feat(storage): add gcs support

enix · Oct 18, 2024 · 8cb3993 · 8cb3993
1 parent 0e557f6
commit 8cb3993
Show file tree

Hide file tree

Showing 4 changed files with 54 additions and 2 deletions.
diff --git a/docs/high-availability.md b/docs/high-availability.md
@@ -14,6 +14,7 @@ The registry supports various storage solutions, some of which enable high avail
 | PVC           |      No       | `registry.persistence.enabled=true` |
 | MinIO         |      Yes      | `minio.enabled=true`                |
 | S3-compatible |      Yes      | `registry.persistence.s3=...`       |
+| GCS           |      Yes      | `registry.persistence.gcs=...`      |
 
 HA-compatible backends uses a deployment whereas other backends relies on a statefulset.
 
@@ -66,6 +67,27 @@ kubectl create secret generic secret-name \
 
 If you want to use MinIO and self-host MinIO on your Kubernetes cluster, the kuik Helm chart can help with that! Check the next section for details.
 
+## GCS
+
+Google Cloud Storage can also be used as a storage backend for the registry. Here is an example of values to use GCS:
+
+```yaml
+registry:
+  persistence:
+    gcsExistingSecret: secret-name
+    gcs:
+      bucket: registry
+```
+
+Please refer to the [Docker registry documentation](https://distribution.github.io/distribution/about/configuration/) for more details.
+
+Note that you will need to create a Secret holding the associated service account secret:
+
+```
+kubectl create secret generic secret-name \
+        --from-literal=credentials.json=${GCS_KEY}
+```
+
 ## MinIO
 
 The kuik Helm chart has an optional dependency on the [bitnami MinIO chart](https://artifacthub.io/packages/helm/bitnami/minio). The subchart can be enabled by setting `minio.enabled` to `true`, and it can be configured by passing values under the `minio.*` path; for instance, with the following values YAML:

diff --git a/helm/kube-image-keeper/templates/_helpers.tpl b/helm/kube-image-keeper/templates/_helpers.tpl
@@ -110,5 +110,5 @@ Create the name of the service account to use
 {{- end }}
 
 {{- define "kube-image-keeper.registry-stateless-mode" -}}
-{{- ternary "true" "false" (or .Values.minio.enabled (not (empty .Values.registry.persistence.s3))) }}
+{{- ternary "true" "false" (or .Values.minio.enabled (not (empty .Values.registry.persistence.s3)) (not (empty .Values.registry.persistence.gcs))) }}
 {{- end }}
diff --git a/helm/kube-image-keeper/templates/registry-deployment.yaml b/helm/kube-image-keeper/templates/registry-deployment.yaml
@@ -48,8 +48,16 @@ spec:
                   key: secret
             - name: REGISTRY_STORAGE_DELETE_ENABLED
               value: "true"
+            {{- if (not (empty .Values.registry.persistence.s3))}}
             - name: REGISTRY_STORAGE
               value: s3
+            {{- end}}
+            {{- if (not (empty .Values.registry.persistence.gcs))}}
+            - name: REGISTRY_STORAGE
+              value: gcs
+            - name: REGISTRY_STORAGE_GCS_KEYFILE
+              value: "/etc/registry/keys/credentials.json"
+            {{- end}}
             {{- if .Values.registry.serviceMonitor.create }}
             - name: REGISTRY_HTTP_DEBUG_ADDR
               value: 0.0.0.0:5001
@@ -70,11 +78,16 @@ spec:
             - name: {{ printf "%s_%s" "REGISTRY_STORAGE_S3" ($k | upper) }}
               value: {{ $v | quote }}
             {{- end }}
+            {{- range $k, $v := omit .Values.registry.persistence.gcs }}
+            - name: {{ printf "%s_%s" "REGISTRY_STORAGE_GCS" ($k | upper) }}
+              value: {{ $v | quote }}
+            {{- end }}
             {{- if .Values.registry.persistence.disableS3Redirections }}
             - name: REGISTRY_STORAGE_REDIRECT_DISABLE
               value: "true"
             {{- end }}
             {{- end }}
+            {{- if (not (empty .Values.registry.persistence.s3ExistingSecret)) }}
             {{ $s3KeysSecretName := .Values.registry.persistence.s3ExistingSecret | default "kube-image-keeper-s3-registry-keys" }}
             - name: REGISTRY_STORAGE_S3_ACCESSKEY
               valueFrom:
@@ -86,14 +99,27 @@ spec:
                 secretKeyRef:
                   name: {{ $s3KeysSecretName }}
                   key: secretKey
+            {{- end }}
             {{- range .Values.registry.env }}
             - name: {{ .name }}
               value: {{ .value | quote }}
             {{- end }}
+          {{- if .Values.registry.persistence.gcsExistingSecret }}
+          volumeMounts:
+            - name: gcs-key
+              mountPath: /etc/registry/keys
+              readOnly: true
+          {{- end }}
           {{- with .Values.registry.readinessProbe }}
           readinessProbe:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+      {{- with .Values.registry.persistence.gcsExistingSecret }}
+      volumes:
+        - name: gcs-key
+          secret:
+            secretName: {{ . }}
+      {{- end }}
       {{- with .Values.registry.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/helm/kube-image-keeper/values.yaml b/helm/kube-image-keeper/values.yaml
@@ -195,7 +195,7 @@ registry:
     # -- Registry image pull policy
     pullPolicy: IfNotPresent
     # -- Registry image tag
-    tag: "2.8.2"
+    tag: "2.8.3"
   # -- Number of replicas for the registry pod
   replicas: 1
   persistence:
@@ -210,6 +210,10 @@ registry:
     s3ExistingSecret: ""
     # -- Disable blobs redirection to S3 bucket (useful if your S3 instance is not accessible from kubelet)
     disableS3Redirections: false
+    # -- GCS configuration (see https://github.com/distribution/distribution/blob/main/docs/content/storage-drivers/gcs.md)
+    gcs: {}
+    # use service account secret in JSON format
+    gcsExistingSecret: ""
   garbageCollection:
     # -- Garbage collector cron schedule. Use standard crontab format.
     schedule: "0 0 * * 0"