[BB-5096] Fix k8s gitlab container registry authentication issue

Shimul Chowdhury requested to merge shimulch/k8s-gitlab-container-registry into main

Description

This MR fixes the authentication issue during docker login with GitLab Container Registry from the k8s cluster.

Terraform will now create -

  • A Deploy Token that will be used to authenticate with GitLab Container Registry.
  • A k8s namespace for each Tutor instance.
  • A k8s secret containing the deploy token.
  • Modifies the default service account for each k8s namespace to add imagePullSecrets.

Supporting information

https://tasks.opencraft.com/browse/BB-5096

Testing instructions

Image build support for each instance is being added via !13 (merged), which is not yet merged. I've rebased that MR on this MR so that we can test these changes.

  1. Check this failing pipeline from before these changes.
  2. Specifically, check how this job failed due to an authentication issue.
  3. This is the passed pipeline due to these changes.
  4. Check this job, it was able to pull images from the GitLab Container registry.

You can also check if those resources are created properly via Terraform. To do that, you need to

  1. Clone bb-4779-theme-overrides branch of the grove-development repository.
  2. Copy private.yml.example to private.yml.
  3. Update contents of the file to -

      ---
      variables:

        # The numeric ID of the GitLab project. Doesn't need to be set on GitLab CI as it can be autodetected (via $CI_PROJECT_ID).
        # The project should be a fork of https://gitlab.com/opencraft/dev/grove-template/
        # You can see at https://gitlab.com/opencraft/dev/grove-template/ that its project ID is 24377526
        GITLAB_PROJECT_NUMERIC_ID: 29099014

        # Your GitLab username
        GITLAB_USERNAME: <YOUR_USERNAME>

        # A GitLab personal access token with Maintainer access to that repository
        # (required to use GitLab state backend, see https://docs.gitlab.com/ee/user/infrastructure/terraform_state.html)
        # Create one at https://gitlab.com/-/profile/personal_access_tokens with "api" permission
        GITLAB_PASSWORD: <ACCESS_TOKEN>

        # Get these values from GitLab CI/CD env - https://gitlab.com/opencraft/dev/grove-development/-/settings/ci_cd
        AWS_ACCESS_KEY_ID:
        AWS_SECRET_ACCESS_KEY:

        CI_REGISTRY_IMAGE: registry.gitlab.com/opencraft/dev/grove-development

  4. Go to the control directory and run ./kubectl get secrets -n themeoverride -o yaml to check the secret.
  5. Run ./kubectl get serviceaccounts -n themeoverride default -o yaml to check that imagePullSecrets is set to the secret.

Note: If you face an issue running the ./kubectl command, check the generated kubeconfig-private.yml file. If there is a debug log written at the top of the file, delete it and try again. It's a known issue.

Edited by Giovanni Cimolin da Silva
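
The two kubectl checks in the testing instructions can be scripted. The following is an added example, not code from this merge request: it takes the Secret and ServiceAccount as parsed JSON (assuming `-o json` rather than the `-o yaml` used in the description) and reports whether the pull secret is well-formed and referenced by the service account. The secret name `gitlab-registry-pull` and the credential values are constructed placeholders; the namespace and registry host are the ones named in the description.

```python
import base64
import json

DOCKERCFG_TYPE = "kubernetes.io/dockerconfigjson"

def check_pull_secret(secret, service_account, registry_host):
    """Return a list of problems; an empty list means the wiring is consistent."""
    problems = []
    name = secret["metadata"]["name"]
    if secret.get("type") != DOCKERCFG_TYPE:
        problems.append(f"secret type is {secret.get('type')!r}, not {DOCKERCFG_TYPE}")
    try:
        # kubectl shows Secret data base64-encoded; the payload is a Docker config.
        config = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
        entry = config["auths"][registry_host]
        # "auth" is base64("username:password"); never print the decoded value.
        user, _, token = base64.b64decode(entry["auth"]).decode().partition(":")
        if not user or not token:
            problems.append("auth entry lacks a username or a token")
    except (KeyError, TypeError, ValueError) as exc:
        problems.append(f"no usable credentials for {registry_host}: {type(exc).__name__}")
    # A pod can only use pull secrets that live in its own namespace.
    if secret["metadata"].get("namespace") != service_account["metadata"].get("namespace"):
        problems.append("secret and service account are in different namespaces")
    refs = {ref.get("name") for ref in service_account.get("imagePullSecrets") or []}
    if name not in refs:
        problems.append(f"service account does not list {name} in imagePullSecrets")
    return problems

def sample_objects(namespace="themeoverride", secret_name="gitlab-registry-pull"):
    """Constructed stand-ins for `kubectl get ... -o json` output (not real data)."""
    auth = base64.b64encode(b"example-deploy-user:EXAMPLE-TOKEN").decode()
    docker_config = json.dumps({"auths": {"registry.gitlab.com": {"auth": auth}}})
    secret = {
        "kind": "Secret", "type": DOCKERCFG_TYPE,
        "metadata": {"name": secret_name, "namespace": namespace},
        "data": {".dockerconfigjson": base64.b64encode(docker_config.encode()).decode()},
    }
    account = {
        "kind": "ServiceAccount",
        "metadata": {"name": "default", "namespace": namespace},
        "imagePullSecrets": [{"name": secret_name}],
    }
    return secret, account

if __name__ == "__main__":
    secret, account = sample_objects()
    print(check_pull_secret(secret, account, "registry.gitlab.com") or "ok")
```

The function reports only the category of a failure and never echoes the decoded token, so its output is safe to leave in CI logs.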