ghp/helm-charts
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

cleanup

Browse Source
This commit is contained in:
ace 2023-06-10 06:22:04 +03:00
parent 3703becaa9
commit b40cec7573
Signed by: ace
GPG Key ID: 2C08973DD37A76FD
43 changed files with 1 additions and 3085 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1,2 +1,3 @@
/*.yaml
/*.yml
/*.tgz

23
chartmuseum/.helmignore
View File

@ -1,23 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
# OWNERS file for Kubernetes
OWNERS

12
chartmuseum/Chart.yaml
View File

@ -1,12 +0,0 @@
apiVersion: v1
appVersion: 0.12.0
deprecated: true
description: DEPRECATED Host your own Helm Chart Repository
home: https://github.com/helm/chartmuseum
icon: https://raw.githubusercontent.com/helm/chartmuseum/master/logo2.png
keywords:
- chartmuseum
- helm
- charts repo
name: chartmuseum
version: 2.14.2

749
chartmuseum/README.md
View File

@ -1,749 +0,0 @@
# ⚠️ Repo Archive Notice
As of Nov 13, 2020, charts in this repo will no longer be updated.
For more information, see the Helm Charts [Deprecation and Archive Notice](https://github.com/helm/charts#%EF%B8%8F-deprecation-and-archive-notice), and [Update](https://helm.sh/blog/charts-repo-deprecation/).
# ChartMuseum Helm Chart
Deploy your own private ChartMuseum.
Please also see https://github.com/kubernetes-helm/chartmuseum
## DEPRECATION NOTICE
This chart is deprecated and no longer supported.
## Table of Content
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
- [ChartMuseum Helm Chart](#chartmuseum-helm-chart)
- [Table of Content](#table-of-content)
- [Prerequisites](#prerequisites)
- [Configuration](#configuration)
- [Installation](#installation)
- [Using with Amazon S3](#using-with-amazon-s3)
- [permissions grant with access keys](#permissions-grant-with-access-keys)
- [permissions grant with IAM instance profile](#permissions-grant-with-iam-instance-profile)
- [permissions grant with IAM assumed role](#permissions-grant-with-iam-assumed-role)
- [permissions grant with IAM Roles for Service Accounts](#permissions-grant-with-iam-roles-for-service-accounts)
- [Using with Google Cloud Storage](#using-with-google-cloud-storage)
- [Using with Google Cloud Storage and a Google Service Account](#using-with-google-cloud-storage-and-a-google-service-account)
- [Using with Microsoft Azure Blob Storage](#using-with-microsoft-azure-blob-storage)
- [Using with Alibaba Cloud OSS Storage](#using-with-alibaba-cloud-oss-storage)
- [Using with Openstack Object Storage](#using-with-openstack-object-storage)
- [Using with Oracle Object Storage](#using-with-oracle-object-storage)
- [Using an existing secret](#using-an-existing-secret)
- [Using with local filesystem storage](#using-with-local-filesystem-storage)
- [Setting local storage permissions with initContainers](#setting-local-storage-permissions-with-initcontainers)
- [Example storage class](#example-storage-class)
- [Authentication](#authentication)
- [Basic Authentication](#basic-authentication)
- [Bearer/Token auth](#bearertoken-auth)
- [Ingress](#ingress)
- [Hosts](#hosts)
- [Extra Paths](#extra-paths)
- [Annotations](#annotations)
- [Example Ingress configuration](#example-ingress-configuration)
- [Uninstall](#uninstall)
<!-- END doctoc generated TOC please keep comment here to allow auto update -->
## Prerequisites
* [If enabled] A persistent storage resource and RW access to it
* [If enabled] Kubernetes StorageClass for dynamic provisioning
## Configuration
By default this chart will not have persistent storage, and the API service
will be *DISABLED*. This protects against unauthorized access to the API
with default configuration values.
In addition, by default, pod `securityContext.fsGroup` is set to `1000`. This
is the user/group that the ChartMuseum container runs as, and is used to
enable local persitant storage. If your cluster has DenySecurityContext enabled,
you can set `securityContext` to `{}` and still use this chart with one of
the cloud storage options.
For a more robust solution supply helm install with a custom values.yaml
You are also required to create the StorageClass resource ahead of time:
```
kubectl create -f /path/to/storage_class.yaml
```
The following table lists common configurable parameters of the chart and
their default values. See values.yaml for all available options.
| Parameter | Description | Default |
| --------------------------------------- | --------------------------------------------------------------------------- | ------------------------------------ |
| `image.pullPolicy` | Container pull policy | `IfNotPresent` |
| `image.repository` | Container image to use | `chartmuseum/chartmuseum` |
| `image.tag` | Container image tag to deploy | `v0.12.0` |
| `persistence.accessMode` | Access mode to use for PVC | `ReadWriteOnce` |
| `persistence.enabled` | Whether to use a PVC for persistent storage | `false` |
| `persistence.path` | PV mount path | `/storage` |
| `persistence.size` | Amount of space to claim for PVC | `8Gi` |
| `persistence.labels` | Additional labels for PVC | `{}` |
| `persistence.storageClass` | Storage Class to use for PVC | `-` |
| `persistence.volumeName` | Volume to use for PVC | `` |
| `persistence.pv.enabled` | Whether to use a PV for persistent storage | `false` |
| `persistence.pv.capacity.storage` | Storage size to use for PV | `8Gi` |
| `persistence.pv.accessMode` | Access mode to use for PV | `ReadWriteOnce` |
| `persistence.pv.nfs.server` | NFS server for PV | `` |
| `persistence.pv.nfs.path` | Storage Path | `` |
| `persistence.pv.pvname` | Custom name for private volume | `` |
| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` |
| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/minideb` |
| `volumePermissions.image.tag` | Init container volume-permissions image tag | `buster` |
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `Always` |
| `replicaCount` | k8s replicas | `1` |
| `resources.limits.cpu` | Container maximum CPU | `100m` |
| `resources.limits.memory` | Container maximum memory | `128Mi` |
| `resources.requests.cpu` | Container requested CPU | `80m` |
| `resources.requests.memory` | Container requested memory | `64Mi` |
| `secret.labels` | Additional labels for secret | `false` |
| `serviceAccount.create` | If true, create the service account | `false` |
| `serviceAccount.name` | Name of the serviceAccount to create or use | `{{ chartmuseum.fullname }}` |
| `serviceAccount.annotations` | Additional Service Account annotations | `{}` |
| `securityContext.enabled` | Enable securityContext | `true` |
| `securityContext.fsGroup` | Group ID for the container | `1000` |
| `securityContext.runAsNonRoot` | Running Pods as non-root | `` |
| `securityContext.supplementalGroups` | Control which group IDs containers add | `` |
| `containerSecurityContext` | Additional Container securityContext (ex. allowPrivilegeEscalation) | `{}` |
| `priorityClassName ` | priorityClassName | `""` |
| `nodeSelector` | Map of node labels for pod assignment | `{}` |
| `tolerations` | List of node taints to tolerate | `[]` |
| `affinity` | Map of node/pod affinities | `{}` |
| `schedulerName` | Kubernetes scheduler to use | `default` |
| `env.open.STORAGE` | Storage Backend to use | `local` |
| `env.open.STORAGE_ALIBABA_BUCKET` | Bucket to store charts in for Alibaba | `` |
| `env.open.STORAGE_ALIBABA_PREFIX` | Prefix to store charts under for Alibaba | `` |
| `env.open.STORAGE_ALIBABA_ENDPOINT` | Alternative Alibaba endpoint | `` |
| `env.open.STORAGE_ALIBABA_SSE` | Server side encryption algorithm to use | `` |
| `env.open.STORAGE_AMAZON_BUCKET` | Bucket to store charts in for AWS | `` |
| `env.open.STORAGE_AMAZON_ENDPOINT` | Alternative AWS endpoint | `` |
| `env.open.STORAGE_AMAZON_PREFIX` | Prefix to store charts under for AWS | `` |
| `env.open.STORAGE_AMAZON_REGION` | Region to use for bucket access for AWS | `` |
| `env.open.STORAGE_AMAZON_SSE` | Server side encryption algorithm to use | `` |
| `env.open.STORAGE_GOOGLE_BUCKET` | Bucket to store charts in for GCP | `` |
| `env.open.STORAGE_GOOGLE_PREFIX` | Prefix to store charts under for GCP | `` |
| `env.open.STORAGE_MICROSOFT_CONTAINER` | Container to store charts under for MS | `` |
| `env.open.STORAGE_MICROSOFT_PREFIX` | Prefix to store charts under for MS | `` |
| `env.open.STORAGE_OPENSTACK_CONTAINER` | Container to store charts for openstack | `` |
| `env.open.STORAGE_OPENSTACK_PREFIX` | Prefix to store charts for openstack | `` |
| `env.open.STORAGE_OPENSTACK_REGION` | Region of openstack container | `` |
| `env.open.STORAGE_OPENSTACK_CACERT` | Path to a CA cert bundle for openstack | `` |
| `env.open.STORAGE_ORACLE_COMPARTMENTID` | Compartment ID for Oracle Object Store | `` |
| `env.open.STORAGE_ORACLE_BUCKET` | Bucket to store charts in Oracle Object Store | `` |
| `env.open.STORAGE_ORACLE_PREFIX` | Prefix to store charts for Oracle object Store | `` |
| `env.open.CHART_POST_FORM_FIELD_NAME` | Form field to query for chart file content | `` |
| `env.open.PROV_POST_FORM_FIELD_NAME` | Form field to query for chart provenance | `` |
| `env.open.DEPTH` | levels of nested repos for multitenancy. | `0` |
| `env.open.DEBUG` | Show debug messages | `false` |
| `env.open.LOG_JSON` | Output structured logs in JSON | `true` |
| `env.open.DISABLE_STATEFILES` | Disable use of index-cache.yaml | `false` |
| `env.open.DISABLE_METRICS` | Disable Prometheus metrics | `true` |
| `env.open.DISABLE_API` | Disable all routes prefixed with /api | `true` |
| `env.open.ALLOW_OVERWRITE` | Allow chart versions to be re-uploaded | `false` |
| `env.open.CHART_URL` | Absolute url for .tgzs in index.yaml | `` |
| `env.open.AUTH_ANONYMOUS_GET` | Allow anon GET operations when auth is used | `false` |
| `env.open.CONTEXT_PATH` | Set the base context path | `` |
| `env.open.INDEX_LIMIT` | Parallel scan limit for the repo indexer | `` |
| `env.open.CACHE` | Cache store, can be one of: redis | `` |
| `env.open.CACHE_REDIS_ADDR` | Address of Redis service (host:port) | `` |
| `env.open.CACHE_REDIS_DB` | Redis database to be selected after connect | `0` |
| `env.open.BEARER_AUTH` | Enable bearer auth | `false` |
| `env.open.AUTH_REALM` | Realm used for bearer authentication | `` |
| `env.open.AUTH_SERVICE` | Service used for bearer authentication | `` |
| `env.field` | Expose pod information to containers through environment variables | `` |
| `env.existingSecret` | Name of the existing secret use values | `` |
| `env.existingSecret.BASIC_AUTH_USER` | Key name in the secret for the Username | `` |
| `env.existingSecret.BASIC_AUTH_PASS` | Key name in the secret for the Password | `` |
| `env.secret.BASIC_AUTH_USER` | Username for basic HTTP authentication | `` |
| `env.secret.BASIC_AUTH_PASS` | Password for basic HTTP authentication | `` |
| `env.secret.CACHE_REDIS_PASSWORD` | Redis requirepass server configuration | `` |
| `extraArgs` | Pass extra arguments to the chartmuseum binary | `` |
| `gcp.secret.enabled` | Flag for the GCP service account | `false` |
| `gcp.secret.name` | Secret name for the GCP json file | `` |
| `gcp.secret.key` | Secret key for te GCP json file | `credentials.json` |
| `oracle.secret.enabled` | Flag for Oracle OCI account | `false` |
| `oracle.secret.name` | Secret name for OCI config and key | `` |
| `oracle.secret.config` | Secret key that holds the OCI config | `config` |
| `oracle.secret.key_file` | Secret key that holds the OCI private key | `key_file` |
| `bearerAuth.secret.enabled` | Flag for bearer auth public key secret | `` |
| `bearerAuth.secret.publicKey` | The name of the secret with the public key | `` |
| `service.type` | Kubernetes Service type | `ClusterIP` |
| `service.clusterIP` | Static clusterIP or None for headless services | `nil` |
| `service.externalTrafficPolicy` | Source IP preservation (only for Service type NodePort and LoadBalancer) | `Local` |
| `service.loadBalancerSourceRanges` | Restricts access for LoadBalancer (only for Service type LoadBalancer) | `[]` |
| `service.servicename` | Custom name for service | `` |
| `service.labels` | Additional labels for service | `{}` |
| `serviceMonitor.enabled` | Enable the ServiceMontor resource to be deployed | `false` |
| `serviceMonitor.labels` | Labels for the servicemonitor used by the Prometheus Operator | `{}` |
| `serviceMonitor.namespace` | Namespace of the ServiceMonitor resource | `{{ .Release.Namespace }}` |
| `serviceMonitor.metricsPath` | Path to the Chartmuseum metrics path | `/metrics` |
| `serviceMonitor.interval` | Scrape interval, If not set, the Prometheus default scrape interval is used | `nil` |
| `serviceMonitor.timeout` | Scrape request timeout. If not set, the Prometheus default timeout is used | `nil` |
| `deployment.labels` | Additional labels for deployment | `{}` |
| `deployment.matchlabes` | Match labels for deployment selector | `{}` |
| `ingress.enabled` | Enable ingress controller resource | `false` |
| `ingress.annotations` | Ingress annotations | `[]` |
| `ingress.labels` | Ingress labels | `[]` |
| `ingress.hosts[0].name` | Hostname for the ingress | `` |
| `ingress.hosts[0].path` | Path within the url structure | `` |
| `ingress.hosts[0].tls ` | Enable TLS on the ingress host | `false` |
| `ingress.hosts[0].tlsSecret` | TLS secret to use (must be manually created) | `` |
| `ingress.hosts[0].serviceName` | The name of the service to route traffic to. | `{{ .Values.service.externalPort }}` |
| `ingress.hosts[0].servicePort` | The port of the service to route traffic to. | `{{ .chartmuseum. }}` |
| `ingress.extraPaths[0].path` | Path within the url structure. | `` |
| `ingress.extraPaths[0].service` | The name of the service to route traffic to. | `` |
| `ingress.extraPaths[0].port` | The port of the service to route traffic to. | `` |
Specify each parameter using the `--set key=value[,key=value]` argument to
`helm install`.
## Installation
```shell
helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
```
### Using with Amazon S3
Make sure your environment is properly setup to access `my-s3-bucket`
You need at least the following permissions inside your IAM Policy
```yaml
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListObjects",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::my-s3-bucket"
},
{
"Sid": "AllowObjectsCRUD",
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::my-s3-bucket/*"
}
]
}
```
You can grant it to `chartmuseum` by several ways:
#### permissions grant with access keys
Grant permissions to `special user` and us it's access keys for auth on aws
Specify `custom.yaml` with such values
```yaml
env:
open:
STORAGE: amazon
STORAGE_AMAZON_BUCKET: my-s3-bucket
STORAGE_AMAZON_PREFIX:
STORAGE_AMAZON_REGION: us-east-1
secret:
AWS_ACCESS_KEY_ID: "********" ## aws access key id value
AWS_SECRET_ACCESS_KEY: "********" ## aws access key secret value
```
Run command to install
```shell
helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
```
#### permissions grant with IAM instance profile
You can grant permissions to k8s node IAM instance profile.
For more information read this [article](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html)
Specify `custom.yaml` with such values
```yaml
env:
open:
STORAGE: amazon
STORAGE_AMAZON_BUCKET: my-s3-bucket
STORAGE_AMAZON_PREFIX:
STORAGE_AMAZON_REGION: us-east-1
```
Run command to install
```shell
helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
```
#### permissions grant with IAM assumed role
To provide access with assumed role you need to install [kube2iam](https://github.com/kubernetes/charts/tree/master/stable/kube2iam)
and create role with granded permissions.
Specify `custom.yaml` with such values
```yaml
env:
open:
STORAGE: amazon
STORAGE_AMAZON_BUCKET: my-s3-bucket
STORAGE_AMAZON_PREFIX:
STORAGE_AMAZON_REGION: us-east-1
replica:
annotations:
iam.amazonaws.com/role: "{assumed role name}"
```
Run command to install
```shell
helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
```
#### permissions grant with IAM Roles for Service Accounts
For Amazon EKS clusters, access can be provided with a service account using [IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
Specify `custom.yaml` with such values
```yaml
env:
open:
STORAGE: amazon
STORAGE_AMAZON_BUCKET: my-s3-bucket
STORAGE_AMAZON_PREFIX:
STORAGE_AMAZON_REGION: us-east-1
serviceAccount:
create: true
annotations:
eks.amazonaws.com/role-arn: "arn:aws:iam::{aws account ID}:role/{assumed role name}"
```
Run command to install
```shell
helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
```
### Using with Google Cloud Storage
Make sure your environment is properly setup to access `my-gcs-bucket`
Specify `custom.yaml` with such values
```yaml
env:
open:
STORAGE: google
STORAGE_GOOGLE_BUCKET: my-gcs-bucket
STORAGE_GOOGLE_PREFIX:
```
### Using with Google Cloud Storage and a Google Service Account
A Google service account credentials are stored in a json file. There are two approaches here. Ideally you don't want to send your secrets to tiller. In that case, before installing this chart, you should create a secret with those credentials:
```shell
kubectl create secret generic chartmuseum-secret --from-file=credentials.json="my-project-45e35d85a593.json"
```
Then you can either use a `VALUES` yaml with your values or set those values in the command line:
```shell
helm install stable/chartmuseum --debug --set gcp.secret.enabled=true,env.open.STORAGE=google,env.open.DISABLE_API=false,env.open.STORAGE_GOOGLE_BUCKET=my-gcp-chartmuseum,gcp.secret.name=chartmuseum-secret
```
If you prefer to use a yaml file:
```yaml
env:
open:
STORAGE: google
STORAGE_GOOGLE_BUCKET: my-gcs-bucket
STORAGE_GOOGLE_PREFIX:
gcp:
secret:
enabled: true
name: chartmuseum-secret
key: credentials.json
```
Run command to install
```shell
helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
```
In case that you don't mind adding your secret to tiller (you shouldn't do it), this are the commands
```yaml
env:
open:
STORAGE: google
STORAGE_GOOGLE_BUCKET: my-gcs-bucket
STORAGE_GOOGLE_PREFIX:
secret:
GOOGLE_CREDENTIALS_JSON: my-json-file-base64-encoded
gcp:
secret:
enabled: true
```
Run command to install
```shell
helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
```
To set the values directly in the command line, use the following command. Note that we have to base64 encode the json file because we cannot pass a multi-line text as a value.
```shell
export JSONKEY=$(cat my-project-77e35d85a593.json | base64)
helm install stable/chartmuseum --debug --set gcp.secret.enabled=true,env.secret.GOOGLE_CREDENTIALS_JSON=${JSONKEY},env.open.STORAGE=google,env.open.DISABLE_API=false,env.open.STORAGE_GOOGLE_BUCKET=my-gcp-chartmuseum
```
### Using with Microsoft Azure Blob Storage
Make sure your environment is properly setup to access `mycontainer`.
To do so, you must set the following env vars:
- `AZURE_STORAGE_ACCOUNT`
- `AZURE_STORAGE_ACCESS_KEY`
Specify `custom.yaml` with such values
```yaml
env:
open:
STORAGE: microsoft
STORAGE_MICROSOFT_CONTAINER: mycontainer
# prefix to store charts for microsoft storage backend
STORAGE_MICROSOFT_PREFIX:
secret:
AZURE_STORAGE_ACCOUNT: "********" ## azure storage account
AZURE_STORAGE_ACCESS_KEY: "********" ## azure storage account access key
```
Run command to install
```shell
helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
```
### Using with Alibaba Cloud OSS Storage
Make sure your environment is properly setup to access `my-oss-bucket`.
To do so, you must set the following env vars:
- `ALIBABA_CLOUD_ACCESS_KEY_ID`
- `ALIBABA_CLOUD_ACCESS_KEY_SECRET`
Specify `custom.yaml` with such values
```yaml
env:
open:
STORAGE: alibaba
STORAGE_ALIBABA_BUCKET: my-oss-bucket
STORAGE_ALIBABA_PREFIX:
STORAGE_ALIBABA_ENDPOINT: oss-cn-beijing.aliyuncs.com
secret:
ALIBABA_CLOUD_ACCESS_KEY_ID: "********" ## alibaba OSS access key id
ALIBABA_CLOUD_ACCESS_KEY_SECRET: "********" ## alibaba OSS access key secret
```
Run command to install
```shell
helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
```
### Using with Openstack Object Storage
Make sure your environment is properly setup to access `mycontainer`.
To do so, you must set the following env vars (depending on your openstack version):
- `OS_AUTH_URL`
- either `OS_PROJECT_NAME` or `OS_TENANT_NAME` or `OS_PROJECT_ID` or `OS_TENANT_ID`
- either `OS_DOMAIN_NAME` or `OS_DOMAIN_ID`
- either `OS_USERNAME` or `OS_USERID`
- `OS_PASSWORD`
Specify `custom.yaml` with such values
```yaml
env:
open:
STORAGE: openstack
STORAGE_OPENSTACK_CONTAINER: mycontainer
STORAGE_OPENSTACK_PREFIX:
STORAGE_OPENSTACK_REGION: YOURREGION
secret:
OS_AUTH_URL: https://myauth.url.com/v2.0/
OS_TENANT_ID: yourtenantid
OS_USERNAME: yourusername
OS_PASSWORD: yourpassword
```
Run command to install
```shell
helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
```
### Using with Oracle Object Storage
Oracle (OCI) configuration and private key need to be added to a secret and are mounted at /home/chartmuseum/.oci. Your OCI config needs to be under [DEFAULT] and your `key_file` needs to be /home/chartmuseum/.oci/oci.key. See https://docs.cloud.oracle.com/iaas/Content/API/Concepts/sdkconfig.htm
```shell
kubectl create secret generic chartmuseum-secret --from-file=config=".oci/config" --from-file=key_file=".oci/oci.key"
```
Then you can either use a `VALUES` yaml with your values or set those values in the command line:
```shell
helm install stable/chartmuseum --debug --set env.open.STORAGE=oracle,env.open.STORAGE_ORACLE_COMPARTMENTID=ocid1.compartment.oc1..abc123,env.open.STORAGE_ORACLE_BUCKET=myocibucket,env.open.STORAGE_ORACLE_PREFIX=chartmuseum,oracle.secret.enabled=true,oracle.secret.name=chartmuseum-secret
```
If you prefer to use a yaml file:
```yaml
env:
open:
STORAGE: oracle
STORAGE_ORACLE_COMPARTMENTID: ocid1.compartment.oc1..abc123
STORAGE_ORACLE_BUCKET: myocibucket
STORAGE_ORACLE_PREFIX: chartmuseum
oracle:
secret:
enabled: enabled
name: chartmuseum-secret
config: config
key_file: key_file
```
Run command to install
```shell
helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
```
### Using an existing secret
It is possible to pre-create a secret in kubernetes and get this chart to use that
Given you are for example using the above AWS example
You could create a Secret like this
```shell
kubectl create secret generic chartmuseum-secret --from-literal="aws-access-key=myaccesskey" --from-literal="aws-secret-access-key=mysecretaccesskey" --from-literal="basic-auth-user=curator" --from-literal="basic-auth-pass=mypassword"
```
Specify `custom.yaml` with such values
```yaml
env:
open:
STORAGE: amazonexistingSecret
STORAGE_AMAZON_BUCKET: my-s3-bucket
STORAGE_AMAZON_PREFIX:
STORAGE_AMAZON_REGION: us-east-1
existingSecret: chartmuseum-secret
existingSecretMappings:
AWS_ACCESS_KEY_ID: aws-access-key
AWS_SECRET_ACCESS_KEY: aws-secret-access-key
BASIC_AUTH_USER: basic-auth-user
BASIC_AUTH_PASS: basic-auth-pass
```
Run command to install
```shell
helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
```
### Using with local filesystem storage
By default chartmuseum uses local filesystem storage.
But on pod recreation it will lose all charts, to prevent that enable persistent storage.
```yaml
env:
open:
STORAGE: local
persistence:
enabled: true
accessMode: ReadWriteOnce
size: 8Gi
## A manually managed Persistent Volume and Claim
## Requires persistence.enabled: true
## If defined, PVC must be created manually before volume will be bound
# existingClaim:
## Chartmuseum data Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
# storageClass: "-"
```
Run command to install
```shell
helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
```
### Setting local storage permissions with initContainers
Some clusters do not allow using securityContext to set permissions for persistent volumes. Instead, an initContainer can be created to run `chown` on the mounted volume. To enable it, set `securityContext.enabled` to `false`.
#### Example storage class
Example storage-class.yaml provided here for use with a Ceph cluster.
```
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: storage-volume
provisioner: kubernetes.io/rbd
parameters:
monitors: "10.11.12.13:4567,10.11.12.14:4567"
adminId: admin
adminSecretName: thesecret
adminSecretNamespace: default
pool: chartstore
userId: user
userSecretName: thesecret
```
### Authentication
By default this chart does not have any authentication configured and allows anyone to fetch or upload (assuming the API is enabled) charts there are two supported methods of authentication
#### Basic Authentication
This allows all API routes to be protected by HTTP basic auth, this is configured either as plain text in the values that gets stored as a secret in the kubernetes cluster by setting:
```yaml
env:
secret:
BASIC_AUTH_USER: curator
BASIC_AUTH_PASS: mypassword
```
Or by using values from an existing secret in the cluster that can be created using:
```shell
kubectl create secret generic chartmuseum-secret --from-literal="basic-auth-user=curator" --from-literal="basic-auth-pass=mypassword"
```
This secret can be used in the values file as follows:
```yaml
env:
existingSecret: chartmuseum-secret
existingSecretMappings:
BASIC_AUTH_USER: basic-auth-user
BASIC_AUTH_PASS: basic-auth-pass
```
#### Bearer/Token auth
When using this ChartMuseum is configured with a public key, and will accept RS256 JWT tokens signed by the associated private key, passed in the Authorization header. You can use the [chartmuseum/auth](https://github.com/chartmuseum/auth) Go library to generate valid JWT tokens. For more information about how this works, please see [chartmuseum/auth-server-example](https://github.com/chartmuseum/auth-server-example)
To use this the public key should be stored in a secret this can be done with
```shell
kubectl create secret generic chartmuseum-public-key --from-file=public-key.pem
```
And Bearer/Token auth can be configured using the following values
```yaml
env:
open:
BEARER_AUTH: true
AUTH_REALM: <realm>
AUTH_SERVICE: <service>
bearerAuth:
secret:
enabled: true
publicKeySecret: chartmuseum-public-key
```
### Ingress
This chart provides support for ingress resources. If you have an ingress controller installed on your cluster, such as [nginx-ingress](https://hub.kubeapps.com/charts/stable/nginx-ingress) or [traefik](https://hub.kubeapps.com/charts/stable/traefik) you can utilize the ingress controller to expose Kubeapps.
To enable ingress integration, please set `ingress.enabled` to `true`
#### Hosts
Most likely you will only want to have one hostname that maps to this Chartmuseum installation, however, it is possible to have more than one host. To facilitate this, the `ingress.hosts` object is an array. TLS secrets referenced in the ingress host configuration must be manually created in the namespace.
In most cases, you should not specify values for `ingress.hosts[0].serviceName` and `ingress.hosts[0].servicePort`. However, some ingress controllers support advanced scenarios requiring you to specify these values. For example, [setting up an SSL redirect using the AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/tasks/ssl_redirect/).
#### Extra Paths
Specifying extra paths to prepend to every host configuration is especially useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions).
```shell
helm install --name my-chartmuseum stable/chartmuseum \
--set ingress.enabled=true \
--set ingress.hosts[0].name=chartmuseum.domain.com \
--set ingress.extraPaths[0].service=ssl-redirect \
--set ingress.extraPaths[0].port=use-annotation \
```
#### Annotations
For annotations, please see [this document for nginx](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md) and [this document for Traefik](https://docs.traefik.io/configuration/backends/kubernetes/#general-annotations). Not all annotations are supported by all ingress controllers, but this document does a good job of indicating which annotation is supported by many popular ingress controllers. Annotations can be set using `ingress.annotations`.
#### Example Ingress configuration
```shell
helm install --name my-chartmuseum stable/chartmuseum \
--set ingress.enabled=true \
--set ingress.hosts[0].name=chartmuseum.domain.com \
--set ingress.hosts[0].path=/
--set ingress.hosts[0].tls=true
--set ingress.hosts[0].tlsSecret=chartmuseum.tls-secret
```
## Uninstall
By default, a deliberate uninstall will result in the persistent volume
claim being deleted.
```shell
helm delete my-chartmuseum
```
To delete the deployment and its history:
```shell
helm delete --purge my-chartmuseum
```

9
chartmuseum/ci/ingress-values.yaml
View File

@ -1,9 +0,0 @@
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
hosts:
- name: chartmuseum.domain1.com
path: /
tls: false

30
chartmuseum/templates/NOTES.txt
View File

@ -1,30 +0,0 @@
** Please be patient while the chart is being deployed **
Get the ChartMuseum URL by running:
{{- if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "chartmuseum.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT{{ .Values.env.open.CONTEXT_PATH }}/
{{- else if contains "LoadBalancer" .Values.service.type }}
** Please ensure an external IP is associated to the {{ template "chartmuseum.fullname" . }} service before proceeding **
** Watch the status using: kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "chartmuseum.fullname" . }} **
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "chartmuseum.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
echo http://$SERVICE_IP:{{ .Values.service.externalPort }}{{ .Values.env.open.CONTEXT_PATH }}/
OR
export SERVICE_HOST=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "chartmuseum.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
echo http://$SERVICE_HOST:{{ .Values.service.externalPort }}{{ .Values.env.open.CONTEXT_PATH }}/
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "chartmuseum.name" . }}" -l "release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo http://127.0.0.1:8080{{ .Values.env.open.CONTEXT_PATH }}/
kubectl port-forward $POD_NAME 8080:8080 --namespace {{ .Release.Namespace }}
{{- end }}

142
chartmuseum/templates/_helpers.tpl
View File

@ -1,142 +0,0 @@
{{- /*
name defines a template for the name of the chartmuseum chart.
The prevailing wisdom is that names should only contain a-z, 0-9 plus dot (.) and dash (-), and should
not exceed 63 characters.
Parameters:
- .Values.nameOverride: Replaces the computed name with this given name
- .Values.namePrefix: Prefix
- .Values.global.namePrefix: Global prefix
- .Values.nameSuffix: Suffix
- .Values.global.nameSuffix: Global suffix
The applied order is: "global prefix + prefix + name + suffix + global suffix"
Usage: 'name: "{{- template "chartmuseum.name" . -}}"'
*/ -}}
{{- define "chartmuseum.name"}}
{{- $global := default (dict) .Values.global -}}
{{- $base := default .Chart.Name .Values.nameOverride -}}
{{- $gpre := default "" $global.namePrefix -}}
{{- $pre := default "" .Values.namePrefix -}}
{{- $suf := default "" .Values.nameSuffix -}}
{{- $gsuf := default "" $global.nameSuffix -}}
{{- $name := print $gpre $pre $base $suf $gsuf -}}
{{- $name | lower | trunc 54 | trimSuffix "-" -}}
{{- end -}}
{{- /*
fullname defines a suitably unique name for a resource by combining
the release name and the chartmuseum chart name.
The prevailing wisdom is that names should only contain a-z, 0-9 plus dot (.) and dash (-), and should
not exceed 63 characters.
Parameters:
- .Values.fullnameOverride: Replaces the computed name with this given name
- .Values.fullnamePrefix: Prefix
- .Values.global.fullnamePrefix: Global prefix
- .Values.fullnameSuffix: Suffix
- .Values.global.fullnameSuffix: Global suffix
The applied order is: "global prefix + prefix + name + suffix + global suffix"
Usage: 'name: "{{- template "chartmuseum.fullname" . -}}"'
*/ -}}
{{- define "chartmuseum.fullname"}}
{{- $global := default (dict) .Values.global -}}
{{- $base := default (printf "%s-%s" .Release.Name .Chart.Name) .Values.fullnameOverride -}}
{{- $gpre := default "" $global.fullnamePrefix -}}
{{- $pre := default "" .Values.fullnamePrefix -}}
{{- $suf := default "" .Values.fullnameSuffix -}}
{{- $gsuf := default "" $global.fullnameSuffix -}}
{{- $name := print $gpre $pre $base $suf $gsuf -}}
{{- $name | lower | trunc 54 | trimSuffix "-" -}}
{{- end -}}
{{- /*
chartmuseum.labels.standard prints the standard chartmuseum Helm labels.
The standard labels are frequently used in metadata.
*/ -}}
{{- define "chartmuseum.labels.standard" -}}
app: {{ template "chartmuseum.name" . }}
chart: {{ template "chartmuseum.chartref" . }}
heritage: {{ .Release.Service | quote }}
release: {{ .Release.Name | quote }}
{{- end -}}
{{- /*
chartmuseum.chartref prints a chart name and version.
It does minimal escaping for use in Kubernetes labels.
Example output:
chartmuseum-0.4.5
*/ -}}
{{- define "chartmuseum.chartref" -}}
{{- replace "+" "_" .Chart.Version | printf "%s-%s" .Chart.Name -}}
{{- end -}}
{{/*
Return the proper image name to change the volume permissions
*/}}
{{- define "chartmuseum.volumePermissions.image" -}}
{{- $registryName := .Values.volumePermissions.image.registry -}}
{{- $repositoryName := .Values.volumePermissions.image.repository -}}
{{- $tag := .Values.volumePermissions.image.tag | toString -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
Also, we can't use a single if because lazy evaluation is not an option
*/}}
{{- if .Values.global }}
{{- if .Values.global.imageRegistry }}
{{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
*/}}
{{- define "chartmuseum.imagePullSecrets" -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic.
Also, we can not use a single if because lazy evaluation is not an option
*/}}
{{- if .Values.global }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- else if or .Values.image.pullSecrets .Values.volumePermissions.image.pullSecrets }}
imagePullSecrets:
{{- range .Values.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- range .Values.volumePermissions.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end -}}
{{- else if or .Values.image.pullSecrets .Values.volumePermissions.image.pullSecrets }}
imagePullSecrets:
{{- range .Values.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- range .Values.volumePermissions.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end -}}
{{- end -}}

220
chartmuseum/templates/deployment.yaml
View File

@ -1,220 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "chartmuseum.fullname" . }}
annotations:
{{ toYaml .Values.deployment.annotations | indent 4 }}
labels:
{{ include "chartmuseum.labels.standard" . | indent 4 }}
{{- if .Values.deployment.labels }}
{{ toYaml .Values.deployment.labels | indent 4 }}
{{- end }}
spec:
selector:
matchLabels:
app: {{ template "chartmuseum.name" . }}
release: {{ .Release.Name | quote }}
{{- if .Values.deployment.labels }}
{{ toYaml .Values.deployment.labels | indent 6 }}
{{- end }}
replicas: {{ .Values.replicaCount }}
strategy:
{{ toYaml .Values.strategy | indent 4 }}
revisionHistoryLimit: 10
{{- if .Values.deployment.matchlabes }}
selector:
matchLabels:
{{ toYaml .Values.deployment.matchlabels | indent 6 }}
{{- end }}
template:
metadata:
name: {{ include "chartmuseum.fullname" . }}
annotations:
{{ toYaml .Values.replica.annotations | indent 8 }}
labels:
app: {{ template "chartmuseum.name" . }}
release: {{ .Release.Name | quote }}
{{- if .Values.deployment.labels }}
{{ toYaml .Values.deployment.labels | indent 8 }}
{{- end }}
spec:
{{- if .Values.priorityClassName }}
priorityClassName: "{{ .Values.priorityClassName }}"
{{- end }}
{{- if .Values.securityContext.enabled }}
securityContext:
fsGroup: {{ .Values.securityContext.fsGroup }}
{{- if .Values.securityContext.runAsNonRoot }}
runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }}
{{- end }}
{{- if .Values.securityContext.supplementalGroups }}
supplementalGroups: {{ .Values.securityContext.supplementalGroups }}
{{- end }}
{{- else if .Values.persistence.enabled }}
initContainers:
- name: volume-permissions
image: {{ template "chartmuseum.volumePermissions.image" . }}
imagePullPolicy: "{{ .Values.volumePermissions.image.pullPolicy }}"
securityContext:
{{- toYaml .Values.containerSecurityContext | nindent 10 }}
command: ['sh', '-c', 'chown -R {{ .Values.securityContext.fsGroup }}:{{ .Values.securityContext.fsGroup }} {{ .Values.persistence.path }}']
volumeMounts:
- mountPath: {{ .Values.persistence.path }}
name: storage-volume
{{- end }}
{{- include "chartmuseum.imagePullSecrets" . | indent 6 }}
containers:
- name: {{ .Chart.Name }}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{- toYaml .Values.containerSecurityContext | nindent 10 }}
env:
{{- range $name, $value := .Values.env.open }}
{{- if not (empty $value) }}
- name: {{ $name | quote }}
value: {{ $value | quote }}
{{- end }}
{{- end }}
{{- range $name, $value := .Values.env.field }}
{{- if not ( empty $value) }}
- name: {{ $name | quote }}
valueFrom:
fieldRef:
fieldPath: {{ $value | quote }}
{{- end }}
{{- end }}
{{- if .Values.gcp.secret.enabled }}
- name: GOOGLE_APPLICATION_CREDENTIALS
value: "/etc/secrets/google/credentials.json"
{{- end }}
{{- if .Values.env.existingSecret }}
{{- $secret_name := .Values.env.existingSecret }}
{{- range $name, $key := .Values.env.existingSecretMappings }}
{{- if not ( empty $key) }}
- name: {{ $name | quote }}
valueFrom:
secretKeyRef:
name: {{ $secret_name | quote }}
key: {{ $key | quote }}
{{- end }}
{{- end }}
{{- else }}
{{- $secret_name := include "chartmuseum.fullname" . }}
{{- range $name, $value := .Values.env.secret }}
{{- if not ( empty $value) }}
- name: {{ $name | quote }}
valueFrom:
secretKeyRef:
name: {{ $secret_name }}
key: {{ $name | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.bearerAuth.secret.enabled }}
- name: AUTH_CERT_PATH
value: /var/keys/public-key.pem
{{ end }}
args:
- --port=8080
{{- if eq .Values.env.open.STORAGE "local" }}
- --storage-local-rootdir={{ .Values.persistence.path }}
{{- end }}
{{- if .Values.extraArgs }}
{{ toYaml .Values.extraArgs | indent 8 }}
{{- end }}
ports:
- name: http
containerPort: 8080
livenessProbe:
httpGet:
path: {{ .Values.env.open.CONTEXT_PATH }}/health
port: http
{{ toYaml .Values.probes.liveness | indent 10 }}
readinessProbe:
httpGet:
path: {{ .Values.env.open.CONTEXT_PATH }}/health
port: http
{{ toYaml .Values.probes.readiness | indent 10 }}
volumeMounts:
{{- if eq .Values.env.open.STORAGE "local" }}
- mountPath: {{ .Values.persistence.path }}
name: storage-volume
{{- end }}
{{- if .Values.gcp.secret.enabled }}
- mountPath: /etc/secrets/google
name: {{ include "chartmuseum.fullname" . }}-gcp
{{- end }}
{{- if .Values.oracle.secret.enabled }}
- mountPath: /home/chartmuseum/.oci
name: {{ include "chartmuseum.fullname" . }}-oracle
{{- end }}
{{- if .Values.bearerAuth.secret.enabled }}
- name: public-key
mountPath: /var/keys
readOnly: true
{{- end }}
{{- with .Values.resources }}
resources:
{{ toYaml . | indent 10 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- if .Values.deployment.schedulerName }}
schedulerName: {{ .Values.deployment.schedulerName }}
{{- end -}}
{{- if and .Values.serviceAccount.create .Values.serviceAccount.name }}
serviceAccountName: {{ .Values.serviceAccount.name }}
{{- else if .Values.serviceAccount.create }}
serviceAccountName: {{ include "chartmuseum.fullname" . }}
{{- else if .Values.serviceAccount.name }}
serviceAccountName: {{ .Values.serviceAccount.name }}
{{- end }}
volumes:
- name: storage-volume
{{- if .Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ .Values.persistence.existingClaim | default (include "chartmuseum.fullname" .) }}
{{- else }}
emptyDir: {}
{{- end -}}
{{ if .Values.gcp.secret.enabled }}
- name: {{ include "chartmuseum.fullname" . }}-gcp
secret:
{{ if .Values.env.secret.GOOGLE_CREDENTIALS_JSON }}
secretName: {{ include "chartmuseum.fullname" . }}
items:
- key: GOOGLE_CREDENTIALS_JSON
path: credentials.json
{{ else }}
secretName: {{ .Values.gcp.secret.name }}
items:
- key: {{ .Values.gcp.secret.key }}
path: credentials.json
{{ end }}
{{ end }}
{{ if .Values.oracle.secret.enabled }}
- name: {{ include "chartmuseum.fullname" . }}-oracle
secret:
secretName: {{ .Values.oracle.secret.name }}
items:
- key: {{ .Values.oracle.secret.config }}
path: config
- key: {{ .Values.oracle.secret.key_file }}
path: oci.key
{{ end }}
{{- if .Values.bearerAuth.secret.enabled }}
- name: public-key
secret:
secretName: {{ .Values.bearerAuth.secret.publicKeySecret }}
{{- end }}

54
chartmuseum/templates/ingress.yaml
View File

@ -1,54 +0,0 @@
{{- if .Values.ingress.enabled }}
{{- $servicePort := .Values.service.externalPort -}}
{{- $serviceName := include "chartmuseum.fullname" . -}}
{{- $ingressExtraPaths := .Values.ingress.extraPaths -}}
---
{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion }}
apiVersion: networking.k8s.io/v1beta1
{{- else }}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ include "chartmuseum.fullname" . }}
annotations:
{{ toYaml .Values.ingress.annotations | indent 4 }}
labels:
{{- if .Values.ingress.labels }}
{{ toYaml .Values.ingress.labels | indent 4 }}
{{- end }}
{{ include "chartmuseum.labels.standard" . | indent 4 }}
spec:
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .name }}
http:
paths:
{{- range $ingressExtraPaths }}
- path: {{ default "/" .path | quote }}
backend:
{{- if $.Values.service.servicename }}
serviceName: {{ $.Values.service.servicename }}
{{- else }}
serviceName: {{ default $serviceName .service }}
{{- end }}
servicePort: {{ default $servicePort .port }}
{{- end }}
- path: {{ default "/" .path | quote }}
backend:
{{- if $.Values.service.servicename }}
serviceName: {{ $.Values.service.servicename }}
{{- else }}
serviceName: {{ default $serviceName .service }}
{{- end }}
servicePort: {{ default $servicePort .servicePort }}
{{- end }}
tls:
{{- range .Values.ingress.hosts }}
{{- if .tls }}
- hosts:
- {{ .name }}
secretName: {{ .tlsSecret }}
{{- end }}
{{- end }}
{{- end -}}

21
chartmuseum/templates/pv.yaml
View File

@ -1,21 +0,0 @@
{{- if .Values.persistence.pv.enabled -}}
apiVersion: v1
kind: PersistentVolume
metadata:
{{- if .Values.persistence.pv.pvname }}
name: {{ .Values.persistence.pv.pvname }}
{{- else }}
name: {{ include "chartmuseum.fullname" . }}
{{- end }}
labels:
app: {{ include "chartmuseum.fullname" . }}
release: {{ .Release.Name | quote }}
spec:
capacity:
storage: {{ .Values.persistence.pv.capacity.storage }}
accessModes:
- {{ .Values.persistence.pv.accessMode | quote }}
nfs:
server: {{ .Values.persistence.pv.nfs.server }}
path: {{ .Values.persistence.pv.nfs.path | quote }}
{{- end }}

27
chartmuseum/templates/pvc.yaml
View File

@ -1,27 +0,0 @@
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ include "chartmuseum.fullname" . }}
labels:
app: {{ include "chartmuseum.fullname" . }}
release: {{ .Release.Name | quote }}
{{- if .Values.persistence.labels }}
{{ toYaml .Values.persistence.labels | indent 4 }}
{{- end }}
spec:
accessModes:
- {{ .Values.persistence.accessMode | quote }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- if .Values.persistence.storageClass }}
{{- if (eq "-" .Values.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.persistence.storageClass }}"
{{- end }}
{{- else if and .Values.persistence.volumeName (.Values.persistence.pv.enabled) }}
volumeName: "{{ .Values.persistence.volumeName }}"
{{- end }}
{{- end }}

22
chartmuseum/templates/secret.yaml
View File

@ -1,22 +0,0 @@
{{- if not .Values.env.existingSecret -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "chartmuseum.fullname" . }}
labels:
{{- if .Values.secret.labels }}
{{ toYaml .Values.secret.labels | indent 4 }}
{{- end }}
{{ include "chartmuseum.labels.standard" . | indent 4 }}
type: Opaque
data:
{{- range $name, $value := .Values.env.secret }}
{{- if not (empty $value) }}
{{- if eq $name "GOOGLE_CREDENTIALS_JSON" }}
{{ $name }}: {{ $value }}
{{- else }}
{{ $name }}: {{ $value | b64enc }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

45
chartmuseum/templates/service.yaml
View File

@ -1,45 +0,0 @@
apiVersion: v1
kind: Service
metadata:
{{- if .Values.service.servicename }}
name: {{ .Values.service.servicename }}
{{- else }}
name: {{ include "chartmuseum.fullname" . }}
{{- end }}
labels:
{{ include "chartmuseum.labels.standard" . | indent 4 }}
{{- if .Values.service.labels }}
{{ toYaml .Values.service.labels | indent 4 }}
{{- end }}
{{- if .Values.service.annotations }}
annotations:
{{ toYaml .Values.service.annotations | indent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
{{- if (or (eq .Values.service.type "LoadBalancer") (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort)))) }}
externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}
{{- end }}
{{- if (and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges) }}
loadBalancerSourceRanges:
{{- with .Values.service.loadBalancerSourceRanges }}
{{ toYaml . | indent 2 }}
{{- end }}
{{- end }}
{{- if eq .Values.service.type "ClusterIP" }}
{{- if .Values.service.clusterIP }}
clusterIP: {{ .Values.service.clusterIP }}
{{- end }}
{{- end }}
ports:
- port: {{ .Values.service.externalPort }}
{{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }}
nodePort: {{.Values.service.nodePort}}
{{- else }}
targetPort: http
{{- end }}
protocol: TCP
name: http
selector:
app: {{ template "chartmuseum.name" . }}
release: {{ .Release.Name | quote }}

17
chartmuseum/templates/serviceaccount.yaml
View File

@ -1,17 +0,0 @@
{{- if .Values.serviceAccount.create -}}
---
apiVersion: v1
kind: ServiceAccount
metadata:
{{- if .Values.serviceAccount.name }}
name: {{ .Values.serviceAccount.name }}
{{- else }}
name: {{ include "chartmuseum.fullname" . }}
{{- end }}
labels:
{{ include "chartmuseum.labels.standard" . | indent 4 }}
{{- if .Values.serviceAccount.annotations }}
annotations:
{{ toYaml .Values.serviceAccount.annotations | nindent 4 }}
{{- end }}
{{- end -}}

34
chartmuseum/templates/servicemonitor.yaml
View File

@ -1,34 +0,0 @@
{{- if and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) ( .Values.serviceMonitor.enabled ) }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
{{- if .Values.serviceMonitor.labels }}
labels:
{{ toYaml .Values.serviceMonitor.labels | indent 4 }}
{{- end }}
name: {{ template "chartmuseum.fullname" . }}
namespace: {{ .Release.Namespace }}
{{- if .Values.serviceMonitor.namespace }}
namespace: {{ .Values.serviceMonitor.namespace }}
{{- end }}
spec:
endpoints:
- targetPort: 8080
{{- if .Values.serviceMonitor.interval }}
interval: {{ .Values.serviceMonitor.interval }}
{{- end }}
{{- if .Values.serviceMonitor.metricsPath }}
path: {{ .Values.serviceMonitor.metricsPath }}
{{- end }}
{{- if .Values.serviceMonitor.timeout }}
scrapeTimeout: {{ .Values.serviceMonitor.timeout }}
{{- end }}
jobLabel: {{ template "chartmuseum.fullname" . }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
selector:
matchLabels:
app: {{ template "chartmuseum.name" . }}
release: {{ .Release.Name }}
{{- end }}

306
chartmuseum/values.yaml
View File

@ -1,306 +0,0 @@
extraArgs:
# - --storage-timestamp-tolerance 1s
replicaCount: 1
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 0
image:
repository: chartmuseum/chartmuseum
tag: v0.12.0
pullPolicy: IfNotPresent
secret:
labels: {}
env:
open:
# storage backend, can be one of: local, alibaba, amazon, google, microsoft, oracle
STORAGE: local
# oss bucket to store charts for alibaba storage backend
STORAGE_ALIBABA_BUCKET:
# prefix to store charts for alibaba storage backend
STORAGE_ALIBABA_PREFIX:
# oss endpoint to store charts for alibaba storage backend
STORAGE_ALIBABA_ENDPOINT:
# server side encryption algorithm for alibaba storage backend, can be one
# of: AES256 or KMS
STORAGE_ALIBABA_SSE:
# s3 bucket to store charts for amazon storage backend
STORAGE_AMAZON_BUCKET:
# prefix to store charts for amazon storage backend
STORAGE_AMAZON_PREFIX:
# region of s3 bucket to store charts
STORAGE_AMAZON_REGION:
# alternative s3 endpoint
STORAGE_AMAZON_ENDPOINT:
# server side encryption algorithm
STORAGE_AMAZON_SSE:
# gcs bucket to store charts for google storage backend
STORAGE_GOOGLE_BUCKET:
# prefix to store charts for google storage backend
STORAGE_GOOGLE_PREFIX:
# container to store charts for microsoft storage backend
STORAGE_MICROSOFT_CONTAINER:
# prefix to store charts for microsoft storage backend
STORAGE_MICROSOFT_PREFIX:
# container to store charts for openstack storage backend
STORAGE_OPENSTACK_CONTAINER:
# prefix to store charts for openstack storage backend
STORAGE_OPENSTACK_PREFIX:
# region of openstack container
STORAGE_OPENSTACK_REGION:
# path to a CA cert bundle for your openstack endpoint
STORAGE_OPENSTACK_CACERT:
# compartment id for for oracle storage backend
STORAGE_ORACLE_COMPARTMENTID:
# oci bucket to store charts for oracle storage backend
STORAGE_ORACLE_BUCKET:
# prefix to store charts for oracle storage backend
STORAGE_ORACLE_PREFIX:
# form field which will be queried for the chart file content
CHART_POST_FORM_FIELD_NAME: chart
# form field which will be queried for the provenance file content
PROV_POST_FORM_FIELD_NAME: prov
# levels of nested repos for multitenancy. The default depth is 0 (singletenant server)
DEPTH: 0
# show debug messages
DEBUG: false
# output structured logs as json
LOG_JSON: true
# disable use of index-cache.yaml
DISABLE_STATEFILES: false
# disable Prometheus metrics
DISABLE_METRICS: true
# disable all routes prefixed with /api
DISABLE_API: true
# allow chart versions to be re-uploaded
ALLOW_OVERWRITE: false
# absolute url for .tgzs in index.yaml
CHART_URL:
# allow anonymous GET operations when auth is used
AUTH_ANONYMOUS_GET: false
# sets the base context path
CONTEXT_PATH:
# parallel scan limit for the repo indexer
INDEX_LIMIT: 0
# cache store, can be one of: redis (leave blank for inmemory cache)
CACHE:
# address of Redis service (host:port)
CACHE_REDIS_ADDR:
# Redis database to be selected after connect
CACHE_REDIS_DB: 0
# enable bearer auth
BEARER_AUTH: false
# auth realm used for bearer auth
AUTH_REALM:
# auth service used for bearer auth
AUTH_SERVICE:
field:
# POD_IP: status.podIP
secret:
# username for basic http authentication
BASIC_AUTH_USER:
# password for basic http authentication
BASIC_AUTH_PASS:
# GCP service account json file
GOOGLE_CREDENTIALS_JSON:
# Redis requirepass server configuration
CACHE_REDIS_PASSWORD:
# Name of an existing secret to get the secret values ftom
existingSecret:
# Stores Enviromnt Variable to secret key name mappings
existingSecretMappings:
# username for basic http authentication
BASIC_AUTH_USER:
# password for basic http authentication
BASIC_AUTH_PASS:
# GCP service account json file
GOOGLE_CREDENTIALS_JSON:
# Redis requirepass server configuration
CACHE_REDIS_PASSWORD:
deployment:
# Define scheduler name. Use of 'default' if empty
schedulerName: ""
## Chartmuseum Deployment annotations
annotations: {}
# name: value
labels: {}
# name: value
matchlabels: {}
# name: value
replica:
## Chartmuseum Replicas annotations
annotations: {}
## Read more about kube2iam to provide access to s3 https://github.com/jtblin/kube2iam
# iam.amazonaws.com/role: role-arn
service:
servicename:
type: ClusterIP
externalTrafficPolicy: Local
## Limits which cidr blocks can connect to service's load balancer
## Only valid if service.type: LoadBalancer
loadBalancerSourceRanges: []
# clusterIP: None
externalPort: 8080
nodePort:
annotations: {}
labels: {}
serviceMonitor:
enabled: false
# namespace: prometheus
labels: {}
metricsPath: "/metrics"
# timeout: 60
# interval: 60
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 80m
# memory: 64Mi
probes:
liveness:
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
readiness:
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
serviceAccount:
create: false
# name:
## Annotations for the Service Account
annotations: {}
# UID/GID 1000 is the default user "chartmuseum" used in
# the container image starting in v0.8.0 and above. This
# is required for local persistent storage. If your cluster
# does not allow this, try setting securityContext: {}
securityContext:
enabled: true
fsGroup: 1000
## Optionally, specify supplementalGroups and/or
## runAsNonRoot for security purposes
# runAsNonRoot: true
# supplementalGroups: [1000]
containerSecurityContext: {}
priorityClassName: ""
nodeSelector: {}
tolerations: []
affinity: {}
persistence:
enabled: false
accessMode: ReadWriteOnce
size: 8Gi
labels: {}
path: /storage
# name: value
## A manually managed Persistent Volume and Claim
## Requires persistence.enabled: true
## If defined, PVC must be created manually before volume will be bound
# existingClaim:
## Chartmuseum data Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
# storageClass: "-"
# volumeName:
pv:
enabled: false
pvname:
capacity:
storage: 8Gi
accessMode: ReadWriteOnce
nfs:
server:
path:
## Init containers parameters:
## volumePermissions: Change the owner of the persistent volume mountpoint to RunAsUser:fsGroup
##
volumePermissions:
image:
registry: docker.io
repository: bitnami/minideb
tag: buster
pullPolicy: Always
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistryKeySecretName
## Ingress for load balancer
ingress:
enabled: false
## Chartmuseum Ingress labels
##
# labels:
# dns: "route53"
## Chartmuseum Ingress annotations
##
# annotations:
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
## Chartmuseum Ingress hostnames
## Must be provided if Ingress is enabled
##
# hosts:
# - name: chartmuseum.domain1.com
# path: /
# tls: false
# - name: chartmuseum.domain2.com
# path: /
#
# ## Set this to true in order to enable TLS on the ingress record
# tls: true
#
# ## If TLS is set to true, you must declare what secret will store the key/certificate for TLS
# ## Secrets must be added manually to the namespace
# tlsSecret: chartmuseum.domain2-tls
# Adding secrets to tiller is not a great option, so If you want to use an existing
# secret that contains the json file, you can use the following entries
gcp:
secret:
enabled: false
# Name of the secret that contains the encoded json
name:
# Secret key that holds the json value.
key: credentials.json
oracle:
secret:
enabled: false
# Name of the secret that contains the encoded config and key
name:
# Secret key that holds the oci config
config: config
# Secret key that holds the oci private key
key_file: key_file
bearerAuth:
secret:
enabled: false
publicKeySecret: chartmuseum-public-key

22
docker-registry-ui/.helmignore
View File

@ -1,22 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

11
docker-registry-ui/Chart.yaml
View File

@ -1,11 +0,0 @@
apiVersion: v1
appVersion: "1.2.1"
description: The simplest and most complete UI for your private registry
name: docker-registry-ui
home: https://github.com/Joxit/docker-registry-ui
keywords:
- docker
- registry
sources:
- https://github.com/Joxit/docker-registry-ui
version: 0.1.0

97
docker-registry-ui/README.md
View File

@ -1,97 +0,0 @@
# docker-registry-ui
[docker-registry-ui](https://joxit.dev/docker-registry-ui/) is the simplest and most complete UI for your private registry!
## TL;DR;
```bash
$ helm install .
```
## Introduction
This chart bootstraps a [docker-registry-ui](https://joxit.dev/docker-registry-ui/) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
It also may deploy the [docker registry](https://docs.docker.com/registry/) if you havent have one already.
## Prerequisites
- Kubernetes 1.9+ with Beta APIs enabled
- PV provisioner support in the underlying infrastructure
## Installing the Chart
To install the chart with the release name `my-release`:
```bash
$ helm update --install my-release .
```
The command deploys docker-registry-ui on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
> **Tip**: List all releases using `helm list`
## Uninstalling the Chart
To uninstall/delete the `my-release` deployment:
```bash
$ helm delete my-release
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
## Configuration
The following table lists the configurable parameters of the Redmine chart and their default values.
| Parameter | Description | Default |
| --------------------------------- | ---------------------------------------- | ------------------------------------------------------- |
| `ui.title` | Title of the managed repository | `Docker registry UI` |
| `ui.delete_images` | Allow to delete image from the front-end | `false` |
| `ui.proxy` | The UI service act as a proxy of the registry | `true` |
| `ui.replicaCount` | Number of replicas to start | `1` |
| `ui.image.registry` | registry to pull the docker-registry-ui image from | `docker.io` |
| `ui.image.repository` | docker-registry-ui image name | `joxit/docker-registry-ui` |
| `ui.image.tag` | docker-registry-ui image tag (change to latest to have multi registry support) | `static` |
| `ui.image.pullPolicy` | docker-registry-ui image pull policy | `Always` |
| `ui.probe.liveness` | Ask kubernetes to check the service port for liveness | `true` |
| `ui.probe.readyness ` | Ask kubernetes to check the service port for readyness | `true` |
| `ui.service.type` | Desired service type | `ClusterIP` |
| `ui.service.port` | Service exposed port | `80` |
| `ui.ingress.enabled` | Create an ingress for docker-regstry-ui | `false` |
| `registry.external` | Use an already available registry | `false` |
| `registry.url` | URL of the existing registry | `http://localhost:5000` |
| `registry.replicaCount` | Number of replicas to start | `1` |
| `registry.image.registry` | registry to pull the docker-registry image from | `docker.io` |
| `registry.image.repository` | docker-registry-ui image name | `registry` |
| `registry.image.tag` | docker-registry-ui image tag | `2.6.2` |
| `registry.image.pullPolicy` | docker-registry-ui image pull policy | `Always` |
| `registry.probe.liveness` | Ask kubernetes to check the service port for liveness | `true` |
| `registry.probe.readyness ` | Ask kubernetes to check the service port for readyness | `true` |
| `registry.persistence.enabled` | Enable persistence using PVC for the registry | `false` |
| `registry.persistence.storageClass` | PVC Storage Class | `-` |
| `registry.persistence.size` | PVC Storage Request size | `1Gi` |
| `registry.service.type` | Desired service type | `ClusterIP` |
| `registry.service.port` | Service exposed port | `5000` |
| `registry.ingress.enabled` | Create an ingress for the regstry | `false` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```bash
$ helm upgrade --install my-release \
--set registry.external=true \
--set registry.url=http://registry.example.com:5000 \
.
```
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
```bash
$ helm upgrade --install my-release -f values.yaml .
```
> **Tip**: You can use the default [values.yaml](values.yaml)

0
docker-registry-ui/templates/NOTES.txt
View File

147
docker-registry-ui/templates/_helpers.tpl
View File

@ -1,147 +0,0 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "docker-registry-ui.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "docker-registry-ui.fullname" -}}
{{- if .Values.ui.fullnameOverride -}}
{{- .Values.ui.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- printf "%s-ui" .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-ui-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "docker-registry.fullname" -}}
{{- if .Values.registry.fullnameOverride -}}
{{- .Values.registry.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- printf "%s-registry" .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-registry-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "docker-registry-ui.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "docker-registry-ui.labels" -}}
app: registry-ui
chart: {{ include "docker-registry-ui.chart" . }}
release: {{ .Release.Name }}
{{- if .Chart.AppVersion }}
app/version: {{ .Chart.AppVersion | quote }}
{{- end }}
{{- end -}}
{{- define "docker-registry-ui.matchLabels" -}}
app: registry-ui
release: {{ .Release.Name }}
{{- end -}}
{{- define "docker-registry.labels" -}}
app: registry
chart: {{ include "docker-registry-ui.chart" . }}
release: {{ .Release.Name }}
{{- if .Chart.AppVersion }}
app/version: {{ .Chart.AppVersion | quote }}
{{- end }}
{{- end -}}
{{- define "docker-registry.matchLabels" -}}
app: registry
release: {{ .Release.Name }}
{{- end -}}
{{- define "docker-registry-ui.probes" -}}
{{- if and .Values.ui.probe.liveness (eq .Values.ui.probe.liveness true) -}}
livenessProbe:
httpGet:
path: /
port: http
{{- end -}}
{{- if and .Values.ui.probe.readiness (eq .Values.ui.probe.readiness true) }}
readinessProbe:
httpGet:
path: /
port: http
{{- end -}}
{{- end -}}
{{- define "docker-registry.probes" -}}
{{- if and .Values.registry.probe.liveness (eq .Values.registry.probe.liveness true) -}}
livenessProbe:
httpGet:
path: /v2/
port: registry
{{- end -}}
{{- if and .Values.registry.probe.readiness (eq .Values.registry.probe.readiness true) }}
readinessProbe:
httpGet:
path: /v2/
port: registry
{{- end -}}
{{- end -}}
{{- define "docker-registry-ui.url-name" -}}
{{- if eq .Values.ui.proxy true -}}
REGISTRY_URL
{{- else -}}
URL
{{- end -}}
{{- end -}}
{{- define "docker-registry-ui.url-value" -}}
{{- if eq .Values.registry.external true -}}
{{ .Values.registry.url }}
{{- else -}}
{{- $fullName := include "docker-registry.fullname" . -}}
{{ printf "http://%s.%s:%.0f" $fullName .Release.Namespace .Values.registry.service.port }}
{{- end -}}
{{- end -}}
{{- define "docker-registry-ui.pull" -}}
{{- if eq .Values.registry.external true -}}
{{ .Values.registry.url }}
{{- else -}}
{{- if eq .Values.ui.proxy true -}}
{{- if eq .Values.ui.ingress.enabled true -}}
{{- $host := index .Values.ui.ingress.hosts 0 -}}
{{ $host.host }}
{{- else -}}
{{- $fullName := include "docker-registry-ui.fullname" . -}}
{{ printf "%s.%s:%.0f" $fullName .Release.Namespace .Values.ui.service.port }}
{{- end -}}
{{- else -}}
{{- if eq .Values.registry.ingress.enabled true -}}
{{- $host := index .Values.registry.ingress.hosts 0 -}}
{{ $host.host }}
{{- else -}}
{{- $fullName := include "docker-registry.fullname" . -}}
{{ printf "%s.%s:%.0f" $fullName .Release.Namespace .Values.registry.service.port }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}

31
docker-registry-ui/templates/reg-configmap.yaml
View File

@ -1,31 +0,0 @@
{{- if eq .Values.registry.external false -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "docker-registry.fullname" . }}
labels:
{{ include "docker-registry.labels" . | indent 4 }}
data:
config.yml: |-
version: 0.1
log:
fields:
service: registry
storage:
delete:
enabled: true
cache:
blobdescriptor: inmemory
filesystem:
rootdirectory: /var/lib/registry
http:
addr: :5000
headers:
X-Content-Type-Options: [nosniff]
Access-Control-Allow-Origin: ['*']
Access-Control-Allow-Methods: ['HEAD', 'GET', 'OPTIONS', 'DELETE']
Access-Control-Allow-Headers: ['Authorization']
Access-Control-Max-Age: [1728000]
Access-Control-Allow-Credentials: [true]
Access-Control-Expose-Headers: ['Docker-Content-Digest']
{{- end -}}

62
docker-registry-ui/templates/reg-deployment.yaml
View File

@ -1,62 +0,0 @@
{{- if eq .Values.registry.external false -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "docker-registry.fullname" . }}
labels:
{{ include "docker-registry.labels" . | indent 4 }}
spec:
replicas: {{ .Values.registry.replicaCount }}
selector:
matchLabels:
{{ include "docker-registry.matchLabels" . | indent 6 }}
template:
metadata:
labels:
{{ include "docker-registry.matchLabels" . | indent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: config
configMap:
defaultMode: 420
name: {{ include "docker-registry.fullname" . }}
- name: data
{{- if .Values.registry.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ include "docker-registry.fullname" . }}
{{- else }}
emptyDir: {}
{{- end }}
containers:
- name: registry
image: "{{ .Values.registry.image.registry }}/{{ .Values.registry.image.repository }}:{{ .Values.registry.image.tag }}"
imagePullPolicy: {{ .Values.registry.image.pullPolicy }}
ports:
- name: registry
containerPort: 5000
protocol: TCP
volumeMounts:
- mountPath: "/var/lib/registry"
name: "data"
- mountPath: "/etc/docker/registry"
name: "config"
{{ include "docker-registry.probes" . | indent 10 }}
resources:
{{- toYaml .Values.registry.resources | nindent 12 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end -}}

34
docker-registry-ui/templates/reg-ingress.yaml
View File

@ -1,34 +0,0 @@
{{- if and (eq .Values.registry.external false) (and (eq .Values.ui.proxy false) .Values.registry.ingress.enabled) -}}
{{- $fullName := include "docker-registry.fullname" . -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{ include "docker-registry.labels" . | indent 4 }}
{{- with .Values.registry.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.registry.ingress.tls }}
tls:
{{- range .Values.registry.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.registry.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
- path: /
backend:
serviceName: {{ $fullName }}
servicePort: registry
{{- end }}
{{- end -}}

23
docker-registry-ui/templates/reg-pvc.yaml
View File

@ -1,23 +0,0 @@
{{- if and (eq .Values.registry.external false) .Values.registry.persistence.enabled -}}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
{{ include "docker-registry.labels" . | indent 4 }}
name: {{ include "docker-registry.fullname" . }}
spec:
accessModes:
{{- range .Values.registry.persistence.accessModes }}
- {{ . | quote }}
{{- end }}
resources:
requests:
storage: {{ .Values.registry.persistence.size }}
{{- if .Values.registry.persistence.storageClass }}
{{- if (eq "-" .Values.registry.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: {{ .Values.registry.persistence.storageClass | quote }}
{{- end }}
{{- end }}
{{- end -}}

17
docker-registry-ui/templates/reg-service.yaml
View File

@ -1,17 +0,0 @@
{{- if eq .Values.registry.external false -}}
apiVersion: v1
kind: Service
metadata:
name: {{ include "docker-registry.fullname" . }}
labels:
{{ include "docker-registry.labels" . | indent 4 }}
spec:
type: {{ .Values.registry.service.type }}
ports:
- port: {{ .Values.registry.service.port }}
targetPort: registry
protocol: TCP
name: registry
selector:
{{ include "docker-registry.matchLabels" . | indent 6 }}
{{- end -}}

52
docker-registry-ui/templates/ui-deployment.yaml
View File

@ -1,52 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "docker-registry-ui.fullname" . }}
labels:
{{ include "docker-registry-ui.labels" . | indent 4 }}
spec:
replicas: {{ .Values.ui.replicaCount }}
selector:
matchLabels:
{{ include "docker-registry-ui.matchLabels" . | indent 6 }}
template:
metadata:
labels:
{{ include "docker-registry-ui.matchLabels" . | indent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: registry-ui
image: "{{ .Values.ui.image.registry }}/{{ .Values.ui.image.repository }}:{{ .Values.ui.image.tag }}"
imagePullPolicy: {{ .Values.ui.image.pullPolicy }}
env:
- name: REGISTRY_TITLE
value: {{ .Values.ui.title| quote }}
- name: DELETE_IMAGES
value: {{ .Values.ui.delete_images| quote }}
- name: {{ include "docker-registry-ui.url-name" . }}
value: {{ include "docker-registry-ui.url-value" . | quote }}
- name: PULL_URL
value: {{ include "docker-registry-ui.pull" . | quote }}
ports:
- name: http
containerPort: 80
protocol: TCP
{{ include "docker-registry-ui.probes" . | indent 10 }}
resources:
{{- toYaml .Values.ui.resources | nindent 12 }}
{{- with .Values.ui.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.ui.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.ui.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

34
docker-registry-ui/templates/ui-ingress.yaml
View File

@ -1,34 +0,0 @@
{{- if .Values.ui.ingress.enabled -}}
{{- $fullName := include "docker-registry-ui.fullname" . -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{ include "docker-registry-ui.labels" . | indent 4 }}
{{- with .Values.ui.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.ui.ingress.tls }}
tls:
{{- range .Values.ui.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ui.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
- path: /
backend:
serviceName: {{ $fullName }}
servicePort: http
{{- end }}
{{- end }}

15
docker-registry-ui/templates/ui-service.yaml
View File

@ -1,15 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "docker-registry-ui.fullname" . }}
labels:
{{ include "docker-registry-ui.labels" . | indent 4 }}
spec:
type: {{ .Values.ui.service.type }}
ports:
- port: {{ .Values.ui.service.port }}
targetPort: http
protocol: TCP
name: http
selector:
{{ include "docker-registry-ui.matchLabels" . | indent 6 }}

129
docker-registry-ui/values.yaml
View File

@ -1,129 +0,0 @@
# Default values for docker-registry-ui.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
ui:
# title of the registry
title: "Docker registry UI"
# allow delete of images
delete_images: false
# UI behave as a proxy of the registry
proxy: true
replicaCount: 1
image:
registry: docker.io
repository: joxit/docker-registry-ui
tag: static
pullPolicy: Always
probe:
liveness: true
readiness: true
resources: {}
# If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}
fullnameOverride: ""
service:
type: ClusterIP
port: 80
ingress:
enabled: false
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: docker-registry-ui.local
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
registry:
external: false
# URL of the registry (requiered. Note: this wont work as localhost is inside the container. Only used if the registry is external)
url: http://localhost:5000
replicaCount: 1
# Image definition for the registry (Only used if the registry is not external)
image:
registry: docker.io
repository: registry
tag: 2.7.1
pullPolicy: Always
probe:
liveness: true
readiness: true
resources: {}
# If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}
fullnameOverride: ""
persistence:
## If true, use a Persistent Volume Claim, If false, use emptyDir
##
enabled: false
## Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
# storageClass: "-"
## Persistent Volume Claim annotations
##
annotations:
## Persistent Volume Access Mode
##
accessModes:
# This have to be ReadWriteMany if replicaCount>1
- ReadWriteOnce
## Persistent Volume size
##
size: 1Gi
##
service:
type: ClusterIP
port: 5000
ingress:
enabled: false
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: docker-registry.local
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
imagePullSecrets: []
nameOverride: ""

21
docker-registry/.helmignore
View File

@ -1,21 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

10
docker-registry/Chart.yaml
View File

@ -1,10 +0,0 @@
apiVersion: v1
description: DEPRECATED A Helm chart for Docker Registry
name: docker-registry
version: 1.9.6
appVersion: 2.7.1
home: https://hub.docker.com/_/registry/
icon: https://hub.docker.com/public/images/logos/mini-logo.svg
sources:
- https://github.com/docker/distribution-library-image
deprecated: true

95
docker-registry/README.md
View File

@ -1,95 +0,0 @@
# ⚠️ Repo Archive Notice
As of Nov 13, 2020, charts in this repo will no longer be updated.
For more information, see the Helm Charts [Deprecation and Archive Notice](https://github.com/helm/charts#%EF%B8%8F-deprecation-and-archive-notice), and [Update](https://helm.sh/blog/charts-repo-deprecation/).
# Docker Registry Helm Chart
This directory contains a Kubernetes chart to deploy a private Docker Registry.
## DEPRECATION NOTICE
This chart is deprecated and no longer supported.
## Prerequisites Details
* PV support on underlying infrastructure (if persistence is required)
## Chart Details
This chart will do the following:
* Implement a Docker registry deployment
## Installing the Chart
To install the chart, use the following:
```console
$ helm install stable/docker-registry
```
## Configuration
The following table lists the configurable parameters of the docker-registry chart and
their default values.
| Parameter | Description | Default |
|:----------------------------|:-------------------------------------------------------------------------------------------|:----------------|
| `image.pullPolicy` | Container pull policy | `IfNotPresent` |
| `image.repository` | Container image to use | `registry` |
| `image.tag` | Container image tag to deploy | `2.7.1` |
| `imagePullSecrets` | Specify image pull secrets | `nil` (does not add image pull secrets to deployed pods) |
| `persistence.accessMode` | Access mode to use for PVC | `ReadWriteOnce` |
| `persistence.enabled` | Whether to use a PVC for the Docker storage | `false` |
| `persistence.deleteEnabled` | Enable the deletion of image blobs and manifests by digest | `nil` |
| `persistence.size` | Amount of space to claim for PVC | `10Gi` |
| `persistence.storageClass` | Storage Class to use for PVC | `-` |
| `persistence.existingClaim` | Name of an existing PVC to use for config | `nil` |
| `service.port` | TCP port on which the service is exposed | `5000` |
| `service.type` | service type | `ClusterIP` |
| `service.clusterIP` | if `service.type` is `ClusterIP` and this is non-empty, sets the cluster IP of the service | `nil` |
| `service.nodePort` | if `service.type` is `NodePort` and this is non-empty, sets the node port of the service | `nil` |
| `service.loadBalancerIP | if `service.type` is `LoadBalancer` and this is non-empty, sets the loadBalancerIP of the service | `nil` |
| `service.loadBalancerSourceRanges`| if `service.type` is `LoadBalancer` and this is non-empty, sets the loadBalancerSourceRanges of the service | `nil` |
| `replicaCount` | k8s replicas | `1` |
| `updateStrategy` | update strategy for deployment | `{}` |
| `podAnnotations` | Annotations for pod | `{}` |
| `podLabels` | Labels for pod | `{}` |
| `podDisruptionBudget` | Pod disruption budget | `{}` |
| `resources.limits.cpu` | Container requested CPU | `nil` |
| `resources.limits.memory` | Container requested memory | `nil` |
| `priorityClassName ` | priorityClassName | `""` |
| `storage` | Storage system to use | `filesystem` |
| `tlsSecretName` | Name of secret for TLS certs | `nil` |
| `secrets.htpasswd` | Htpasswd authentication | `nil` |
| `secrets.s3.accessKey` | Access Key for S3 configuration | `nil` |
| `secrets.s3.secretKey` | Secret Key for S3 configuration | `nil` |
| `secrets.swift.username` | Username for Swift configuration | `nil` |
| `secrets.swift.password` | Password for Swift configuration | `nil` |
| `haSharedSecret` | Shared secret for Registry | `nil` |
| `configData` | Configuration hash for docker | `nil` |
| `s3.region` | S3 region | `nil` |
| `s3.regionEndpoint` | S3 region endpoint | `nil` |
| `s3.bucket` | S3 bucket name | `nil` |
| `s3.encrypt` | Store images in encrypted format | `nil` |
| `s3.secure` | Use HTTPS | `nil` |
| `swift.authurl` | Swift authurl | `nil` |
| `swift.container` | Swift container | `nil` |
| `nodeSelector` | node labels for pod assignment | `{}` |
| `affinity` | affinity settings | `{}` |
| `tolerations` | pod tolerations | `[]` |
| `ingress.enabled` | If true, Ingress will be created | `false` |
| `ingress.annotations` | Ingress annotations | `{}` |
| `ingress.labels` | Ingress labels | `{}` |
| `ingress.path` | Ingress service path | `/` |
| `ingress.hosts` | Ingress hostnames | `[]` |
| `ingress.tls` | Ingress TLS configuration (YAML) | `[]` |
| `extraVolumeMounts` | Additional volumeMounts to the registry container | `[]` |
| `extraVolumes` | Additional volumes to the pod | `[]` |
Specify each parameter using the `--set key=value[,key=value]` argument to
`helm install`.
To generate htpasswd file, run this docker command:
`docker run --entrypoint htpasswd registry:2 -Bbn user password > ./htpasswd`.

19
docker-registry/templates/NOTES.txt
View File

@ -1,19 +0,0 @@
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range .Values.ingress.hosts }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "docker-registry.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get svc -w {{ template "docker-registry.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "docker-registry.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
echo http://$SERVICE_IP:{{ .Values.service.externalPort }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "docker-registry.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl -n {{ .Release.Namespace }} port-forward $POD_NAME 8080:5000
{{- end }}

24
docker-registry/templates/_helpers.tpl
View File

@ -1,24 +0,0 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "docker-registry.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "docker-registry.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}

12
docker-registry/templates/configmap.yaml
View File

@ -1,12 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "docker-registry.fullname" . }}-config
labels:
app: {{ template "docker-registry.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
data:
config.yml: |-
{{ toYaml .Values.configData | indent 4 }}

221
docker-registry/templates/deployment.yaml
View File

@ -1,221 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "docker-registry.fullname" . }}
labels:
app: {{ template "docker-registry.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
selector:
matchLabels:
app: {{ template "docker-registry.name" . }}
release: {{ .Release.Name }}
replicas: {{ .Values.replicaCount }}
{{- if .Values.updateStrategy }}
strategy:
{{ toYaml .Values.updateStrategy | indent 4 }}
{{- end }}
minReadySeconds: 5
template:
metadata:
labels:
app: {{ template "docker-registry.name" . }}
release: {{ .Release.Name }}
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | indent 8 }}
{{- end }}
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- if $.Values.podAnnotations }}
{{ toYaml $.Values.podAnnotations | indent 8 }}
{{- end }}
spec:
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 8 }}
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: "{{ .Values.priorityClassName }}"
{{- end }}
{{- if .Values.securityContext.enabled }}
securityContext:
fsGroup: {{ .Values.securityContext.fsGroup }}
runAsUser: {{ .Values.securityContext.runAsUser }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- /bin/registry
- serve
- /etc/docker/registry/config.yml
ports:
- containerPort: 5000
livenessProbe:
httpGet:
{{- if .Values.tlsSecretName }}
scheme: HTTPS
{{- end }}
path: /
port: 5000
readinessProbe:
httpGet:
{{- if .Values.tlsSecretName }}
scheme: HTTPS
{{- end }}
path: /
port: 5000
resources:
{{ toYaml .Values.resources | indent 12 }}
env:
{{- if .Values.secrets.htpasswd }}
- name: REGISTRY_AUTH
value: "htpasswd"
- name: REGISTRY_AUTH_HTPASSWD_REALM
value: "Registry Realm"
- name: REGISTRY_AUTH_HTPASSWD_PATH
value: "/auth/htpasswd"
{{- end }}
- name: REGISTRY_HTTP_SECRET
valueFrom:
secretKeyRef:
name: {{ template "docker-registry.fullname" . }}-secret
key: haSharedSecret
{{- if .Values.tlsSecretName }}
- name: REGISTRY_HTTP_TLS_CERTIFICATE
value: /etc/ssl/docker/tls.crt
- name: REGISTRY_HTTP_TLS_KEY
value: /etc/ssl/docker/tls.key
{{- end }}
{{- if eq .Values.storage "filesystem" }}
- name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
value: "/var/lib/registry"
{{- else if eq .Values.storage "azure" }}
- name: REGISTRY_STORAGE_AZURE_ACCOUNTNAME
valueFrom:
secretKeyRef:
name: {{ template "docker-registry.fullname" . }}-secret
key: azureAccountName
- name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY
valueFrom:
secretKeyRef:
name: {{ template "docker-registry.fullname" . }}-secret
key: azureAccountKey
- name: REGISTRY_STORAGE_AZURE_CONTAINER
valueFrom:
secretKeyRef:
name: {{ template "docker-registry.fullname" . }}-secret
key: azureContainer
{{- else if eq .Values.storage "s3" }}
{{- if and .Values.secrets.s3.secretKey .Values.secrets.s3.accessKey }}
- name: REGISTRY_STORAGE_S3_ACCESSKEY
valueFrom:
secretKeyRef:
name: {{ template "docker-registry.fullname" . }}-secret
key: s3AccessKey
- name: REGISTRY_STORAGE_S3_SECRETKEY
valueFrom:
secretKeyRef:
name: {{ template "docker-registry.fullname" . }}-secret
key: s3SecretKey
{{- end }}
- name: REGISTRY_STORAGE_S3_REGION
value: {{ required ".Values.s3.region is required" .Values.s3.region }}
{{- if .Values.s3.regionEndpoint }}
- name: REGISTRY_STORAGE_S3_REGIONENDPOINT
value: {{ .Values.s3.regionEndpoint }}
{{- end }}
- name: REGISTRY_STORAGE_S3_BUCKET
value: {{ required ".Values.s3.bucket is required" .Values.s3.bucket }}
{{- if .Values.s3.encrypt }}
- name: REGISTRY_STORAGE_S3_ENCRYPT
value: {{ .Values.s3.encrypt | quote }}
{{- end }}
{{- if .Values.s3.secure }}
- name: REGISTRY_STORAGE_S3_SECURE
value: {{ .Values.s3.secure | quote }}
{{- end }}
{{- else if eq .Values.storage "swift" }}
- name: REGISTRY_STORAGE_SWIFT_AUTHURL
value: {{ required ".Values.swift.authurl is required" .Values.swift.authurl }}
- name: REGISTRY_STORAGE_SWIFT_USERNAME
valueFrom:
secretKeyRef:
name: {{ template "docker-registry.fullname" . }}-secret
key: swiftUsername
- name: REGISTRY_STORAGE_SWIFT_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "docker-registry.fullname" . }}-secret
key: swiftPassword
- name: REGISTRY_STORAGE_SWIFT_CONTAINER
value: {{ required ".Values.swift.container is required" .Values.swift.container }}
{{- end }}
{{- if .Values.persistence.deleteEnabled }}
- name: REGISTRY_STORAGE_DELETE_ENABLED
value: "true"
{{- end }}
volumeMounts:
{{- if .Values.secrets.htpasswd }}
- name: auth
mountPath: /auth
readOnly: true
{{- end }}
{{- if eq .Values.storage "filesystem" }}
- name: data
mountPath: /var/lib/registry/
{{- end }}
- name: "{{ template "docker-registry.fullname" . }}-config"
mountPath: "/etc/docker/registry"
{{- if .Values.tlsSecretName }}
- mountPath: /etc/ssl/docker
name: tls-cert
readOnly: true
{{- end }}
{{- with .Values.extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.affinity }}
affinity:
{{ toYaml .Values.affinity | indent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
volumes:
{{- if .Values.secrets.htpasswd }}
- name: auth
secret:
secretName: {{ template "docker-registry.fullname" . }}-secret
items:
- key: htpasswd
path: htpasswd
{{- end }}
{{- if eq .Values.storage "filesystem" }}
- name: data
{{- if .Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ if .Values.persistence.existingClaim }}{{ .Values.persistence.existingClaim }}{{- else }}{{ template "docker-registry.fullname" . }}{{- end }}
{{- else }}
emptyDir: {}
{{- end -}}
{{- end }}
- name: {{ template "docker-registry.fullname" . }}-config
configMap:
name: {{ template "docker-registry.fullname" . }}-config
{{- if .Values.tlsSecretName }}
- name: tls-cert
secret:
secretName: {{ .Values.tlsSecretName }}
{{- end }}
{{- with .Values.extraVolumes }}
{{- toYaml . | nindent 8 }}
{{- end }}

36
docker-registry/templates/ingress.yaml
View File

@ -1,36 +0,0 @@
{{- if .Values.ingress.enabled -}}
{{- $serviceName := include "docker-registry.fullname" . -}}
{{- $servicePort := .Values.service.port -}}
{{- $path := .Values.ingress.path -}}
apiVersion: {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} networking.k8s.io/v1beta1 {{- else }} extensions/v1beta1 {{- end }}
kind: Ingress
metadata:
name: {{ template "docker-registry.fullname" . }}
labels:
app: {{ template "docker-registry.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.ingress.labels }}
{{ toYaml .Values.ingress.labels | indent 4 }}
{{- end }}
annotations:
{{- range $key, $value := .Values.ingress.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
rules:
{{- range $host := .Values.ingress.hosts }}
- host: {{ $host }}
http:
paths:
- path: {{ $path }}
backend:
serviceName: {{ $serviceName }}
servicePort: {{ $servicePort }}
{{- end -}}
{{- if .Values.ingress.tls }}
tls:
{{ toYaml .Values.ingress.tls | indent 4 }}
{{- end -}}
{{- end -}}

17
docker-registry/templates/poddisruptionbudget.yaml
View File

@ -1,17 +0,0 @@
{{- if .Values.podDisruptionBudget -}}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: {{ template "docker-registry.fullname" . }}
labels:
app: {{ template "docker-registry.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
selector:
matchLabels:
app: {{ template "docker-registry.name" . }}
release: {{ .Release.Name }}
{{ toYaml .Values.podDisruptionBudget | indent 2 }}
{{- end -}}

26
docker-registry/templates/pvc.yaml
View File

@ -1,26 +0,0 @@
{{- if .Values.persistence.enabled }}
{{- if not .Values.persistence.existingClaim -}}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ template "docker-registry.fullname" . }}
labels:
app: {{ template "docker-registry.fullname" . }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
spec:
accessModes:
- {{ .Values.persistence.accessMode | quote }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- if .Values.persistence.storageClass }}
{{- if (eq "-" .Values.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.persistence.storageClass }}"
{{- end }}
{{- end }}
{{- end }}
{{- end -}}

37
docker-registry/templates/secret.yaml
View File

@ -1,37 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ template "docker-registry.fullname" . }}-secret
labels:
app: {{ template "docker-registry.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
type: Opaque
data:
{{- if .Values.secrets.htpasswd }}
htpasswd: {{ .Values.secrets.htpasswd | b64enc }}
{{- end }}
{{- if .Values.secrets.haSharedSecret }}
haSharedSecret: {{ .Values.secrets.haSharedSecret | b64enc | quote }}
{{- else }}
haSharedSecret: {{ randAlphaNum 16 | b64enc | quote }}
{{- end }}
{{- if eq .Values.storage "azure" }}
{{- if and .Values.secrets.azure.accountName .Values.secrets.azure.accountKey .Values.secrets.azure.container }}
azureAccountName: {{ .Values.secrets.azure.accountName | b64enc | quote }}
azureAccountKey: {{ .Values.secrets.azure.accountKey | b64enc | quote }}
azureContainer: {{ .Values.secrets.azure.container | b64enc | quote }}
{{- end }}
{{- else if eq .Values.storage "s3" }}
{{- if and .Values.secrets.s3.secretKey .Values.secrets.s3.accessKey }}
s3AccessKey: {{ .Values.secrets.s3.accessKey | b64enc | quote }}
s3SecretKey: {{ .Values.secrets.s3.secretKey | b64enc | quote }}
{{- end }}
{{- else if eq .Values.storage "swift" }}
{{- if and .Values.secrets.swift.username .Values.secrets.swift.password }}
swiftUsername: {{ .Values.secrets.swift.username | b64enc | quote }}
swiftPassword: {{ .Values.secrets.swift.password | b64enc | quote }}
{{- end }}
{{- end }}

35
docker-registry/templates/service.yaml
View File

@ -1,35 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "docker-registry.fullname" . }}
labels:
app: {{ template "docker-registry.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.service.annotations }}
annotations:
{{ toYaml .Values.service.annotations | indent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
{{- if (and (eq .Values.service.type "ClusterIP") (not (empty .Values.service.clusterIP))) }}
clusterIP: {{ .Values.service.clusterIP }}
{{- end }}
{{- if (and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP))) }}
loadBalancerIP: {{ .Values.service.loadBalancerIP }}
{{- end }}
{{- if (and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerSourceRanges))) }}
loadBalancerSourceRanges: {{ .Values.service.loadBalancerSourceRanges }}
{{- end }}
ports:
- port: {{ .Values.service.port }}
protocol: TCP
name: {{ .Values.service.name }}
targetPort: 5000
{{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }}
nodePort: {{ .Values.service.nodePort }}
{{- end }}
selector:
app: {{ template "docker-registry.name" . }}
release: {{ .Release.Name }}

147
docker-registry/values.yaml
View File

@ -1,147 +0,0 @@
# Default values for docker-registry.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
updateStrategy:
# type: RollingUpdate
# rollingUpdate:
# maxSurge: 1
# maxUnavailable: 0
podAnnotations: {}
podLabels: {}
image:
repository: registry
tag: 2.7.1
pullPolicy: IfNotPresent
# imagePullSecrets:
# - name: docker
service:
name: registry
type: ClusterIP
# clusterIP:
port: 5000
# nodePort:
# loadBalancerIP:
# loadBalancerSourceRanges:
annotations: {}
# foo.io/bar: "true"
ingress:
enabled: false
path: /
# Used to create an Ingress record.
hosts:
- chart-example.local
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
labels: {}
tls:
# Secrets must be manually created in the namespace.
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
persistence:
accessMode: 'ReadWriteOnce'
enabled: false
size: 10Gi
# storageClass: '-'
# set the type of filesystem to use: filesystem, s3
storage: filesystem
# Set this to name of secret for tls certs
# tlsSecretName: registry.docker.example.com
secrets:
haSharedSecret: ""
htpasswd: ""
# Secrets for Azure
# azure:
# accountName: ""
# accountKey: ""
# container: ""
# Secrets for S3 access and secret keys
# s3:
# accessKey: ""
# secretKey: ""
# Secrets for Swift username and password
# swift:
# username: ""
# password: ""
# Options for s3 storage type:
# s3:
# region: us-east-1
# regionEndpoint: s3.us-east-1.amazonaws.com
# bucket: my-bucket
# encrypt: false
# secure: true
# Options for swift storage type:
# swift:
# authurl: http://swift.example.com/
# container: my-container
configData:
version: 0.1
log:
fields:
service: registry
storage:
cache:
blobdescriptor: inmemory
http:
addr: :5000
headers:
X-Content-Type-Options: [nosniff]
health:
storagedriver:
enabled: true
interval: 10s
threshold: 3
securityContext:
enabled: true
runAsUser: 1000
fsGroup: 1000
priorityClassName: ""
podDisruptionBudget: {}
# maxUnavailable: 1
# minAvailable: 2
nodeSelector: {}
affinity: {}
tolerations: []
extraVolumeMounts: []
## Additional volumeMounts to the registry container.
# - mountPath: /secret-data
# name: cloudfront-pem-secret
# readOnly: true
extraVolumes: []
## Additional volumes to the pod.
# - name: cloudfront-pem-secret
# secret:
# secretName: cloudfront-credentials
# items:
# - key: cloudfront.pem
# path: cloudfront.pem
# mode: 511