[BB-5096] Fix k8s gitlab container registry authentication issue
Description
This MR fixes the authentication issue during docker login with GitLab Container Registry from the k8s cluster.
Terraform will now create -
- A Deploy Token that will be used to authenticate with GitLab Container Registry.
- A k8s namespace for each Tutor instance.
- A k8s secret containing the deploy token.
- Modifies the default service account for each k8s namespace to add `imagePullSecrets`.
Supporting information
https://tasks.opencraft.com/browse/BB-5096
Testing instructions
Image build support for each instance is being added via !13 (merged), which is not yet merged. I've rebased that MR on this MR so that we can test these changes.
- Check this failing pipeline before these changes.
- Specifically, check how this job failed due to an authentication issue.
- This is the passed pipeline due to these changes.
- Check this job, it was able to pull images from the GitLab Container registry.
You can also check if those resources are created properly via Terraform. To do that, you need to
- Clone bb-4779-theme-overrides branch of the `grove-development` repository.
- Copy `private.yml.example` to `private.yml`.
- Update contents of the file to -
```yaml
---
variables:
  # The numeric ID of the GitLab project. Doesn't need to be set on GitLab CI as it can be autodetected (via $CI_PROJECT_ID).
  # The project should be a fork of https://gitlab.com/opencraft/dev/grove-template/
  # You can see at https://gitlab.com/opencraft/dev/grove-template/ that its project ID is 24377526
  GITLAB_PROJECT_NUMERIC_ID: 29099014
  # Your GitLab username
  GITLAB_USERNAME: <YOUR_USERNAME>
  # A GitLab personal access token with Maintainer access to that repository
  # (required to use GitLab state backend, see https://docs.gitlab.com/ee/user/infrastructure/terraform_state.html)
  # Create one at https://gitlab.com/-/profile/personal_access_tokens with "api" permission
  GITLAB_PASSWORD: <ACCESS_TOKEN>
  # Get these values from GitLab CI/CD env - https://gitlab.com/opencraft/dev/grove-development/-/settings/ci_cd
  AWS_ACCESS_KEY_ID:
  AWS_SECRET_ACCESS_KEY:
  CI_REGISTRY_IMAGE: registry.gitlab.com/opencraft/dev/grove-development
```
- Go to the `control` directory and run `./kubectl get secrets -n themeoverride -o yaml` to check the secret.
- Run `./kubectl get serviceaccounts -n themeoverride default -o yaml` to check that `imagePullSecrets` is set to the secret.
Note: If you face an issue running the `./kubectl` command, check the generated `kubeconfig-private.yml` file. If there is a debug log written at the top of the file, delete it and try again. It's a known issue.
Reviewer
Edited by Giovanni Cimolin da Silva
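
The two `kubectl` checks in the testing instructions can be automated. The following is an added example, not part of this merge request or the project's code: it takes the `-o json` form of both commands and confirms that the default service account references a `kubernetes.io/dockerconfigjson` secret holding credentials for the registry host. The secret name `gitlab-registry` and all sample objects are constructed; the registry host is taken from `CI_REGISTRY_IMAGE` above.

```python
import base64
import json

DOCKERCFG = "kubernetes.io/dockerconfigjson"

def check_pull_secret(service_account, secret_list, registry_host):
    """Return a list of problems; an empty list means some referenced
    secret holds credentials for registry_host."""
    refs = [r["name"] for r in service_account.get("imagePullSecrets", [])]
    if not refs:
        return ["service account has no imagePullSecrets"]
    by_name = {s["metadata"]["name"]: s for s in secret_list.get("items", [])}
    problems = []
    for name in refs:
        secret = by_name.get(name)
        if secret is None:
            problems.append(f"{name}: secret not found in namespace")
            continue
        if secret.get("type") != DOCKERCFG:
            problems.append(f"{name}: unexpected type {secret.get('type')}")
            continue
        try:
            # Secret data is base64; the payload is a Docker config.json
            raw = base64.b64decode(secret["data"][".dockerconfigjson"])
            auths = json.loads(raw)["auths"]
        except (KeyError, TypeError, ValueError):
            problems.append(f"{name}: .dockerconfigjson missing or malformed")
            continue
        if registry_host in auths:
            return []
        problems.append(f"{name}: no credentials for {registry_host}")
    return problems

def sample_secret(name, registry_host):
    """Constructed stand-in for one item of `kubectl get secrets -o json`."""
    cfg = {"auths": {registry_host: {"username": "constructed-user",
                                     "password": "constructed-token"}}}
    blob = base64.b64encode(json.dumps(cfg).encode()).decode()
    return {"metadata": {"name": name}, "type": DOCKERCFG,
            "data": {".dockerconfigjson": blob}}

# Constructed sample input; the secret name is hypothetical.
SECRETS = {"items": [sample_secret("gitlab-registry", "registry.gitlab.com")]}
GOOD_SA = {"metadata": {"name": "default"},
           "imagePullSecrets": [{"name": "gitlab-registry"}]}
BARE_SA = {"metadata": {"name": "default"}}

if __name__ == "__main__":
    print(check_pull_secret(GOOD_SA, SECRETS, "registry.gitlab.com"))
    print(check_pull_secret(BARE_SA, SECRETS, "registry.gitlab.com"))
```

Against a live cluster, load the output of the two commands with `json.load` and pass them in place of the constructed objects.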