Implement registries for Kubernetes backend (#4092)

According to [the documentation](https://woodpecker-ci.org/docs/administration/backends/kubernetes#images-from-private-registries), per-organization and per-pipeline registries are currently unsupported for the Kubernetes backend. This patch implements this missing functionality by creating and deleting a matching secret for each pod with a matched registry, using the same name, labels, and annotations as the pod, and appending it to its `imagePullSecrets` list. This patch adds tests for the new functionality, and has been manually end-to-end-tested in KinD by using a private image hosted in the matching gitea instance. This will require updating the matching helm charts to add the create/delete permissions to the agent role, which **is already done**. close #2987
2025-11-23 21:44:44 +02:00 · 2024-09-29 18:03:05 -06:00
parent ecb59ce1c4
commit b52b021acb
8 changed files with 215 additions and 13 deletions
--- a/pipeline/backend/kubernetes/secrets_test.go
+++ b/pipeline/backend/kubernetes/secrets_test.go
@@ -15,10 +15,14 @@
 package kubernetes

 import (
+	"encoding/json"
 	"testing"

+	"github.com/kinbiko/jsonassert"
 	"github.com/stretchr/testify/assert"
 	v1 "k8s.io/api/core/v1"
+
+	"go.woodpecker-ci.org/woodpecker/v2/pipeline/backend/types"
 )

 func TestNativeSecretsEnabled(t *testing.T) {
@@ -178,3 +182,61 @@ func TestFileSecret(t *testing.T) {
 		},
 	}, nsp.mounts)
 }
+
+func TestNoAuthNoSecret(t *testing.T) {
+	assert.False(t, needsRegistrySecret(&types.Step{}))
+}
+
+func TestNoPasswordNoSecret(t *testing.T) {
+	assert.False(t, needsRegistrySecret(&types.Step{
+		AuthConfig: types.Auth{Username: "foo"},
+	}))
+}
+
+func TestNoUsernameNoSecret(t *testing.T) {
+	assert.False(t, needsRegistrySecret(&types.Step{
+		AuthConfig: types.Auth{Password: "foo"},
+	}))
+}
+
+func TestUsernameAndPasswordNeedsSecret(t *testing.T) {
+	assert.True(t, needsRegistrySecret(&types.Step{
+		AuthConfig: types.Auth{Username: "foo", Password: "bar"},
+	}))
+}
+
+func TestRegistrySecret(t *testing.T) {
+	const expected = `{
+		"metadata": {
+			"name": "wp-01he8bebctabr3kgk0qj36d2me-0",
+			"namespace": "woodpecker",
+			"creationTimestamp": null,
+			"labels": {
+				"step": "go-test"
+			}
+		},
+		"type": "kubernetes.io/dockerconfigjson",
+		"data": {
+			".dockerconfigjson": "eyJhdXRocyI6eyJkb2NrZXIuaW8iOnsidXNlcm5hbWUiOiJmb28iLCJwYXNzd29yZCI6ImJhciJ9fX0="
+		}
+	}`
+
+	secret, err := mkRegistrySecret(&types.Step{
+		UUID:  "01he8bebctabr3kgk0qj36d2me-0",
+		Name:  "go-test",
+		Image: "meltwater/drone-cache",
+		AuthConfig: types.Auth{
+			Username: "foo",
+			Password: "bar",
+		},
+	}, &config{
+		Namespace: "woodpecker",
+	})
+	assert.NoError(t, err)
+
+	secretJSON, err := json.Marshal(secret)
+	assert.NoError(t, err)
+
+	ja := jsonassert.New(t)
+	ja.Assertf(string(secretJSON), expected)
+}