From c448ecf1d6b0dc5a517a0f9b6a8f90bd2ef3d96f Mon Sep 17 00:00:00 2001 From: John ODonnell Date: Fri, 24 Feb 2023 12:27:48 -0500 Subject: [PATCH] Add ImagePullSecret to Helm deployment --- deploy/1_check_dependencies.sh | 1 + deploy/summon/secrets.yml | 2 ++ deploy/test/test_cases/test_case_setup.sh | 4 ++-- deploy/utils.sh | 3 +++ helm/secrets-provider/ci/test-values-template.yaml | 1 + helm/secrets-provider/templates/secrets-provider.yaml | 4 ++++ helm/secrets-provider/values.yaml | 2 ++ 7 files changed, 15 insertions(+), 2 deletions(-) diff --git a/deploy/1_check_dependencies.sh b/deploy/1_check_dependencies.sh index a5a0d11b..7f175e5d 100755 --- a/deploy/1_check_dependencies.sh +++ b/deploy/1_check_dependencies.sh @@ -18,6 +18,7 @@ check_env_var "APP_NAMESPACE_NAME" if [[ "${DEV}" = "false" ]]; then check_env_var "DOCKER_REGISTRY_PATH" check_env_var "DOCKER_REGISTRY_URL" + check_env_var "IMAGE_PULL_SECRET" if [[ "$PLATFORM" = "openshift" ]]; then check_env_var "OPENSHIFT_USERNAME" diff --git a/deploy/summon/secrets.yml b/deploy/summon/secrets.yml index f49c830f..91699474 100644 --- a/deploy/summon/secrets.yml +++ b/deploy/summon/secrets.yml @@ -15,6 +15,8 @@ common: OPENSHIFT_USERNAME: "" OPENSHIFT_PASSWORD: "" + IMAGE_PULL_SECRET: dockerpullsecret + gke: GCLOUD_CLUSTER_NAME: !var ci/gke/rapid/cluster-name GCLOUD_ZONE: !var ci/gke/zone diff --git a/deploy/test/test_cases/test_case_setup.sh b/deploy/test/test_cases/test_case_setup.sh index 764afe33..006ff722 100755 --- a/deploy/test/test_cases/test_case_setup.sh +++ b/deploy/test/test_cases/test_case_setup.sh @@ -4,7 +4,7 @@ set -euxo pipefail if [ "${DEV}" = "false" ]; then announce "Creating image pull secret." if [[ "${PLATFORM}" == "kubernetes" ]]; then - $cli_with_timeout delete --ignore-not-found secret dockerpullsecret + $cli_with_timeout delete --ignore-not-found secret $IMAGE_PULL_SECRET $cli_with_timeout create secret docker-registry dockerpullsecret \ --docker-server="${PULL_DOCKER_REGISTRY_URL}" \ 
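Review bot: The secret name is only half parameterised in deploy/test/test_cases/test_case_setup.sh: in the kubernetes branch the delete now targets `$IMAGE_PULL_SECRET` while the create on the next line still uses the literal `dockerpullsecret`, and the `@@ -14,7 +14,7 @@` hunk does the reverse for openshift (delete `dockerpullsecret`, create `$IMAGE_PULL_SECRET`). Whenever IMAGE_PULL_SECRET is anything other than `dockerpullsecret`, the Kubernetes path never creates the secret whose name is handed to the chart, and the OpenShift path fails with AlreadyExists on a second run because the stale secret is never deleted. Use the variable, quoted, on all four commands, e.g. `$cli_with_timeout delete --ignore-not-found secret "${IMAGE_PULL_SECRET}"` and `$cli_with_timeout create secret docker-registry "${IMAGE_PULL_SECRET}" \`. The enclosing `if` block continues past both hunks.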
@@ -14,7 +14,7 @@ if [ "${DEV}" = "false" ]; then elif [[ "$PLATFORM" == "openshift" ]]; then $cli_with_timeout delete --ignore-not-found secrets dockerpullsecret - $cli_with_timeout create secret docker-registry dockerpullsecret \ + $cli_with_timeout create secret docker-registry $IMAGE_PULL_SECRET \ --docker-server="${PULL_DOCKER_REGISTRY_PATH}" \ --docker-username=_ \ --docker-password=$($cli_with_timeout whoami -t) \ diff --git a/deploy/utils.sh b/deploy/utils.sh index c30abc03..ba04f7d0 100644 --- a/deploy/utils.sh +++ b/deploy/utils.sh @@ -123,6 +123,7 @@ runDockerCommand() { -e CONJUR_DEPLOYMENT \ -e RUN_IN_DOCKER \ -e SUMMON_ENV \ + -e IMAGE_PULL_SECRET \ -v $GCLOUD_SERVICE_KEY:/tmp$GCLOUD_SERVICE_KEY \ -v /var/run/docker.sock:/var/run/docker.sock \ -v ~/.config:/root/.config \ @@ -165,6 +166,7 @@ runDockerCommand() { -e CONJUR_DEPLOYMENT \ -e RUN_IN_DOCKER \ -e SUMMON_ENV \ + -e IMAGE_PULL_SECRET \ -v /var/run/docker.sock:/var/run/docker.sock \ -v ~/.config:/root/.config \ -v "$PWD/../helm":/helm \ @@ -286,6 +288,7 @@ fill_helm_chart() { -e "s#{{ DEBUG }}# ${DEBUG:-"false"}#g" \ -e "s#{{ RETRY_COUNT_LIMIT }}# ${RETRY_COUNT_LIMIT:-"5"}#g" \ -e "s#{{ RETRY_INTERVAL_SEC }}# ${RETRY_INTERVAL_SEC:-"5"}#g" \ + -e "s#{{ IMAGE_PULL_SECRET }}# ${IMAGE_PULL_SECRET:-""}#g" \ "$helm_path/helm/secrets-provider/ci/test-values-template.yaml" > "$helm_path/helm/secrets-provider/ci/${id}test-values-$UNIQUE_TEST_ID.yaml" done } diff --git a/helm/secrets-provider/ci/test-values-template.yaml b/helm/secrets-provider/ci/test-values-template.yaml index e166fcc0..401795bc 100644 --- a/helm/secrets-provider/ci/test-values-template.yaml +++ b/helm/secrets-provider/ci/test-values-template.yaml @@ -15,6 +15,7 @@ secretsProvider: imagePullPolicy: {{ IMAGE_PULL_POLICY }} tag: {{ TAG }} name: cyberark-secrets-provider-for-k8s + imagePullSecret: {{ IMAGE_PULL_SECRET }} # Additional labels to apply to all resources. labels: { {{ LABELS }} } 
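Review bot: The `create secret docker-registry` command changed in the `@@ -14,7 +14,7 @@` hunk still passes `--docker-password=$($cli_with_timeout whoami -t)` on the command line, and the file's `set -euxo pipefail` (visible in the first hunk's header) enables xtrace, so the expanded token is presumably written to the job log each time this runs. Since the line is being touched anyway, put `set +x` before the call and `set -x` after it so the credential is not traced. This predates the commit, and the continuation lines of the command run past the end of the hunk.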
diff --git a/helm/secrets-provider/templates/secrets-provider.yaml b/helm/secrets-provider/templates/secrets-provider.yaml index ed37ed95..3d400076 100644 --- a/helm/secrets-provider/templates/secrets-provider.yaml +++ b/helm/secrets-provider/templates/secrets-provider.yaml @@ -110,5 +110,9 @@ spec: expirationSeconds: {{ .Values.environment.conjur.authnJWT.expiration }} audience: {{ .Values.environment.conjur.authnJWT.audience }} {{- end }} + {{- if .Values.secretsProvider.imagePullSecret }} + imagePullSecrets: + - name: {{ .Values.secretsProvider.imagePullSecret }} + {{- end }} restartPolicy: Never backoffLimit: 0 diff --git a/helm/secrets-provider/values.yaml b/helm/secrets-provider/values.yaml index 3546d66f..d78de9fb 100644 --- a/helm/secrets-provider/values.yaml +++ b/helm/secrets-provider/values.yaml @@ -18,6 +18,8 @@ secretsProvider: name: cyberark-secrets-provider-for-k8s # Optional: Kubernetes Job name. Defaults to Helm Release. jobName: + # Optional: Name of image pull secret, if Secrets Provider image is in private repository + imagePullSecret: # OPTIONAL: Additional labels to apply to Job resource. labels: {}
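Review bot: The new `- name: {{ .Values.secretsProvider.imagePullSecret }}` line in templates/secrets-provider.yaml renders the value unquoted, so a value such as `123` or `true` becomes a YAML number or boolean and the Job is rejected at install time; `- name: {{ .Values.secretsProvider.imagePullSecret | quote }}` keeps it a string. As far as this diff shows, the chart only references the secret and does not create it, so the named secret has to exist in the release namespace beforehand or the image pull from a private registry will fail. The pod spec this block belongs to starts above the hunk.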
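Review bot: The comment added above `imagePullSecret:` in values.yaml does not say that the value is the name of an already existing `kubernetes.io/dockerconfigjson` secret in the release namespace, nor that the template accepts only a single name. Suggested wording: `# Optional: Name of an existing docker-registry Secret in the release namespace, used to pull the Secrets Provider image from a private registry.` Writing the default as `imagePullSecret: ""` instead of a bare key would also make the empty default explicit, though the bare form matches `jobName:` above.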