From 23336ca77f865997529401cced0db3e41b61d650 Mon Sep 17 00:00:00 2001 
From: laverya <2318911+laverya@users.noreply.github.com> Date: Mon, 11 May 2026 01:38:11 +0000 Subject: [PATCH] Create new Registry version --- addons/registry/3.1.1/Manifest | 2 + addons/registry/3.1.1/README.md | 21 ++ addons/registry/3.1.1/deployment-pvc.yaml | 112 ++++++ addons/registry/3.1.1/install.sh | 327 ++++++++++++++++++ addons/registry/3.1.1/kustomization.yaml | 3 + .../3.1.1/patch-deployment-migrate-s3.yaml | 43 +++ .../3.1.1/patch-deployment-velero.yaml | 85 +++++ addons/registry/3.1.1/service.yaml | 16 + .../registry/3.1.1/tmpl-cluster-ip-patch.yaml | 9 + .../3.1.1/tmpl-configmap-migrate-s3.yaml | 35 ++ .../registry/3.1.1/tmpl-configmap-velero.yaml | 51 +++ .../3.1.1/tmpl-deployment-objectstore.yaml | 140 ++++++++ .../registry/3.1.1/tmpl-node-port-patch.yaml | 15 + .../3.1.1/tmpl-persistentvolumeclaim.yaml | 13 + addons/registry/3.1.1/tmpl-secret.yaml | 10 + addons/registry/3.1.1/tmpl-troubleshoot.yaml | 38 ++ web/src/installers/versions.js | 1 + 17 files changed, 921 insertions(+) create mode 100644 addons/registry/3.1.1/Manifest create mode 100644 addons/registry/3.1.1/README.md create mode 100644 addons/registry/3.1.1/deployment-pvc.yaml create mode 100644 addons/registry/3.1.1/install.sh create mode 100644 addons/registry/3.1.1/kustomization.yaml create mode 100644 addons/registry/3.1.1/patch-deployment-migrate-s3.yaml create mode 100644 addons/registry/3.1.1/patch-deployment-velero.yaml create mode 100644 addons/registry/3.1.1/service.yaml create mode 100644 addons/registry/3.1.1/tmpl-cluster-ip-patch.yaml create mode 100644 addons/registry/3.1.1/tmpl-configmap-migrate-s3.yaml create mode 100644 addons/registry/3.1.1/tmpl-configmap-velero.yaml create mode 100644 addons/registry/3.1.1/tmpl-deployment-objectstore.yaml create mode 100644 addons/registry/3.1.1/tmpl-node-port-patch.yaml create mode 100644 addons/registry/3.1.1/tmpl-persistentvolumeclaim.yaml create mode 100644 addons/registry/3.1.1/tmpl-secret.yaml create mode 100644 
addons/registry/3.1.1/tmpl-troubleshoot.yaml
diff --git a/addons/registry/3.1.1/Manifest b/addons/registry/3.1.1/Manifest
new file mode 100644
index 0000000000..b8d008f800
--- /dev/null
+++ b/addons/registry/3.1.1/Manifest
@@ -0,0 +1,2 @@
+image registry registry:3.1.1
+image s3cmd kurlsh/s3cmd:20260224-0d00dd0
diff --git a/addons/registry/3.1.1/README.md b/addons/registry/3.1.1/README.md
new file mode 100644
index 0000000000..881358433e
--- /dev/null
+++ b/addons/registry/3.1.1/README.md
@@ -0,0 +1,21 @@
+
+[Docker registry](https://github.com/docker/distribution) is an OCI compatible image registry.
+This addon deploys it to the `kurl` namespace.
+
+## TLS
+
+TLS is enabled on the registry using a certificate signed by the Kubernetes cluster CA.
+The kubeadm bootstrapping process distributes the CA to every node in the cluster at filepath /etc/kubernetes/pki/ca.crt.
+The registry addon script copies that file to /etc/docker/certs.d//ca.crt, telling Docker to trust the registry certificate signed by that CA.
+The service IP is from the Service of type ClusterIP that is created along with the Deployment.
+
+## Auth
+
+All access to the registry requires authentication with [basic auth](https://docs.docker.com/registry/deploying/#native-basic-auth).
+A new user/password is generated and placed in a secret in the default namespace to be used as an imagePullSecret by Pods.
+The user has push/pull access to all repos in the registry.
+
+## Options
+
+By default it is not possible to push to the registry from remote hosts.
+Use the `registry-publish-port=` flag to configure the registry to listen on a NodePort.
diff --git a/addons/registry/3.1.1/deployment-pvc.yaml b/addons/registry/3.1.1/deployment-pvc.yaml
new file mode 100644
index 0000000000..1b1058c9d6
--- /dev/null
+++ b/addons/registry/3.1.1/deployment-pvc.yaml
@@ -0,0 +1,112 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: registry-config
+ labels:
+ app: registry
+data:
+ config.yml: |-
+ health:
+ storagedriver:
+ enabled: true
+ interval: 10s
+ threshold: 3
+ auth:
+ htpasswd:
+ realm: basic-realm
+ path: /auth/htpasswd
+ http:
+ addr: :443
+ headers:
+ X-Content-Type-Options:
+ - nosniff
+ tls:
+ certificate: /etc/pki/registry.crt
+ key: /etc/pki/registry.key
+ log:
+ fields:
+ service: registry
+ accesslog:
+ disabled: true
+ storage:
+ delete:
+ enabled: true
+ filesystem:
+ rootdirectory: /var/lib/registry
+ cache:
+ blobdescriptor: inmemory
+ maintenance:
+ uploadpurging:
+ enabled: false
+ version: 0.1
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: registry
+spec:
+ selector:
+ matchLabels:
+ app: registry
+ replicas: 1
+ strategy:
+ type:
+ Recreate
+ template:
+ metadata:
+ labels:
+ app: registry
+ spec:
+ terminationGracePeriodSeconds: 30
+ containers:
+ - name: registry
+ image: registry:3.1.1
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/registry
+ - serve
+ - /etc/docker/registry/config.yml
+ ports:
+ - containerPort: 443
+ protocol: TCP
+ volumeMounts:
+ - name: registry-data
+ mountPath: /var/lib/registry
+ - name: registry-config
+ mountPath: /etc/docker/registry
+ - name: registry-pki
+ mountPath: /etc/pki
+ - name: registry-htpasswd
+ mountPath: /auth
+ env:
+ - name: REGISTRY_HTTP_SECRET
+ valueFrom:
+ secretKeyRef:
+ key: haSharedSecret
+ name: registry-session-secret
+ - name: OTEL_TRACES_EXPORTER
+ value: "none"
+ readinessProbe:
+ failureThreshold: 3
+ initialDelaySeconds: 10
+ periodSeconds: 1
+ successThreshold: 2
+ timeoutSeconds: 1
+ httpGet:
+ path: /
+ port: 443
+ scheme: HTTPS
+ volumes:
+ - name: registry-data
+ persistentVolumeClaim:
+ claimName: registry-pvc
+ - name: registry-config
+ configMap:
+ name: registry-config
+ - name: registry-pki
+ secret:
+ secretName: registry-pki
+ - name: registry-htpasswd
+ secret:
+ secretName: registry-htpasswd
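Review bot: The registry config in the `registry-config` ConfigMap sets `accesslog: disabled: true`, so the registry keeps no per-request record of which client pushed or pulled which repository; with a single shared htpasswd user that has push access to every repo (per the README), the access log is the only trail that could attribute a push during an incident. Consider `accesslog: disabled: false` (the registry default) so the container log, and the `kurl/registry/logs` collector in tmpl-troubleshoot.yaml, capture it. The same setting is duplicated in the ConfigMap in tmpl-deployment-objectstore.yaml. The container also declares no `securityContext`; if the registry:3.1.1 image runs as root (not verifiable from this patch), `runAsNonRoot: true` and `readOnlyRootFilesystem: true` would bound what a compromise of the registry process can do, since its only writable path is the `/var/lib/registry` mount.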
diff --git a/addons/registry/3.1.1/install.sh b/addons/registry/3.1.1/install.sh
new file mode 100644
index 0000000000..5f98e8e08f
--- /dev/null
+++ b/addons/registry/3.1.1/install.sh
@@ -0,0 +1,327 @@
+# shellcheck disable=SC2148
+function registry() {
+
+ registry_install
+
+ kubectl apply -k "$DIR/kustomize/registry"
+
+ if registry_is_pvc_migrating; then
+ logWarn "Registry will migrate from object store to pvc"
+ try_5m registry_pvc_migrated
+ logSuccess "Registry migration complete"
+ fi
+
+ logSubstep "Configuring Registry"
+ registry_cred_secrets
+ registry_pki_secret "$DOCKER_REGISTRY_IP"
+ registry_docker_ca
+ logSuccess "Registry configured successfully"
+
+ registry_healthy
+}
+
+function registry_install() {
+ logSubstep "Installing Registry"
+ regsitry_init_service # need this again because kustomize folder is cleaned before install
+ registry_session_secret
+
+ # Only create registry deployment with object store if rook or minio exists IN THE INSTALLER SPEC and the registry pvc
+ # doesn't already exist.
+ log "Checking if PVC and Object Store exists"
+ if ! registry_pvc_exists && object_store_exists; then
+ log "PVC and Object Store were found. Creating Registry Deployment with Object Store data"
+ registry_object_store_bucket
+ # shellcheck disable=SC2034 # used in the deployment template
+ objectStoreIP=$($DIR/bin/kurl format-address $OBJECT_STORE_CLUSTER_IP)
+ objectStoreHostname=$(echo $OBJECT_STORE_CLUSTER_HOST | sed 's/http:\/\///')
+ log "Object Store IP: $objectStoreIP"
+ log "Object Store Hostname: $objectStoreHostname"
+ render_yaml_file "$DIR/addons/registry/3.1.1/tmpl-deployment-objectstore.yaml" > "$DIR/kustomize/registry/deployment-objectstore.yaml"
+ insert_resources "$DIR/kustomize/registry/kustomization.yaml" deployment-objectstore.yaml
+
+ cp "$DIR/addons/registry/3.1.1/patch-deployment-velero.yaml" "$DIR/kustomize/registry/patch-deployment-velero.yaml"
+ insert_patches_strategic_merge "$DIR/kustomize/registry/kustomization.yaml" patch-deployment-velero.yaml
+ render_yaml_file "$DIR/addons/registry/3.1.1/tmpl-configmap-velero.yaml" > "$DIR/kustomize/registry/configmap-velero.yaml"
+ insert_resources
"$DIR/kustomize/registry/kustomization.yaml" configmap-velero.yaml + else + log "PVC and Object Store were NOT found. Creating Registry Deployment" + determine_registry_pvc_size + cp "$DIR/addons/registry/3.1.1/deployment-pvc.yaml" "$DIR/kustomize/registry/deployment-pvc.yaml" + render_yaml_file "$DIR/addons/registry/3.1.1/tmpl-persistentvolumeclaim.yaml" > "$DIR/kustomize/registry/persistentvolumeclaim.yaml" + insert_resources "$DIR/kustomize/registry/kustomization.yaml" deployment-pvc.yaml + insert_resources "$DIR/kustomize/registry/kustomization.yaml" persistentvolumeclaim.yaml + fi + + log "Checking if PVC migration will be required" + if registry_will_migrate_pvc; then + logWarn "Registry migration in progres......" + + # Object store credentials already live in the previously created secret + render_yaml_file "$DIR/addons/registry/3.1.1/tmpl-configmap-migrate-s3.yaml" > "$DIR/kustomize/registry/configmap-migrate-s3.yaml" + insert_resources "$DIR/kustomize/registry/kustomization.yaml" configmap-migrate-s3.yaml + cp "$DIR/addons/registry/3.1.1/patch-deployment-migrate-s3.yaml" "$DIR/kustomize/registry/patch-deployment-migrate-s3.yaml" + insert_patches_strategic_merge "$DIR/kustomize/registry/kustomization.yaml" patch-deployment-migrate-s3.yaml + fi + + render_yaml_file "$DIR/addons/registry/3.1.1/tmpl-troubleshoot.yaml" > "$DIR/kustomize/registry/troubleshoot.yaml" + insert_resources "$DIR/kustomize/registry/kustomization.yaml" troubleshoot.yaml + + logSuccess "Registry installed successfully" +} + +# The regsitry will migrate from object store to pvc is there isn't already a PVC, the object store was remove from the installer, BUT +# it is still detected as running in the cluster. The latter 2 conditions happen during a CSI migration. +function registry_will_migrate_pvc() { + # If KOTSADM_DISABLE_S3 is not set, don't allow the migration + if [ "$KOTSADM_DISABLE_S3" != 1 ]; then + return 1 + fi + if ! registry_pvc_exists && ! 
object_store_exists && object_store_running ; then
+ return 0
+ fi
+ return 1
+}
+
+# When re-running the installer, make sure that you can perform a migration
+# even when an existing install of the same addon version is detected (and `registry()` is NOT called in this case).
+# Implements hook [addon]_already_applied()
+function registry_already_applied() {
+
+ if registry_will_migrate_pvc; then
+ registry_install
+
+ kubectl apply -k "$DIR/kustomize/registry"
+
+ logWarn "Registry will migrate from object store to pvc"
+ try_5m registry_pvc_migrated
+ logSuccess "Registry migration complete"
+ fi
+}
+
+function registry_pre_init() {
+ if [ -n "$KURL_REGISTRY_IP" ]; then
+ DOCKER_REGISTRY_IP=$(kubectl -n kurl get service registry -o=jsonpath='{@.spec.clusterIP}' 2>/dev/null || echo "")
+ if [ -n "$DOCKER_REGISTRY_IP" ] && [ "$DOCKER_REGISTRY_IP" != "$KURL_REGISTRY_IP" ]; then
+ bail "kurl-registry-ip is specified, however registry service is already assigned $DOCKER_REGISTRY_IP"
+ fi
+ fi
+}
+
+function registry_init() {
+
+ DOCKER_REGISTRY_IP=$(kubectl -n kurl get service registry -o=jsonpath='{@.spec.clusterIP}' 2>/dev/null || echo "")
+
+ regsitry_init_service
+
+ kubectl apply -k "$DIR/kustomize/registry"
+
+ DOCKER_REGISTRY_IP=$(kubectl -n kurl get service registry -o=jsonpath='{@.spec.clusterIP}')
+}
+
+function regsitry_init_service() {
+ log "Applying resources"
+ mkdir -p "$DIR/kustomize/registry"
+ cp "$DIR/addons/registry/3.1.1/kustomization.yaml" "$DIR/kustomize/registry/kustomization.yaml"
+
+ cp "$DIR/addons/registry/3.1.1/service.yaml" "$DIR/kustomize/registry/service.yaml"
+ insert_resources "$DIR/kustomize/registry/kustomization.yaml" service.yaml
+
+ if [ -n "$DOCKER_REGISTRY_IP" ] && [ -z "$KURL_REGISTRY_IP" ]; then
+ KURL_REGISTRY_IP=$DOCKER_REGISTRY_IP
+ fi
+
+ if [ -n "$REGISTRY_PUBLISH_PORT" ]; then
+ render_yaml_file "$DIR/addons/registry/3.1.1/tmpl-node-port-patch.yaml" > "$DIR/kustomize/registry/node-port-patch.yaml"
+
insert_patches_strategic_merge "$DIR/kustomize/registry/kustomization.yaml" "node-port-patch.yaml"
+ fi
+
+ if [ -n "$KURL_REGISTRY_IP" ]; then
+ render_yaml_file "$DIR/addons/registry/3.1.1/tmpl-cluster-ip-patch.yaml" > "$DIR/kustomize/registry/cluster-ip-patch.yaml"
+ insert_patches_strategic_merge "$DIR/kustomize/registry/kustomization.yaml" "cluster-ip-patch.yaml"
+ fi
+}
+
+function registry_join() {
+ registry_docker_ca
+}
+
+function registry_session_secret() {
+ log "Adding secret"
+ if kubernetes_resource_exists kurl secret registry-session-secret; then
+ return 0
+ fi
+
+ insert_resources "$DIR/kustomize/registry/kustomization.yaml" secret.yaml
+
+ local HA_SHARED_SECRET=$(< /dev/urandom tr -dc A-Za-z0-9 | head -c9)
+ render_yaml_file "$DIR/addons/registry/3.1.1/tmpl-secret.yaml" > "$DIR/kustomize/registry/secret.yaml"
+}
+
+# Create the registry-htpasswd secret in the kurl namespace for the registry to use for
+# authentication and the registry-credentials secret in the default namespace for pods to use for
+# image pulls
+function registry_cred_secrets() {
+ log "Checking if secrets exist"
+ if kubernetes_resource_exists kurl secret registry-htpasswd && kubernetes_resource_exists default secret registry-creds ; then
+ log "Secrets found.
Patching kotsadm labels"
+ kubectl -n kurl patch secret registry-htpasswd -p '{"metadata":{"labels":{"kots.io/kotsadm":"true", "kots.io/backup":"velero"}}}'
+ kubectl -n default patch secret registry-creds -p '{"metadata":{"labels":{"kots.io/kotsadm":"true", "kots.io/backup":"velero"}}}'
+ return 0
+ fi
+
+ log "Deleting registry-htpasswd and registry-creds secrets"
+ kubectl -n kurl delete secret registry-htpasswd &>/dev/null || true
+ kubectl -n default delete secret registry-creds &>/dev/null || true
+
+ log "Generating password"
+ local user=kurl
+ local password=$(< /dev/urandom tr -dc A-Za-z0-9 | head -c9)
+
+ # if the registry pod is already running it will pick up changes to the secret without restart
+ BIN_HTPASSWD=./bin/htpasswd
+ $BIN_HTPASSWD -u "$user" -p "$password" -f htpasswd
+
+ log "Patching password"
+ kubectl -n kurl create secret generic registry-htpasswd --from-file=htpasswd
+ kubectl -n kurl patch secret registry-htpasswd -p '{"metadata":{"labels":{"kots.io/kotsadm":"true", "kots.io/backup":"velero"}}}'
+ rm htpasswd
+
+ local server="$DOCKER_REGISTRY_IP"
+ if [ "$IPV6_ONLY" = "1" ]; then
+ log "IPV6 is in usage"
+ server="registry.kurl.svc.cluster.local"
+ fi
+
+ kubectl -n default create secret docker-registry registry-creds \
+ --docker-server="$server" \
+ --docker-username="$user" \
+ --docker-password="$password"
+ kubectl -n default patch secret registry-creds -p '{"metadata":{"labels":{"kots.io/kotsadm":"true", "kots.io/backup":"velero"}}}'
+
+ log "Secrets configured successfully"
+}
+
+function registry_docker_ca() {
+ if [ -n "$DOCKER_VERSION" ]; then
+ if [ -z "$DOCKER_REGISTRY_IP" ]; then
+ bail "Docker registry address required"
+ fi
+
+ log "Gathering CA from server to configure Docker"
+ local ca_crt="$(${K8S_DISTRO}_get_server_ca)"
+
+ mkdir -p /etc/docker/certs.d/$DOCKER_REGISTRY_IP
+ ln -s --force "${ca_crt}" /etc/docker/certs.d/$DOCKER_REGISTRY_IP/ca.crt
+ fi
+}
+
+function registry_pki_secret() {
+ log "Checking Docker
Registry: $DOCKER_REGISTRY_IP"
+ if [ -z "$DOCKER_REGISTRY_IP" ]; then
+ bail "Docker registry address required"
+ fi
+
+ local tmp="$DIR/addons/registry/3.1.1/tmp"
+ rm -rf "$tmp"
+ mkdir -p "$tmp"
+ pushd "$tmp"
+
+ cat > registry.cnf <> registry.cnf
+
+ if [ -n "$PUBLIC_ADDRESS" ]; then
+ log "Publish Address: $PUBLIC_ADDRESS"
+ echo "IP.3 = $PUBLIC_ADDRESS" >> registry.cnf
+ fi
+ fi
+
+ log "Gathering CA from server"
+ local ca_crt="$(${K8S_DISTRO}_get_server_ca)"
+ local ca_key="$(${K8S_DISTRO}_get_server_ca_key)"
+
+ log "Generating a private key and a corresponding Certificate Signing Request (CSR) using OpenSSL"
+ openssl req -newkey rsa:2048 -nodes -keyout registry.key -out registry.csr -sha256 -config registry.cnf
+
+ log "Generating a self-signed X.509 certificate using OpenSSL"
+ openssl x509 -req -days 365 -in registry.csr -CA "${ca_crt}" -CAkey "${ca_key}" -CAcreateserial -out registry.crt -extensions v3_ext -extfile registry.cnf -sha256
+
+ # rotate the cert and restart the pod every time
+ kubectl -n kurl delete secret registry-pki &>/dev/null || true
+ kubectl -n kurl create secret generic registry-pki --from-file=registry.key --from-file=registry.crt
+ kubectl -n kurl delete pod -l app=registry &>/dev/null || true
+
+ popd
+ rm -r "$tmp"
+}
+
+function registry_object_store_bucket() {
+ try_1m object_store_create_bucket "docker-registry"
+}
+
+function registry_pvc_exists() {
+ kubectl -n kurl get pvc registry-pvc &>/dev/null
+}
+
+# if the PVC size has already been set we should not reduce it
+function determine_registry_pvc_size() {
+ local registry_pvc_size="50Gi"
+ if registry_pvc_exists; then
+ registry_pvc_size=$( kubectl get pvc -n kurl registry-pvc -o jsonpath='{.spec.resources.requests.storage}')
+ fi
+ log "PVC size used is $registry_pvc_size"
+ export REGISTRY_PVC_SIZE=$registry_pvc_size
+}
+
+function registry_is_pvc_migrating() {
+ registry_pod=$( kubectl get pods -n kurl -l app=registry -o jsonpath='{.items[0].metadata.name}')
+
kubectl -n kurl logs $registry_pod -c migrate-s3 &>/dev/null
+}
+
+function registry_pvc_migrated() {
+ registry_pod=$( kubectl get pods -n kurl -l app=registry -o jsonpath='{.items[0].metadata.name}')
+ if kubectl -n kurl logs $registry_pod -c migrate-s3 | grep -q "migration ran successfully" &>/dev/null; then
+ return 0
+ fi
+ if kubectl -n kurl logs $registry_pod -c migrate-s3 | grep -q "migration has already run" &>/dev/null; then
+ return 0
+ fi
+ return 1
+}
+
+function registry_healthy() {
+ logSubstep "Checking if registry is healthy"
+ echo "waiting for the registry to start"
+ spinner_until 120 deployment_fully_updated kurl registry
+ logSuccess "Registry is healthy"
+}
diff --git a/addons/registry/3.1.1/kustomization.yaml b/addons/registry/3.1.1/kustomization.yaml
new file mode 100644
index 0000000000..2ac2324be8
--- /dev/null
+++ b/addons/registry/3.1.1/kustomization.yaml
@@ -0,0 +1,3 @@
+namespace: kurl
+
+resources:
diff --git a/addons/registry/3.1.1/patch-deployment-migrate-s3.yaml b/addons/registry/3.1.1/patch-deployment-migrate-s3.yaml
new file mode 100644
index 0000000000..76dd2acf98
--- /dev/null
+++ b/addons/registry/3.1.1/patch-deployment-migrate-s3.yaml
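Review bot: `registry_session_secret` and `registry_cred_secrets` both derive their secret from `tr -dc A-Za-z0-9 | head -c9`, nine alphanumeric characters (roughly 53 bits), and that password is the only credential guarding push access to every repo, which becomes reachable from outside the cluster once `REGISTRY_PUBLISH_PORT` renders the NodePort patch. Lengthening the draw is a trivial change with no compatibility impact, e.g. `local password=$(< /dev/urandom tr -dc A-Za-z0-9 | head -c32)` and the same for `HA_SHARED_SECRET`, which feeds `REGISTRY_HTTP_SECRET`. Separately, the password is handed on the command line to `./bin/htpasswd -p` and `kubectl ... --docker-password`, where it is briefly readable in the process list by other local users; reading it from a file or stdin would avoid that where the tools support it. As a point of style, `regsitry_init_service` (defined and called from `registry_install` and `registry_init`) carries a typo, as do the comment above `registry_will_migrate_pvc` ("regsitry", "is there isn't", "was remove") and the log string `"Registry migration in progres......"`.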
@@ -0,0 +1,43 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: registry
+ labels:
+ app: registry
+spec:
+ template:
+ spec:
+ initContainers:
+ - name: migrate-s3
+ image: kurlsh/s3cmd:20260224-0d00dd0
+ imagePullPolicy: IfNotPresent
+ command:
+ - /migrate-s3.sh
+ volumeMounts:
+ - mountPath: /var/lib/registry
+ name: registry-data
+ - name: registry-migrate-s3-config
+ mountPath: /migrate-s3.sh
+ subPath: migrate-s3.sh
+ env:
+ - name: AWS_ACCESS_KEY_ID
+ valueFrom:
+ secretKeyRef:
+ key: access-key-id
+ name: registry-s3-secret
+ - name: AWS_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ key: secret-access-key
+ name: registry-s3-secret
+ - name: OBJECT_STORE_CLUSTER_IP
+ valueFrom:
+ secretKeyRef:
+ key: object-store-hostname
+ name: registry-s3-secret
+ volumes:
+ - name: registry-migrate-s3-config
+ configMap:
+ name: registry-migrate-s3-config
+ defaultMode: 0777
diff --git a/addons/registry/3.1.1/patch-deployment-velero.yaml b/addons/registry/3.1.1/patch-deployment-velero.yaml
new file mode 100644
index 0000000000..2ebf2a1ceb
--- /dev/null
+++ b/addons/registry/3.1.1/patch-deployment-velero.yaml
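Review bot: `defaultMode: 0777` on the `registry-migrate-s3-config` ConfigMap volume grants write and execute bits to everyone, while the init container only needs to execute the script; `defaultMode: 0555` is the least-privilege choice (the kubelet mounts ConfigMap volumes read-only anyway, so the write bits are inert, but the mode should state the intent). The same mode is used for `registry-velero-config` in patch-deployment-velero.yaml. The env var named `OBJECT_STORE_CLUSTER_IP` is populated from the `object-store-hostname` key, whereas the velero patch exposes that same key as `OBJECT_STORE_HOSTNAME`; a one-line comment next to it, `# key holds the hostname; variable name is what migrate-s3.sh expects`, would spare the next reader the confusion.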
@@ -0,0 +1,85 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: registry
+ labels:
+ kots.io/kotsadm: 'true'
+ kots.io/backup: velero
+spec:
+ template:
+ metadata:
+ labels:
+ kots.io/kotsadm: 'true'
+ kots.io/backup: velero
+ annotations:
+ backup.velero.io/backup-volumes: "backup"
+ pre.hook.backup.velero.io/command: '["/backup.sh"]'
+ pre.hook.backup.velero.io/container: "registry-backup"
+ pre.hook.backup.velero.io/timeout: "30m"
+ spec:
+ initContainers:
+ - name: restore
+ image: kurlsh/s3cmd:20260224-0d00dd0
+ imagePullPolicy: IfNotPresent
+ command:
+ - /restore.sh
+ volumeMounts:
+ - mountPath: /backup
+ name: backup
+ - name: registry-velero-config
+ mountPath: /restore.sh
+ subPath: restore.sh
+ env:
+ - name: AWS_ACCESS_KEY_ID
+ valueFrom:
+ secretKeyRef:
+ key: access-key-id
+ name: registry-s3-secret
+ - name: AWS_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ key: secret-access-key
+ name: registry-s3-secret
+ - name: OBJECT_STORE_HOSTNAME
+ valueFrom:
+ secretKeyRef:
+ key: object-store-hostname
+ name: registry-s3-secret
+ containers:
+ - name: registry-backup
+ image: kurlsh/s3cmd:20260224-0d00dd0
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/sh
+ - -c
+ - "trap : TERM INT; tail -f /dev/null & wait"
+ env:
+ - name: AWS_ACCESS_KEY_ID
+ valueFrom:
+ secretKeyRef:
+ key: access-key-id
+ name: registry-s3-secret
+ - name: AWS_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ key: secret-access-key
+ name: registry-s3-secret
+ - name: OBJECT_STORE_HOSTNAME
+ valueFrom:
+ secretKeyRef:
+ key: object-store-hostname
+ name: registry-s3-secret
+ volumeMounts:
+ - name: registry-velero-config
+ mountPath: /backup.sh
+ subPath: backup.sh
+ - name: backup
+ mountPath: /backup
+ volumes:
+ - name: registry-velero-config
+ configMap:
+ name: registry-velero-config
+ defaultMode: 0777
+ - name: backup
+ emptyDir: {}
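Review bot: The `backup` volume is `emptyDir: {}` with no `sizeLimit`, and `backup.sh` in tmpl-configmap-velero.yaml syncs the whole `docker-registry` bucket into it on every Velero pre-hook, so a large registry can exhaust the node's ephemeral storage and get the registry pod (and its neighbours) evicted; `emptyDir: { sizeLimit: <BACKUP_SIZE_LIMIT> }` (placeholder, sized to the expected registry contents) would fail the backup instead of the node. The `registry-backup` sidecar holds the object-store access keys for the pod's entire lifetime only to wait for the hook, and unlike the main container in tmpl-deployment-objectstore.yaml it has no `resources` stanza; a short comment on the container stating why it must be a long-running sidecar rather than a Job would help the next maintainer judge that trade-off.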
diff --git a/addons/registry/3.1.1/service.yaml b/addons/registry/3.1.1/service.yaml
new file mode 100644
index 0000000000..3d53f268b3
--- /dev/null
+++ b/addons/registry/3.1.1/service.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: registry
+ labels:
+ app: registry
+spec:
+ type: ClusterIP
+ ports:
+ - port: 443
+ name: registry
+ targetPort: 443
+ protocol: TCP
+ selector:
+ app: registry
diff --git a/addons/registry/3.1.1/tmpl-cluster-ip-patch.yaml b/addons/registry/3.1.1/tmpl-cluster-ip-patch.yaml
new file mode 100644
index 0000000000..8c38ec26f3
--- /dev/null
+++ b/addons/registry/3.1.1/tmpl-cluster-ip-patch.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: registry
+ labels:
+ app: registry
+spec:
+ clusterIP: $KURL_REGISTRY_IP
diff --git a/addons/registry/3.1.1/tmpl-configmap-migrate-s3.yaml b/addons/registry/3.1.1/tmpl-configmap-migrate-s3.yaml
new file mode 100644
index 0000000000..502a1f77c4
--- /dev/null
+++ b/addons/registry/3.1.1/tmpl-configmap-migrate-s3.yaml
@@ -0,0 +1,35 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: registry-migrate-s3-config
+ labels:
+ app: registry
+data:
+ migrate-s3.sh: |-
+ #!/bin/sh
+ set -euo pipefail
+ export S3_BUCKET_NAME=docker-registry
+ export S3_HOST=\$OBJECT_STORE_CLUSTER_IP
+ echo 'migration starting ...'
+
+ export ARCHIVES_DIR=/var/lib/registry
+ export MIGRATION_FILE=\$ARCHIVES_DIR/s3-migration.txt
+ if [ -f \$MIGRATION_FILE ]; then
+ echo 'migration has already run. no-op.'
+ exit 0
+ fi
+
+ export S3CMD_FLAGS=\"--access_key=\$AWS_ACCESS_KEY_ID --secret_key=\$AWS_SECRET_ACCESS_KEY --host=\$S3_HOST --no-ssl --host-bucket=\$S3_BUCKET_NAME.\$S3_HOST\"
+
+ if s3cmd \$S3CMD_FLAGS ls s3://\$S3_BUCKET_NAME 2>&1 | grep -q 'NoSuchBucket'
+ then
+ echo "bucket \$S3_BUCKET_NAME bucket not found, skipping migration ..."
+ exit 0
+ fi
+
+ echo 'object store detected, running migration ...'
+ s3cmd \$S3CMD_FLAGS sync s3://\$S3_BUCKET_NAME \$ARCHIVES_DIR
+ echo 'migration ran successfully ...'
+ echo 'recording that the migration ran ...'
+ echo 'migration completed successfully $(date)' > \$MIGRATION_FILE
diff --git a/addons/registry/3.1.1/tmpl-configmap-velero.yaml b/addons/registry/3.1.1/tmpl-configmap-velero.yaml
new file mode 100644
index 0000000000..e2ee412699
--- /dev/null
+++ b/addons/registry/3.1.1/tmpl-configmap-velero.yaml
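Review bot: The last script line, `echo 'migration completed successfully $(date)' > \$MIGRATION_FILE`, is the only place in `migrate-s3.sh` where a `$` is not escaped as `\$`, so if `render_yaml_file` expands the template through the installer's shell (which the `\$` escaping everywhere else suggests), `$(date)` is evaluated on the host at render time and the marker file records that moment rather than when the migration actually ran; inside the pod the single quotes would otherwise keep it literal. `echo \"migration completed successfully \$(date)\" > \$MIGRATION_FILE` matches the escaping already used for `S3CMD_FLAGS` and records the real completion time. The message `"bucket \$S3_BUCKET_NAME bucket not found, skipping migration ..."` repeats the word bucket. `--no-ssl` sends the object-store keys over plaintext HTTP to `\$OBJECT_STORE_CLUSTER_IP`; that is presumably cluster-internal traffic only, and a comment saying so, `# in-cluster object store endpoint; no TLS on this path`, would make the assumption explicit.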
@@ -0,0 +1,51 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: registry-velero-config
+ labels:
+ app: registry
+data:
+ backup.sh: |-
+ #!/bin/sh
+ set -eu
+ echo 'backup starting ...'
+ if [ -z "\${OBJECT_STORE_HOSTNAME-}" ]; then
+ export OBJECT_STORE_HOSTNAME=\$OBJECT_STORE_CLUSTER_IP # included for backwards compatibility for snapshot restores with pre-ipv6 snapshot restores
+ fi
+ export S3_DIR=/backup/s3/
+ export S3_BUCKET_NAME=docker-registry
+ export S3_HOST=\$OBJECT_STORE_HOSTNAME
+ rm -rf \$S3_DIR
+ mkdir -p \$S3_DIR
+ s3cmd --access_key=\$AWS_ACCESS_KEY_ID --secret_key=\$AWS_SECRET_ACCESS_KEY --host=\$S3_HOST --no-ssl --host-bucket=\$S3_BUCKET_NAME.\$S3_HOST sync s3://\$S3_BUCKET_NAME \$S3_DIR
+ echo 'backup completed successfully'
+
+ restore.sh: |-
+ #!/bin/sh
+ set -eu
+
+ if [ -z "\${OBJECT_STORE_HOSTNAME-}" ]; then
+ export OBJECT_STORE_HOSTNAME=\$OBJECT_STORE_CLUSTER_IP # included for backwards compatibility for snapshot restores with pre-ipv6 snapshot restores
+ fi
+
+ export S3_DIR=/backup/s3/
+ export S3_BUCKET_NAME=docker-registry
+ export S3_HOST=\$OBJECT_STORE_HOSTNAME
+ echo 'restore starting ...'
+
+ if [ ! -d \$S3_DIR ]; then
+ exit 0
+ fi
+
+ export S3CMD_FLAGS=\"--access_key=\$AWS_ACCESS_KEY_ID --secret_key=\$AWS_SECRET_ACCESS_KEY --host=\$S3_HOST --no-ssl --host-bucket=\$S3_BUCKET_NAME.\$S3_HOST\"
+
+ if s3cmd \$S3CMD_FLAGS ls s3://\$S3_BUCKET_NAME 2>&1 | grep -q 'NoSuchBucket'
+ then
+ echo "bucket \$S3_BUCKET_NAME does not exist, creating ..."
+ s3cmd \$S3CMD_FLAGS mb s3://\$S3_BUCKET_NAME
+ fi
+
+ s3cmd \$S3CMD_FLAGS sync \$S3_DIR s3://\$S3_BUCKET_NAME
+ rm -rf \$S3_DIR
+ echo 'restore completed successfully'
diff --git a/addons/registry/3.1.1/tmpl-deployment-objectstore.yaml b/addons/registry/3.1.1/tmpl-deployment-objectstore.yaml
new file mode 100644
index 0000000000..c6752fa14d
--- /dev/null
+++ b/addons/registry/3.1.1/tmpl-deployment-objectstore.yaml
@@ -0,0 +1,140 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: registry-config
+ labels:
+ app: registry
+data:
+ config.yml: |-
+ health:
+ storagedriver:
+ enabled: true
+ interval: 10s
+ threshold: 3
+ auth:
+ htpasswd:
+ realm: basic-realm
+ path: /auth/htpasswd
+ http:
+ addr: :443
+ headers:
+ X-Content-Type-Options:
+ - nosniff
+ tls:
+ certificate: /etc/pki/registry.crt
+ key: /etc/pki/registry.key
+ log:
+ fields:
+ service: registry
+ accesslog:
+ disabled: true
+ storage:
+ delete:
+ enabled: true
+ redirect:
+ disable: true
+ s3:
+ region: "us-east-1"
+ regionendpoint: http://$objectStoreIP
+ bucket: docker-registry
+ forcepathstyle: true
+ cache:
+ blobdescriptor: inmemory
+ maintenance:
+ uploadpurging:
+ enabled: false
+ version: 0.1
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: registry-s3-secret
+ labels:
+ app: registry
+type: Opaque
+stringData:
+ access-key-id: ${OBJECT_STORE_ACCESS_KEY}
+ secret-access-key: ${OBJECT_STORE_SECRET_KEY}
+ object-store-hostname: ${objectStoreHostname}
+ object-store-cluster-ip: ${objectStoreHostname} # included for backwards compatibility for snapshot restores with pre-ipv6 snapshot restores
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: registry
+ labels:
+ app: registry
+spec:
+ selector:
+ matchLabels:
+ app: registry
+ replicas: 2
+ strategy:
+ type:
+ Recreate
+ template:
+ metadata:
+ labels:
+ app: registry
+ spec:
+ terminationGracePeriodSeconds: 30
+ containers:
+ - name: registry
+ image: registry:3.1.1
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/registry
+ - serve
+ - /etc/docker/registry/config.yml
+ ports:
+ - containerPort: 443
+ protocol: TCP
+ volumeMounts:
+ - name: registry-config
+ mountPath: /etc/docker/registry
+ - name: registry-pki
+ mountPath: /etc/pki
+ - name: registry-htpasswd
+ mountPath: /auth
+ env:
+ - name: REGISTRY_HTTP_SECRET
+ valueFrom:
+ secretKeyRef:
+ key: haSharedSecret
+ name: registry-session-secret
+ - name: AWS_ACCESS_KEY_ID
+
valueFrom:
+ secretKeyRef:
+ key: access-key-id
+ name: registry-s3-secret
+ - name: AWS_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ key: secret-access-key
+ name: registry-s3-secret
+ - name: OTEL_TRACES_EXPORTER
+ value: "none"
+ readinessProbe:
+ failureThreshold: 3
+ initialDelaySeconds: 10
+ periodSeconds: 1
+ successThreshold: 2
+ timeoutSeconds: 1
+ httpGet:
+ path: /
+ port: 443
+ scheme: HTTPS
+ resources:
+ requests:
+ ephemeral-storage: 10Mi
+ volumes:
+ - name: registry-config
+ configMap:
+ name: registry-config
+ - name: registry-pki
+ secret:
+ secretName: registry-pki
+ - name: registry-htpasswd
+ secret:
+ secretName: registry-htpasswd
diff --git a/addons/registry/3.1.1/tmpl-node-port-patch.yaml b/addons/registry/3.1.1/tmpl-node-port-patch.yaml
new file mode 100644
index 0000000000..13da8dbf69
--- /dev/null
+++ b/addons/registry/3.1.1/tmpl-node-port-patch.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: registry
+ labels:
+ app: registry
+spec:
+ type: NodePort
+ ports:
+ - port: 443
+ nodePort: $REGISTRY_PUBLISH_PORT
+ name: registry
+ targetPort: 443
+ protocol: TCP
diff --git a/addons/registry/3.1.1/tmpl-persistentvolumeclaim.yaml b/addons/registry/3.1.1/tmpl-persistentvolumeclaim.yaml
new file mode 100644
index 0000000000..14b2590b4f
--- /dev/null
+++ b/addons/registry/3.1.1/tmpl-persistentvolumeclaim.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: registry-pvc
+ labels:
+ app: registry
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: $REGISTRY_PVC_SIZE
diff --git a/addons/registry/3.1.1/tmpl-secret.yaml b/addons/registry/3.1.1/tmpl-secret.yaml
new file mode 100644
index 0000000000..a70e276878
--- /dev/null
+++ b/addons/registry/3.1.1/tmpl-secret.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: registry-session-secret
+ labels:
+ app: registry
+type: Opaque
+stringData:
+ haSharedSecret: ${HA_SHARED_SECRET}
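Review bot: `render_yaml_file` in install.sh writes this template, including the `registry-s3-secret` stringData (`${OBJECT_STORE_ACCESS_KEY}`, `${OBJECT_STORE_SECRET_KEY}`), to `$DIR/kustomize/registry/deployment-objectstore.yaml` on the installer host, and the same happens to `${HA_SHARED_SECRET}` via tmpl-secret.yaml. Nothing in this patch removes those rendered files or restricts their mode, and the comment in `registry_install` only says the kustomize folder is cleaned before install, so unless it is also cleaned afterwards elsewhere the object-store credentials persist in plaintext on disk; a `umask 077` before the render, or an explicit `rm -f` of the rendered secret-bearing files after `kubectl apply -k`, would close that. `replicas: 2` with `strategy: type: Recreate` on a shared S3 backend is presumably intentional for availability; a one-line comment saying so would help, since the PVC variant uses `replicas: 1` and the two manifests are otherwise near-duplicates.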
diff --git a/addons/registry/3.1.1/tmpl-troubleshoot.yaml b/addons/registry/3.1.1/tmpl-troubleshoot.yaml new file mode 100644 index 0000000000..54db0b2603 --- /dev/null +++ b/addons/registry/3.1.1/tmpl-troubleshoot.yaml @@ -0,0 +1,38 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: kurl-registry-supportbundle-spec + labels: + troubleshoot.io/kind: support-bundle +data: + support-bundle-spec: | + apiVersion: troubleshoot.sh/v1beta2 + kind: SupportBundle + spec: + collectors: + - configMap: + collectorName: registry-config + name: registry-config + namespace: kurl + includeAllData: true + - configMap: + collectorName: registry-velero-config + name: registry-velero-config + namespace: kurl + includeAllData: true + - configMap: + collectorName: registry-migrate-s3-config + name: registry-migrate-s3-config + namespace: kurl + includeAllData: true + - secret: + collectorName: registry-pki + namespace: kurl + name: registry-pki + includeValue: true + key: registry.crt + - logs: + name: kurl/registry/logs + namespace: kurl + selector: + - app=registry diff --git a/web/src/installers/versions.js b/web/src/installers/versions.js index b169e6fcfd..1c5ca9c6f2 100644 --- a/web/src/installers/versions.js +++ b/web/src/installers/versions.js @@ -353,6 +353,7 @@ module.exports.InstallerVersions = { contour: ["1.32.1", "1.32.0", "1.30.0", "1.29.0", "1.28.3", "1.28.2", "1.27.0", "1.26.1", "1.26.0", "1.25.2", "1.25.0", "1.24.4", "1.24.3", "1.24.2", "1.24.1", "1.24.0", "1.23.2", "1.23.1", "1.23.0", "1.22.1", "1.22.0", "1.21.1", "1.21.0", "1.20.1", "1.20.0", "1.19.1", "1.18.0", "1.16.0", "1.15.1", "1.14.1", "1.14.0", "1.13.1", "1.13.0", "1.12.0", "1.11.0", "1.10.1", "1.7.0", "1.0.1"], // cron-contour-update registry: [ // cron-registry-update + "3.1.1", "3.1.0", "3.0.0", "2.8.3",