERVICE_HOST
+          kubectl create namespace pytest
+          kubectl -n pytest create secret docker-registry dockerhub-secret \
+            --docker-username="${DOCKERHUB_USER}" \
+            --docker-password="${DOCKERHUB_PASSWORD}" \
+            [email protected]
           kubectl apply -f kind/docker/manifests/init/pytest.yaml
           while [[ -z $(kubectl -n pytest get pods -o name) ]]; do
             sleep 1
@@ -227,7 +241,10 @@ jobs:
           role: ${{ secrets.VAULT_ROLE }}
           method: kubernetes
           path: kubernetes-ci
-          secrets: kv-gitlab-ci/data/github/sidecar api_token | WALLARM_API_TOKEN
+          secrets: |
+            kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ;
+            kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ;
+            kv-gitlab-ci/data/github/sidecar api_token | WALLARM_API_TOKEN ;
 
       - name: Checkout
         uses: actions/checkout@v3
@@ -236,6 +253,7 @@ jobs:
 
       - name: Create cluster
         run: |
+          echo ${DOCKERHUB_PASSWORD} | docker login -u ${DOCKERHUB_USER} --password-stdin
           kind create cluster --image kindest/node:v1.28.7
           kubectl wait --for=condition=Ready pods --all --timeout=180s -n kube-system
           

helm/ci/deployment-existing-secret-values.yaml

@@ -1,5 +1,7 @@
+imagePullSecrets:
+  - name: dockerhub-secret
 config:
   wallarm:
     api:
       existingSecret:
-        enabled: true
+        enabled: true

helm/ci/deployment-external-tarantool-values.yaml

@@ -1,4 +1,6 @@
+imagePullSecrets:
+  - name: dockerhub-secret
 postanalytics:
   external:
     enabled: true
-    host: tarantool.domain.internal
+    host: tarantool.domain.internal

helm/ci/deployment-values.yaml

@@ -0,0 +1,2 @@
+imagePullSecrets:
+  - name: dockerhub-secret

helm/test/run_chart_tests.sh

@@ -23,8 +23,20 @@ CT_NAMESPACE="ct"
 SECRET_NAME="wallarm-api-token"
 SECRET_KEY="token"
 
+
+# This will prevent the secret for index.docker.io from being used if the DOCKERHUB_USER is not set.
+if [ "${DOCKERHUB_USER:-false}" = "false" ]; then
+  DOCKERHUB_REGISTRY_SERVER="fake_docker_registry_server"
+fi
+
+DOCKERHUB_SECRET_NAME="dockerhub-secret"
+DOCKERHUB_USER="${DOCKERHUB_USER:-fake_user}"
+DOCKERHUB_PASSWORD="${DOCKERHUB_PASSWORD:-fake_password}"
+
 HELM_EXTRA_ARGS="--timeout 180s"
-HELM_EXTRA_SET_ARGS="--set config.wallarm.api.token=${WALLARM_API_TOKEN} ${HELM_ARGS:-}"
+HELM_EXTRA_SET_ARGS="--set config.wallarm.api.token=${WALLARM_API_TOKEN} \
+  --set imagePullSecrets[0].name=${DOCKERHUB_SECRET_NAME} \
+  ${HELM_ARGS:-}"
 
 # Handle the case when we run chart testing with '--upgrade' option
 if [[ "${CT_MODE:-}" == "upgrade" ]]; then
@@ -43,6 +55,14 @@ if ! kubectl -n ${CT_NAMESPACE} get secret "${SECRET_NAME}" &> /dev/null; then
   kubectl -n ${CT_NAMESPACE} create secret generic "${SECRET_NAME}" --from-literal="${SECRET_KEY}"="${WALLARM_API_TOKEN}"
 fi
 
+if ! kubectl -n ${CT_NAMESPACE} get secret "${DOCKERHUB_SECRET_NAME}" &> /dev/null; then
+  echo "Creating secret ${DOCKERHUB_SECRET_NAME}..."
+  kubectl -n ${CT_NAMESPACE} create secret docker-registry "${DOCKERHUB_SECRET_NAME}" \
+              --docker-username="${DOCKERHUB_USER}" \
+              --docker-password="${DOCKERHUB_PASSWORD}" \
+              [email protected]
+fi
+
 cat <<EOF > ct.sh
 #!/bin/bash
 set -e

helm/values.test.yaml

@@ -8,4 +8,6 @@ config:
     fallback: "off"
 
 controller:
-  replicaCount: 1
+  replicaCount: 1
+imagePullSecrets:
+  - name: dockerhub-secret

kind/docker/manifests/init/pytest.yaml

@@ -21,6 +21,8 @@ spec:
       labels:
         app.kubernetes.io/name: pytest
     spec:
+      imagePullSecrets:
+        - name: dockerhub-secret
       serviceAccountName: pytest
       containers:
       - name: pytest

test/smoke/run.sh

@@ -27,9 +27,10 @@ export INJECTION_STRATEGY="${INJECTION_STRATEGY:-single}"
 
 K8S_VERSION=${K8S_VERSION:-1.28.7}
 
-DOCKERHUB_REGISTRY_SERVER="https://index.docker.io/v1/"
 
 # This will prevent the secret for index.docker.io from being used if the DOCKERHUB_USER is not set.
+DOCKERHUB_REGISTRY_SERVER="https://index.docker.io/v1/"
+
 if [ "${DOCKERHUB_USER:-false}" = "false" ]; then
   DOCKERHUB_REGISTRY_SERVER="fake_docker_registry_server"
 fi