chore(registry): add registry proxy

Author: duanhongyi

.gitignore

@@ -1,3 +1,3 @@
-rootfs/opt/
 contrib/ci/tmp/
 .vscode/
+rootfs/opt/registry/sbin

Dockerfile

@@ -5,8 +5,8 @@ ARG LDFLAGS
 ADD . /workspace
 RUN export GO111MODULE=on \
   && cd /workspace \
-  && CGO_ENABLED=0 init-stack go build -ldflags "${LDFLAGS}" -o /bin/boot main.go \
-  && upx -9 --brute /bin/boot
+  && CGO_ENABLED=0 init-stack go build -ldflags "${LDFLAGS}" -o /bin/start-registry main.go \
+  && upx -9 --brute /bin/start-registry
 
 
 FROM registry.drycc.cc/drycc/base:${CODENAME}
@@ -16,18 +16,16 @@ ENV DRYCC_UID=1001 \
   DRYCC_HOME_DIR=/var/lib/registry \
   JQ_VERSION="1.7.1" \
   MC_VERSION="2025.04.03.17.07.56" \
+  NGINX_VERSION="1.25.1" \
   REGISTRY_VERSION="3.0.0"
 
-COPY rootfs/bin/ /bin/
-COPY --from=build /bin/boot /bin/boot
-
 RUN groupadd drycc --gid ${DRYCC_GID} \
   && useradd drycc -u ${DRYCC_UID} -g ${DRYCC_GID} -s /bin/bash -m -d ${DRYCC_HOME_DIR} \
   && install-packages apache2-utils \
   && install-stack jq $JQ_VERSION \
   && install-stack mc $MC_VERSION \
+  && install-stack nginx ${NGINX_VERSION} \
   && install-stack registry $REGISTRY_VERSION \
-  && chmod +x /bin/init_registry \
   && rm -rf \
       /usr/share/doc \
       /usr/share/man \
@@ -42,12 +40,15 @@ RUN groupadd drycc --gid ${DRYCC_GID} \
       /usr/lib/`echo $(uname -m)`-linux-gnu/gconv/IBM* \
       /usr/lib/`echo $(uname -m)`-linux-gnu/gconv/EBC* \
   && mkdir -p /usr/share/man/man{1..8} \
-  && chown -R ${DRYCC_UID}:${DRYCC_GID} ${DRYCC_HOME_DIR}
+  && chown -R ${DRYCC_UID}:${DRYCC_GID} /opt/drycc
 
+COPY --from=build /bin/start-registry /bin/start-registry
+COPY --chown=${DRYCC_UID}:${DRYCC_GID} rootfs/bin/ /bin/
+COPY --chown=${DRYCC_UID}:${DRYCC_GID} rootfs/opt/drycc/nginx /opt/drycc/nginx
 COPY --chown=${DRYCC_UID}:${DRYCC_GID} rootfs/config-example.yml /opt/drycc/registry/etc/config.yml
+
 ENV DRYCC_REGISTRY_CONFIG /opt/drycc/registry/etc/config.yml
 
 USER ${DRYCC_UID}
 VOLUME ["${DRYCC_HOME_DIR}"]
-CMD ["/bin/boot"]
 EXPOSE 5000

README.md

@@ -12,7 +12,15 @@ We welcome your input! If you have feedback, please submit an [issue][issues]. I
 
 # About
 
-The registry is a [Container registry](https://github.com/distribution/distribution) component for use in Kubernetes. While it's intended for use inside of the Drycc open source [PaaS](https://en.wikipedia.org/wiki/Platform_as_a_service), it's flexible enough to be used as a standalone pod on any Kubernetes cluster.
+Registry consists of two components, namely the proxy component and the registry component.
+
+## Proxy
+
+The proxy component is a proxy deployed on every Kubernetes worker node, proxying all requests to the Drycc Workflow [registry][registry]. This allows the worker nodes daemons to communicate to the registry over localhost, bypassing the need for adding the `--insecure-registry` flag to the daemons.
+
+## Registry
+
+The registry component is a [Container registry](https://github.com/distribution/distribution) component for use in Kubernetes. While it's intended for use inside of the Drycc open source [PaaS](https://en.wikipedia.org/wiki/Platform_as_a_service), it's flexible enough to be used as a standalone pod on any Kubernetes cluster.
 
 If you decide to use this component standalone, you can host your own Container registry in your own Kubernetes cluster.
 

charts/registry/templates/registry-deployment.yaml

@@ -44,6 +44,9 @@ spec:
         {{- if .Values.diagnosticMode.enabled }}
         command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 10 }}
         args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 10 }}
+        {{- else }}
+        args:
+        - start-registry
         {{- end }}
         {{- include "registry.limits" . | indent 8 }}
         {{- include "registry.envs" . | indent 8 }}

charts/registry/templates/registry-proxy-daemonset.yaml

@@ -0,0 +1,112 @@
+{{- if eq .Values.global.registryLocation "on-cluster" }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: drycc-registry-proxy
+  labels:
+    heritage: drycc
+  annotations:
+    component.drycc.cc/version: {{ .Values.imageTag }}
+spec:
+  updateStrategy:
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app: drycc-registry-proxy
+      heritage: drycc
+  template:
+    metadata:
+      name: drycc-registry-proxy
+      labels:
+        heritage: drycc
+        app: drycc-registry-proxy
+    spec:
+      securityContext:
+        fsGroup: 1001
+        runAsGroup: 1001
+        runAsUser: 1001
+      initContainers:
+      - name: drycc-registry-init
+        image: {{.Values.imageRegistry}}/{{.Values.imageOrg}}/python-dev:latest
+        imagePullPolicy: {{.Values.imagePullPolicy}}
+        args:
+        - netcat
+        - -v
+        - -a
+        - $(DRYCC_REGISTRY_HOST)
+        env:
+        - name: "DRYCC_REGISTRY_HOST"
+          valueFrom:
+            secretKeyRef:
+              name: registry-secret
+              key: host
+      containers:
+      - name: drycc-registry-proxy
+        image: {{.Values.imageRegistry}}/{{.Values.imageOrg}}/registry:{{.Values.imageTag}}
+        imagePullPolicy: {{.Values.imagePullPolicy}}
+        {{- if .Values.diagnosticMode.enabled }}
+        command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 10 }}
+        args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 10 }}
+        {{- else }}
+        args:
+        - start-proxy
+        {{- end }}
+        {{- if or (.Values.limitsCpu) (.Values.limitsMemory)}}
+        resources:
+          limits:
+            {{- if (.Values.limitsCpu) }}
+            cpu: {{.Values.limitsCpu}}
+            {{- end}}
+            {{- if (.Values.limitsMemory) }}
+            memory: {{.Values.limitsMemory}}
+            {{- end}}
+        {{- end}}
+        {{- if not .Values.diagnosticMode.enabled }}
+        startupProbe:
+          httpGet:
+            path: /
+            port: 8080
+          initialDelaySeconds: 30
+          periodSeconds: 5
+          timeoutSeconds: 1
+          successThreshold: 1
+          failureThreshold: 5
+        livenessProbe:
+          httpGet:
+            path: /
+            port: 8080
+          initialDelaySeconds: 30
+          periodSeconds: 5
+          timeoutSeconds: 1
+          successThreshold: 1
+          failureThreshold: 5
+        readinessProbe:
+          httpGet:
+            path: /
+            port: 8080
+          initialDelaySeconds: 30
+          periodSeconds: 5
+          timeoutSeconds: 1
+          successThreshold: 1
+          failureThreshold: 5
+        {{- end }}
+        env:
+        - name: "DRYCC_REGISTRY_HOST"
+          valueFrom:
+            secretKeyRef:
+              name: registry-secret
+              key: host
+        - name: "DRYCC_REGISTRY_USERNAME"
+          valueFrom:
+            secretKeyRef:
+              name: registry-secret
+              key: username
+        - name: "DRYCC_REGISTRY_PASSWORD"
+          valueFrom:
+            secretKeyRef:
+              name: registry-secret
+              key: password
+        ports:
+        - containerPort: 8080
+          hostPort: {{.Values.proxyPort}}
+{{- end }}

charts/registry/values.yaml

@@ -40,6 +40,8 @@ podAntiAffinityPreset:
 replicas: 1
 # registry storage redirect
 redirect: "false"
+# host port for the registry proxy in the daemonset
+proxyPort: 5555
 
 concurrencyPolicy: "Replace"
 

contrib/ci/test.sh

@@ -6,7 +6,7 @@ DRYCC_STORAGE_ACCESSKEY=f4c4281665bc11ee8e0400163e04a9cd
 DRYCC_STORAGE_SECRETKEY=f4c4281665bc11ee8e0400163e04a9cd
 
 
-STORAGE_JOB=$(podman run -d --entrypoint init-stack \
+STORAGE_JOB=$(podman run -d --rm --entrypoint init-stack \
   -e MINIO_ROOT_USER="${DRYCC_STORAGE_ACCESSKEY}" \
   -e MINIO_ROOT_PASSWORD="${DRYCC_STORAGE_SECRETKEY}" \
   "${DEV_REGISTRY}"/drycc/storage:canary minio server /data)
@@ -18,7 +18,7 @@ wait-for-port --host="${STORAGE_IP}" 9000
 echo -e "\\033[32m---> S3 service ${STORAGE_IP}:9000 ready...\\033[0m"
 podman logs "${STORAGE_JOB}"
 
-JOB=$(podman run -d \
+REGISTRY_JOB=$(podman run -d --rm \
   -e REGISTRY_HTTP_SECRET=drycc \
   -e DRYCC_REGISTRY_REDIRECT=false \
   -e DRYCC_REGISTRY_USERNAME=admin \
@@ -28,23 +28,48 @@ JOB=$(podman run -d \
   -e DRYCC_STORAGE_ENDPOINT="http://${STORAGE_IP}:9000" \
   -e DRYCC_STORAGE_ACCESSKEY="${DRYCC_STORAGE_ACCESSKEY}" \
   -e DRYCC_STORAGE_SECRETKEY="${DRYCC_STORAGE_SECRETKEY}" \
-  "$1")
+  "$1" start-registry)
 
 # shellcheck disable=SC2317
 function clean_before_exit {
   # delay before exiting, so stdout/stderr flushes through the logging system
-  podman kill "${JOB}"
+  podman kill "${REGISTRY_JOB}"
   podman kill "${STORAGE_JOB}"
-  podman rm -f "${JOB}" "${STORAGE_JOB}"
+  podman kill "${PROXY_JOB}"
 }
 trap clean_before_exit EXIT
 
 # let the registry run for a few seconds
-REGISTRY_IP=$(podman inspect --format "{{ .NetworkSettings.IPAddress }}" "${JOB}")
+REGISTRY_IP=$(podman inspect --format "{{ .NetworkSettings.IPAddress }}" "${REGISTRY_JOB}")
 echo -e "\\033[32m---> Waitting for ${REGISTRY_IP}:5000\\033[0m"
 wait-for-port --host="${REGISTRY_IP}" 5000
 echo -e "\\033[32m---> S3 service ${REGISTRY_IP}:5000 ready...\\033[0m"
+
+# proxy job
+PROXY_JOB=$(podman run -d \
+  -p 15555:8080 \
+  -e DRYCC_REGISTRY_HOST="${REGISTRY_IP}:5000" \
+  -e DRYCC_REGISTRY_USERNAME=admin \
+  -e DRYCC_REGISTRY_PASSWORD=admin \
+  "$1" start-proxy)
+
+# let the registry proxy run for a few seconds
+REGISTRY_PROXY_IP=$(podman inspect --format "{{ .NetworkSettings.IPAddress }}" "${PROXY_JOB}")
+echo -e "\\033[32m---> Waitting for ${REGISTRY_PROXY_IP}:8080\\033[0m"
+wait-for-port --host="${REGISTRY_PROXY_IP}" 8080
+echo -e "\\033[32m---> S3 service ${REGISTRY_PROXY_IP}:8080 ready...\\033[0m"
+
 # check that the registry is still up
-podman tag "$1" "${REGISTRY_IP}:5000/registry:canary"
-echo admin | podman login "${REGISTRY_IP}:5000" --tls-verify=false --username admin --password-stdin > /dev/null 2>&1
-podman push "${REGISTRY_IP}:5000/registry:canary" --tls-verify=false
+http_status_code=$(curl -X GET -s -o /dev/null -w "%{http_code}" "http://${REGISTRY_PROXY_IP}:8080/v2/")
+if [ "$http_status_code" != "200" ]; then
+    echo "Expected http status code: 200, actual: ${http_status_code}"
+    exit 1
+fi
+
+http_status_code=$(curl -X POST -s -o /dev/null -w "%{http_code}" "http://${REGISTRY_PROXY_IP}:8080/v2/")
+if [ "$http_status_code" != "403" ]; then
+    echo "Expected http status code: 403, actual: ${http_status_code}"
+    exit 1
+fi
+
+echo -e "\\033[32m---> All test success...\\033[0m"

main.go

@@ -57,11 +57,11 @@ func main() {
 	os.Setenv("REGISTRY_VALIDATION_DISABLED", "true")
 	os.Setenv("REGISTRY_STORAGE_S3_ROOTDIRECTORY", "/registry")
 
-	// run /bin/init_registry
+	// run /bin/init-registry
 	os.Setenv("REGISTRY_AUTH", "htpasswd")
 	os.Setenv("REGISTRY_AUTH_HTPASSWD_REALM", "basic-realm")
 	os.Setenv("REGISTRY_AUTH_HTPASSWD_PATH", registryHtpasswd)
-	cmd := exec.Command("/bin/init_registry")
+	cmd := exec.Command("/bin/init-registry")
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
 	if err := cmd.Run(); err != nil {

rootfs/bin/init_registry rootfs/bin/init-registryrootfs/bin/init_registry renamed to rootfs/bin/init-registry

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+REGISTRY_HOST=${DRYCC_REGISTRY_HOST:?no host}
+AUTHORIZATION=$(echo -ne "${DRYCC_REGISTRY_USERNAME:? no username}":"${DRYCC_REGISTRY_PASSWORD:? no password}" | base64 -w 0)
+
+cat /opt/drycc/nginx/conf/registry.conf.tpl > /opt/drycc/nginx/conf/registry.conf
+sed -i "s#%REGISTRY_HOST%#${REGISTRY_HOST}#g" /opt/drycc/nginx/conf/registry.conf
+sed -i "s#%AUTHORIZATION%#${AUTHORIZATION}#g" /opt/drycc/nginx/conf/registry.conf
+
+# wait for registry to come online
+while ! curl -sS "$REGISTRY_HOST" &>/dev/null; do
+	echo "waiting for the registry (%s) to come online..."
+	echo "$REGISTRY_HOST"
+	sleep 1
+done
+
+echo "starting registry-proxy..."
+exec nginx -g "daemon off;"