support image registries with authentication

Based on spec in openstack-helm repo, support-OCI-image-registry-with-authentication-turned-on.rst Each Helm chart can configure an OCI image registry and credentials to use. A Kubernetes secret is then created with these info. Service Accounts then specify an imagePullSecret specifying the Secret with creds for the registry. Then any pod using one of these ServiceAccounts may pull images from an authenticated container registry. Change-Id: Iebda4c7a861aa13db921328776b20c14ba346269
2022-06-29 10:48:52 -04:00 · 2022-06-29 10:48:52 -04:00 · f31cfb2ef9
parent 381d066f01
commit f31cfb2ef9
189 changed files with 1856 additions and 47 deletions
--- a/calico/Chart.yaml
+++ b/calico/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v3.4.0
 description: OpenStack-Helm Calico
 name: calico
-version: 0.1.4
+version: 0.1.5
 home: https://github.com/projectcalico/calico
 icon: https://camo.githubusercontent.com/64c8b5ed6ac97553ae367348e8a59a24e2ed5bdc/687474703a2f2f646f63732e70726f6a65637463616c69636f2e6f72672f696d616765732f66656c69782e706e67
 sources:
--- a/calico/templates/secret-registry.yaml
+++ b/calico/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/calico/values.yaml
+++ b/calico/values.yaml
@ -166,6 +166,10 @@ dependencies:
        - endpoint: internal
          service: local_image_registry

+secrets:
+  oci_image_registry:
+    calico: calico-oci-image-registry
+
 endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
@ -180,6 +184,21 @@ endpoints:
    port:
      registry:
        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      calico:
+        username: calico
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
  etcd:
    auth:
      client:
@ -572,4 +591,5 @@ manifests:
  job_calico_settings: true
  service_calico_etcd: true
  secret_certificates: true
+  secret_registry: true
 ...
--- a/ceph-client/Chart.yaml
+++ b/ceph-client/Chart.yaml
@ -15,6 +15,6 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Ceph Client
 name: ceph-client
-version: 0.1.36
+version: 0.1.37
 home: https://github.com/ceph/ceph-client
 ...
--- a/ceph-client/templates/secret-registry.yaml
+++ b/ceph-client/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/ceph-client/values.yaml
+++ b/ceph-client/values.yaml
@ -188,6 +188,8 @@ secrets:
    rgw: ceph-bootstrap-rgw-keyring
    mgr: ceph-bootstrap-mgr-keyring
    admin: ceph-client-admin-keyring
+  oci_image_registry:
+    ceph-client: ceph-client-oci-image-registry

 network:
  public: 192.168.0.0/16
@ -517,6 +519,21 @@ endpoints:
    port:
      registry:
        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      ceph-client:
+        username: ceph-client
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
  ceph_mon:
    namespace: null
    hosts:
@ -564,4 +581,5 @@ manifests:
  helm_tests: true
  cronjob_checkPGs: true
  cronjob_defragosds: true
+  secret_registry: true
 ...
--- a/ceph-mon/Chart.yaml
+++ b/ceph-mon/Chart.yaml
@ -15,6 +15,6 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Ceph Mon
 name: ceph-mon
-version: 0.1.25
+version: 0.1.26
 home: https://github.com/ceph/ceph
 ...
--- a/ceph-mon/templates/secret-registry.yaml
+++ b/ceph-mon/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/ceph-mon/values.yaml
+++ b/ceph-mon/values.yaml
@ -215,6 +215,8 @@ secrets:
    osd: ceph-bootstrap-osd-keyring
    mgr: ceph-bootstrap-mgr-keyring
    admin: ceph-client-admin-keyring
+  oci_image_registry:
+    ceph-mon: ceph-mon-oci-image-registry-key

 network:
  public: 192.168.0.0/16
@ -424,6 +426,21 @@ endpoints:
    port:
      registry:
        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      ceph-mon:
+        username: ceph-mon
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
  ceph_mon:
    namespace: null
    hosts:
@ -473,4 +490,5 @@ manifests:
  service_mgr: true
  service_mon_discovery: true
  job_storage_admin_keys: true
+  secret_registry: true
 ...
--- a/ceph-osd/Chart.yaml
+++ b/ceph-osd/Chart.yaml
@ -15,6 +15,6 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Ceph OSD
 name: ceph-osd
-version: 0.1.41
+version: 0.1.42
 home: https://github.com/ceph/ceph
 ...
--- a/ceph-osd/templates/secret-registry.yaml
+++ b/ceph-osd/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/ceph-osd/values.yaml
+++ b/ceph-osd/values.yaml
@ -142,6 +142,8 @@ secrets:
  keyrings:
    osd: ceph-bootstrap-osd-keyring
    admin: ceph-client-admin-keyring
+  oci_image_registry:
+    ceph-osd: ceph-osh-oci-image-registry-key

 network:
  public: 192.168.0.0/16
@ -373,6 +375,21 @@ endpoints:
    port:
      registry:
        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      ceph-osd:
+        username: ceph-osd
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
  ceph_mon:
    namespace: null
    hosts:
@ -395,4 +412,5 @@ manifests:
  job_post_apply: true
  job_image_repo_sync: true
  helm_tests: true
+  secret_registry: true
 ...
--- a/ceph-provisioners/Chart.yaml
+++ b/ceph-provisioners/Chart.yaml
@ -15,6 +15,6 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Ceph Provisioner
 name: ceph-provisioners
-version: 0.1.20
+version: 0.1.21
 home: https://github.com/ceph/ceph
 ...
--- a/ceph-provisioners/templates/secret-registry.yaml
+++ b/ceph-provisioners/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/ceph-provisioners/values.yaml
+++ b/ceph-provisioners/values.yaml
@ -277,6 +277,8 @@ secrets:
  keyrings:
    admin: ceph-client-admin-keyring
    prov_adminSecretName: pvc-ceph-conf-combined-storageclass
+  oci_image_registry:
+    ceph-provisioners: ceph-provisioners-oci-image-registry-key

 network:
  public: 192.168.0.0/16
@ -431,6 +433,21 @@ endpoints:
    port:
      registry:
        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      ceph-provisioners:
+        username: ceph-provisioners
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
  ceph_mon:
    namespace: null
    hosts:
@ -462,4 +479,5 @@ manifests:
  job_namespace_client_ceph_config: true
  storageclass: true
  helm_tests: true
+  secret_registry: true
 ...
--- a/ceph-rgw/Chart.yaml
+++ b/ceph-rgw/Chart.yaml
@ -15,6 +15,6 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Ceph RadosGW
 name: ceph-rgw
-version: 0.1.22
+version: 0.1.23
 home: https://github.com/ceph/ceph
 ...
--- a/ceph-rgw/templates/secret-registry.yaml
+++ b/ceph-rgw/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/ceph-rgw/values.yaml
+++ b/ceph-rgw/values.yaml
@ -259,6 +259,8 @@ secrets:
    admin: ceph-keystone-admin
    swift: ceph-keystone-user
    user_rgw: ceph-keystone-user-rgw
+  oci_image_registry:
+    ceph-rgw: ceph-rgw-oci-image-registry-key
  rgw_s3:
    admin: radosgw-s3-admin-creds
  tls:
@ -548,6 +550,21 @@ endpoints:
    port:
      registry:
        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      ceph-rgw:
+        username: ceph-rgw
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
  identity:
    name: keystone
    namespace: null
@ -682,6 +699,7 @@ manifests:
  secret_keystone_rgw: true
  secret_ingress_tls: true
  secret_keystone: true
+  secret_registry: true
  service_ingress_rgw: true
  service_rgw: true
  helm_tests: true
--- a/cert-rotation/Chart.yaml
+++ b/cert-rotation/Chart.yaml
@ -16,5 +16,5 @@ appVersion: "1.0"
 description: Rotate the certificates generated by cert-manager
 home: https://cert-manager.io/
 name: cert-rotation
-version: 0.1.5
+version: 0.1.6
 ...
--- a/cert-rotation/templates/secret-registry.yaml
+++ b/cert-rotation/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/cert-rotation/values.yaml
+++ b/cert-rotation/values.yaml
@ -54,8 +54,29 @@ pod:
 dependencies:
  static:
    cert_rotate: null
+secrets:
+  oci_image_registry:
+    cert-rotation: cert-rotation-oci-image-registry-key
+endpoints:
+  cluster_domain_suffix: cluster.local
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      cert-rotation:
+        username: cert-rotation
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
 manifests:
  configmap_bin: true
  cron_job_cert_rotate: false
  job_cert_rotate: false
+  secret_registry: true
 ...
--- a/daemonjob-controller/Chart.yaml
+++ b/daemonjob-controller/Chart.yaml
@ -15,6 +15,6 @@ apiVersion: v1
 appVersion: v1.0.0
 description: A Helm chart for DaemonjobController
 name: daemonjob-controller
-version: 0.1.5
+version: 0.1.6
 home: https://opendev.org/openstack
 ...
--- a/daemonjob-controller/templates/secret-registry.yaml
+++ b/daemonjob-controller/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/daemonjob-controller/values.yaml
+++ b/daemonjob-controller/values.yaml
@ -67,6 +67,9 @@ pod:
        controller:
          runAsUser: 0
          readOnlyRootFilesystem: true
+secrets:
+  oci_image_registry:
+    daemonjob-controller: daemonjob-controller-oci-image-registry-key
 endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
@ -81,6 +84,21 @@ endpoints:
    port:
      registry:
        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      daemonjob-controller:
+        username: daemonjob-controller
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
  daemonjob_controller:
    hosts:
      default: daemonjob-controller
@ -112,5 +130,6 @@ manifests:
  crds_create: true
  job_image_repo_sync: true
  configmap_bin: true
+  secret_registry: true
  service: true
 ...
--- a/elastic-apm-server/Chart.yaml
+++ b/elastic-apm-server/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v6.2.3
 description: OpenStack-Helm Elastic APM Server
 name: elastic-apm-server
-version: 0.1.3
+version: 0.1.4
 home: https://www.elastic.co/guide/en/apm/get-started/current/index.html
 sources:
  - https://github.com/elastic/apm-server
--- a/elastic-apm-server/templates/secret-registry.yaml
+++ b/elastic-apm-server/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/elastic-apm-server/values.yaml
+++ b/elastic-apm-server/values.yaml
@ -40,6 +40,8 @@ images:
 secrets:
  elasticsearch:
    user: elastic-apm-server-elasticsearch-user
+  oci_image_registry:
+    elastic-apm-server: elastic-apm-server-oci-image-registry

 dependencies:
  dynamic:
@ -84,6 +86,21 @@ endpoints:
    port:
      registry:
        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      elastic-apm-server:
+        username: elastic-apm-server
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
  elasticsearch:
    namespace: null
    name: elasticsearch
@ -163,4 +180,5 @@ manifests:
  service: true
  job_image_repo_sync: true
  secret_elasticsearch: true
+  secret_registry: true
 ...
--- a/elastic-filebeat/Chart.yaml
+++ b/elastic-filebeat/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v7.1.0
 description: OpenStack-Helm Elastic Filebeat
 name: elastic-filebeat
-version: 0.1.3
+version: 0.1.4
 home: https://www.elastic.co/products/beats/filebeat
 sources:
  - https://github.com/elastic/beats/tree/master/filebeat
--- a/elastic-filebeat/templates/secret-registry.yaml
+++ b/elastic-filebeat/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/elastic-filebeat/values.yaml
+++ b/elastic-filebeat/values.yaml
@ -40,6 +40,8 @@ images:
 secrets:
  elasticsearch:
    user: filebeat-elasticsearch-user
+  oci_image_registry:
+    elastic-filebeat: elastic-filebeat-oci-image-registry-key

 dependencies:
  dynamic:
@ -167,6 +169,21 @@ endpoints:
    port:
      registry:
        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      elastic-filebeat:
+        username: elastic-filebeat
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
  elasticsearch:
    namespace: null
    name: elasticsearch
@ -264,4 +281,5 @@ manifests:
  daemonset: true
  job_image_repo_sync: true
  secret_elasticsearch: true
+  secret_registry: true
 ...
--- a/elastic-metricbeat/Chart.yaml
+++ b/elastic-metricbeat/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v7.1.0
 description: OpenStack-Helm Elastic Metricbeat
 name: elastic-metricbeat
-version: 0.1.4
+version: 0.1.5
 home: https://www.elastic.co/products/beats/metricbeat
 sources:
  - https://github.com/elastic/beats/tree/master/metricbeat
--- a/elastic-metricbeat/templates/secret-registry.yaml
+++ b/elastic-metricbeat/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/elastic-metricbeat/values.yaml
+++ b/elastic-metricbeat/values.yaml
@ -40,6 +40,8 @@ images:
 secrets:
  elasticsearch:
    user: metricbeat-elasticsearch-user
+  oci_image_registry:
+    elastic-metricbeat: elastic-metricbeat-oci-image-registry-key

 dependencies:
  dynamic:
@ -163,6 +165,21 @@ endpoints:
    port:
      registry:
        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      elastic-metricbeat:
+        username: elastic-metricbeat
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
  kube_state_metrics:
    namespace: null
    hosts:
@ -263,4 +280,5 @@ manifests:
  deployment: true
  job_image_repo_sync: true
  secret_elasticsearch: true
+  secret_registry: true
 ...
--- a/elastic-packetbeat/Chart.yaml
+++ b/elastic-packetbeat/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v7.1.0
 description: OpenStack-Helm Elastic Packetbeat
 name: elastic-packetbeat
-version: 0.1.3
+version: 0.1.4
 home: https://www.elastic.co/products/beats/packetbeat
 sources:
  - https://github.com/elastic/beats/tree/master/packetbeat
--- a/elastic-packetbeat/templates/secret-registry.yaml
+++ b/elastic-packetbeat/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/elastic-packetbeat/values.yaml
+++ b/elastic-packetbeat/values.yaml
@ -40,6 +40,8 @@ images:
 secrets:
  elasticsearch:
    user: packetbeat-elasticsearch-user
+  oci_image_registry:
+    elastic-packetbeat: elastic-packetbeat-oci-image-registry-key

 dependencies:
  dynamic:
@ -106,6 +108,21 @@ endpoints:
    port:
      registry:
        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      elastic-packetbeat:
+        username: elastic-packetbeat
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
  elasticsearch:
    name: elasticsearch
    namespace: null
@ -182,4 +199,5 @@ manifests:
  daemonset: true
  job_image_repo_sync: true
  secret_elasticsearch: true
+  secret_registry: true
 ...
--- a/elasticsearch/Chart.yaml
+++ b/elasticsearch/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v7.6.2
 description: OpenStack-Helm ElasticSearch
 name: elasticsearch
-version: 0.2.20
+version: 0.2.21
 home: https://www.elastic.co/
 sources:
  - https://github.com/elastic/elasticsearch
--- a/elasticsearch/templates/secret-registry.yaml
+++ b/elasticsearch/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/elasticsearch/values.yaml
+++ b/elasticsearch/values.yaml
@ -422,6 +422,8 @@ secrets:
    elasticsearch: elasticsearch-s3-user-creds
  elasticsearch:
    user: elasticsearch-user-secrets
+  oci_image_registry:
+    elasticsearch: elasticsearch-oci-image-registry-key
  tls:
    elasticsearch:
      elasticsearch:
@ -775,6 +777,21 @@ endpoints:
    port:
      registry:
        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      elasticsearch:
+        username: elasticsearch
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
  elasticsearch:
    name: elasticsearch
    namespace: null
@ -960,6 +977,7 @@ manifests:
      service_exporter: true
  network_policy: false
  secret_ingress_tls: true
+  secret_registry: true
  service_data: true
  service_discovery: true
  service_ingress: true
--- a/etcd/Chart.yaml
+++ b/etcd/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v3.4.3
 description: OpenStack-Helm etcd
 name: etcd
-version: 0.1.4
+version: 0.1.5
 home: https://coreos.com/etcd/
 icon: https://raw.githubusercontent.com/CloudCoreo/etcd-cluster/master/images/icon.png
 sources:
--- a/etcd/templates/secret-registry.yaml
+++ b/etcd/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/etcd/values.yaml
+++ b/etcd/values.yaml
@ -92,6 +92,10 @@ pod:
          memory: "1024Mi"
          cpu: "2000m"

+secrets:
+  oci_image_registry:
+    etcd: etcd-oci-image-registry-key
+
 endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
@ -106,6 +110,21 @@ endpoints:
    port:
      registry:
        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      etcd:
+        username: etcd
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
  etcd:
    name: etcd
    hosts:
@ -124,5 +143,6 @@ manifests:
  configmap_bin: true
  deployment: true
  job_image_repo_sync: true
+  secret_registry: true
  service: true
 ...
--- a/falco/Chart.yaml
+++ b/falco/Chart.yaml
@ -13,7 +13,7 @@
 ---
 apiVersion: v1
 name: falco
-version: 0.1.6
+version: 0.1.7
 appVersion: 0.11.1
 description: Sysdig Falco
 keywords:
--- a/falco/templates/secret-registry.yaml
+++ b/falco/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/falco/values.yaml
+++ b/falco/values.yaml
@ -23,6 +23,27 @@ images:
      - dep_check
      - image_repo_sync

+secrets:
+  oci_image_registry:
+    falco: falco-oci-image-registry-key
+
+endpoints:
+  cluster_domain_suffix: cluster.local
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      falco:
+        username: falco
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null

 pod:
  resources:
@ -1361,4 +1382,5 @@ manifests:
  configmap_etc: true
  configmap_custom_rules: false
  configmap_bin: true
+  secret_registry: true
 ...
--- a/flannel/Chart.yaml
+++ b/flannel/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v0.8.0
 description: OpenStack-Helm BootStrap Flannel
 name: flannel
-version: 0.1.3
+version: 0.1.4
 home: https://github.com/coreos/flannel
 icon: https://raw.githubusercontent.com/coreos/flannel/master/logos/flannel-horizontal-color.png
 sources:
--- a/flannel/templates/secret-registry.yaml
+++ b/flannel/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/flannel/values.yaml
+++ b/flannel/values.yaml
@ -63,6 +63,10 @@ dependencies:
        - endpoint: internal
          service: local_image_registry

+secrets:
+  oci_image_registry:
+    flannel: flannel-oci-image-registry-key
+
 endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
@ -77,10 +81,26 @@ endpoints:
    port:
      registry:
        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      flannel:
+        username: flannel
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null

 manifests:
  configmap_bin: true
  configmap_kube_flannel_cfg: true
  daemonset_kube_flannel_ds: true
  job_image_repo_sync: true
+  secret_registry: true
 ...
--- a/fluentbit/Chart.yaml
+++ b/fluentbit/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v0.14.2
 description: OpenStack-Helm Fluentbit
 name: fluentbit
-version: 0.1.3
+version: 0.1.4
 home: https://www.fluentbit.io/
 sources:
  - https://github.com/fluent/fluentbit
--- a/fluentbit/templates/secret-registry.yaml
+++ b/fluentbit/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/fluentbit/values.yaml
+++ b/fluentbit/values.yaml
@ -173,6 +173,10 @@ conf:
        Time_Keep true
        Time_Key time

+secrets:
+  oci_image_registry:
+    fluentbit: fluentbit-oci-image-registry-key
+
 endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
@ -187,6 +191,21 @@ endpoints:
    port:
      registry:
        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      fluentbit:
+        username: fluentbit
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
  fluentd:
    namespace: null
    name: fluentd
@ -254,4 +273,5 @@ manifests:
  configmap_etc: true
  daemonset_fluentbit: true
  job_image_repo_sync: true
+  secret_registry: true
 ...
--- a/fluentd/Chart.yaml
+++ b/fluentd/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v1.10.1
 description: OpenStack-Helm Fluentd
 name: fluentd
-version: 0.1.7
+version: 0.1.8
 home: https://www.fluentd.org/
 sources:
  - https://github.com/fluent/fluentd
--- a/fluentd/templates/secret-registry.yaml
+++ b/fluentd/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/fluentd/values.yaml
+++ b/fluentd/values.yaml
@ -99,6 +99,11 @@ conf:
            user "#{ENV['ELASTICSEARCH_USERNAME']}"
          </match>
        </label>
+
+secrets:
+  oci_image_registry:
+    fluentd: fluentd-oci-image-registry-key
+
 endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
@ -113,6 +118,21 @@ endpoints:
    port:
      registry:
        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      fluentd:
+        username: fluentd
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
  elasticsearch:
    namespace: null
    name: elasticsearch
@ -255,5 +275,6 @@ manifests:
  secret_elasticsearch: true
  secret_fluentd_env: true
  secret_kafka: false
+  secret_registry: true
  service_fluentd: true
 ...
--- a/grafana/Chart.yaml
+++ b/grafana/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v7.4.5
 description: OpenStack-Helm Grafana
 name: grafana
-version: 0.1.14
+version: 0.1.15
 home: https://grafana.com/
 sources:
  - https://github.com/grafana/grafana
--- a/grafana/templates/secret-registry.yaml
+++ b/grafana/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/grafana/values.yaml
+++ b/grafana/values.yaml
@ -196,6 +196,21 @@ endpoints:
    port:
      registry:
        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      grafana:
+        username: grafana
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
  oslo_db:
    namespace: null
    auth:
@ -370,6 +385,8 @@ network_policy:
      - {}

 secrets:
+  oci_image_registry:
+    grafana: grafana-oci-image-registry-key
  oslo_db:
    admin: grafana-db-admin
    user: grafana-db-user
@ -403,6 +420,7 @@ manifests:
  secret_admin_creds: true
  secret_ingress_tls: true
  secret_prom_creds: true
+  secret_registry: true
  service: true
  service_ingress: true

--- a/helm-toolkit/Chart.yaml
+++ b/helm-toolkit/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Helm-Toolkit
 name: helm-toolkit
-version: 0.2.43
+version: 0.2.44
 home: https://docs.openstack.org/openstack-helm
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
 sources:
--- a/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
+++ b/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a authenticating a registry with a secret
+examples:
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_registry" }}
+{{- $envAll := index . "envAll" }}
+{{- $registryUser := index . "registryUser" }}
+{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
+{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{/*
+We only use "host:port" when port is non-null, else just use "host"
+*/}}
+{{- $registryPort := "" }}
+{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
+{{- if $port }}
+{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $registryPort = printf ":%s" $port }}
+{{- end }}
+{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
+{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
+{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ $dockerAuth }}
+{{- end -}}
--- a/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
+++ b/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@ -42,6 +42,12 @@ kind: ServiceAccount
 metadata:
  name: {{ $saName }}
  namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+  - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
 {{- range $k, $v := $deps -}}
 {{- if eq $k "services" }}
 {{- range $serv := $v }}
--- a/ingress/Chart.yaml
+++ b/ingress/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v0.42.0
 description: OpenStack-Helm Ingress Controller
 name: ingress
-version: 0.2.8
+version: 0.2.9
 home: https://github.com/kubernetes/ingress
 sources:
  - https://github.com/kubernetes/ingress
--- a/ingress/templates/secret-registry.yaml
+++ b/ingress/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/ingress/values.yaml
+++ b/ingress/values.yaml
@ -204,6 +204,21 @@ endpoints:
    port:
      registry:
        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      ingress:
+        username: ingress
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
  ingress:
    hosts:
      default: ingress
@ -270,6 +285,8 @@ network_policy:
      - {}

 secrets:
+  oci_image_registry:
+    ingress: ingress-oci-image-registry-key
  tls:
    ingress:
      api:
@ -333,4 +350,5 @@ manifests:
    prometheus:
      service_exporter: true
  network_policy: false
+  secret_registry: true
 ...
--- a/kibana/Chart.yaml
+++ b/kibana/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v7.1.0
 description: OpenStack-Helm Kibana
 name: kibana
-version: 0.1.10
+version: 0.1.11
 home: https://www.elastic.co/products/kibana
 sources:
  - https://github.com/elastic/kibana
--- a/kibana/templates/secret-registry.yaml
+++ b/kibana/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/kibana/values.yaml
+++ b/kibana/values.yaml
@ -140,6 +140,8 @@ network_policy:
 secrets:
  elasticsearch:
    user: kibana-elasticsearch-user
+  oci_image_registry:
+    kibana: kibana-oci-image-registry-key
  tls:
    kibana:
      kibana:
@ -330,6 +332,21 @@ endpoints:
    port:
      registry:
        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      kibana:
+        username: kibana
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
  elasticsearch:
    name: elasticsearch
    namespace: null
@ -421,6 +438,7 @@ manifests:
  network_policy: false
  secret_elasticsearch: true
  secret_ingress_tls: true
+  secret_registry: true
  service: true
  service_ingress: true
  job_register_kibana_indexes: true
--- a/kube-dns/Chart.yaml
+++ b/kube-dns/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v1.14.5
 description: OpenStack-Helm Kube-DNS
 name: kube-dns
-version: 0.1.4
+version: 0.1.5
 home: https://github.com/coreos/flannel
 icon: https://raw.githubusercontent.com/coreos/flannel/master/logos/flannel-horizontal-color.png
 sources:
--- a/kube-dns/templates/secret-registry.yaml
+++ b/kube-dns/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/kube-dns/templates/serviceaccount-kube-dns.yaml
+++ b/kube-dns/templates/serviceaccount-kube-dns.yaml
@ -22,4 +22,10 @@ metadata:
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+  - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
 {{- end }}
--- a/kube-dns/values.yaml
+++ b/kube-dns/values.yaml
@ -66,6 +66,10 @@ dependencies:
    kube_dns:
      services: null

+secrets:
+  oci_image_registry:
+    kube-dns: kube-dns-oci-image-registry-key
+
 endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
@ -80,12 +84,28 @@ endpoints:
    port:
      registry:
        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      kube-dns:
+        username: kube-dns
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null

 manifests:
  configmap_bin: true
  configmap_kube_dns: true
  deployment_kube_dns: true
  job_image_repo_sync: true
+  secret_registry: true
  service_kube_dns: true
  serviceaccount_kube_dns: true
 ...
--- a/kubernetes-keystone-webhook/Chart.yaml
+++ b/kubernetes-keystone-webhook/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v0.2.0
 description: OpenStack-Helm Kubernetes keystone webhook
 name: kubernetes-keystone-webhook
-version: 0.1.6
+version: 0.1.7
 home: https://github.com/kubernetes/cloud-provider-openstack
 sources:
  - https://opendev.org/openstack/openstack-helm-infra
--- a/kubernetes-keystone-webhook/templates/secret-registry.yaml
+++ b/kubernetes-keystone-webhook/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/kubernetes-keystone-webhook/values.yaml
+++ b/kubernetes-keystone-webhook/values.yaml
@ -478,9 +478,26 @@ secrets:
    admin: kubernetes-keystone-webhook-admin
  certificates:
    api: kubernetes-keystone-webhook-certs
+  oci_image_registry:
+    kubernetes-keystone-webhook: kubernetes-keystone-webhook-oci-image-registry-key

 endpoints:
  cluster_domain_suffix: cluster.local
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      kubernetes-keystone-webhook:
+        username: kubernetes-keystone-webhook
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
  kubernetes:
    auth:
      api:
@ -552,6 +569,7 @@ manifests:
  pod_test: true
  secret_certificates: true
  secret_keystone: true
+  secret_registry: true
  service_ingress_api: true
  service: true
 ...
--- a/kubernetes-node-problem-detector/Chart.yaml
+++ b/kubernetes-node-problem-detector/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Kubernetes Node Problem Detector
 name: kubernetes-node-problem-detector
-version: 0.1.6
+version: 0.1.7
 home: https://github.com/kubernetes/node-problem-detector
 sources:
  - https://github.com/kubernetes/node-problem-detector
--- a/kubernetes-node-problem-detector/templates/secret-registry.yaml
+++ b/kubernetes-node-problem-detector/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/kubernetes-node-problem-detector/values.yaml
+++ b/kubernetes-node-problem-detector/values.yaml
@ -35,6 +35,10 @@ labels:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled

+secrets:
+  oci_image_registry:
+    kubernetes-node-problem-detector: kubernetes-node-problem-detector-oci-image-registry-key
+
 pod:
  security_context:
    node_problem_detector:
@ -135,6 +139,21 @@ endpoints:
    port:
      registry:
        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      kubernetes-node-problem-detector:
+        username: kubernetes-node-problem-detector
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
  node_problem_detector:
    name: node-problem-detector
    namespace: null
@ -153,6 +172,7 @@ manifests:
  configmap_etc: true
  daemonset: true
  job_image_repo_sync: true
+  secret_registry: true
  service: false

 conf:
--- a/ldap/Chart.yaml
+++ b/ldap/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v1.2.0
 description: OpenStack-Helm LDAP
 name: ldap
-version: 0.1.3
+version: 0.1.4
 home: https://www.openldap.org/
 maintainers:
  - name: OpenStack-Helm Authors
--- a/ldap/templates/secret-registry.yaml
+++ b/ldap/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/ldap/values.yaml
+++ b/ldap/values.yaml
@ -137,6 +137,21 @@ endpoints:
    port:
      registry:
        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      ldap:
+        username: ldap
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
  ldap:
    hosts:
      default: ldap
@ -230,6 +245,8 @@ secrets:
  identity:
    admin: admin
    ldap: ldap
+  oci_image_registry:
+    ldap: ldap-oci-image-registry-key

 openldap:
  domain: cluster.local
@ -241,6 +258,7 @@ manifests:
  job_bootstrap: true
  job_image_repo_sync: true
  network_policy: false
+  secret_registry: true
  statefulset: true
  service: true
 ...
--- a/libvirt/Chart.yaml
+++ b/libvirt/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm libvirt
 name: libvirt
-version: 0.1.12
+version: 0.1.13
 home: https://libvirt.org
 sources:
  - https://libvirt.org/git/?p=libvirt.git;a=summary
--- a/libvirt/templates/secret-registry.yaml
+++ b/libvirt/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/libvirt/values.yaml
+++ b/libvirt/values.yaml
@ -58,6 +58,21 @@ endpoints:
    port:
      registry:
        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      libvirt:
+        username: libvirt
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
  libvirt_exporter:
    port:
      metrics:
@ -237,8 +252,11 @@ manifests:
  daemonset_libvirt: true
  job_image_repo_sync: true
  network_policy: false
+  secret_registry: true

 secrets:
+  oci_image_registry:
+    libvirt: libvirt-oci-image-registry-key
  tls:
    server: libvirt-tls-server
    client: libvirt-tls-client
--- a/mariadb/Chart.yaml
+++ b/mariadb/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v10.2.31
 description: OpenStack-Helm MariaDB
 name: mariadb
-version: 0.2.25
+version: 0.2.26
 home: https://mariadb.com/kb/en/
 icon: http://badges.mariadb.org/mariadb-badge-180x60.png
 sources:
--- a/mariadb/templates/secret-registry.yaml
+++ b/mariadb/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/mariadb/values.yaml
+++ b/mariadb/values.yaml
@ -496,6 +496,8 @@ secrets:
    mariadb: mariadb-backup-user
  mariadb:
    backup_restore: mariadb-backup-restore
+  oci_image_registry:
+    mariadb: mariadb-oci-image-registry-key
  tls:
    oslo_db:
      server:
@ -519,6 +521,21 @@ endpoints:
    port:
      registry:
        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      mariadb:
+        username: mariadb
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
  monitoring:
    name: prometheus
    namespace: null
@ -677,6 +694,7 @@ manifests:
  secret_dbaudit_password: true
  secret_backup_restore: false
  secret_etc: true
+  secret_registry: true
  service_discovery: true
  service_ingress: true
  service_error: true
--- a/memcached/Chart.yaml
+++ b/memcached/Chart.yaml
@ -15,6 +15,6 @@ apiVersion: v1
 appVersion: v1.5.5
 description: OpenStack-Helm Memcached
 name: memcached
-version: 0.1.11
+version: 0.1.12
 home: https://github.com/memcached/memcached
 ...
--- a/memcached/templates/secret-registry.yaml
+++ b/memcached/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/memcached/values.yaml
+++ b/memcached/values.yaml
@ -42,6 +42,10 @@ dependencies:
        - endpoint: internal
          service: local_image_registry

+secrets:
+  oci_image_registry:
+    memcached: memcached-oci-image-registry-key
+
 endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
@ -56,6 +60,21 @@ endpoints:
    port:
      registry:
        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      memcached:
+        username: memcached
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
  oslo_cache:
    namespace: null
    host_fqdn_override:
@ -121,6 +140,7 @@ manifests:
  job_image_repo_sync: true
  network_policy: false
  service: true
+  secret_registry: true

 pod:
  security_context:
--- a/metacontroller/Chart.yaml
+++ b/metacontroller/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v0.4.2
 description: A Helm chart for Metacontroller
 name: metacontroller
-version: 0.1.5
+version: 0.1.6
 home: https://metacontroller.app/
 keywords:
  - CRDs
--- a/metacontroller/templates/secret-registry.yaml
+++ b/metacontroller/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/metacontroller/values.yaml
+++ b/metacontroller/values.yaml
@ -81,6 +81,10 @@ pod:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false

+secrets:
+  oci_image_registry:
+    metacontroller: metacontroller-oci-image-registry-key
+
 endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
@ -95,6 +99,21 @@ endpoints:
    port:
      registry:
        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      metacontroller:
+        username: metacontroller
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
  metacontroller:
    hosts:
      default: metacontroller
@ -105,6 +124,7 @@ endpoints:
        default: 8083

 manifests:
+  secret_registry: true
  service: true
  statefulset: true
  job_image_repo_sync: true
--- a/mongodb/Chart.yaml
+++ b/mongodb/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v3.4.9
 description: OpenStack-Helm MongoDB
 name: mongodb
-version: 0.1.3
+version: 0.1.4
 home: https://www.mongodb.com
 sources:
  - https://github.com/mongodb/mongo
--- a/mongodb/templates/secret-registry.yaml
+++ b/mongodb/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/mongodb/values.yaml
+++ b/mongodb/values.yaml
@ -74,6 +74,10 @@ labels:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled

+secrets:
+  oci_image_registry:
+    mongodb: mongodb-oci-image-registry-key
+
 endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
@ -88,6 +92,21 @@ endpoints:
    port:
      registry:
        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      mongodb:
+        username: mongodb
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
  mongodb:
    auth:
      admin:
@ -124,6 +143,7 @@ manifests:
  configmap_bin: true
  job_image_repo_sync: true
  secret_db_root_creds: true
+  secret_registry: true
  service: true
  statefulset: true
 ...
--- a/nagios/Chart.yaml
+++ b/nagios/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Nagios
 name: nagios
-version: 0.1.5
+version: 0.1.6
 home: https://www.nagios.org
 sources:
  - https://opendev.org/openstack/openstack-helm-addons
--- a/nagios/templates/secret-registry.yaml
+++ b/nagios/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/nagios/values.yaml
+++ b/nagios/values.yaml
@ -63,6 +63,8 @@ dependencies:
 secrets:
  nagios:
    admin: nagios-admin-creds
+  oci_image_registry:
+    nagios: nagios-oci-image-registry-key
  tls:
    nagios:
      nagios:
@ -82,6 +84,21 @@ endpoints:
    port:
      registry:
        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      nagios:
+        username: nagios
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
  monitoring:
    name: prometheus
    auth:
@ -295,6 +312,7 @@ manifests:
  pod_helm_test: true
  secret_nagios: true
  secret_ingress_tls: true
+  secret_registry: true
  service: true
  service_ingress: true

--- a/nfs-provisioner/Chart.yaml
+++ b/nfs-provisioner/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v2.2.1
 description: OpenStack-Helm NFS
 name: nfs-provisioner
-version: 0.1.3
+version: 0.1.4
 home: https://github.com/kubernetes-incubator/external-storage
 sources:
  - https://github.com/kubernetes-incubator/external-storage
--- a/nfs-provisioner/templates/secret-registry.yaml
+++ b/nfs-provisioner/templates/secret-registry.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
--- a/nfs-provisioner/values.yaml
+++ b/nfs-provisioner/values.yaml
@ -102,6 +102,10 @@ dependencies:
    nfs:
      services: null

+secrets:
+  oci_image_registry:
+    nfs-provisioner: nfs-provisioner-oci-image-registry-key
+
 endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
@ -116,6 +120,21 @@ endpoints:
    port:
      registry:
        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      nfs-provisioner:
+        username: nfs-provisioner
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
  nfs:
    hosts:
      default: nfs-provisioner
@ -131,6 +150,7 @@ manifests:
  configmap_bin: true
  deployment: true
  job_image_repo_sync: true
+  secret_registry: true
  service: true
  storage_class: true
  volume_claim: true
--- a/Show More
+++ b/Show More