defenseunicorns · cmwylie19 · Jun 21, 2024 · Jun 21, 2024 · Jun 21, 2024 · Jun 21, 2024
@@ -7,15 +7,56 @@ import { Assets } from "../lib/assets";
 import { buildModule } from "./build";
 import { RootCmd } from "./root";
 import { validateCapabilityNames, namespaceDeploymentsReady } from "../lib/helpers";
+import { ImagePullSecret } from "../lib/types";
+import { sanitizeName } from "./init/utils";
+import { deployImagePullSecret } from "../lib/assets/deploy";
 
 export default function (program: RootCmd) {
   program
     .command("deploy")
     .description("Deploy a Pepr Module")
     .option("-i, --image [image]", "Override the image tag")
     .option("--confirm", "Skip confirmation prompt")
+    .option("--pullSecret <name>", "Deploy imagePullSecret for Controller private registry")
+    .option("--docker-server <server>", "Docker server address")
+    .option("--docker-username <username>", "Docker registry username")
+    .option("--docker-email <email>", "Email for Docker registry")
+    .option("--docker-password <password>", "Password for Docker registry")
     .option("--force", "Force deploy the module, override manager field")
     .action(async opts => {
+      let imagePullSecret: ImagePullSecret | undefined;
+
+      if (
+        opts.pullSecret &&
+        opts.pullSecret.length > 0 &&
+        (!opts.dockerServer || !opts.dockerUsername || !opts.dockerEmail || !opts.dockerPassword)
+      ) {
+        console.error(
+          "Error: Must provide docker server, username, email, and password when providing pull secret",
+        );
+        process.exit(1);
+      } else if (opts.pullSecret && opts.pullSecret !== sanitizeName(opts.pullSecret)) {
+        // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-subdomain-names
+        console.error(
+          "Invalid imagePullSecret name. Please provide a valid name as defined in RFC 1123.",
+        );
+        process.exit(1);
+      } else if (opts.pullSecret) {
+        imagePullSecret = {
+          auths: {
+            [opts.dockerServer]: {
+              username: opts.dockerUsername,
+              password: opts.dockerPassword,
+              email: opts.dockerEmail,
+              auth: Buffer.from(`${opts.dockerUsername}:${opts.dockerPassword}`).toString("base64"),
+            },
+          },
+        };
+
+        await deployImagePullSecret(imagePullSecret, opts.pullSecret);
+        return;
+      }
+
       if (!opts.confirm) {
         // Prompt the user to confirm
         const confirm = await prompt({

@@ -12,8 +12,35 @@ import { deployment, moduleSecret, namespace, watcher } from "./pods";
 import { clusterRole, clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac";
 import { peprStoreCRD } from "./store";
 import { webhookConfig } from "./webhooks";
-import { CapabilityExport } from "../types";
+import { CapabilityExport, ImagePullSecret } from "../types";
 
+export async function deployImagePullSecret(imagePullSecret: ImagePullSecret, name: string) {
+  try {
+    await K8s(kind.Namespace).Get("pepr-system");
+  } catch {
+    await K8s(kind.Namespace).Apply(namespace());
+  }
+
+  try {
+    await K8s(kind.Secret).Apply(
+      {
+        apiVersion: "v1",
+        kind: "Secret",
+        metadata: {
+          name,
+          namespace: "pepr-system",
+        },
+        type: "kubernetes.io/dockerconfigjson",
+        data: {
+          ".dockerconfigjson": Buffer.from(JSON.stringify(imagePullSecret)).toString("base64"),
+        },
+      },
+      { force: true },
+    );
+  } catch (e) {
+    Log.error(e);
+  }
+}
 export async function deploy(assets: Assets, force: boolean, webhookTimeout?: number) {
   Log.info("Establishing connection to Kubernetes");
 

@@ -7,6 +7,20 @@ import { WatchAction } from "kubernetes-fluent-client/dist/fluent/types";
 import { PeprMutateRequest } from "./mutate-request";
 import { PeprValidateRequest } from "./validate-request";
 
+/**
+ * Specifically for deploying images with a private registry
+ */
+export interface ImagePullSecret {
+  auths: {
+    [server: string]: {
+      username: string;
+      password: string;
+      email: string;
+      auth: string;
+    };
+  };
+}
+
 /**
  * Specifically for parsing logs in monitor mode
  */