Move external container registry earlier in the deployment; imagePull…

…Secrets for keycloak added (#945)

qhub/deploy.py

@@ -123,8 +123,8 @@ def guided_install(
                 f'"{config["domain"]}" [Press Enter when Complete]'
             )
 
-        # Now Keycloak Helm chart
-        targets = ["module.kubernetes-keycloak-helm"]
+        # Now Keycloak Helm chart (External Docker Registry before that if we need one)
+        targets = ["module.external-container-reg", "module.kubernetes-keycloak-helm"]
         logger.info(f"Running Terraform Stage: {targets}")
         terraform.apply(
             directory="infrastructure",

qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/kubernetes.tf

@@ -183,6 +183,20 @@ module "kubernetes-ingress" {
 
 ### Keycloak
 
+
+module "external-container-reg" {
+  source = "./modules/extcr"
+
+  count = {{ cookiecutter.external_container_reg.enabled | default(false,true) | jsonify }} ? 1 : 0
+
+  namespace         = var.environment
+  access_key_id     = "{{ cookiecutter.external_container_reg.access_key_id | default("",true) }}"
+  secret_access_key = "{{ cookiecutter.external_container_reg.secret_access_key | default("",true) }}"
+  extcr_account     = "{{ cookiecutter.external_container_reg.extcr_account | default("",true) }}"
+  extcr_region      = "{{ cookiecutter.external_container_reg.extcr_region | default("",true) }}"
+}
+
+
 resource "random_password" "keycloak-qhub-bot-password" {
   length  = 32
   special = false
@@ -210,7 +224,8 @@ module "kubernetes-keycloak-helm" {
 
 
   depends_on = [
-    module.kubernetes-ingress
+    module.kubernetes-ingress,
+    module.external-container-reg
   ]
 }
 
@@ -294,14 +309,6 @@ module "qhub" {
 
   dask_gateway_extra_config = file("dask_gateway_config.py.j2")
 
-  extcr_config = {
-    enabled : {{ cookiecutter.external_container_reg.enabled | default(false,true) | jsonify }}
-    access_key_id : "{{ cookiecutter.external_container_reg.access_key_id | default("",true) }}"
-    secret_access_key : "{{ cookiecutter.external_container_reg.secret_access_key | default("",true) }}"
-    extcr_account : "{{ cookiecutter.external_container_reg.extcr_account | default("",true) }}"
-    extcr_region : "{{ cookiecutter.external_container_reg.extcr_region | default("",true) }}"
-  }
-
   forwardauth-callback-url-path = local.forwardauth-callback-url-path
 
   OAUTH_CLIENT_ID        = local.jupyterhub-keycloak-client-id

qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/modules/kubernetes/keycloak-helm/values.yaml

@@ -3,6 +3,9 @@ ingress:
   # we will need to define our own IngressRoute elsewhere.
   enabled: false
 
+imagePullSecrets:
+  - name: "extcrcreds"
+
 extraEnv: |
   - name: PROXY_ADDRESS_FORWARDING
     value: "true"

qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/modules/kubernetes/services/jupyterhub/values.yaml

@@ -21,6 +21,8 @@ scheduling:
     enabled: false
     replicas: 1
 
+imagePullSecrets:
+  - extcrcreds
 
 singleuser:
   defaultUrl: "/lab"

qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/modules/kubernetes/services/meta/qhub/main.tf

@@ -394,15 +394,3 @@ resource "kubernetes_manifest" "forwardauth" {
     }
   }
 }
-
-module "external-container-reg" {
-  source = "../../extcr"
-
-  count = var.extcr_config.enabled ? 1 : 0
-
-  namespace         = var.namespace
-  access_key_id     = var.extcr_config.access_key_id
-  secret_access_key = var.extcr_config.secret_access_key
-  extcr_account     = var.extcr_config.extcr_account
-  extcr_region      = var.extcr_config.extcr_region
-}

qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/modules/kubernetes/services/meta/qhub/variables.tf

@@ -100,11 +100,6 @@ variable "certificate-secret-name" {
   default     = ""
 }
 
-variable "extcr_config" {
-  description = "Customer's access details for external container reg"
-  type        = map(any)
-}
-
 variable "forwardauth-callback-url-path" {
   description = "Callback URL Path for ForwardAuth"
   type        = string