feat(chart): air-gap-friendly Odoo + Postgres image refs (B.10)

templates/odoo-deployment.yaml

@@ -28,6 +28,14 @@ spec:
         # values.yaml would leave the existing pod alone.
         odoosky.io/addons-hash: {{ .Values.addons | toJson | sha256sum | trunc 16 }}
     spec:
+      {{- with .Values.imageMirror.pullSecret }}
+      # Air-gap support (B.10): when imageMirror.pullSecret is set,
+      # K8s authenticates against the mirror with this Secret to pull
+      # the upstream Odoo image. Default empty = anonymous (Docker
+      # Hub library images need no auth).
+      imagePullSecrets:
+        - name: {{ . }}
+      {{- end }}
       # fsGroup=101 makes the kubelet recursively chown the filestore
       # PVC's root inode to gid=101 on attach. Odoo runs as uid 101
       # and writes /var/lib/odoo/sessions on first request; without
@@ -59,7 +67,7 @@ spec:
         #      and create Odoo's tables. After base is installed,
         #      `-i base` is a no-op so subsequent boots add ~5s.
         - name: db-init
-          image: "{{ .Values.odoo.image }}:{{ .Values.odoo.tag }}"
+          image: "{{ if .Values.imageMirror.registry }}{{ .Values.imageMirror.registry }}/{{ end }}{{ .Values.odoo.image }}:{{ .Values.odoo.tag }}"
           imagePullPolicy: IfNotPresent
           # Override the official Odoo entrypoint so we can run psql
           # before odoo. The image ships with postgresql-client, so
@@ -194,7 +202,7 @@ spec:
         {{- end }}
       containers:
         - name: odoo
-          image: "{{ .Values.odoo.image }}:{{ .Values.odoo.tag }}"
+          image: "{{ if .Values.imageMirror.registry }}{{ .Values.imageMirror.registry }}/{{ end }}{{ .Values.odoo.image }}:{{ .Values.odoo.tag }}"
           imagePullPolicy: IfNotPresent
           # Pin the active database to our tenant code. Without this
           # Odoo runs in multi-DB mode and exposes /web/database/manager;

templates/postgres-statefulset.yaml

@@ -28,9 +28,16 @@ spec:
         {{- include "instance.labels" . | nindent 8 }}
         odoosky.io/role: postgres
     spec:
+      {{- with .Values.imageMirror.pullSecret }}
+      # Air-gap support (B.10) — see odoo-deployment.yaml for the
+      # full rationale. Same imageMirror.pullSecret is used for the
+      # postgres image too so customers configure mirror auth once.
+      imagePullSecrets:
+        - name: {{ . }}
+      {{- end }}
       containers:
         - name: postgres
-          image: "{{ .Values.postgres.image }}:{{ .Values.postgres.tag }}"
+          image: "{{ if .Values.imageMirror.registry }}{{ .Values.imageMirror.registry }}/{{ end }}{{ .Values.postgres.image }}:{{ .Values.postgres.tag }}"
           imagePullPolicy: IfNotPresent
           ports:
             - name: pg

values.yaml

@@ -74,6 +74,26 @@ sizes:
       filestore: 50Gi
       database: 100Gi
 
+# imageMirror — air-gap support (audit B.10). When `registry` is
+# set, the chart prepends it to .Values.odoo.image AND
+# .Values.postgres.image references at template-render time. So an
+# air-gapped customer pointing at e.g. registry.example.com/dh-mirror
+# renders Odoo as registry.example.com/dh-mirror/odoo:18.0 instead
+# of Docker Hub's docker.io/library/odoo:18.0. Addon images already
+# pull from the cluster-local registry (registry.odoosky-system) by
+# Tower's image-build pipeline; this block covers the upstream Odoo
+# + Postgres images that bypass that pipeline.
+#
+# `pullSecret` names a K8s Secret in the instance namespace that
+# carries credentials for the mirror. Empty = anonymous pull (the
+# default; Docker Hub's library images don't need auth).
+#
+# Default empty = same behaviour as before this addition — Odoo +
+# Postgres images come from Docker Hub.
+imageMirror:
+  registry: ""
+  pullSecret: ""
+
 odoo:
   image: odoo
   tag: "18.0"