chore(registry): use env replace creds volume

Author: duanhongyi

Dockerfile

@@ -17,15 +17,15 @@ ENV DRYCC_UID=1001 \
   REGISTRY_VERSION="2.8.0"
 
 COPY rootfs/bin/ /bin/
-COPY rootfs/config-example.yml /etc/docker/registry/config.yml
 COPY --from=build /usr/local/bin/registry /opt/registry/bin/registry
 
 RUN groupadd drycc --gid ${DRYCC_GID} \
   && useradd drycc -u ${DRYCC_UID} -g ${DRYCC_GID} -s /bin/bash -m -d ${DRYCC_HOME_DIR} \
+  && install-packages apache2-utils \
   && install-stack jq $JQ_VERSION \
   && install-stack mc $MC_VERSION \
   && install-stack registry $REGISTRY_VERSION \
-  && chmod +x /bin/create_bucket /bin/normalize_storage \
+  && chmod +x /bin/init_registry \
   && rm -rf \
       /usr/share/doc \
       /usr/share/man \
@@ -42,6 +42,8 @@ RUN groupadd drycc --gid ${DRYCC_GID} \
   && mkdir -p /usr/share/man/man{1..8} \
   && chown -R ${DRYCC_GID}:${DRYCC_UID} ${DRYCC_HOME_DIR}
 
+COPY --chown=${DRYCC_GID}:${DRYCC_UID} rootfs/config-example.yml /opt/drycc/registry/etc/config.yml
+
 USER ${DRYCC_UID}
 VOLUME ["${DRYCC_HOME_DIR}"]
 CMD ["/opt/registry/bin/registry"]

charts/registry/templates/_helper.tpl

@@ -1,11 +1,53 @@
 {{- define "registry.envs" -}}
-{{- if eq .Values.global.minioLocation "on-cluster" }}
+- name: REGISTRY_STORAGE_DELETE_ENABLED
+  value: "true"
+- name: REGISTRY_LOG_LEVEL
+  value: info
+- name: "REGISTRY_HTTP_SECRET"
+  valueFrom:
+    secretKeyRef:
+      name: registry-secret
+      key: secret
+- name: "DRYCC_REGISTRY_REDIRECT"
+  valueFrom:
+    secretKeyRef:
+      name: registry-secret
+      key: redirect
+- name: "DRYCC_REGISTRY_USERNAME"
+  valueFrom:
+    secretKeyRef:
+      name: registry-secret
+      key: username
+- name: "DRYCC_REGISTRY_PASSWORD"
+  valueFrom:
+    secretKeyRef:
+      name: registry-secret
+      key: password
+- name: "DRYCC_MINIO_LOOKUP"
+  valueFrom:
+    secretKeyRef:
+      name: minio-creds
+      key: lookup
+- name: "DRYCC_MINIO_BUCKET"
+  valueFrom:
+    secretKeyRef:
+      name: minio-creds
+      key: registry-bucket
 - name: "DRYCC_MINIO_ENDPOINT"
-  value: http://${DRYCC_MINIO_SERVICE_HOST}:${DRYCC_MINIO_SERVICE_PORT}
-{{- else }}
-- name: "DRYCC_MINIO_ENDPOINT"
-  value: "{{ .Values.minio.endpoint }}"
-{{- end }}
+  valueFrom:
+    secretKeyRef:
+      name: minio-creds
+      key: endpoint
+- name: "DRYCC_MINIO_ACCESSKEY"
+  valueFrom:
+    secretKeyRef:
+      name: minio-creds
+      key: accesskey
+- name: "DRYCC_MINIO_SECRETKEY"
+  valueFrom:
+    secretKeyRef:
+      name: minio-creds
+      key: secretkey
 {{- end }}
 
 {{/* Generate registry deployment limits */}}

charts/registry/templates/registry-deployment.yaml

@@ -52,26 +52,16 @@ spec:
             port: 5000
           initialDelaySeconds: 1
           timeoutSeconds: 1
-        env:
-          - name: REGISTRY_STORAGE_DELETE_ENABLED
-            value: "true"
-          - name: REGISTRY_LOG_LEVEL
-            value: info
         ports:
           - containerPort: 5000
         volumeMounts:
           - name: registry-storage
             mountPath: /var/lib/registry
-          - name: minio-creds
-            mountPath: /var/run/secrets/drycc/minio/creds
       securityContext:
         fsGroup: 1001
         runAsGroup: 1001
         runAsUser: 1001
       volumes:
         - name: registry-storage
           emptyDir: {}
-        - name: minio-creds
-          secret:
-            secretName: minio-creds
 {{- end }}

charts/registry/templates/registry-secret.yaml

@@ -1,4 +1,4 @@
-{{- if ne .Values.global.registryLocation "off-cluster" }}
+
 apiVersion: v1
 kind: Secret
 metadata:
@@ -9,8 +9,13 @@ metadata:
     drycc.cc/registry-location: "{{ .Values.global.registryLocation }}"
 type: Opaque
 data:
-  hostname: {{ .Values.registry.hostname | b64enc }}
-  organization: {{ .Values.registry.organization | b64enc }}
-  username: {{ .Values.registry.username | b64enc }}
-  password: {{ .Values.registry.password | b64enc }}
-{{- end }}
+  {{- if ne .Values.global.registryLocation "on-cluster" }}
+  host: {{ print "drycc-registry" .Release.Namespace  ".svc." .Values.global.clusterDomain | b64enc }}
+  secret: {{ randAlphaNum 32 | b64enc }}
+  {{- else }}
+  host: {{ .Values.host | b64enc }}
+  organization: {{ .Values.organization | b64enc }}
+  {{- end }}
+  username: {{ if .Values.username | default "" | ne "" }}{{ .Values.username | b64enc }}{{ else }}{{ randAlphaNum 32 | b64enc }}{{ end }}
+  password: {{ if .Values.password | default "" | ne "" }}{{ .Values.password | b64enc }}{{ else }}{{ randAlphaNum 32 | b64enc }}{{ end }}
+  redirect: {{ .Values.redirect | b64enc }}

contrib/ci/test.sh

@@ -2,16 +2,12 @@
 
 set -eoxf pipefail
 
-CURRENT_DIR=$(cd "$(dirname "$0")"; pwd)
-
-mkdir -p "${CURRENT_DIR}"/tmp/aws-user
-echo "us-east-1" > "${CURRENT_DIR}"/tmp/aws-user/region
-echo "registry-bucket" > "${CURRENT_DIR}"/tmp/aws-user/registry-bucket
-echo "1234567890123456789012345678901234567890" > "${CURRENT_DIR}"/tmp/aws-user/accesskey
-echo "1234567890123456789012345678901234567890" > "${CURRENT_DIR}"/tmp/aws-user/secretkey
+s3Accesskey=drycc
+s3Secretkey=123456789
 
 MINIO_JOB=$(docker run -d --name minio \
-  -v "${CURRENT_DIR}"/tmp/aws-user:/var/run/secrets/drycc/minio/creds \
+  -e DRYCC_MINIO_ACCESSKEY=$s3Accesskey \
+  -e DRYCC_MINIO_SECRETKEY=$s3Secretkey \
   "${DEV_REGISTRY}"/drycc/minio:canary server /data/minio/ --console-address :9001)
 
 sleep 5
@@ -21,8 +17,16 @@ MINIO_IP=$(docker inspect --format "{{ .NetworkSettings.IPAddress }}" "${MINIO_J
 
 JOB=$(docker run --add-host minio:"${MINIO_IP}" \
   -d \
+  -p 5000:5000 \
+  -e REGISTRY_HTTP_SECRET=drycc \
+  -e DRYCC_REGISTRY_REDIRECT=false \
+  -e DRYCC_REGISTRY_USERNAME=admin \
+  -e DRYCC_REGISTRY_PASSWORD=admin \
+  -e DRYCC_MINIO_LOOKUP=path \
+  -e DRYCC_MINIO_BUCKET=registry \
   -e DRYCC_MINIO_ENDPOINT=http://minio:9000 \
-  -v "${CURRENT_DIR}"/tmp/aws-user:/var/run/secrets/drycc/minio/creds \
+  -e DRYCC_MINIO_ACCESSKEY=$s3Accesskey \
+  -e DRYCC_MINIO_SECRETKEY=$s3Secretkey \
   "$1")
 
 # let the registry run for a few seconds

main.go

@@ -1,7 +1,6 @@
 package main
 
 import (
-	"io/ioutil"
 	"log"
 	"net"
 	"net/url"
@@ -11,17 +10,24 @@ import (
 )
 
 const (
-	registryBinary      = "/opt/drycc/registry/bin/registry"
-	registryConfig      = "/etc/docker/registry/config.yml"
-	minioEndpointEnvVar = "DRYCC_MINIO_ENDPOINT"
-	command             = "serve"
+	registryBinary         = "/opt/drycc/registry/bin/registry"
+	registryConfig         = "/opt/drycc/registry/etc/config.yml"
+	registryHtpasswd       = "/opt/drycc/registry/etc/htpasswd"
+	registryRedirectEnvVar = "DRYCC_REGISTRY_REDIRECT"
+	minioLookupEnvVar      = "DRYCC_MINIO_LOOKUP"
+	minioBucketEnvVar      = "DRYCC_MINIO_BUCKET"
+	minioEndpointEnvVar    = "DRYCC_MINIO_ENDPOINT"
+	minioAccesskeyEnvVar   = "DRYCC_MINIO_ACCESSKEY"
+	minioSecretkeyEnvVar   = "DRYCC_MINIO_SECRETKEY"
+	command                = "serve"
 )
 
 func main() {
 	log.Println("INFO: Starting registry...")
 	os.Setenv("REGISTRY_STORAGE", "s3")
 	mEndpoint := os.Getenv(minioEndpointEnvVar)
 	os.Setenv("REGISTRY_STORAGE_S3_REGIONENDPOINT", mEndpoint)
+
 	region := "us-east-1" //region is required in distribution
 	if endpointURL, err := url.Parse(mEndpoint); err == nil {
 		if endpointURL.Hostname() != "" && net.ParseIP(endpointURL.Hostname()) == nil {
@@ -30,31 +36,26 @@ func main() {
 	}
 	os.Setenv("REGISTRY_STORAGE_S3_REGION", region)
 
-	if accesskey, err := ioutil.ReadFile("/var/run/secrets/drycc/minio/creds/accesskey"); err != nil {
-		log.Fatal(err)
-	} else {
-		os.Setenv("REGISTRY_STORAGE_S3_ACCESSKEY", string(accesskey))
-	}
+	os.Setenv("REGISTRY_STORAGE_S3_ACCESSKEY", os.Getenv(minioAccesskeyEnvVar))
+	os.Setenv("REGISTRY_STORAGE_S3_SECRETKEY", os.Getenv(minioSecretkeyEnvVar))
+	os.Setenv("REGISTRY_STORAGE_S3_BUCKET", os.Getenv(minioBucketEnvVar))
+	os.Setenv("REGISTRY_STORAGE_S3_ROOTDIRECTORY", "/registry")
 
-	if secretkey, err := ioutil.ReadFile("/var/run/secrets/drycc/minio/creds/secretkey"); err != nil {
-		log.Fatal(err)
-	} else {
-		os.Setenv("REGISTRY_STORAGE_S3_SECRETKEY", string(secretkey))
+	if os.Getenv(minioLookupEnvVar) == "path" {
+		os.Setenv("REGISTRY_STORAGE_S3_FORCEPATHSTYLE", "true")
 	}
 
-	bucketNameFile := "/var/run/secrets/drycc/minio/creds/registry-bucket"
-	if _, err := os.Stat(bucketNameFile); os.IsNotExist(err) {
-		if bucket, err := ioutil.ReadFile(bucketNameFile); err != nil {
-			log.Fatal(err)
-		} else {
-			os.Setenv("REGISTRY_STORAGE_S3_BUCKET", string(bucket))
-		}
+	if os.Getenv(registryRedirectEnvVar) == "true" {
+		os.Setenv("REGISTRY_STORAGE_REDIRECT_DISABLE", "false")
 	} else {
-		os.Setenv("REGISTRY_STORAGE_S3_BUCKET", "registry") // default bucket
+		os.Setenv("REGISTRY_STORAGE_REDIRECT_DISABLE", "true")
 	}
 
-	// run /bin/create_bucket
-	cmd := exec.Command("/bin/create_bucket")
+	// run /bin/init_registry
+	os.Setenv("REGISTRY_AUTH", "htpasswd")
+	os.Setenv("REGISTRY_AUTH_HTPASSWD_REALM", "basic-realm")
+	os.Setenv("REGISTRY_AUTH_HTPASSWD_PATH", registryHtpasswd)
+	cmd := exec.Command("/bin/init_registry")
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
 	if err := cmd.Run(); err != nil {
@@ -69,11 +70,3 @@ func main() {
 	}
 	log.Println("INFO: registry started.")
 }
-
-func getenv(name, dfault string) string {
-	value := os.Getenv(name)
-	if value == "" {
-		value = dfault
-	}
-	return value
-}

rootfs/bin/create_bucket

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+set -e
+
+mc config host add minio \
+  "${DRYCC_MINIO_ENDPOINT}" \
+  "${DRYCC_MINIO_ACCESSKEY}" \
+  "${DRYCC_MINIO_SECRETKEY}" \
+  --lookup "${DRYCC_MINIO_LOOKUP}" \
+  --api s3v4
+
+has_bucket(){
+    mc ls minio -json|jq -r '.key'|grep -w "${DRYCC_MINIO_BUCKET}"
+}
+
+if  [ -z "$(has_bucket)" ] ;then
+    mc mb minio/"${DRYCC_MINIO_BUCKET}"
+    if  [ -z "$(has_bucket)" ] ;then
+        echo "create bucket ${DRYCC_MINIO_BUCKET} error"
+        exit 1
+    fi
+fi
+echo "create bucket ${DRYCC_MINIO_BUCKET} success"
+
+htpasswd -Bbn "${DRYCC_REGISTRY_USERNAME}" "${DRYCC_REGISTRY_PASSWORD}" > "${REGISTRY_AUTH_HTPASSWD_PATH}"
+echo "create ${REGISTRY_AUTH_HTPASSWD_PATH} success"