From 8d1d0716066017a2ca769c163272ed579a0a19c9 Mon Sep 17 00:00:00 2001 From: Aleksei Date: Mon, 18 Dec 2023 19:26:31 +0400 Subject: [PATCH] feat(storage): add gcs support --- docs/high-availability.md | 22 ++++++++++++++++ helm/kube-image-keeper/templates/_helpers.tpl | 2 +- .../templates/registry-deployment.yaml | 26 +++++++++++++++++++ helm/kube-image-keeper/values.yaml | 6 ++++- 4 files changed, 54 insertions(+), 2 deletions(-) diff --git a/docs/high-availability.md b/docs/high-availability.md index fccf0a01..61dfb57b 100644 --- a/docs/high-availability.md +++ b/docs/high-availability.md @@ -15,6 +15,7 @@ The registry supports various storage solutions, some of which enable high avail | PVC (RWX) | Yes | `registry.persistence.enabled=true`, `registry.persistence.accessModes='ReadWriteMany'` | | MinIO | Yes | `minio.enabled=true` | | S3-compatible | Yes | `registry.persistence.s3=...` | +| GCS | Yes | `registry.persistence.gcs=...` | HA-compatible backends uses a deployment whereas other backends relies on a statefulset. 
@@ -73,6 +74,27 @@ kubectl create secret generic secret-name \ If you want to use MinIO and self-host MinIO on your Kubernetes cluster, the kuik Helm chart can help with that! Check the next section for details. +## GCS + +Google Cloud Storage can also be used as a storage backend for the registry. Here is an example of values to use GCS: + +```yaml +registry: + persistence: + gcsExistingSecret: secret-name + gcs: + bucket: registry +``` + +Please refer to the [Docker registry documentation](https://distribution.github.io/distribution/about/configuration/) for more details. + +Note that you will need to create a Secret holding the associated service account secret: + +``` +kubectl create secret generic secret-name \ + --from-literal=credentials.json=${GCS_KEY} +``` + ## MinIO The kuik Helm chart has an optional dependency on the [bitnami MinIO chart](https://artifacthub.io/packages/helm/bitnami/minio). The subchart can be enabled by setting `minio.enabled` to `true`, and it can be configured by passing values under the `minio.*` path; for instance, with the following values YAML: diff --git a/helm/kube-image-keeper/templates/_helpers.tpl b/helm/kube-image-keeper/templates/_helpers.tpl index 280fcc9e..6f0314c2 100644 --- a/helm/kube-image-keeper/templates/_helpers.tpl +++ b/helm/kube-image-keeper/templates/_helpers.tpl @@ -110,5 +110,5 @@ Create the name of the service account to use {{- end }} {{- define "kube-image-keeper.registry-stateless-mode" -}} -{{- ternary "true" "false" (or .Values.minio.enabled (not (empty .Values.registry.persistence.s3))) }} +{{- ternary "true" "false" (or .Values.minio.enabled (not (empty .Values.registry.persistence.s3)) (not (empty .Values.registry.persistence.gcs))) }} {{- end }} diff --git a/helm/kube-image-keeper/templates/registry-deployment.yaml b/helm/kube-image-keeper/templates/registry-deployment.yaml index 6165e08d..11833d62 100644 --- a/helm/kube-image-keeper/templates/registry-deployment.yaml 
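Review bot: The stateless-mode predicate in `kube-image-keeper.registry-stateless-mode` now combines three unrelated values on one long line and nothing explains the rule; a comment above the `define` would spare the next reader from decoding it, e.g. `{{/* Stateless (Deployment) mode is used whenever a remote backend is configured: MinIO, S3 or GCS. */}}`. Note the helper keys off `registry.persistence.gcs` alone, so a user who sets only `gcsExistingSecret` stays in StatefulSet mode and the GCS deployment wiring is never rendered; that matches the documented example, but a `fail` with a clear message for that combination would be friendlier than silent fallback. The `define` closes on the hunk's last line.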
+++ b/helm/kube-image-keeper/templates/registry-deployment.yaml @@ -48,8 +48,16 @@ spec: key: secret - name: REGISTRY_STORAGE_DELETE_ENABLED value: "true" + {{- if (not (empty .Values.registry.persistence.s3))}} - name: REGISTRY_STORAGE value: s3 + {{- end}} + {{- if (not (empty .Values.registry.persistence.gcs))}} + - name: REGISTRY_STORAGE + value: gcs + - name: REGISTRY_STORAGE_GCS_KEYFILE + value: "/etc/registry/keys/credentials.json" + {{- end}} {{- if .Values.registry.serviceMonitor.create }} - name: REGISTRY_HTTP_DEBUG_ADDR value: 0.0.0.0:5001 @@ -70,11 +78,16 @@ spec: - name: {{ printf "%s_%s" "REGISTRY_STORAGE_S3" ($k | upper) }} value: {{ $v | quote }} {{- end }} + {{- range $k, $v := omit .Values.registry.persistence.gcs }} + - name: {{ printf "%s_%s" "REGISTRY_STORAGE_GCS" ($k | upper) }} + value: {{ $v | quote }} + {{- end }} {{- if .Values.registry.persistence.disableS3Redirections }} - name: REGISTRY_STORAGE_REDIRECT_DISABLE value: "true" {{- end }} {{- end }} + {{- if (not (empty .Values.registry.persistence.s3ExistingSecret)) }} {{ $s3KeysSecretName := .Values.registry.persistence.s3ExistingSecret | default "kube-image-keeper-s3-registry-keys" }} - name: REGISTRY_STORAGE_S3_ACCESSKEY valueFrom: @@ -86,10 +99,17 @@ spec: secretKeyRef: name: {{ $s3KeysSecretName }} key: secretKey + {{- end }} {{- range .Values.registry.env }} - name: {{ .name }} value: {{ .value | quote }} {{- end }} + {{- if .Values.registry.persistence.gcsExistingSecret }} + volumeMounts: + - name: gcs-key + mountPath: /etc/registry/keys + readOnly: true + {{- end }} {{- with .Values.registry.readinessProbe }} readinessProbe: {{- toYaml . | nindent 12 }} @@ -98,6 +118,12 @@ spec: livenessProbe: {{- toYaml . | nindent 12 }} {{- end }} + {{- with .Values.registry.persistence.gcsExistingSecret }} + volumes: + - name: gcs-key + secret: + secretName: {{ . }} + {{- end }} {{- with .Values.registry.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} 
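Review bot: In the first hunk `REGISTRY_STORAGE_GCS_KEYFILE` is rendered whenever `registry.persistence.gcs` is non-empty, but the Secret that provides `/etc/registry/keys/credentials.json` is only mounted when `registry.persistence.gcsExistingSecret` is set (later hunks), so a GCS-only install that supplies credentials some other way points the registry at a file that does not exist. Gating the key-file variable on the Secret keeps the two in step: `{{- if .Values.registry.persistence.gcsExistingSecret }}` / `- name: REGISTRY_STORAGE_GCS_KEYFILE` / `value: "/etc/registry/keys/credentials.json"` followed by `{{- end }}`. Separately, populating both `s3` and `gcs` now emits two `REGISTRY_STORAGE` entries in the same env list; worth rejecting that combination with `fail` or documenting that the last entry wins. The container spec continues outside the hunk.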
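Review bot: In the second hunk the new `range` over `registry.persistence.gcs` sits inside the block closed by the hunk's final `{{- end }}`, whose opening is outside the hunk; the s3 range and the `disableS3Redirections` check share that block, so it looks like an s3-specific guard, in which case the `REGISTRY_STORAGE_GCS_*` settings would only render when `s3` is also populated. Please confirm and, if so, move the gcs range out of that block next to the `gcs` branch of the first hunk. `omit` with no keys to omit is a no-op copy, so `{{- range $k, $v := .Values.registry.persistence.gcs }}` says the same thing more directly, unless a key is meant to be excluded as the s3 range (not visible here) may do.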
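Review bot: In the third hunk, wrapping the access-key/secret-key references in `{{- if (not (empty .Values.registry.persistence.s3ExistingSecret)) }}` makes the `| default "kube-image-keeper-s3-registry-keys"` on the following line dead code, since inside the guard the value is never empty. More importantly, a user who configures `s3` inline and leaves `s3ExistingSecret` at its default `""` previously got env vars pointing at the chart-managed secret and now gets no credentials at all; if that fallback Secret is still rendered elsewhere in the chart, this is a regression. Guarding on `s3` being non-empty rather than on the existing-secret name, e.g. `{{- if (not (empty .Values.registry.persistence.s3)) }}`, would keep the fallback working. The guard is opened in the second hunk and closed in this one.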
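Review bot: In the last hunk the `volumes:` entry is guarded with `{{- with .Values.registry.persistence.gcsExistingSecret }}` while the matching `volumeMounts:` in the third hunk uses `{{- if ... }}`; both work, but using the same form in both places makes it obvious they are one condition (`with` also lets `secretName: {{ . }}` stay as written). Also worth checking that no other branch of this template renders a `volumes:` key for the same pod spec, since a second key would be a silent duplicate that most YAML parsers resolve last-wins; the pod spec continues outside the hunk.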
diff --git a/helm/kube-image-keeper/values.yaml b/helm/kube-image-keeper/values.yaml index 5635de55..f82f454e 100644 --- a/helm/kube-image-keeper/values.yaml +++ b/helm/kube-image-keeper/values.yaml @@ -208,7 +208,7 @@ registry: # -- Registry image pull policy pullPolicy: IfNotPresent # -- Registry image tag - tag: "2.8" + tag: "2.8.3" # -- Number of replicas for the registry pod replicas: 1 persistence: @@ -225,6 +225,10 @@ registry: s3ExistingSecret: "" # -- Disable blobs redirection to S3 bucket (useful if your S3 instance is not accessible from kubelet) disableS3Redirections: false + # -- GCS configuration (see https://github.com/distribution/distribution/blob/main/docs/content/storage-drivers/gcs.md) + gcs: {} + # use service account secret in JSON format + gcsExistingSecret: "" garbageCollection: # -- Garbage collector cron schedule. Use standard crontab format. schedule: "0 0 * * 0"
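Review bot: In the second hunk the comment above `gcsExistingSecret` lacks the `# --` prefix that the neighbouring keys use (`# -- GCS configuration …`, `# -- Disable blobs redirection …`), so helm-docs-style tooling will skip it and the generated README will list the key undocumented. Suggest `# -- Name of an existing Secret holding the GCS service account key under the key credentials.json; it is mounted read-only at /etc/registry/keys`. The `gcs` comment could also state that each key is exported as `REGISTRY_STORAGE_GCS_<KEY>`, which is what the deployment template does with it.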