Merge pull request opencloud-eu#50 from ferenc-hechler/feature/registry-split-11-38

feat: Add registry/repository split and global image overrides

Author: butonic

README.md

@@ -158,6 +158,24 @@ You can list available versions with:
 helm search repo oci://ghcr.io/opencloud-eu/helm-charts --versions
 ```
 
+## 🔒 Private Registry Support
+
+The **production chart** (`charts/opencloud`) supports using private container registries for all images. This is useful for:
+- Air-gapped environments  
+- Corporate registry mirrors
+- Pull-through caches
+
+Simply use the global override:
+```bash
+helm install opencloud ./charts/opencloud \
+  --set global.image.registry=my-registry.com \
+  --set global.image.pullPolicy=Always
+```
+
+See the [production chart documentation](./charts/opencloud/README.md#using-private-registries) for detailed configuration.
+
+**Note:** This feature is currently only available in the production chart.
+
 ## Architecture
 
 The production chart (`charts/opencloud`) deploys the following components:

charts/opencloud/README.md

@@ -191,6 +191,25 @@ Key interactions:
 
 The following table lists the configurable parameters of the OpenCloud chart and their default values.
 
+### Using Private Registries
+
+The chart supports using private container registries through global overrides. This is useful for:
+- Air-gapped environments
+- Corporate registry mirrors
+- Pull-through caches
+
+To use a private registry for all images:
+
+```bash
+helm install opencloud ./charts/opencloud \
+  --set global.image.registry=my-registry.com \
+  --set global.image.pullPolicy=Always
+```
+
+This will prepend `my-registry.com/` to all image references in the chart. For example:
+- `keycloak/keycloak:26.1.4` becomes `my-registry.com/keycloak/keycloak:26.1.4`
+- `opencloudeu/opencloud-rolling:latest` becomes `my-registry.com/opencloudeu/opencloud-rolling:latest`
+
 ### Global Settings
 
 | Parameter | Description | Default |
@@ -205,11 +224,14 @@ The following table lists the configurable parameters of the OpenCloud chart and
 | `global.tls.enabled` | Enable TLS (set to false when using gateway TLS termination externally) | `false` |
 | `global.tls.secretName` | secretName for TLS certificate | `""` |
 | `global.storage.storageClass` | Storage class for persistent volumes | `""` |
+| `global.image.registry` | Global registry override for all images (e.g., `my-registry.com`) | `""` |
+| `global.image.pullPolicy` | Global pull policy override for all images (`Always`, `IfNotPresent`, `Never`) | `""` |
 
 ### Image Settings
 
 | Parameter | Description | Default |
 | --------- | ----------- | ------- |
+| `image.registry` | OpenCloud image registry | `docker.io` |
 | `image.repository` | OpenCloud image repository | `opencloudeu/opencloud-rolling` |
 | `image.tag` | OpenCloud image tag | `latest` |
 | `image.pullPolicy` | Image pull policy | `IfNotPresent` |

charts/opencloud/templates/_helpers/tpl.yaml

@@ -148,6 +148,32 @@ Create a fully qualified Tika name.
 
 {{/* namespace helper removed - use .Release.Namespace directly */}}
 
+{{/*
+Return the image registry, using global override if set
+*/}}
+{{- define "opencloud.image.registry" -}}
+{{- coalesce .global.image.registry .registry -}}
+{{- end -}}
+
+{{/*
+Return the image pull policy, using global override if set
+*/}}
+{{- define "opencloud.image.pullPolicy" -}}
+{{- coalesce .global.image.pullPolicy .pullPolicy -}}
+{{- end -}}
+
+{{/*
+Return the full image name with registry
+*/}}
+{{- define "opencloud.image" -}}
+{{- $registry := include "opencloud.image.registry" (dict "registry" .imageValues.registry "global" .global) -}}
+{{- if $registry -}}
+{{- printf "%s/%s:%s" $registry .imageValues.repository .imageValues.tag -}}
+{{- else -}}
+{{- printf "%s:%s" .imageValues.repository .imageValues.tag -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Return the appropriate apiVersion for ingress
 */}}

charts/opencloud/templates/collabora/deployment.yaml

@@ -20,8 +20,8 @@ spec:
     spec:
       containers:
         - name: collabora
-          image: {{ .Values.collabora.image.repository }}:{{ .Values.collabora.image.tag }}
-          imagePullPolicy: {{ .Values.collabora.image.pullPolicy | default "IfNotPresent" }}
+          image: {{ include "opencloud.image" (dict "imageValues" .Values.collabora.image "global" .Values.global) | quote }}
+          imagePullPolicy: {{ include "opencloud.image.pullPolicy" (dict "pullPolicy" .Values.collabora.image.pullPolicy "global" .Values.global) }}
           command: ['/bin/bash', '-c']
           args:
             - 'coolconfig generate-proof-key && /start-collabora-online.sh'

charts/opencloud/templates/collaboration/deployment.yaml

@@ -26,13 +26,15 @@ spec:
       initContainers:
         # Wait for OpenCloud to be ready
         - name: wait-for-opencloud
-          image: busybox
+          image: {{ include "opencloud.image" (dict "imageValues" .Values.busybox.image "global" .Values.global) | quote }}
+          imagePullPolicy: {{ include "opencloud.image.pullPolicy" (dict "pullPolicy" .Values.busybox.image.pullPolicy "global" .Values.global) | quote }}
           command: ['sh', '-c', 'until wget -q -O- http://{{ include "opencloud.opencloud.fullname" . }}:9200/health; do echo waiting for opencloud; sleep 5; done;']
 
         {{- if not .Values.opencloud.persistence.enabled }}
         # Copy config from OpenCloud API if persistence is disabled
         - name: copy-config
-          image: busybox
+          image: {{ include "opencloud.image" (dict "imageValues" .Values.busybox.image "global" .Values.global) | quote }}
+          imagePullPolicy: {{ include "opencloud.image.pullPolicy" (dict "pullPolicy" .Values.busybox.image.pullPolicy "global" .Values.global) | quote }}
           command: ['sh', '-c', 'mkdir -p /etc/opencloud && wget -q -O /etc/opencloud/config.json http://{{ include "opencloud.opencloud.fullname" . }}:9200/api/v1/config/secrets || echo "Failed to get config from OpenCloud"']
           volumeMounts:
             - name: etc-opencloud
@@ -42,19 +44,21 @@ spec:
         {{- if .Values.onlyoffice.enabled }}
         # Wait for OnlyOffice to be ready
         - name: wait-for-onlyoffice
-          image: busybox
+          image: {{ include "opencloud.image" (dict "imageValues" .Values.busybox.image "global" .Values.global) | quote }}
+          imagePullPolicy: {{ include "opencloud.image.pullPolicy" (dict "pullPolicy" .Values.busybox.image.pullPolicy "global" .Values.global) | quote }}
           command: ['sh', '-c', 'until wget -q -O- http://{{ include "opencloud.fullname" . }}-onlyoffice:80/hosting/discovery; do echo waiting for onlyoffice; sleep 2; done;']
         {{- end }}
         {{- if .Values.collabora.enabled }}
         # Wait for Collabora to be ready
         - name: wait-for-collabora
-          image: busybox
+          image: {{ include "opencloud.image" (dict "imageValues" .Values.busybox.image "global" .Values.global) | quote }}
+          imagePullPolicy: {{ include "opencloud.image.pullPolicy" (dict "pullPolicy" .Values.busybox.image.pullPolicy "global" .Values.global) | quote }}
           command: ['sh', '-c', 'until wget -q -O- http://{{ include "opencloud.fullname" . }}-collabora:9980/hosting/discovery; do echo waiting for collabora; sleep 2; done;']
         {{- end }}
       containers:
         - name: collaboration
-          image: {{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          image: {{ include "opencloud.image" (dict "imageValues" .Values.image "global" .Values.global) | quote }}
+          imagePullPolicy: {{ include "opencloud.image.pullPolicy" (dict "pullPolicy" .Values.image.pullPolicy "global" .Values.global) }}
           command: ["/bin/sh"]
           args: ["-c", "opencloud collaboration server"]
           env:

charts/opencloud/templates/keycloak/deployment.yaml

@@ -24,8 +24,8 @@ spec:
         fsGroup: 1000
       containers:
         - name: keycloak
-          image: {{ .Values.keycloak.image.repository }}:{{ .Values.keycloak.image.tag }}
-          imagePullPolicy: {{ .Values.keycloak.image.pullPolicy }}
+          image: {{ include "opencloud.image" (dict "imageValues" .Values.keycloak.image "global" .Values.global) | quote }}
+          imagePullPolicy: {{ include "opencloud.image.pullPolicy" (dict "pullPolicy" .Values.keycloak.image.pullPolicy "global" .Values.global) }}
           securityContext:
             allowPrivilegeEscalation: false
             capabilities:

charts/opencloud/templates/minio/deployment.yaml

@@ -24,7 +24,8 @@ spec:
         fsGroup: 1000
       initContainers:
         - name: init-minio-bucket
-          image: busybox
+          image: {{ include "opencloud.image" (dict "imageValues" .Values.busybox.image "global" .Values.global) | quote }}
+          imagePullPolicy: {{ include "opencloud.image.pullPolicy" (dict "pullPolicy" .Values.busybox.image.pullPolicy "global" .Values.global) | quote }}
           securityContext:
             runAsUser: 1000
             runAsGroup: 1000
@@ -37,7 +38,8 @@ spec:
               mountPath: /data
       containers:
         - name: minio
-          image: minio/minio:latest
+          image: {{ include "opencloud.image" (dict "imageValues" .Values.opencloud.storage.s3.internal.image "global" .Values.global) | quote }}
+          imagePullPolicy: {{ include "opencloud.image.pullPolicy" (dict "pullPolicy" .Values.opencloud.storage.s3.internal.image.pullPolicy "global" .Values.global) }}
           securityContext:
             runAsUser: 1000
             runAsGroup: 1000

charts/opencloud/templates/onlyoffice/deployment.yaml

@@ -20,8 +20,8 @@ spec:
     spec:
       containers:
         - name: onlyoffice
-          image: {{ .Values.onlyoffice.repository }}:{{ .Values.onlyoffice.tag | default "8.2.2" }}
-          imagePullPolicy: {{ .Values.onlyoffice.pullPolicy | default "IfNotPresent" }}
+          image: {{ include "opencloud.image" (dict "imageValues" .Values.onlyoffice.image "global" .Values.global) | quote }}
+          imagePullPolicy: {{ include "opencloud.image.pullPolicy" (dict "pullPolicy" .Values.onlyoffice.image.pullPolicy "global" .Values.global) }}
           command: ["/bin/sh", "/entrypoint-override.sh"]
           env:
             - name: WOPI_ENABLED

charts/opencloud/templates/opencloud/deployment.yaml

@@ -39,7 +39,8 @@ spec:
         fsGroup: 1000
       initContainers:
         - name: init-config
-          image: busybox
+          image: {{ include "opencloud.image" (dict "imageValues" .Values.busybox.image "global" .Values.global) | quote }}
+          imagePullPolicy: {{ include "opencloud.image.pullPolicy" (dict "pullPolicy" .Values.busybox.image.pullPolicy "global" .Values.global) | quote }}
           command: ['sh', '-c', 'mkdir -p /etc/opencloud /var/lib/opencloud']
           volumeMounts:
             - name: config
@@ -50,55 +51,56 @@ spec:
         # Web extensions init containers
         {{- if .Values.webExtensions.extensions.drawio.enabled }}
         - name: init-drawio
-          image: {{ .Values.webExtensions.extensions.drawio.repository }}:{{ .Values.webExtensions.extensions.drawio.tag }}
+          image: {{ include "opencloud.image" (dict "imageValues" (merge (dict "tag" .Values.webExtensions.extensions.drawio.tag) .Values.webExtensions.image) "global" .Values.global) | quote }}
           command: ['sh', '-c', 'mkdir -p /extensions/draw-io && cp -R /usr/share/nginx/html/draw-io/ /extensions/']
           volumeMounts:
             - name: extensions
               mountPath: /extensions
         {{- end }}
         {{- if .Values.webExtensions.extensions.externalsites.enabled }}
         - name: init-externalsites
-          image: {{ .Values.webExtensions.extensions.externalsites.repository }}:{{ .Values.webExtensions.extensions.externalsites.tag }}
+          image: {{ include "opencloud.image" (dict "imageValues" (merge (dict "tag" .Values.webExtensions.extensions.externalsites.tag) .Values.webExtensions.image) "global" .Values.global) | quote }}
           command: ['sh', '-c', 'mkdir -p /extensions/external-sites && cp -R /usr/share/nginx/html/external-sites/ /extensions/']
           volumeMounts:
             - name: extensions
               mountPath: /extensions
         {{- end }}
         {{- if .Values.webExtensions.extensions.importer.enabled }}
         - name: init-importer
-          image: {{ .Values.webExtensions.extensions.importer.repository }}:{{ .Values.webExtensions.extensions.importer.tag }}
+          image: {{ include "opencloud.image" (dict "imageValues" (merge (dict "tag" .Values.webExtensions.extensions.importer.tag) .Values.webExtensions.image) "global" .Values.global) | quote }}
           command: ['sh', '-c', 'mkdir -p /extensions/importer && cp -R /usr/share/nginx/html/importer/ /extensions/']
           volumeMounts:
             - name: extensions
               mountPath: /extensions
         {{- end }}
         {{- if .Values.webExtensions.extensions.jsonviewer.enabled }}
         - name: init-jsonviewer
-          image: {{ .Values.webExtensions.extensions.jsonviewer.repository }}:{{ .Values.webExtensions.extensions.jsonviewer.tag }}
+          image: {{ include "opencloud.image" (dict "imageValues" (merge (dict "tag" .Values.webExtensions.extensions.jsonviewer.tag) .Values.webExtensions.image) "global" .Values.global) | quote }}
           command: ['sh', '-c', 'mkdir -p /extensions/json-viewer && cp -R /usr/share/nginx/html/json-viewer/ /extensions/']
           volumeMounts:
             - name: extensions
               mountPath: /extensions
         {{- end }}
         {{- if .Values.webExtensions.extensions.progressbars.enabled }}
         - name: init-progressbars
-          image: {{ .Values.webExtensions.extensions.progressbars.repository }}:{{ .Values.webExtensions.extensions.progressbars.tag }}
+          image: {{ include "opencloud.image" (dict "imageValues" (merge (dict "tag" .Values.webExtensions.extensions.progressbars.tag) .Values.webExtensions.image) "global" .Values.global) | quote }}
           command: ['sh', '-c', 'mkdir -p /extensions/progress-bars && cp -R /usr/share/nginx/html/progress-bars/ /extensions/']
           volumeMounts:
             - name: extensions
               mountPath: /extensions
         {{- end }}
         {{- if .Values.webExtensions.extensions.unzip.enabled }}
         - name: init-unzip
-          image: {{ .Values.webExtensions.extensions.unzip.repository }}:{{ .Values.webExtensions.extensions.unzip.tag }}
+          image: {{ include "opencloud.image" (dict "imageValues" (merge (dict "tag" .Values.webExtensions.extensions.unzip.tag) .Values.webExtensions.image) "global" .Values.global) | quote }}
           command: ['sh', '-c', 'mkdir -p /extensions/unzip && cp -R /usr/share/nginx/html/unzip/ /extensions/']
           volumeMounts:
             - name: extensions
               mountPath: /extensions
         {{- end }}
         # Final init container to copy all extensions to the apps directory
         - name: init-web-extensions
-          image: busybox
+          image: {{ include "opencloud.image" (dict "imageValues" .Values.busybox.image "global" .Values.global) | quote }}
+          imagePullPolicy: {{ include "opencloud.image.pullPolicy" (dict "pullPolicy" .Values.busybox.image.pullPolicy "global" .Values.global) | quote }}
           command: ['sh', '/scripts/init-web-extensions.sh']
           volumeMounts:
             - name: extensions
@@ -110,7 +112,7 @@ spec:
         {{- end }}
       containers:
         - name: opencloud
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          image: {{ include "opencloud.image" (dict "imageValues" .Values.image "global" .Values.global) | quote }}
           securityContext:
             allowPrivilegeEscalation: false
             capabilities:
@@ -119,7 +121,7 @@ spec:
             runAsNonRoot: true
             seccompProfile:
               type: RuntimeDefault
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          imagePullPolicy: {{ include "opencloud.image.pullPolicy" (dict "pullPolicy" .Values.image.pullPolicy "global" .Values.global) }}
           command: ["/bin/sh"]
           args: ["-c", "opencloud init || true; opencloud server"]
           {{- with .Values.opencloud.envFrom }}

charts/opencloud/templates/postgres/deployment.yaml

@@ -24,8 +24,8 @@ spec:
         fsGroup: 999  # Default PostgreSQL group ID
       containers:
         - name: postgres
-          image: {{ .Values.postgres.image.repository }}:{{ .Values.postgres.image.tag }}
-          imagePullPolicy: {{ .Values.postgres.image.pullPolicy }}
+          image: {{ include "opencloud.image" (dict "imageValues" .Values.postgres.image "global" .Values.global) | quote }}
+          imagePullPolicy: {{ include "opencloud.image.pullPolicy" (dict "pullPolicy" .Values.postgres.image.pullPolicy "global" .Values.global) }}
           env:
             - name: POSTGRES_DB
               value: {{ .Values.postgres.database | quote }}