Adding support for private registries (image pull) (#438)

* Previously functions could not pull private images
* Also fix single-namespace install
  - transports now install correctly
* Only supports OpenFaaS
  - Riff does not support image pull secrets

Needs e2e tests.  Tested manually on minikube

Author: berndtj

charts/dispatch/charts/function-manager/templates/config-map.yaml

@@ -19,7 +19,8 @@ data:
           "gateway": "{{ .Values.faas.openfaas.gateway }}",
           "funcNamespace": "{{ .Values.faas.openfaas.namespace }}",
           "funcDefaultLimits": {{ toJson .Values.faas.openfaas.funcDefaultLimits }},
-          "funcDefaultRequests": {{ toJson .Values.faas.openfaas.funcDefaultRequests }}
+          "funcDefaultRequests": {{ toJson .Values.faas.openfaas.funcDefaultRequests }},
+          "imagePullSecret": "{{ .Values.faas.openfaas.imagePullSecret }}"
         },
         "riff": {
           "kafkaBrokers": ["{{ join ", " .Values.global.kafka.brokers }}"],

charts/dispatch/charts/function-manager/values.yaml

@@ -46,6 +46,7 @@ faas:
   openfaas:
     gateway: "http://gateway.openfaas:8080/"
     namespace: openfaas
+    imagePullSecret:
     # Set the default resource limits for the function containers
     funcDefaultLimits:
     #  CPU: 500m

charts/openfaas/templates/rbac.yaml

@@ -34,6 +34,14 @@ rules:
       - create
       - delete
       - update
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding

cmd/function-manager/main.go

@@ -45,6 +45,7 @@ var drivers = map[string]func(string) functions.FaaSDriver{
 			FuncNamespace:       config.Global.Function.OpenFaas.FuncNamespace,
 			FuncDefaultRequests: config.Global.Function.OpenFaas.FuncDefaultRequests,
 			FuncDefaultLimits:   config.Global.Function.OpenFaas.FuncDefaultLimits,
+			ImagePullSecret:     config.Global.Function.OpenFaas.ImagePullSecret,
 		})
 		if err != nil {
 			log.Fatalf("Error starting OpenFaaS driver: %+v", err)

docs/_guides/advanced.md

@@ -146,6 +146,25 @@ Docker hub example:
 $ kubectl create secret docker-registry regsecret --docker-server='https://index.docker.io/v1/' --docker-username=dockerhub-user --docker-password='...' --docker-email=dockerhub-user@gmail.com
 ```
 
+### Image Pull Secrets
+
+Depending on the image registry, secrets may be required to pull images.  **Only OpenFaaS supports image
+pull secrets**.  To configure image pull secrets simply configure installation:
+
+```yaml
+apiGateway:
+  ...
+dispatch:
+  ...
+  imagePullSecret: pull-secret
+  imageRegistry:
+    name: some-repo.example.com
+    username: username
+    password: password
+```
+
+The installer will take care of creating a secret and associating it to OpenFaaS.
+
 ## Import self-signed TLS certificates into Kubernetes secret
 
 To be able to securely connect to Dispatch, we need to set up a TLS certificate.

pkg/config/config.go

@@ -46,6 +46,7 @@ type OpenFaas struct {
 	Gateway             string             `json:"gateway"`
 	K8sConfig           string             `json:"k8sConfig"`
 	FuncNamespace       string             `json:"funcNamespace"`
+	ImagePullSecret     string             `json:"imagePullSecret"`
 	FuncDefaultLimits   *FunctionResources `json:"funcDefaultLimits"`
 	FuncDefaultRequests *FunctionResources `json:"funcDefaultRequests"`
 }

pkg/dispatchcli/cmd/install.go

@@ -160,6 +160,7 @@ type dispatchInstallConfig struct {
 	Database           string                `json:"database,omitempty" validate:"required,eq=postgres"`
 	PersistData        bool                  `json:"persistData,omitempty" validate:"omitempty"`
 	ImageRegistry      *imageRegistryConfig  `json:"imageRegistry,omitempty" validate:"omitempty"`
+	ImagePullSecret    string                `json:"imagePullSecret,omitempty" validate:"omitempty"`
 	OAuth2Proxy        *oauth2ProxyConfig    `json:"oauth2Proxy,omitempty" validate:"required"`
 	TLS                *tlsConfig            `json:"tls,omitempty" validate:"required"`
 	SkipAuth           bool                  `json:"skipAuth,omitempty" validate:"omitempty"`
@@ -673,6 +674,9 @@ func runInstall(out, errOut io.Writer, cmd *cobra.Command, args []string) error
 		config.Ingress.Chart.Namespace = installSingleNS
 		config.DockerRegistry.Chart.Namespace = installSingleNS
 		config.DispatchConfig.Service.K8sServiceCatalog.Namespace = installSingleNS
+		config.RabbitMQ.Chart.Namespace = installSingleNS
+		config.Kafka.Chart.Namespace = installSingleNS
+		config.Kafka.Brokers = []string{fmt.Sprintf("transport-kafka.%s:9092", installSingleNS)}
 	}
 
 	if installService("certs") || !installDryRun {
@@ -846,6 +850,45 @@ func runInstall(out, errOut io.Writer, cmd *cobra.Command, args []string) error
 		}
 	}
 
+	if config.DispatchConfig.ImagePullSecret != "" {
+		if config.DispatchConfig.Faas != "openfaas" {
+			return errors.Errorf(
+				"Must use openfaas with private registries %s is unsupported", config.DispatchConfig.Faas)
+		}
+		// the installed openfaas version expects the "dockercfg" credential format, but the current
+		// kubectl (>1.9.1) creates "dockerconfigjson" credentials which openfaas doesn't like.  This
+		// has been fixed in recent openfaas, and then the following code will go away.
+		auth := fmt.Sprintf(
+			"%s:%s", config.DispatchConfig.ImageRegistry.Username, config.DispatchConfig.ImageRegistry.Password)
+		dockercfg := map[string]map[string]string{
+			config.DispatchConfig.ImageRegistry.Name: map[string]string{
+				"username": config.DispatchConfig.ImageRegistry.Username,
+				"password": config.DispatchConfig.ImageRegistry.Password,
+				"email":    config.DispatchConfig.ImageRegistry.Email,
+				"auth":     base64.StdEncoding.EncodeToString([]byte(auth)),
+			},
+		}
+		cfg, _ := json.Marshal(dockercfg)
+		kubectl := exec.Command(
+			"kubectl", "delete", "secret", config.DispatchConfig.ImagePullSecret,
+			"-n", config.OpenFaas.Chart.Namespace)
+		kubectlOut, err := kubectl.CombinedOutput()
+		if err != nil {
+			if !strings.Contains(string(kubectlOut), "NotFound") {
+				return errors.Wrapf(err, "failed to delete existing image pull secret: %s", kubectlOut)
+			}
+		}
+		kubectl = exec.Command(
+			"kubectl", "create", "secret", "generic", config.DispatchConfig.ImagePullSecret,
+			"-n", config.OpenFaas.Chart.Namespace,
+			"--type", "kubernetes.io/dockercfg",
+			"--from-literal", fmt.Sprintf(".dockercfg=%s", cfg))
+		kubectlOut, err = kubectl.CombinedOutput()
+		if err != nil {
+			return errors.Wrapf(err, "failed to create image pull secret: %s", kubectlOut)
+		}
+	}
+
 	if installService("dispatch") {
 		chart := path.Join(installChartsDir, "dispatch")
 		if installChartsDir != "dispatch" {
@@ -934,6 +977,7 @@ func runInstall(out, errOut io.Writer, cmd *cobra.Command, args []string) error
 			"function-manager.faas.selected":                      config.DispatchConfig.Faas,
 			"function-manager.faas.openfaas.gateway":              openfaasGatewayHost,
 			"function-manager.faas.openfaas.namespace":            config.OpenFaas.Chart.Namespace,
+			"function-manager.faas.openfaas.imagePullSecret":      config.DispatchConfig.ImagePullSecret,
 			"function-manager.faas.riff.gateway":                  riffGatewayHost,
 			"function-manager.faas.riff.namespace":                config.Riff.Chart.Namespace,
 			"event-manager.transport":                             config.DispatchConfig.EventTransport,

pkg/dispatchcli/cmd/install_config.go

@@ -127,6 +127,7 @@ dispatch:
   #  username:
   #  email:
   #  password:
+  imagePullSecret:
   service:
     catalog: k8sservicecatalog
     k8sservicecatalog:

pkg/functions/builder.go

@@ -84,8 +84,11 @@ func (ib *DockerImageBuilder) BuildImage(faas, fnID string, exec *Exec) (string,
 	defer os.RemoveAll(tmpDir)
 
 	log.Debugf("Created tmpDir: %s", tmpDir)
-
-	if err := images.DockerError(ib.docker.ImagePull(context.Background(), exec.Image, types.ImagePullOptions{})); err != nil {
+	opts := types.ImagePullOptions{}
+	if ib.registryAuth != "" {
+		opts.RegistryAuth = ib.registryAuth
+	}
+	if err := images.DockerError(ib.docker.ImagePull(context.Background(), exec.Image, opts)); err != nil {
 		return "", errors.Wrapf(err, "failed to pull image '%s'", exec.Image)
 	}
 

pkg/functions/openfaas/driver.go

@@ -48,6 +48,7 @@ type Config struct {
 	FuncDefaultLimits   *config.FunctionResources
 	FuncDefaultRequests *config.FunctionResources
 	CreateTimeout       *int
+	ImagePullSecret     string
 }
 
 type ofDriver struct {
@@ -59,7 +60,8 @@ type ofDriver struct {
 
 	deployments v1beta1.DeploymentInterface
 
-	createTimeout int
+	createTimeout   int
+	imagePullSecret string
 
 	funcDefaultLimits   *requests.FunctionResources
 	funcDefaultRequests *requests.FunctionResources
@@ -114,6 +116,9 @@ func New(config *Config) (functions.FaaSDriver, error) {
 	if config.CreateTimeout != nil {
 		d.createTimeout = *config.CreateTimeout
 	}
+	if config.ImagePullSecret != "" {
+		d.imagePullSecret = config.ImagePullSecret
+	}
 
 	return d, nil
 }
@@ -143,6 +148,9 @@ func (d *ofDriver) Create(f *functions.Function, exec *functions.Exec) error {
 		Limits:      d.funcDefaultLimits,
 		Requests:    d.funcDefaultRequests,
 	}
+	if d.imagePullSecret != "" {
+		req.Secrets = []string{d.imagePullSecret}
+	}
 
 	reqBytes, _ := json.Marshal(&req)
 	res, err := d.httpClient.Post(d.gateway+"/system/functions", jsonContentType, bytes.NewReader(reqBytes))