From 5e9563c33187393fd2e1ae4fe43532afc2dfa126 Mon Sep 17 00:00:00 2001 From: Paul Laffitte Date: Wed, 30 Oct 2024 16:23:19 +0100 Subject: [PATCH] feat(storage): add azure support --- docs/high-availability.md | 24 ++++++++++++++++- helm/kube-image-keeper/templates/_helpers.tpl | 2 +- .../templates/registry-deployment.yaml | 27 ++++++++++++++++--- helm/kube-image-keeper/values.yaml | 5 +++- 4 files changed, 52 insertions(+), 6 deletions(-) diff --git a/docs/high-availability.md b/docs/high-availability.md index 61dfb57b..b125ad86 100644 --- a/docs/high-availability.md +++ b/docs/high-availability.md @@ -16,6 +16,7 @@ The registry supports various storage solutions, some of which enable high avail | MinIO | Yes | `minio.enabled=true` | | S3-compatible | Yes | `registry.persistence.s3=...` | | GCS | Yes | `registry.persistence.gcs=...` | +| Azure | Yes | `registry.persistence.azure=...` | HA-compatible backends uses a deployment whereas other backends relies on a statefulset. @@ -95,6 +96,28 @@ kubectl create secret generic secret-name \ --from-literal=credentials.json=${GCS_KEY} ``` +### Azure + +Microsoft Azure can also be used as a storage backend for the registry. Here is an example of values to use Azure: + +```yaml +registry: + persistence: + azureExistingSecret: secret-name + azure: + container: registry +``` + +Please refer to the [Docker registry documentation](https://distribution.github.io/distribution/about/configuration/) for more details. + +Note that you will need to create a Secret holding the associated service account secret: + +``` +kubectl create secret generic secret-name \ + --from-literal=accountname=${ACCOUNTNAME} \ + --from-literal=accountkey=${ACCOUNTKEY} +``` + ## MinIO The kuik Helm chart has an optional dependency on the [bitnami MinIO chart](https://artifacthub.io/packages/helm/bitnami/minio). The subchart can be enabled by setting `minio.enabled` to `true`, and it can be configured by passing values under the `minio.*` path; for instance, with the following values YAML: @@ -126,4 +149,3 @@ kubectl create secret generic minio-root-auth \ It is NOT necessary to set `registry.persistence.enabled` to `true` to enable persistence through MinIO. It is NOT necessary to configure the S3 endpoint when using this solution as it will be configured automatically by the chart. - diff --git a/helm/kube-image-keeper/templates/_helpers.tpl b/helm/kube-image-keeper/templates/_helpers.tpl index 6f0314c2..a67df7b1 100644 --- a/helm/kube-image-keeper/templates/_helpers.tpl +++ b/helm/kube-image-keeper/templates/_helpers.tpl @@ -110,5 +110,5 @@ Create the name of the service account to use {{- end }} {{- define "kube-image-keeper.registry-stateless-mode" -}} -{{- ternary "true" "false" (or .Values.minio.enabled (not (empty .Values.registry.persistence.s3)) (not (empty .Values.registry.persistence.gcs))) }} +{{- ternary "true" "false" (or .Values.minio.enabled (not (empty .Values.registry.persistence.s3)) (not (empty .Values.registry.persistence.gcs)) (not (empty .Values.registry.persistence.azure))) }} {{- end }} diff --git a/helm/kube-image-keeper/templates/registry-deployment.yaml b/helm/kube-image-keeper/templates/registry-deployment.yaml index 11833d62..0be71993 100644 --- a/helm/kube-image-keeper/templates/registry-deployment.yaml +++ b/helm/kube-image-keeper/templates/registry-deployment.yaml @@ -48,16 +48,20 @@ spec: key: secret - name: REGISTRY_STORAGE_DELETE_ENABLED value: "true" - {{- if (not (empty .Values.registry.persistence.s3))}} + {{- if (not (empty .Values.registry.persistence.s3)) }} - name: REGISTRY_STORAGE value: s3 {{- end}} - {{- if (not (empty .Values.registry.persistence.gcs))}} + {{- if (not (empty .Values.registry.persistence.gcs)) }} - name: REGISTRY_STORAGE value: gcs - name: REGISTRY_STORAGE_GCS_KEYFILE value: "/etc/registry/keys/credentials.json" {{- end}} + {{- if (not (empty .Values.registry.persistence.azure)) }} + - name: REGISTRY_STORAGE + value: azure + {{- end}} {{- if .Values.registry.serviceMonitor.create }} - name: REGISTRY_HTTP_DEBUG_ADDR value: 0.0.0.0:5001 @@ -78,10 +82,14 @@ spec: - name: {{ printf "%s_%s" "REGISTRY_STORAGE_S3" ($k | upper) }} value: {{ $v | quote }} {{- end }} - {{- range $k, $v := omit .Values.registry.persistence.gcs }} + {{- range $k, $v := .Values.registry.persistence.gcs }} - name: {{ printf "%s_%s" "REGISTRY_STORAGE_GCS" ($k | upper) }} value: {{ $v | quote }} {{- end }} + {{- range $k, $v := omit .Values.registry.persistence.azure "accountname" "accountkey" }} + - name: {{ printf "%s_%s" "REGISTRY_STORAGE_AZURE" ($k | upper) }} + value: {{ $v | quote }} + {{- end }} {{- if .Values.registry.persistence.disableS3Redirections }} - name: REGISTRY_STORAGE_REDIRECT_DISABLE value: "true" @@ -100,6 +108,19 @@ spec: name: {{ $s3KeysSecretName }} key: secretKey {{- end }} + {{- if (not (empty .Values.registry.persistence.azureExistingSecret)) }} + {{ $azureKeysSecretName := .Values.registry.persistence.azureExistingSecret | default "kube-image-keeper-s3-registry-keys" }} + - name: REGISTRY_STORAGE_AZURE_ACCOUNTNAME + valueFrom: + secretKeyRef: + name: {{ $azureKeysSecretName }} + key: accountname + - name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY + valueFrom: + secretKeyRef: + name: {{ $azureKeysSecretName }} + key: accountkey + {{- end }} {{- range .Values.registry.env }} - name: {{ .name }} value: {{ .value | quote }} diff --git a/helm/kube-image-keeper/values.yaml b/helm/kube-image-keeper/values.yaml index e24ad544..15bdc7f2 100644 --- a/helm/kube-image-keeper/values.yaml +++ b/helm/kube-image-keeper/values.yaml @@ -222,7 +222,7 @@ registry: storageClass: null # -- Registry persistent volume size size: 20Gi - # -- External S3 configuration (needed only if you don't enable minio) (see https://github.com/docker/docs/blob/main/registry/storage-drivers/s3.md) + # -- External S3 configuration (needed only if you don't enable minio) (see https://github.com/distribution/distribution/blob/main/docs/content/storage-drivers/s3.md) s3: {} s3ExistingSecret: "" # -- Disable blobs redirection to S3 bucket (useful if your S3 instance is not accessible from kubelet) @@ -231,6 +231,9 @@ registry: gcs: {} # use service account secret in JSON format gcsExistingSecret: "" + # -- Azure configuration (see https://github.com/distribution/distribution/blob/main/docs/content/storage-drivers/azure.md) + azure: {} + azureExistingSecret: "" garbageCollection: # -- Garbage collector cron schedule. Use standard crontab format. schedule: "0 0 * * 0"