feat(storage): add azure support
plaffitt authored and Nicolasgouze committed Oct 31, 2024
1 parent be1c9f6 commit 5e9563c
Showing 4 changed files with 52 additions and 6 deletions.
24 changes: 23 additions & 1 deletion docs/high-availability.md
Expand Up @@ -16,6 +16,7 @@ The registry supports various storage solutions, some of which enable high avail
| MinIO | Yes | `minio.enabled=true` |
| S3-compatible | Yes | `registry.persistence.s3=...` |
| GCS | Yes | `registry.persistence.gcs=...` |
| Azure | Yes | `registry.persistence.azure=...` |

HA-compatible backends uses a deployment whereas other backends relies on a statefulset.
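Review bot: the unchanged context line directly under the table has two agreement errors ("HA-compatible backends uses a deployment whereas other backends relies on a statefulset"); since this hunk already touches the table, fix it to "HA-compatible backends use a Deployment whereas other backends rely on a StatefulSet". The new `| Azure | Yes | registry.persistence.azure=... |` row itself matches the helper change in `_helpers.tpl`, which treats a non-empty `registry.persistence.azure` as stateless mode.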

Expand Down Expand Up @@ -95,6 +96,28 @@ kubectl create secret generic secret-name \
--from-literal=credentials.json=${GCS_KEY}
```

### Azure

Microsoft Azure can also be used as a storage backend for the registry. Here is an example of values to use Azure:

```yaml
registry:
persistence:
azureExistingSecret: secret-name
azure:
container: registry
```

Please refer to the [Docker registry documentation](https://distribution.github.io/distribution/about/configuration/) for more details.

Note that you will need to create a Secret holding the associated service account secret:

```
kubectl create secret generic secret-name \
--from-literal=accountname=${ACCOUNTNAME} \
--from-literal=accountkey=${ACCOUNTKEY}
```

## MinIO

The kuik Helm chart has an optional dependency on the [bitnami MinIO chart](https://artifacthub.io/packages/helm/bitnami/minio). The subchart can be enabled by setting `minio.enabled` to `true`, and it can be configured by passing values under the `minio.*` path; for instance, with the following values YAML:
Expand Down Expand Up @@ -126,4 +149,3 @@ kubectl create secret generic minio-root-auth \
It is NOT necessary to set `registry.persistence.enabled` to `true` to enable persistence through MinIO.

It is NOT necessary to configure the S3 endpoint when using this solution as it will be configured automatically by the chart.
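Review bot: "create a Secret holding the associated service account secret" is copied from the GCS section and is wrong for Azure: the two keys the `kubectl create secret` command sets, `accountname` and `accountkey`, are the storage account name and a storage account access key, not a service account credential. Suggest "create a Secret holding the storage account name and an access key". Two smaller points: the second fence is untagged while the values example above it is tagged ```yaml, so tag it ```bash; and because the deployment template deliberately omits `accountname`/`accountkey` from `registry.persistence.azure`, the doc should say explicitly that those two values go only in the Secret and are ignored if set under `azure:`.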

2 changes: 1 addition & 1 deletion helm/kube-image-keeper/templates/_helpers.tpl
Expand Up @@ -110,5 +110,5 @@ Create the name of the service account to use
{{- end }}

{{- define "kube-image-keeper.registry-stateless-mode" -}}
{{- ternary "true" "false" (or .Values.minio.enabled (not (empty .Values.registry.persistence.s3)) (not (empty .Values.registry.persistence.gcs))) }}
{{- ternary "true" "false" (or .Values.minio.enabled (not (empty .Values.registry.persistence.s3)) (not (empty .Values.registry.persistence.gcs)) (not (empty .Values.registry.persistence.azure))) }}
{{- end }}
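Review bot: the stateless-mode test keys on `registry.persistence.azure` being non-empty, but `registry-deployment.yaml` wires the credentials only when `azureExistingSecret` is set, so the two halves can disagree. Setting `azure.container` without `azureExistingSecret` yields a Deployment with `REGISTRY_STORAGE=azure` and no account name or key; setting only `azureExistingSecret` leaves the chart in StatefulSet mode with `REGISTRY_STORAGE` unset. Consider failing the render (`fail`/`required`) when one is set without the other, or folding `azureExistingSecret` into this `or`.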
27 changes: 24 additions & 3 deletions helm/kube-image-keeper/templates/registry-deployment.yaml
Expand Up @@ -48,16 +48,20 @@ spec:
key: secret
- name: REGISTRY_STORAGE_DELETE_ENABLED
value: "true"
{{- if (not (empty .Values.registry.persistence.s3))}}
{{- if (not (empty .Values.registry.persistence.s3)) }}
- name: REGISTRY_STORAGE
value: s3
{{- end}}
{{- if (not (empty .Values.registry.persistence.gcs))}}
{{- if (not (empty .Values.registry.persistence.gcs)) }}
- name: REGISTRY_STORAGE
value: gcs
- name: REGISTRY_STORAGE_GCS_KEYFILE
value: "/etc/registry/keys/credentials.json"
{{- end}}
{{- if (not (empty .Values.registry.persistence.azure)) }}
- name: REGISTRY_STORAGE
value: azure
{{- end}}
{{- if .Values.registry.serviceMonitor.create }}
- name: REGISTRY_HTTP_DEBUG_ADDR
value: 0.0.0.0:5001
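Review bot: the s3, gcs and azure `if` blocks are independent, so a values file that sets two of them emits `REGISTRY_STORAGE` twice with different values; since the helper already treats the backends as alternatives, an `if`/`else if` chain (or a `fail` when more than one is set) would make the selection deterministic. Style: the new `{{- end}}` closing the azure block (and the two existing ones above it) lacks the space that this same hunk adds to the `if` lines; use `{{- end }}` as on the `serviceMonitor` block.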
Expand All @@ -78,10 +82,14 @@ spec:
- name: {{ printf "%s_%s" "REGISTRY_STORAGE_S3" ($k | upper) }}
value: {{ $v | quote }}
{{- end }}
{{- range $k, $v := omit .Values.registry.persistence.gcs }}
{{- range $k, $v := .Values.registry.persistence.gcs }}
- name: {{ printf "%s_%s" "REGISTRY_STORAGE_GCS" ($k | upper) }}
value: {{ $v | quote }}
{{- end }}
{{- range $k, $v := omit .Values.registry.persistence.azure "accountname" "accountkey" }}
- name: {{ printf "%s_%s" "REGISTRY_STORAGE_AZURE" ($k | upper) }}
value: {{ $v | quote }}
{{- end }}
{{- if .Values.registry.persistence.disableS3Redirections }}
- name: REGISTRY_STORAGE_REDIRECT_DISABLE
value: "true"
Expand All @@ -100,6 +108,19 @@ spec:
name: {{ $s3KeysSecretName }}
key: secretKey
{{- end }}
{{- if (not (empty .Values.registry.persistence.azureExistingSecret)) }}
{{ $azureKeysSecretName := .Values.registry.persistence.azureExistingSecret | default "kube-image-keeper-s3-registry-keys" }}
- name: REGISTRY_STORAGE_AZURE_ACCOUNTNAME
valueFrom:
secretKeyRef:
name: {{ $azureKeysSecretName }}
key: accountname
- name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY
valueFrom:
secretKeyRef:
name: {{ $azureKeysSecretName }}
key: accountkey
{{- end }}
{{- range .Values.registry.env }}
- name: {{ .name }}
value: {{ .value | quote }}
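Review bot: the default on the `$azureKeysSecretName` line is copied from the S3 block: `| default "kube-image-keeper-s3-registry-keys"` names the S3 secret, and it is unreachable anyway because the enclosing `if` requires `azureExistingSecret` to be non-empty. Drop the `default` (or use an azure-specific name if a chart-managed Secret is planned later). Also the assignment uses `{{ ... }}` without the `-` trim marker, so it renders a stray blank line inside the `env:` list; write `{{- $azureKeysSecretName := .Values.registry.persistence.azureExistingSecret }}`.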
5 changes: 4 additions & 1 deletion helm/kube-image-keeper/values.yaml
Expand Up @@ -222,7 +222,7 @@ registry:
storageClass: null
# -- Registry persistent volume size
size: 20Gi
# -- External S3 configuration (needed only if you don't enable minio) (see https://github.com/docker/docs/blob/main/registry/storage-drivers/s3.md)
# -- External S3 configuration (needed only if you don't enable minio) (see https://github.com/distribution/distribution/blob/main/docs/content/storage-drivers/s3.md)
s3: {}
s3ExistingSecret: ""
# -- Disable blobs redirection to S3 bucket (useful if your S3 instance is not accessible from kubelet)
Expand All @@ -231,6 +231,9 @@ registry:
gcs: {}
# use service account secret in JSON format
gcsExistingSecret: ""
# -- Azure configuration (see https://github.com/distribution/distribution/blob/main/docs/content/storage-drivers/azure.md)
azure: {}
azureExistingSecret: ""
garbageCollection:
# -- Garbage collector cron schedule. Use standard crontab format.
schedule: "0 0 * * 0"

0 comments on commit 5e9563c