refactor(platform)!: replace Harbor with a simple Docker Regisry

https://github.com/distribution/distribution Docker Registry is stateless and easier to automate. The tiny footprint is an added bonus.
2024-12-22 20:44:33 +07:00 · 2023-05-21 13:43:02 +07:00 · 2023-05-21 13:43:02 +07:00 · 4b69ec2dfc
commit 4b69ec2dfc
parent b517985272
7 changed files with 81 additions and 44 deletions
--- a/README.md
+++ b/README.md
@ -128,6 +128,11 @@ They can't capture all the project's features, but they are sufficient to get a
        <td><a href="https://www.docker.com">Docker</a></td>
        <td>Ephemeral PXE server and convenient tools container</td>
    </tr>
+    <tr>
+        <td><img width="32" src="https://github.com/distribution/distribution/raw/main/distribution-logo.svg"></td>
+        <td><a href="https://github.com/distribution/distribution">Docker Registry</a></td>
+        <td>Private container registry</td>
+    </tr>
    <tr>
        <td><img width="32" src="https://github.com/kubernetes-sigs/external-dns/raw/master/docs/img/external-dns.png"></td>
        <td><a href="https://github.com/kubernetes-sigs/external-dns">ExternalDNS</a></td>
@ -198,11 +203,6 @@ They can't capture all the project's features, but they are sufficient to get a
        <td><a href="https://tekton.dev">Tekton</a></td>
        <td>Cloud native solution for building CI/CD systems</td>
    </tr>
-    <tr>
-        <td><img width="32" src="https://trow.io/trow.png"></td>
-        <td><a href="https://trow.io">Trow</a></td>
-        <td>Private container registry</td>
-    </tr>
    <tr>
        <td><img width="32" src="https://simpleicons.org/icons/vault.svg"></td>
        <td><a href="https://www.vaultproject.io">Vault</a></td>
--- a/platform/harbor/Chart.yaml
+++ b/platform/harbor/Chart.yaml
@ -1,7 +0,0 @@
-apiVersion: v2
-name: harbor
-version: 0.0.0
-dependencies:
- name: harbor
-  version: 1.12.0
-  repository: https://helm.goharbor.io
--- a/platform/harbor/values.yaml
+++ b/platform/harbor/values.yaml
@ -1,30 +0,0 @@
-harbor:
-  expose:
-    ingress:
-      hosts:
-        core: registry.khuedoan.com
-      className: nginx
-      annotations:
-        cert-manager.io/cluster-issuer: letsencrypt-prod
-        nginx.ingress.kubernetes.io/ssl-redirect: "true"
-        nginx.ingress.kubernetes.io/proxy-body-size: "0"
-    tls:
-      certSource: secret
-      secret:
-        secretName: harbor-tls-certificate
-  externalURL: https://registry.khuedoan.com
-  trivy:
-    enabled: false
-  notary:
-    enabled: false
-  persistence:
-    enabled: true
-    persistentVolumeClaim:
-      registry:
-        storageClass: longhorn
-      jobservice:
-        storageClass: longhorn
-      database:
-        storageClass: longhorn
-      redis:
-        storageClass: longhorn
--- a/platform/registry/Chart.yaml
+++ b/platform/registry/Chart.yaml
@ -0,0 +1,7 @@
+apiVersion: v2
+name: registry
+version: 0.0.0
+dependencies:
+  - name: docker-registry
+    version: 2.2.2
+    repository: https://helm.twun.io
--- a/platform/registry/templates/admin-secret.yaml
+++ b/platform/registry/templates/admin-secret.yaml
@ -0,0 +1,20 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: registry-admin-secret
+  namespace: {{ .Release.Namespace }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      engineVersion: v2
+      data:
+        username: admin
+        password: {{` "{{ .password }}" `}}
+  data:
+    - secretKey: password
+      remoteRef:
+        key: /registry/admin
+        property: password
--- a/platform/registry/values.yaml
+++ b/platform/registry/values.yaml
@ -0,0 +1,47 @@
+docker-registry:
+  ingress:
+    enabled: true
+    className: nginx
+    hosts:
+      - &host registry.khuedoan.com
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+      nginx.ingress.kubernetes.io/ssl-redirect: "true"
+      nginx.ingress.kubernetes.io/proxy-body-size: "0"
+    tls:
+      - secretName: registry-tls-certificate
+        hosts:
+          - *host
+  extraVolumes:
+    - name: auth
+      emptyDir: {}
+  extraVolumeMounts:
+    - mountPath: /auth
+      name: auth
+  # TODO uncomment to enable auth
+  # extraEnvVars:
+  #   - name: REGISTRY_AUTH
+  #     value: "htpasswd"
+  #   - name: REGISTRY_AUTH_HTPASSWD_REALM
+  #     value: "Registry Realm"
+  #   - name: REGISTRY_AUTH_HTPASSWD_PATH
+  #     value: "/auth/htpasswd"
+  # initContainers:
+  #   - name: htpasswd
+  #     image: httpd:2-alpine
+  #     command:
+  #       - sh
+  #       - -c
+  #       - htpasswd -Bbn "${username}" "${password}" > /auth/htpasswd
+  #     envFrom:
+  #       - secretRef:
+  #           name: registry-admin-secret
+  #     volumeMounts:
+  #       - mountPath: /auth
+  #         name: auth
+  persistence:
+    enabled: true
+    size: 10Gi
+    storageClass: longhorn
+  garbageCollect:
+    enabled: true
--- a/platform/vault/files/generate-secrets/config.yaml
+++ b/platform/vault/files/generate-secrets/config.yaml
@ -12,8 +12,8 @@
      length: 32
      special: false

-# Trow
- path: trow/admin
+# Registry
+- path: registry/admin
  data:
    - key: password
      length: 32