Merge pull request #267 from stefanprodan/image-pull-secret-gen

Add image pull secret generator to Timoni's CUE schemas
stefanprodan · Dec 3, 2023 · da003ac · da003ac
2 parents 3aa7e45 + 92822a3
commit da003ac
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 4 deletions.
diff --git a/Makefile b/Makefile
@@ -36,7 +36,10 @@ cue-fmt: ## Format CUE schemas.
 vet: ## Vet Go code.
 	go vet ./...
 
-lint-samples: build cue-fmt ## Lint the CUE samples.
+cue-vet: ## Vet CUE schemas.
+	cue vet ./schemas/...
+
+lint-samples: build cue-vet cue-fmt ## Lint the CUE samples.
 	./bin/timoni mod lint ./examples/minimal
 	./bin/timoni mod lint ./examples/redis
 	./bin/timoni mod lint ./cmd/timoni/testdata/module

diff --git a/schemas/timoni.sh/core/v1alpha1/image.cue b/schemas/timoni.sh/core/v1alpha1/image.cue
@@ -3,7 +3,10 @@
 
 package v1alpha1
 
-import "strings"
+import (
+	"encoding/base64"
+	"strings"
+)
 
 // Image defines the schema for OCI image reference used in Kubernetes PodSpec container image.
 #Image: {
@@ -22,6 +25,10 @@ import "strings"
 	// Spec: https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests.
 	digest!: string
 
+	// PullPolicy defines the pull policy for the image.
+	// By default, it is set to IfNotPresent.
+	pullPolicy: *"IfNotPresent" | "Always" | "Never"
+
 	// Reference is the image address computed from repository, tag and digest
 	// in the format [REPOSITORY]:[TAG]@[DIGEST].
 	reference: string
@@ -42,3 +49,53 @@ import "strings"
 		reference: "\(repository):latest"
 	}
 }
+
+// ImagePullSecret is a generator for Kubernetes Secrets of type kubernetes.io/dockerconfigjson.
+// Spec: https://kubernetes.io/docs/concepts/configuration/secret/#docker-config-secrets.
+#ImagePullSecret: {
+	// Metadata is the Kubernetes object's metadata generated by Timoni.
+	meta=metadata: #Metadata
+
+	// Registry is the hostname of the container registry in the format [HOST[:PORT_NUMBER]].
+	registry!: string
+
+	// Username is the username used to authenticate to the container registry.
+	username!: string
+
+	// Password is the password used to authenticate to the container registry.
+	password!: string
+
+	// Optional suffix used to generate the Secret name.
+	suffix: *"" | string
+
+	let auth = base64.Encode(null, username+":"+password)
+
+	// The object is a read-only struct that contains the generated
+	// Kubernetes Secret of type kubernetes.io/dockerconfigjson.
+	object: {
+		apiVersion: "v1"
+		kind:       "Secret"
+		type:       "kubernetes.io/dockerconfigjson"
+		metadata: {
+			name:      meta.name + suffix
+			namespace: meta.namespace
+			labels:    meta.labels
+			if meta.annotations != _|_ {
+				annotations: meta.annotations
+			}
+		}
+		stringData: {
+			".dockerconfigjson": #"""
+				{
+					"auths": {
+						"\#(registry)": {
+							"username": "\#(username)",
+							"password": "\#(password)",
+							"auth": "\#(auth)"
+						}
+					}
+				}
+			"""#
+		}
+	}
+}
diff --git a/schemas/timoni.sh/core/v1alpha1/selector.cue b/schemas/timoni.sh/core/v1alpha1/selector.cue
@@ -3,8 +3,6 @@
 
 package v1alpha1
 
-import "strings"
-
 // Selector defines the schema for Kubernetes Pod label selector used in Deployments, Services, Jobs, etc.
 #Selector: {
 	// Name must be unique within a namespace. Is required when creating resources.