From eaf4199811cbd0a9f0957dd9ad29c2a82e3ea8a6 Mon Sep 17 00:00:00 2001 From: xkd9 Date: Thu, 12 Feb 2026 14:11:26 -0600 Subject: [PATCH] docker images credentials --- core/inventory/inference-config.cfg | 7 +- .../metadata/vars/inference_common.yml | 8 +- core/lib/system/precheck/read-config-file.sh | 10 +++ core/playbooks/deploy-genai-gateway.yml | 50 +++++++++++ core/playbooks/deploy-inference-models.yml | 45 ++++++++++ core/playbooks/deploy-keycloak-tls-cert.yml | 89 ++++++++++++++++++- .../deploy-observability-openshift.yml | 56 ++++++++++++ core/playbooks/deploy-observability.yml | 56 ++++++++++++ 8 files changed, 318 insertions(+), 3 deletions(-) diff --git a/core/inventory/inference-config.cfg b/core/inventory/inference-config.cfg index 57b8591d..aea348c8 100644 --- a/core/inventory/inference-config.cfg +++ b/core/inventory/inference-config.cfg @@ -17,4 +17,9 @@ deploy_observability=off deploy_llm_models=on deploy_ceph=off deploy_istio=off -uninstall_ceph=off \ No newline at end of file +uninstall_ceph=off +docker_registry_server=registry-1.docker.io +docker_registry_username=your-docker-username +docker_registry_password=your-docker-token +docker_registry_email=your-email@example.com +docker_registry_secret_name=regcred \ No newline at end of file diff --git a/core/inventory/metadata/vars/inference_common.yml b/core/inventory/metadata/vars/inference_common.yml index 48cf6a5a..98035263 100644 --- a/core/inventory/metadata/vars/inference_common.yml +++ b/core/inventory/metadata/vars/inference_common.yml 
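Review bot: The placeholder values added to inference-config.cfg are all non-empty, so an unedited file satisfies the `docker_registry_enabled` gate (server, username and password all set) once read-config-file.sh sources and exports them, and the new `helm registry login` tasks then run with `your-docker-username`/`your-docker-token` and abort the play. Ship the optional fields empty, e.g. `docker_registry_username=` and `docker_registry_password=`, and keep the example values in a `#` comment so the feature stays opt-in. This is also a tracked inventory file; a comment pointing users to `config/vault.yml` (which deploy-inference-models.yml already loads) for the real token rather than editing this file in place would reduce the chance of a token being committed. The file still ends without a trailing newline; add one.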
@@ -4,4 +4,10 @@ helm_charts_base: "{{ lookup('env', 'PWD') }}/helm-charts" remote_home_dir: "{{ lookup('env', 'PWD') }}/scripts" remote_helm_charts_base: "/tmp/helm-charts" ansible_python_interpreter: /usr/bin/python3 -remote_home_scripts_dir: "{{ lookup('env', 'PWD') }}/scripts" \ No newline at end of file +remote_home_scripts_dir: "{{ lookup('env', 'PWD') }}/scripts" +docker_registry_server: "{{ lookup('env', 'docker_registry_server') | default('', true) }}" +docker_registry_username: "{{ lookup('env', 'docker_registry_username') | default('', true) }}" +docker_registry_password: "{{ lookup('env', 'docker_registry_password') | default('', true) }}" +docker_registry_email: "{{ lookup('env', 'docker_registry_email') | default('', true) }}" +docker_registry_secret_name: "{{ lookup('env', 'docker_registry_secret_name') | default('regcred', true) }}" +docker_registry_enabled: "{{ (docker_registry_server | length > 0) and (docker_registry_username | length > 0) and (docker_registry_password | length > 0) }}" \ No newline at end of file diff --git a/core/lib/system/precheck/read-config-file.sh b/core/lib/system/precheck/read-config-file.sh index aece9370..1706c31c 100644 --- a/core/lib/system/precheck/read-config-file.sh +++ b/core/lib/system/precheck/read-config-file.sh 
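Review bot: `docker_registry_password` is read with `lookup('env', ...)`, so the token must sit in the controller's process environment (exported by read-config-file.sh) and is therefore inherited by every helm/kubectl/command child process of the run, not only by the tasks marked `no_log`. Since deploy-inference-models.yml already loads `config/vault.yml`, defining the password there as a vaulted var would keep it out of the environment; at minimum add `# docker_registry_* are exported by lib/system/precheck/read-config-file.sh` above these lookups so the coupling is visible. Separately, the cfg ships `registry-1.docker.io` as the server, while the kubelet matches Docker Hub images against the `index.docker.io`/`docker.io` keyring entries; I am not sure a `registry-1.docker.io` key in `.dockerconfigjson` is treated as equivalent, so verify with a real pull before relying on it. The file still has no trailing newline.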
@@ -22,6 +22,16 @@ read_config_file() { # Load the environment variables from the temporary file source temp_env_vars rm temp_env_vars + + # Make docker registry vars available to ansible via environment lookups. + if [[ -n "$docker_registry_server" || -n "$docker_registry_username" || -n "$docker_registry_password" ]]; then + export docker_registry_server docker_registry_username docker_registry_password docker_registry_email + if [[ -z "$docker_registry_secret_name" ]]; then + docker_registry_secret_name="regcred" + fi + export docker_registry_secret_name + fi + local metadata_config_file="$HOMEDIR/inventory/metadata/inference-metadata.cfg" if [ -f "$metadata_config_file" ]; then echo "Metadata configuration file found, setting vars!" diff --git a/core/playbooks/deploy-genai-gateway.yml b/core/playbooks/deploy-genai-gateway.yml index ec6d58a0..87c04c8c 100644 --- a/core/playbooks/deploy-genai-gateway.yml +++ b/core/playbooks/deploy-genai-gateway.yml 
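Review bot: The new guard expands `$docker_registry_server`, `$docker_registry_username`, `$docker_registry_password` and `$docker_registry_secret_name` without a default; if the script runs under `set -u` (not visible in this hunk) an inventory file that omits any of them aborts the precheck, so use `${docker_registry_server:-}`-style expansions, e.g. `if [[ -n "${docker_registry_server:-}" || -n "${docker_registry_username:-}" || -n "${docker_registry_password:-}" ]]; then`. The `export` also places the registry token in the environment of every process spawned afterwards, which deserves a comment next to that line (`# NOTE: the token is inherited by all child processes of this shell`). The enclosing function read_config_file starts outside the hunk.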
@@ -28,6 +28,46 @@ metadata: name: genai-gateway run_once: true + - name: Create or update docker pull secret for GenAI Gateway namespace + kubernetes.core.k8s: + state: present + definition: + apiVersion: v1 + kind: Secret + metadata: + name: "{{ docker_registry_secret_name }}" + namespace: genai-gateway + type: kubernetes.io/dockerconfigjson + data: + .dockerconfigjson: >- + {{ + { + "auths": { + docker_registry_server: { + "username": docker_registry_username, + "password": docker_registry_password, + "email": docker_registry_email, + "auth": (docker_registry_username ~ ":" ~ docker_registry_password) | b64encode + } + } + } | to_json | b64encode + }} + no_log: true + run_once: true + when: docker_registry_enabled | bool + - name: Attach docker pull secret to default service account in GenAI Gateway namespace + kubernetes.core.k8s: + state: patched + definition: + apiVersion: v1 + kind: ServiceAccount + metadata: + name: default + namespace: genai-gateway + imagePullSecrets: + - name: "{{ docker_registry_secret_name }}" + run_once: true + when: docker_registry_enabled | bool - name: Create TLS secret for GenAI Gateway community.kubernetes.k8s: state: present @@ -104,6 +144,16 @@ namespace: default run_once: true ignore_errors: true + - name: Authenticate helm registry for Docker Hub OCI charts + ansible.builtin.command: + cmd: > + helm registry login {{ docker_registry_server }} + --username {{ docker_registry_username }} + --password {{ docker_registry_password }} + no_log: true + changed_when: false + run_once: true + when: docker_registry_enabled | bool - name: Install GenAI Gateway System command: > helm dependency update {{ remote_helm_charts_base }}/genai-gateway diff --git a/core/playbooks/deploy-inference-models.yml b/core/playbooks/deploy-inference-models.yml index fd5a37a6..4c66ce02 100644 --- a/core/playbooks/deploy-inference-models.yml +++ b/core/playbooks/deploy-inference-models.yml 
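Review bot: `state: patched` with an `imagePullSecrets` list on the `default` ServiceAccount should replace the existing list rather than append to it: `ServiceAccount.imagePullSecrets` carries no patch merge key, so a strategic merge patch overwrites the whole array. Any pull secret already attached to that account is dropped — on OpenShift that is the auto-linked `default-dockercfg-*` secret used for the internal registry, so the openshift playbook's hunk in particular could silently break pulls that work today. Read the current list first (`kubernetes.core.k8s_info`) and patch with the union, or use a JSON patch `add` on `/imagePullSecrets/-`. The same pattern is in deploy-inference-models.yml, deploy-keycloak-tls-cert.yml (both namespaces) and the two deploy-observability playbooks.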
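Review bot: `helm registry login ... --password {{ docker_registry_password }}` puts the token on the command line, where any local user can read it via `ps` or `/proc/*/cmdline` while the command runs and where process auditing may record it; `no_log` only hides it from Ansible's output. Pass it on stdin instead: `cmd: helm registry login {{ docker_registry_server }} --username {{ docker_registry_username }} --password-stdin` with `stdin: "{{ docker_registry_password }}"` on the same task (recent helm releases accept `--password-stdin`; check the pinned version). The login also persists the credentials in clear text in helm's registry config on the host running the task until a `helm registry logout`, which warrants either a cleanup task or a comment. The same three lines recur in deploy-keycloak-tls-cert.yml and both deploy-observability playbooks.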
@@ -8,6 +8,7 @@ environment: "{{ proxy_disable_env | default(env_proxy | default({})) }}" vars_files: - "{{ lookup('env', 'PWD') }}/config/vault.yml" + - "{{ lookup('env', 'PWD') }}/config/vars/inference_common.yml" - "{{ lookup('env', 'PWD') }}/config/vars/inference_llm_models.yml" - "{{ lookup('env', 'PWD') }}/config/inference_env.yml" roles: @@ -47,6 +48,50 @@ - name: Setup Environment block: + - name: Create or update docker pull secret for model deployments + kubernetes.core.k8s: + state: present + definition: + apiVersion: v1 + kind: Secret + metadata: + name: "{{ docker_registry_secret_name }}" + namespace: default + type: kubernetes.io/dockerconfigjson + data: + .dockerconfigjson: >- + {{ + { + "auths": { + docker_registry_server: { + "username": docker_registry_username, + "password": docker_registry_password, + "email": docker_registry_email, + "auth": (docker_registry_username ~ ":" ~ docker_registry_password) | b64encode + } + } + } | to_json | b64encode + }} + no_log: true + run_once: true + when: docker_registry_enabled | bool + tags: always + + - name: Attach docker pull secret to default service account + kubernetes.core.k8s: + state: patched + definition: + apiVersion: v1 + kind: ServiceAccount + metadata: + name: default + namespace: default + imagePullSecrets: + - name: "{{ docker_registry_secret_name }}" + run_once: true + when: docker_registry_enabled | bool + tags: always + - name: Create/Update Kubernetes Secret for Hugging Face Token kubernetes.core.k8s: name: hugging-face-token diff --git a/core/playbooks/deploy-keycloak-tls-cert.yml b/core/playbooks/deploy-keycloak-tls-cert.yml index f865c834..ae5c2c87 100644 --- a/core/playbooks/deploy-keycloak-tls-cert.yml +++ b/core/playbooks/deploy-keycloak-tls-cert.yml 
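Review bot: This is the only playbook in the patch that gains `inference_common.yml` in `vars_files`, yet deploy-genai-gateway.yml, deploy-keycloak-tls-cert.yml and both observability playbooks also reference `docker_registry_enabled` and `docker_registry_secret_name`; if they do not already load that file (not visible here) their `when: docker_registry_enabled | bool` fails on an undefined variable. Confirm each playbook's `vars_files`, or make the gate tolerant with `when: docker_registry_enabled | default(false) | bool`.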
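Review bot: The `.dockerconfigjson` expression is copied verbatim into six tasks across five playbooks, so any change to the Jinja (a key name, the `auth` encoding) has to be repeated six times and drift will go unnoticed. Compute it once in inference_common.yml, e.g. as `docker_registry_dockerconfigjson`, and reference that variable in each `data:` block, or move the Secret + ServiceAccount pair into a task file included via `ansible.builtin.include_tasks` with a namespace argument so each playbook becomes a short include. A one-line comment on the Secret task noting that only pods running as the `default` ServiceAccount inherit this pull secret (pods with their own ServiceAccount do not) would also help the next reader.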
@@ -20,6 +20,82 @@ kind: Namespace metadata: name: auth-apisix + - name: Create or update docker pull secret in default namespace + kubernetes.core.k8s: + state: present + definition: + apiVersion: v1 + kind: Secret + metadata: + name: "{{ docker_registry_secret_name }}" + namespace: default + type: kubernetes.io/dockerconfigjson + data: + .dockerconfigjson: >- + {{ + { + "auths": { + docker_registry_server: { + "username": docker_registry_username, + "password": docker_registry_password, + "email": docker_registry_email, + "auth": (docker_registry_username ~ ":" ~ docker_registry_password) | b64encode + } + } + } | to_json | b64encode + }} + no_log: true + when: docker_registry_enabled | bool + - name: Create or update docker pull secret in auth-apisix namespace + kubernetes.core.k8s: + state: present + definition: + apiVersion: v1 + kind: Secret + metadata: + name: "{{ docker_registry_secret_name }}" + namespace: auth-apisix + type: kubernetes.io/dockerconfigjson + data: + .dockerconfigjson: >- + {{ + { + "auths": { + docker_registry_server: { + "username": docker_registry_username, + "password": docker_registry_password, + "email": docker_registry_email, + "auth": (docker_registry_username ~ ":" ~ docker_registry_password) | b64encode + } + } + } | to_json | b64encode + }} + no_log: true + when: docker_registry_enabled | bool + - name: Attach docker pull secret to default service account in default namespace + kubernetes.core.k8s: + state: patched + definition: + apiVersion: v1 + kind: ServiceAccount + metadata: + name: default + namespace: default + imagePullSecrets: + - name: "{{ docker_registry_secret_name }}" + when: docker_registry_enabled | bool + - name: Attach docker pull secret to default service account in auth-apisix namespace + kubernetes.core.k8s: + state: patched + definition: + apiVersion: v1 + kind: ServiceAccount + metadata: + name: default + namespace: auth-apisix + imagePullSecrets: + - name: "{{ docker_registry_secret_name }}" + when: 
docker_registry_enabled | bool - name: Output variable values debug: var: cert_file, key_file, secret_name @@ -74,7 +150,16 @@ name: genai-gateway-ingress namespace: genai-gateway ignore_errors: true - + - name: Authenticate helm registry for Docker Hub OCI charts + ansible.builtin.command: + cmd: > + helm registry login {{ docker_registry_server }} + --username {{ docker_registry_username }} + --password {{ docker_registry_password }} + no_log: true + changed_when: false + when: docker_registry_enabled | bool + - name: Deploy Keycloak System run_once: true register: helm_output @@ -86,6 +171,8 @@ create_namespace: true chart_version: "{{ keycloak_chart_version|default('22.1.0') }}" values: + global: + imagePullSecrets: "{{ [docker_registry_secret_name] if (docker_registry_enabled | bool) else [] }}" image: repository: bitnamilegacy/keycloak tag: 25.0.2-debian-12-r2 diff --git a/core/playbooks/deploy-observability-openshift.yml b/core/playbooks/deploy-observability-openshift.yml index bd435ed7..62ea7ae1 100644 --- a/core/playbooks/deploy-observability-openshift.yml +++ b/core/playbooks/deploy-observability-openshift.yml 
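Review bot: Unlike the equivalent tasks in the other playbooks, these four tasks have no `run_once: true`; if this play targets more than one host, the Secret and ServiceAccount patch are applied once per host, each run re-sending the token to the API server. Add `run_once: true` to each to match the siblings, or note in a comment why this play is single-host. The default/auth-apisix duplication would collapse to one Secret task and one ServiceAccount task with `loop: [default, auth-apisix]` and `namespace: "{{ item }}"`.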
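Review bot: `global.imagePullSecrets` makes the Keycloak chart reference `docker_registry_secret_name`, but the Secret is created only in `default` and `auth-apisix` in the first hunk of this file; the release namespace is set outside this hunk, and if it is neither of those the pods fail with ImagePullBackOff. Confirm the namespaces match, or create the Secret from the same variable the helm task's `release_namespace` uses. A comment such as `# secret is created earlier in this play; it must exist in the release namespace` next to `imagePullSecrets` would make the coupling explicit.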
@@ -44,6 +44,48 @@ state: present run_once: true tags: always + - name: Create or update docker pull secret for observability namespace + kubernetes.core.k8s: + state: present + definition: + apiVersion: v1 + kind: Secret + metadata: + name: "{{ docker_registry_secret_name }}" + namespace: observability + type: kubernetes.io/dockerconfigjson + data: + .dockerconfigjson: >- + {{ + { + "auths": { + docker_registry_server: { + "username": docker_registry_username, + "password": docker_registry_password, + "email": docker_registry_email, + "auth": (docker_registry_username ~ ":" ~ docker_registry_password) | b64encode + } + } + } | to_json | b64encode + }} + no_log: true + run_once: true + when: docker_registry_enabled | bool + tags: always + - name: Attach docker pull secret to default service account in observability namespace + kubernetes.core.k8s: + state: patched + definition: + apiVersion: v1 + kind: ServiceAccount + metadata: + name: default + namespace: observability + imagePullSecrets: + - name: "{{ docker_registry_secret_name }}" + run_once: true + when: docker_registry_enabled | bool + tags: always # ========================================================================= # OPENSHIFT USER WORKLOAD MONITORING (METRICS) @@ -235,6 +277,20 @@ when: deploy_logging == "yes" tags: deploy_logging + - name: Authenticate helm registry for Docker Hub OCI charts + ansible.builtin.command: + cmd: > + helm registry login {{ docker_registry_server }} + --username {{ docker_registry_username }} + --password {{ docker_registry_password }} + no_log: true + changed_when: false + run_once: true + when: + - deploy_logging == "yes" + - docker_registry_enabled | bool + tags: deploy_logging + - name: Install Fluent Bit community.kubernetes.helm: name: logging-fluentbit diff --git a/core/playbooks/deploy-observability.yml b/core/playbooks/deploy-observability.yml index ad57d612..96f32efe 100644 --- a/core/playbooks/deploy-observability.yml 
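Review bot: The pull secret is attached only to the `default` ServiceAccount in `observability`, but the Fluent Bit chart installed later in this play (and, in deploy-observability.yml, the prometheus-community charts as well) normally creates its own ServiceAccount, so those pods would not inherit it; unlike the Keycloak play, no `imagePullSecrets` value is passed to these helm tasks. Pass `"{{ [docker_registry_secret_name] if (docker_registry_enabled | bool) else [] }}"` in each chart's values where the chart supports it, and add a comment on the ServiceAccount task stating that it only covers pods running as `default`. The same gap exists in deploy-observability.yml.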
+++ b/core/playbooks/deploy-observability.yml @@ -21,6 +21,48 @@ state: present run_once: true tags: always + - name: Create or update docker pull secret for observability namespace + kubernetes.core.k8s: + state: present + definition: + apiVersion: v1 + kind: Secret + metadata: + name: "{{ docker_registry_secret_name }}" + namespace: observability + type: kubernetes.io/dockerconfigjson + data: + .dockerconfigjson: >- + {{ + { + "auths": { + docker_registry_server: { + "username": docker_registry_username, + "password": docker_registry_password, + "email": docker_registry_email, + "auth": (docker_registry_username ~ ":" ~ docker_registry_password) | b64encode + } + } + } | to_json | b64encode + }} + no_log: true + run_once: true + when: docker_registry_enabled | bool + tags: always + - name: Attach docker pull secret to default service account in observability namespace + kubernetes.core.k8s: + state: patched + definition: + apiVersion: v1 + kind: ServiceAccount + metadata: + name: default + namespace: observability + imagePullSecrets: + - name: "{{ docker_registry_secret_name }}" + run_once: true + when: docker_registry_enabled | bool + tags: always - name: Add Observability repository community.kubernetes.helm_repository: name: prometheus-community @@ -329,6 +371,20 @@ when: deploy_logging == "yes" tags: deploy_logging + - name: Authenticate helm registry for Docker Hub OCI charts + ansible.builtin.command: + cmd: > + helm registry login {{ docker_registry_server }} + --username {{ docker_registry_username }} + --password {{ docker_registry_password }} + no_log: true + changed_when: false + run_once: true + when: + - deploy_logging == "yes" + - docker_registry_enabled | bool + tags: deploy_logging + - name: Install Fluent Bit community.kubernetes.helm: name: logging-fluentbit