feat(images): use imagePullSecret when pulling a private image

use a k8s Secret to encode a '.docker/config.json' to completely bypass the Controller when it comes to images if a private registry is being used

Handles the various possible errors coming from k8s and bubble that up through to the end user, similar to how the deis dockerclient can do.
k8s adds more information on top of what docker gives so an error message bubbled up from this compared to when the Controller was handling the Docker interaction

ref #639

Author: helgi

rootfs/api/models/app.py

@@ -338,7 +338,8 @@ def _scale_pods(self, scale_types):
                 'memory': release.config.memory,
                 'cpu': release.config.cpu,
                 'tags': release.config.tags,
-                'envs': envs,
+                'envs': release.config.values,
+                'registry': release.config.registry,
                 'version': "v{}".format(release.version),
                 'replicas': replicas,
                 'app_type': scale_type,
@@ -390,7 +391,8 @@ def deploy(self, release):
                 'memory': release.config.memory,
                 'cpu': release.config.cpu,
                 'tags': release.config.tags,
-                'envs': envs,
+                'envs': release.config.values,
+                'registry': release.config.registry,
                 # only used if there is no previous RC
                 'replicas': replicas,
                 'version': "v{}".format(release.version),
@@ -583,6 +585,7 @@ def pod_name(size=5, chars=string.ascii_lowercase + string.digits):
             'cpu': release.config.cpu,
             'tags': release.config.tags,
             'envs': release.config.values,
+            'registry': release.config.registry,
             'version': "v{}".format(release.version),
             'build_type': release.build.type,
         }

rootfs/api/models/release.py

@@ -40,7 +40,19 @@ def __str__(self):
 
     @property
     def image(self):
-        # return image if it is already in the registry, test host and then host + port
+        # Builder pushes to internal registry, exclude SHA based images from being returned
+        registry = self.config.registry
+        if (
+            registry.get('username', None) and
+            registry.get('password', None) and
+            # SHA means it came from a git push (builder)
+            not self.build.sha and
+            # hostname tells Builder where to push images
+            not registry.get('hostname', None)
+        ):
+            return self.build.image
+
+        # return image if it is already in a registry, test host and then host + port
         if (
             self.build.image.startswith(settings.REGISTRY_HOST) or
             self.build.image.startswith(settings.REGISTRY_URL)
@@ -95,16 +107,29 @@ def publish(self):
         if self.build.source_based:
             return
 
-        source_image = self.build.image
+        # Builder pushes to internal registry, exclude SHA based images from being returned early
+        registry = self.config.registry
+        if (
+            registry.get('username', None) and
+            registry.get('password', None) and
+            # SHA means it came from a git push (builder)
+            not self.build.sha and
+            # hostname tells Builder where to push images
+            not registry.get('hostname', None)
+        ):
+            log_event(self.app, '{} exists in the target registry. Using image for release {} of app {}'.format(self.build.image, self.version, self.app))  # noqa
+            return
+
         # return image if it is already in the registry, test host and then host + port
         if (
-            source_image.startswith(settings.REGISTRY_HOST) or
-            source_image.startswith(settings.REGISTRY_URL)
+            self.build.image.startswith(settings.REGISTRY_HOST) or
+            self.build.image.startswith(settings.REGISTRY_URL)
         ):
-            log_event(self.app, '{} already exists in the target registry. Using this image for release {} of app {}'.format(source_image, self.version, self.app))  # noqa
+            log_event(self.app, '{} exists in the target registry. Using image for release {} of app {}'.format(self.build.image, self.version, self.app))  # noqa
             return
 
         # add tag if it was not provided
+        source_image = self.build.image
         if ':' not in source_image:
             source_image = "{}:{}".format(source_image, self.build.version)
 

rootfs/api/tests/test_config.py

@@ -665,6 +665,36 @@ def test_registry(self, mock_requests):
         response = self.client.delete(url)
         self.assertEqual(response.status_code, 405, response.data)
 
+    def test_registry_deploy(self, mock_requests):
+        """
+        Test that registry information can be applied
+        """
+        url = '/v2/apps'
+        response = self.client.post(url)
+        self.assertEqual(response.status_code, 201, response.data)
+        app_id = response.data['id']
+
+        # Set healthcheck URL to get defaults set
+        body = {'registry': json.dumps({
+            'username': 'bob',
+            'password': 's3cur3pw1'
+        })}
+        resp = self.client.post(
+            '/v2/apps/{app_id}/config'.format(**locals()),
+            body
+        )
+        self.assertEqual(resp.status_code, 201, response.data)
+        self.assertIn('username', resp.data['registry'])
+        self.assertIn('password', resp.data['registry'])
+        self.assertEqual(resp.data['registry']['username'], 'bob')
+        self.assertEqual(resp.data['registry']['password'], 's3cur3pw1')
+
+        # post a new build
+        url = "/v2/apps/{app_id}/builds".format(**locals())
+        body = {'image': 'autotest/example'}
+        response = self.client.post(url, body)
+        self.assertEqual(response.status_code, 201, response.data)
+
     def test_config_owner_is_requesting_user(self, mock_requests):
         """
         Ensure that setting the config value is owned by the requesting user
@@ -724,6 +754,6 @@ def test_healthchecks(self, mock_requests):
 
         # post a new build
         url = "/v2/apps/{app_id}/builds".format(**locals())
-        body = {'image': 'autotest/example'}
+        body = {'image': 'quay.io/autotest/example'}
         response = self.client.post(url, body)
         self.assertEqual(response.status_code, 201, response.data)