fix: add ghcr pull secret for microservices

2026-05-05 01:52:24 +00:00
parent c62364fe67
commit 6e098383a9
4 changed files with 30 additions and 0 deletions
@@ -5,10 +5,21 @@
      - doppler_hetznerterra_service_token | length > 0
    fail_msg: doppler_hetznerterra_service_token must be provided for External Secrets bootstrap.

+- name: Ensure GHCR pull credentials are provided
+  assert:
+    that:
+      - ghcr_username | default("") | length > 0
+      - ghcr_read_token | default("") | length > 0
+    fail_msg: ghcr_username and ghcr_read_token must be provided for private MicroServices image pulls.
+
 - name: Ensure external-secrets namespace exists
  shell: kubectl create namespace external-secrets --dry-run=client -o yaml | kubectl apply -f -
  changed_when: true

+- name: Ensure microservices namespace exists
+  shell: kubectl create namespace microservices --dry-run=client -o yaml | kubectl apply -f -
+  changed_when: true
+
 - name: Apply Doppler service token secret
  shell: >-
    kubectl -n external-secrets create secret generic doppler-hetznerterra-service-token
@@ -26,6 +37,19 @@
  no_log: true
  when: doppler_openstaticfish_microservices_service_token | default("") | length > 0

+- name: Apply GHCR pull secret for private MicroServices images
+  shell: >-
+    kubectl -n microservices create secret docker-registry ghcr-pull-secret
+    --docker-server=ghcr.io
+    --docker-username='{{ ghcr_username | default("") }}'
+    --docker-password='{{ ghcr_read_token | default("") }}'
+    --dry-run=client -o yaml | kubectl apply -f -
+  changed_when: true
+  no_log: true
+  when:
+    - ghcr_username | default("") | length > 0
+    - ghcr_read_token | default("") | length > 0
+
 - name: Note pending Doppler ClusterSecretStore bootstrap
  debug:
    msg: >-