7 changes: 6 additions & 1 deletion core/inventory/inference-config.cfg
Expand Up @@ -17,4 +17,9 @@ deploy_observability=off
deploy_llm_models=on
deploy_ceph=off
deploy_istio=off
uninstall_ceph=off
uninstall_ceph=off
docker_registry_server=registry-1.docker.io
docker_registry_username=your-docker-username
docker_registry_password=your-docker-token
docker_registry_email=your-email@example.com
docker_registry_secret_name=regcred
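Review bot: The new credential keys ship with non-empty placeholders, so on an untouched config `docker_registry_enabled` (server, username and password all non-empty, per `inference_common.yml` in this change) evaluates true. The playbooks would then create a pull secret and run `helm registry login` with `your-docker-username` / `your-docker-token`. Shipping them empty, `docker_registry_username=` and `docker_registry_password=`, would keep the feature off until an operator opts in, assuming the config reader accepts empty values. Because this file sits in the inventory tree, I would also add a comment such as `# Do not commit a real token here; keep it in config/vault.yml or inject it at run time`.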
8 changes: 7 additions & 1 deletion core/inventory/metadata/vars/inference_common.yml
Expand Up @@ -4,4 +4,10 @@ helm_charts_base: "{{ lookup('env', 'PWD') }}/helm-charts"
remote_home_dir: "{{ lookup('env', 'PWD') }}/scripts"
remote_helm_charts_base: "/tmp/helm-charts"
ansible_python_interpreter: /usr/bin/python3
remote_home_scripts_dir: "{{ lookup('env', 'PWD') }}/scripts"
remote_home_scripts_dir: "{{ lookup('env', 'PWD') }}/scripts"
docker_registry_server: "{{ lookup('env', 'docker_registry_server') | default('', true) }}"
docker_registry_username: "{{ lookup('env', 'docker_registry_username') | default('', true) }}"
docker_registry_password: "{{ lookup('env', 'docker_registry_password') | default('', true) }}"
docker_registry_email: "{{ lookup('env', 'docker_registry_email') | default('', true) }}"
docker_registry_secret_name: "{{ lookup('env', 'docker_registry_secret_name') | default('regcred', true) }}"
docker_registry_enabled: "{{ (docker_registry_server | length > 0) and (docker_registry_username | length > 0) and (docker_registry_password | length > 0) }}"
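Review bot: A partial setup is silently treated as "disabled" by `docker_registry_enabled`: if the username is set but the password lookup comes back empty, every registry task is skipped and images are pulled anonymously with no warning. A fail-fast check before the deploy plays would surface that, for example an `ansible.builtin.assert` with `that: (docker_registry_username | length > 0) == (docker_registry_password | length > 0)`. A short comment above `docker_registry_password` stating that it is a secret read from the controller environment, and that any task referencing it needs `no_log: true`, would also help the next maintainer.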
10 changes: 10 additions & 0 deletions core/lib/system/precheck/read-config-file.sh
Expand Up @@ -22,6 +22,16 @@ read_config_file() {
# Load the environment variables from the temporary file
source temp_env_vars
rm temp_env_vars

# Make docker registry vars available to ansible via environment lookups.
if [[ -n "$docker_registry_server" || -n "$docker_registry_username" || -n "$docker_registry_password" ]]; then
export docker_registry_server docker_registry_username docker_registry_password docker_registry_email
if [[ -z "$docker_registry_secret_name" ]]; then
docker_registry_secret_name="regcred"
fi
export docker_registry_secret_name
fi

local metadata_config_file="$HOMEDIR/inventory/metadata/inference-metadata.cfg"
if [ -f "$metadata_config_file" ]; then
echo "Metadata configuration file found, setting vars!"
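Review bot: The added `export docker_registry_server docker_registry_username docker_registry_password docker_registry_email` puts the registry token into the environment of this shell and of every process it starts afterwards, not only the Ansible run that needs it. It also means the predictable `temp_env_vars` file sourced just above now carries a secret; its creation and permissions are outside this hunk, so please confirm it is created with a restrictive mode. I would hand the password to Ansible through the vault file the playbooks already load, or at least `unset docker_registry_password` once the playbook run has finished. Separately, this gate exports when any one of the three values is set, while `docker_registry_enabled` requires all three; a one-line comment explaining the difference would avoid confusion. `read_config_file` starts and ends outside the hunk.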
50 changes: 50 additions & 0 deletions core/playbooks/deploy-genai-gateway.yml
Expand Up @@ -28,6 +28,46 @@
metadata:
name: genai-gateway
run_once: true
- name: Create or update docker pull secret for GenAI Gateway namespace
kubernetes.core.k8s:
state: present
definition:
apiVersion: v1
kind: Secret
metadata:
name: "{{ docker_registry_secret_name }}"
namespace: genai-gateway
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: >-
{{
{
"auths": {
docker_registry_server: {
"username": docker_registry_username,
"password": docker_registry_password,
"email": docker_registry_email,
"auth": (docker_registry_username ~ ":" ~ docker_registry_password) | b64encode
}
}
} | to_json | b64encode
}}
no_log: true
run_once: true
when: docker_registry_enabled | bool
- name: Attach docker pull secret to default service account in GenAI Gateway namespace
kubernetes.core.k8s:
state: patched
definition:
apiVersion: v1
kind: ServiceAccount
metadata:
name: default
namespace: genai-gateway
imagePullSecrets:
- name: "{{ docker_registry_secret_name }}"
run_once: true
when: docker_registry_enabled | bool
- name: Create TLS secret for GenAI Gateway
community.kubernetes.k8s:
state: present
Expand Down Expand Up @@ -104,6 +144,16 @@
namespace: default
run_once: true
ignore_errors: true
- name: Authenticate helm registry for Docker Hub OCI charts
ansible.builtin.command:
cmd: >
helm registry login {{ docker_registry_server }}
--username {{ docker_registry_username }}
--password {{ docker_registry_password }}
no_log: true
changed_when: false
run_once: true
when: docker_registry_enabled | bool
- name: Install GenAI Gateway System
command: >
helm dependency update {{ remote_helm_charts_base }}/genai-gateway
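Review bot: The "Authenticate helm registry" task passes the token as `--password {{ docker_registry_password }}`, so it appears in the helm process's argument list on the target host for as long as the command runs; `no_log: true` only hides it from Ansible's own output. The unquoted folded `cmd:` string is also split into arguments, so a token or username containing whitespace or quote characters would be mis-parsed. Feeding the secret on stdin with `--password-stdin` and using `argv` avoids both; the same task is repeated in `deploy-keycloak-tls-cert.yml` and `deploy-observability-openshift.yml` and needs the same change. `helm registry login` also leaves the credential in helm's registry config on that host, so consider a matching `helm registry logout` step at the end of the play.

```yaml
- name: Authenticate helm registry for Docker Hub OCI charts
  ansible.builtin.command:
    argv:
      - helm
      - registry
      - login
      - "{{ docker_registry_server }}"
      - --username
      - "{{ docker_registry_username }}"
      - --password-stdin
    stdin: "{{ docker_registry_password }}"
    stdin_add_newline: false
  # … unchanged: no_log, changed_when, run_once, when …
```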
45 changes: 45 additions & 0 deletions core/playbooks/deploy-inference-models.yml
Expand Up @@ -8,6 +8,7 @@
environment: "{{ proxy_disable_env | default(env_proxy | default({})) }}"
vars_files:
- "{{ lookup('env', 'PWD') }}/config/vault.yml"
- "{{ lookup('env', 'PWD') }}/config/vars/inference_common.yml"
- "{{ lookup('env', 'PWD') }}/config/vars/inference_llm_models.yml"
- "{{ lookup('env', 'PWD') }}/config/inference_env.yml"
roles:
Expand Down Expand Up @@ -47,6 +48,50 @@

- name: Setup Environment
block:
- name: Create or update docker pull secret for model deployments
kubernetes.core.k8s:
state: present
definition:
apiVersion: v1
kind: Secret
metadata:
name: "{{ docker_registry_secret_name }}"
namespace: default
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: >-
{{
{
"auths": {
docker_registry_server: {
"username": docker_registry_username,
"password": docker_registry_password,
"email": docker_registry_email,
"auth": (docker_registry_username ~ ":" ~ docker_registry_password) | b64encode
}
}
} | to_json | b64encode
}}
no_log: true
run_once: true
when: docker_registry_enabled | bool
tags: always

- name: Attach docker pull secret to default service account
kubernetes.core.k8s:
state: patched
definition:
apiVersion: v1
kind: ServiceAccount
metadata:
name: default
namespace: default
imagePullSecrets:
- name: "{{ docker_registry_secret_name }}"
run_once: true
when: docker_registry_enabled | bool
tags: always

- name: Create/Update Kubernetes Secret for Hugging Face Token
kubernetes.core.k8s:
name: hugging-face-token
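Review bot: The `.dockerconfigjson` expression in "Create or update docker pull secret for model deployments" is a copy of the one added to `deploy-genai-gateway.yml`, twice to `deploy-keycloak-tls-cert.yml`, and to `deploy-observability-openshift.yml`. With five copies of secret-handling code, a later fix such as a changed `auth` encoding or a dropped `no_log` can easily miss one. I would define the encoded payload once as a variable next to `docker_registry_enabled` in `inference_common.yml`, or move the Secret and ServiceAccount pair into one shared task file (placeholder name `<shared-pull-secret-tasks>.yml`) included with the namespace as a parameter. Note also that this play attaches the secret to the `default` ServiceAccount of the `default` namespace, so every pod started there without its own service account can pull with these credentials; a comment saying that is intended would help.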
89 changes: 88 additions & 1 deletion core/playbooks/deploy-keycloak-tls-cert.yml
Expand Up @@ -20,6 +20,82 @@
kind: Namespace
metadata:
name: auth-apisix
- name: Create or update docker pull secret in default namespace
kubernetes.core.k8s:
state: present
definition:
apiVersion: v1
kind: Secret
metadata:
name: "{{ docker_registry_secret_name }}"
namespace: default
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: >-
{{
{
"auths": {
docker_registry_server: {
"username": docker_registry_username,
"password": docker_registry_password,
"email": docker_registry_email,
"auth": (docker_registry_username ~ ":" ~ docker_registry_password) | b64encode
}
}
} | to_json | b64encode
}}
no_log: true
when: docker_registry_enabled | bool
- name: Create or update docker pull secret in auth-apisix namespace
kubernetes.core.k8s:
state: present
definition:
apiVersion: v1
kind: Secret
metadata:
name: "{{ docker_registry_secret_name }}"
namespace: auth-apisix
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: >-
{{
{
"auths": {
docker_registry_server: {
"username": docker_registry_username,
"password": docker_registry_password,
"email": docker_registry_email,
"auth": (docker_registry_username ~ ":" ~ docker_registry_password) | b64encode
}
}
} | to_json | b64encode
}}
no_log: true
when: docker_registry_enabled | bool
- name: Attach docker pull secret to default service account in default namespace
kubernetes.core.k8s:
state: patched
definition:
apiVersion: v1
kind: ServiceAccount
metadata:
name: default
namespace: default
imagePullSecrets:
- name: "{{ docker_registry_secret_name }}"
when: docker_registry_enabled | bool
- name: Attach docker pull secret to default service account in auth-apisix namespace
kubernetes.core.k8s:
state: patched
definition:
apiVersion: v1
kind: ServiceAccount
metadata:
name: default
namespace: auth-apisix
imagePullSecrets:
- name: "{{ docker_registry_secret_name }}"
when: docker_registry_enabled | bool
- name: Output variable values
debug:
var: cert_file, key_file, secret_name
Expand Down Expand Up @@ -74,7 +150,16 @@
name: genai-gateway-ingress
namespace: genai-gateway
ignore_errors: true

- name: Authenticate helm registry for Docker Hub OCI charts
ansible.builtin.command:
cmd: >
helm registry login {{ docker_registry_server }}
--username {{ docker_registry_username }}
--password {{ docker_registry_password }}
no_log: true
changed_when: false
when: docker_registry_enabled | bool

- name: Deploy Keycloak System
run_once: true
register: helm_output
Expand All @@ -86,6 +171,8 @@
create_namespace: true
chart_version: "{{ keycloak_chart_version|default('22.1.0') }}"
values:
global:
imagePullSecrets: "{{ [docker_registry_secret_name] if (docker_registry_enabled | bool) else [] }}"
image:
repository: bitnamilegacy/keycloak
tag: 25.0.2-debian-12-r2
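Review bot: None of the new tasks in this file carry `run_once: true`: the four Secret/ServiceAccount tasks and "Authenticate helm registry for Docker Hub OCI charts" all omit it. The equivalent tasks in the other playbooks of this change set it, as does "Deploy Keycloak System" directly below. If this play targets more than one host, the registry login would be executed and the credential stored on each of them. Adding `run_once: true` next to each `when: docker_registry_enabled | bool` would match the rest of the change. The surrounding play header is outside the visible hunks, so the host pattern could not be checked.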
56 changes: 56 additions & 0 deletions core/playbooks/deploy-observability-openshift.yml
Expand Up @@ -44,6 +44,48 @@
state: present
run_once: true
tags: always
- name: Create or update docker pull secret for observability namespace
kubernetes.core.k8s:
state: present
definition:
apiVersion: v1
kind: Secret
metadata:
name: "{{ docker_registry_secret_name }}"
namespace: observability
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: >-
{{
{
"auths": {
docker_registry_server: {
"username": docker_registry_username,
"password": docker_registry_password,
"email": docker_registry_email,
"auth": (docker_registry_username ~ ":" ~ docker_registry_password) | b64encode
}
}
} | to_json | b64encode
}}
no_log: true
run_once: true
when: docker_registry_enabled | bool
tags: always
- name: Attach docker pull secret to default service account in observability namespace
kubernetes.core.k8s:
state: patched
definition:
apiVersion: v1
kind: ServiceAccount
metadata:
name: default
namespace: observability
imagePullSecrets:
- name: "{{ docker_registry_secret_name }}"
run_once: true
when: docker_registry_enabled | bool
tags: always

# =========================================================================
# OPENSHIFT USER WORKLOAD MONITORING (METRICS)
Expand Down Expand Up @@ -235,6 +277,20 @@
when: deploy_logging == "yes"
tags: deploy_logging

- name: Authenticate helm registry for Docker Hub OCI charts
ansible.builtin.command:
cmd: >
helm registry login {{ docker_registry_server }}
--username {{ docker_registry_username }}
--password {{ docker_registry_password }}
no_log: true
changed_when: false
run_once: true
when:
- deploy_logging == "yes"
- docker_registry_enabled | bool
tags: deploy_logging

- name: Install Fluent Bit
community.kubernetes.helm:
name: logging-fluentbit
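Review bot: The pull secret in the `observability` namespace is attached only to the `default` ServiceAccount, but Helm-installed components such as the Fluent Bit release that follows commonly run under their own service accounts. If they do here, those pods would still pull anonymously. The Keycloak play in this change passes the secret explicitly through `global.imagePullSecrets`; the chart values for `logging-fluentbit` are outside the hunk, so please confirm they reference `{{ docker_registry_secret_name }}` as well. If they do not, add the chart's image-pull-secret value, again conditioned on `docker_registry_enabled | bool`.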