From 64255263142e728ecd20d249d80b0f220000f2d9 Mon Sep 17 00:00:00 2001 From: OdooSky v3 Date: Tue, 5 May 2026 17:59:17 +0200 Subject: [PATCH] feat(chart): air-gap-friendly Odoo + Postgres image refs (B.10) --- templates/odoo-deployment.yaml | 12 ++++++++++-- templates/postgres-statefulset.yaml | 9 ++++++++- values.yaml | 20 ++++++++++++++++++++ 3 files changed, 38 insertions(+), 3 deletions(-) diff --git a/templates/odoo-deployment.yaml b/templates/odoo-deployment.yaml index d653d18..9e439e8 100644 --- a/templates/odoo-deployment.yaml +++ b/templates/odoo-deployment.yaml @@ -28,6 +28,14 @@ spec: # values.yaml would leave the existing pod alone. odoosky.io/addons-hash: {{ .Values.addons | toJson | sha256sum | trunc 16 }} spec: + {{- with .Values.imageMirror.pullSecret }} + # Air-gap support (B.10): when imageMirror.pullSecret is set, + # K8s authenticates against the mirror with this Secret to pull + # the upstream Odoo image. Default empty = anonymous (Docker + # Hub library images need no auth). + imagePullSecrets: + - name: {{ . }} + {{- end }} # fsGroup=101 makes the kubelet recursively chown the filestore # PVC's root inode to gid=101 on attach. Odoo runs as uid 101 # and writes /var/lib/odoo/sessions on first request; without @@ -59,7 +67,7 @@ spec: # and create Odoo's tables. After base is installed, # `-i base` is a no-op so subsequent boots add ~5s. - name: db-init - image: "{{ .Values.odoo.image }}:{{ .Values.odoo.tag }}" + image: "{{ if .Values.imageMirror.registry }}{{ .Values.imageMirror.registry }}/{{ end }}{{ .Values.odoo.image }}:{{ .Values.odoo.tag }}" imagePullPolicy: IfNotPresent # Override the official Odoo entrypoint so we can run psql # before odoo. The image ships with postgresql-client, so @@ -194,7 +202,7 @@ spec: {{- end }} containers: - name: odoo - image: "{{ .Values.odoo.image }}:{{ .Values.odoo.tag }}" + image: "{{ if .Values.imageMirror.registry }}{{ .Values.imageMirror.registry }}/{{ end }}{{ .Values.odoo.image }}:{{ .Values.odoo.tag }}" imagePullPolicy: IfNotPresent # Pin the active database to our tenant code. Without this # Odoo runs in multi-DB mode and exposes /web/database/manager; diff --git a/templates/postgres-statefulset.yaml b/templates/postgres-statefulset.yaml index 16f6f58..072ab22 100644 --- a/templates/postgres-statefulset.yaml +++ b/templates/postgres-statefulset.yaml @@ -28,9 +28,16 @@ spec: {{- include "instance.labels" . | nindent 8 }} odoosky.io/role: postgres spec: + {{- with .Values.imageMirror.pullSecret }} + # Air-gap support (B.10) — see odoo-deployment.yaml for the + # full rationale. Same imageMirror.pullSecret is used for the + # postgres image too so customers configure mirror auth once. + imagePullSecrets: + - name: {{ . }} + {{- end }} containers: - name: postgres - image: "{{ .Values.postgres.image }}:{{ .Values.postgres.tag }}" + image: "{{ if .Values.imageMirror.registry }}{{ .Values.imageMirror.registry }}/{{ end }}{{ .Values.postgres.image }}:{{ .Values.postgres.tag }}" imagePullPolicy: IfNotPresent ports: - name: pg diff --git a/values.yaml b/values.yaml index 52eaf36..89a7d7f 100644 --- a/values.yaml +++ b/values.yaml @@ -74,6 +74,26 @@ sizes: filestore: 50Gi database: 100Gi +# imageMirror — air-gap support (audit B.10). When `registry` is +# set, the chart prepends it to .Values.odoo.image AND +# .Values.postgres.image references at template-render time. So an +# air-gapped customer pointing at e.g. registry.example.com/dh-mirror +# renders Odoo as registry.example.com/dh-mirror/odoo:18.0 instead +# of Docker Hub's docker.io/library/odoo:18.0. Addon images already +# pull from the cluster-local registry (registry.odoosky-system) by +# Tower's image-build pipeline; this block covers the upstream Odoo +# + Postgres images that bypass that pipeline. +# +# `pullSecret` names a K8s Secret in the instance namespace that +# carries credentials for the mirror. Empty = anonymous pull (the +# default; Docker Hub's library images don't need auth). +# +# Default empty = same behaviour as before this addition — Odoo + +# Postgres images come from Docker Hub. +imageMirror: + registry: "" + pullSecret: "" + odoo: image: odoo tag: "18.0"