diff --git a/helm-charts/kubero/templates/registry.yaml b/helm-charts/kubero/templates/registry.yaml
index f088900..662358a 100644
--- a/helm-charts/kubero/templates/registry.yaml
+++ b/helm-charts/kubero/templates/registry.yaml
@@ -9,20 +9,8 @@ type: Opaque
 data:
 auth: {{ $basicAuth | b64enc }}
 ---
-{{- $dockerAuth := (printf "%s:%s" .Values.registry.account.username .Values.registry.account.password) | b64enc -}}
-{{- $dockerconfigjson := printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"auth\":\"%s\"}}}" .Values.registry.host .Values.registry.account.username .Values.registry.account.password $dockerAuth -}}
-# copied to pipeline namespace for kpack, nixpack, dockerfile and to pull images
-apiVersion: v1
-kind: Secret
-metadata:
- name: registry-login
-type: Opaque
-data:
- username: {{ .Values.registry.account.username | b64enc }}
- password: {{ .Values.registry.account.password | b64enc }}
- .dockerconfigjson: {{ $dockerconfigjson | b64enc }}
----
 {{- if .Values.registry.create -}}
+{{- $kuberoUiHost := (index .Values.ingress.hosts 0) }}
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
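Review bot: `{{- $kuberoUiHost := (index .Values.ingress.hosts 0) }}` aborts rendering with a bare Go-template index error when `ingress.hosts` is empty, which is the first thing a user hits after enabling `registry.create`. A guard with an explicit message reads better: `{{- if not .Values.ingress.hosts }}{{ fail "ingress.hosts must list at least one host; it is used to build the registry token realm" }}{{ end }}`. The variable is consumed by the registry Deployment further down the file (next hunk), so the coupling between the UI ingress and the registry deserves a one-line comment here, e.g. `# the first ingress host is where the UI serves the registry token endpoint`. Removing the `registry-login` Secret also removes the plaintext `.dockerconfigjson`/password copy that the pipeline charts used to `lookup`; the deleted pipeline templates below cover the consumers visible in this diff, but any out-of-chart readers of that Secret would need checking.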
@@ -53,20 +41,40 @@ spec:
 spec:
 containers:
 - name: registry
- image: registry:2
+ image: registry:3
 ports:
 - containerPort: 5000
 env:
 - name: REGISTRY_HTTP_ADDR
 value: 0.0.0.0:5000
+ - name: REGISTRY_AUTH
+ value: token
+ - name: REGISTRY_AUTH_TOKEN_REALM
+ value: http{{ if .Values.ingress.tls }}s{{ end }}://{{ $kuberoUiHost.host }}{{ $kuberoUiHost.path }}/api/registry/token
+ - name: REGISTRY_AUTH_TOKEN_SERVICE
+ value: {{ .Values.registry.host }}
+ - name: REGISTRY_AUTH_TOKEN_ISSUER
+ value: todo.kubero.dev # TODO
+ - name: REGISTRY_AUTH_TOKEN_JWKS
+ value: /auth/jwk
+ - name: OTEL_TRACES_EXPORTER
+ value: "none"
 volumeMounts:
 - name: registry-data
 mountPath: /var/lib/registry
 subPath: registry
+ - name: jwt-pubkey
+ mountPath: /auth
+ readOnly: true
 volumes:
 - name: registry-data
 persistentVolumeClaim:
 claimName: kubero-registry-data-pvc
+ - name: jwt-pubkey
+ secret:
+ defaultMode: 0o640
+ # created by UI on startup
+ secretName: registry-jwt-pubkey
 ---
 apiVersion: v1
 kind: Service
@@ -95,9 +103,6 @@ metadata:
 nginx.ingress.kubernetes.io/ssl-redirect: "false"
 cert-manager.io/cluster-issuer: letsencrypt-prod
 kubernetes.io/tls-acme: "true"
- nginx.ingress.kubernetes.io/auth-type: basic
- nginx.ingress.kubernetes.io/auth-secret: registry-basic-auth
- nginx.ingress.kubernetes.io/auth-realm: 'Kubero Registry'
 nginx.ingress.kubernetes.io/proxy-body-size: '0'
 {{- with .Values.ingress.annotations }}
 {{- toYaml . | nindent 4}}
diff --git a/helm-charts/kuberopipeline/secrets-pull-secret.yaml b/helm-charts/kuberopipeline/secrets-pull-secret.yaml
deleted file mode 100644
index dc13df2..0000000
--- a/helm-charts/kuberopipeline/secrets-pull-secret.yaml
+++ /dev/null
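Review bot: `defaultMode: 0o640` on the `jwt-pubkey` volume uses YAML 1.2 octal notation; the YAML 1.1-based decoder used by Kubernetes client tooling does not know the `0o` prefix and is likely to hand the API server the string `"0o640"` for an int32 field, so the rendered Deployment may be rejected — `defaultMode: 0640` or decimal `defaultMode: 416` is the conventional spelling (a dry-run apply of the rendered chart would confirm). `REGISTRY_AUTH_TOKEN_ISSUER` is left at the placeholder `todo.kubero.dev`; the registry accepts only tokens whose `iss` claim equals this value, so it should come from the same chart value the UI signs with rather than a hard-coded `# TODO`. When `ingress.tls` is unset the realm is advertised as plain `http://`, so the credentials clients present to the token endpoint and the bearer tokens it returns cross the network in cleartext; a comment on the REALM entry stating that TLS is expected for anything beyond a local setup would make that explicit. `value: {{ .Values.registry.host }}` is an unquoted templated scalar and should be `value: {{ .Values.registry.host | quote }}` so an empty or number-like host does not change type. The Deployment's `spec` begins above this hunk.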
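Review bot: Dropping the three `auth-*` annotations moves authentication from the ingress to the registry's own token check, but the ingress still carries `ssl-redirect: "false"`, so the registry API — and the bearer tokens in its `Authorization` headers — stays reachable over plain HTTP; tying it to the TLS setting, e.g. `nginx.ingress.kubernetes.io/ssl-redirect: {{ if .Values.ingress.tls }}"true"{{ else }}"false"{{ end }}`, would close that gap without changing the non-TLS case. The removed `auth-secret: registry-basic-auth` annotation was the only consumer of that Secret visible in this file; the `auth: {{ $basicAuth | b64enc }}` data key still rendered at the top of the template (context in the first hunk) suggests the Secret is still created, and if nothing else reads it the htpasswd credential should be dropped rather than left provisioned. The Ingress `metadata` begins above this hunk.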
@@ -1,37 +0,0 @@
-{{- $mainnamespace := .Values.mainnamespace | default "kubero" -}}
-{{- $secretObj := (lookup "v1" "Secret" $mainnamespace "registry-login") | default dict }}
-{{- $secretData := (get $secretObj "data") | default dict }}
-{{- $dockerconfigjson := (get $secretData ".dockerconfigjson") | default "" }}
-{{- $registryUsername := (get $secretData "username") | default "" }}
-{{- $registryPassword := (get $secretData "password") | default "" }}
-
-{{- $name := .Values.name -}}
-{{- $deploymentstrategy := .Values.deploymentstrategy -}}
-
-{{- range .Values.phases }}
-{{- if .enabled }}
-{{- if and (eq $deploymentstrategy "git") (ne $registryUsername "") }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: kubero-pull-secret
- namespace: {{ $name }}-{{ .name }}
-type: kubernetes.io/dockerconfigjson
-data:
- .dockerconfigjson: {{ $dockerconfigjson | quote }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: registry-credentials
- namespace: {{ $name }}-{{ .name }}
- annotations:
- app.kubernetes.io/comment: "required by trivy to scan the image"
-type: Opaque
-data:
- username: {{ $registryUsername | quote }}
- password: {{ $registryPassword | quote }}
----
-{{- end }}
-{{- end }}
-{{- end }}
\ No newline at end of file
diff --git a/helm-charts/kuberopipeline/templates/secret-pull-secret-copy.yaml b/helm-charts/kuberopipeline/templates/secret-pull-secret-copy.yaml
deleted file mode 100644
index 92768bb..0000000
--- a/helm-charts/kuberopipeline/templates/secret-pull-secret-copy.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-{{- $name := .Values.name -}}
-
-{{- if and (eq .Values.deploymentstrategy "git") (eq .Values.registry.createSecret "copy") }}
-
-{{- $mainnamespace := .Values.mainnamespace | default "kubero" -}}
-{{- $secretObj := (lookup "v1" "Secret" $mainnamespace "registry-login") | default dict }}
-{{- $secretData := (get $secretObj "data") | default dict }}
-{{- $dockerconfigjson := (get $secretData ".dockerconfigjson") | default "ZW1wdHk=" }}
-{{- $registryUsername := (get $secretData "username") | default "ZW1wdHk=" }}
-{{- $registryPassword := (get $secretData "password") | default "ZW1wdHk=" }}
-
-
-{{- range .Values.phases }}
-{{- if .enabled }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: kubero-pull-secret
- namespace: {{ $name }}-{{ .name }}
-type: kubernetes.io/dockerconfigjson
-data:
- .dockerconfigjson: {{ $dockerconfigjson | quote }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: registry-credentials
- namespace: {{ $name }}-{{ .name }}
- annotations:
- app.kubernetes.io/comment: "required by trivy to scan the image"
-type: Opaque
-data:
- username: {{ $registryUsername | quote }}
- password: {{ $registryPassword | quote }}
-{{- end }}{{/* if .enabled */}}
-{{- end }}{{/* end range .Values.phases */}}
-{{- end }}{{/* if and (eq .Values.deploymentstrategy "git") (eq .Values.registry.createSecret "copy") */}}
\ No newline at end of file
diff --git a/helm-charts/kuberopipeline/templates/secret-pull-secret-create.yaml b/helm-charts/kuberopipeline/templates/secret-pull-secret-create.yaml
deleted file mode 100644
index 03c0118..0000000
--- a/helm-charts/kuberopipeline/templates/secret-pull-secret-create.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-{{- $name := .Values.name -}}
-
-{{- if and (eq .Values.deploymentstrategy "git") (eq .Values.registry.createSecret "create") }}
-{{- $dockerAuth := (printf "%s:%s" .Values.registry.username .Values.registry.password) | b64enc -}}
-{{- $dockerconfigjson := (printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"auth\":\"%s\"}}}" .Values.registry.host .Values.registry.username .Values.registry.password $dockerAuth) | b64enc -}}
-{{- $registryUsername := .Values.registry.username | b64enc -}}
-{{- $registryPassword := .Values.registry.password | b64enc -}}
-
-{{- range .Values.phases }}
-{{- if .enabled }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: kubero-pull-secret
- namespace: {{ $name }}-{{ .name }}
-type: kubernetes.io/dockerconfigjson
-data:
- .dockerconfigjson: {{ $dockerconfigjson | quote }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: registry-credentials
- namespace: {{ $name }}-{{ .name }}
- annotations:
- app.kubernetes.io/comment: "required by trivy to scan the image"
-type: Opaque
-data:
- username: {{ $registryUsername | quote }}
- password: {{ $registryPassword | quote }}
-{{- end }}{{/* if .enabled */}}
-{{- end }}{{/* end range .Values.phases */}}
-{{- end }}{{/* if and (eq .Values.deploymentstrategy "git") (eq .Values.registry.createSecret "copy") */}}
\ No newline at end of file