Build registry with apko

.github/workflows/image-deps-updater.yaml

@@ -20,6 +20,9 @@ on:
       kubectl_version:
         description: 'Kubectl version for discovering image versions'
         required: false
+      registry_version:
+        description: 'Registry version for discovering image versions'
+        required: false
       seaweedfs_version:
         description: 'SeaweedFS version for discovering image versions'
         required: false
@@ -57,6 +60,7 @@ jobs:
           - openebs
           - velero
           - embeddedclusteroperator
+          - registry
           - seaweedfs
     steps:
     - name: Checkout
@@ -78,6 +82,7 @@ jobs:
         INPUT_VELERO_VERSION: ${{ github.event.inputs.velero_version }}
         INPUT_VELERO_AWS_PLUGIN_VERSION: ${{ github.event.inputs.velero_aws_plugin_version }}
         INPUT_KUBECTL_VERSION: ${{ github.event.inputs.kubectl_version }}
+        INPUT_REGISTRY_VERSION: ${{ github.event.inputs.registry_version }}
         INPUT_SEAWEEDFS_VERSION: ${{ github.event.inputs.seaweedfs_version }}
       run: |
         chmod +x ./output/bin/buildtools

.github/workflows/update-addons.yaml

@@ -11,6 +11,9 @@ on:
       velero_chart_version:
         description: 'Velero chart version for updating the chart and images'
         required: false
+      registry_chart_version:
+        description: 'Registry chart version for updating the chart and images'
+        required: false
       seaweedfs_chart_version:
         description: 'SeaweedFS chart version for updating the chart and images'
         required: false
@@ -67,6 +70,7 @@ jobs:
           CHARTS_DESTINATION: registry.replicated.com/ec-charts
           INPUT_OPENEBS_CHART_VERSION: ${{ github.event.inputs.openebs_chart_version }}
           INPUT_VELERO_CHART_VERSION: ${{ github.event.inputs.velero_chart_version }}
+          INPUT_REGISTRY_CHART_VERSION: ${{ github.event.inputs.registry_chart_version }}
           INPUT_SEAWEEDFS_CHART_VERSION: ${{ github.event.inputs.seaweedfs_chart_version }}
         run: |
           chmod 755 ./output/bin/buildtools

cmd/buildtools/registry.go

@@ -1,8 +1,10 @@
 package main
 
 import (
+	"context"
 	"fmt"
 	"os"
+	"strings"
 
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli/v2"
@@ -20,10 +22,10 @@ var registryRepo = &repo.Entry{
 var registryImageComponents = map[string]addonComponent{
 	"docker.io/library/registry": {
 		name: "registry",
-		getCustomImageName: func(opts addonComponentOptions) (string, error) {
-			// TODO (@salah): build with apko once distribution is out of beta: https://github.com/wolfi-dev/os/blob/main/distribution.yaml
-			return "docker.io/library/registry:2.8.3", nil
+		getWolfiPackageName: func(opts addonComponentOptions) string {
+			return "distribution"
 		},
+		upstreamVersionInputOverride: "INPUT_REGISTRY_VERSION",
 	},
 }
 
@@ -33,70 +35,114 @@ var updateRegistryAddonCommand = &cli.Command{
 	UsageText: environmentUsageText,
 	Action: func(c *cli.Context) error {
 		logrus.Infof("updating registry addon")
-		latest, err := LatestChartVersion(registryRepo, "docker-registry")
-		if err != nil {
-			return fmt.Errorf("unable to get the latest registry version: %v", err)
-		}
-		logrus.Printf("latest registry chart version: %s", latest)
 
-		current := registry.Metadata
-		if current.Version == latest && !c.Bool("force") {
-			logrus.Infof("registry version is already up-to-date")
-			return nil
+		nextChartVersion := os.Getenv("INPUT_REGISTRY_CHART_VERSION")
+		if nextChartVersion != "" {
+			logrus.Infof("using input override from INPUT_REGISTRY_CHART_VERSION: %s", nextChartVersion)
+		} else {
+			logrus.Infof("fetching the latest registry chart version")
+			latest, err := LatestChartVersion(registryRepo, "docker-registry")
+			if err != nil {
+				return fmt.Errorf("failed to get the latest registry chart version: %v", err)
+			}
+			nextChartVersion = latest
+			logrus.Printf("latest registry chart version: %s", latest)
 		}
+		nextChartVersion = strings.TrimPrefix(nextChartVersion, "v")
 
-		logrus.Infof("mirroring registry chart version %s", latest)
-		if err := MirrorChart(registryRepo, "docker-registry", latest); err != nil {
-			return fmt.Errorf("unable to mirror chart: %w", err)
+		current := registry.Metadata
+		if current.Version == nextChartVersion && !c.Bool("force") {
+			logrus.Infof("registry chart version is already up-to-date")
+		} else {
+			logrus.Infof("mirroring registry chart version %s", nextChartVersion)
+			if err := MirrorChart(registryRepo, "docker-registry", nextChartVersion); err != nil {
+				return fmt.Errorf("failed to mirror registry chart: %v", err)
+			}
 		}
 
 		upstream := fmt.Sprintf("%s/docker-registry", os.Getenv("CHARTS_DESTINATION"))
-		newmeta := release.AddonMetadata{
-			Version:  latest,
-			Location: fmt.Sprintf("oci://proxy.replicated.com/anonymous/%s", upstream),
-			Images:   make(map[string]release.AddonImage),
-		}
+		withproto := fmt.Sprintf("oci://proxy.replicated.com/anonymous/%s", upstream)
 
-		values, err := release.GetValuesWithOriginalImages("registry")
-		if err != nil {
-			return fmt.Errorf("unable to get openebs values: %v", err)
-		}
+		logrus.Infof("updating registry images")
 
-		logrus.Infof("extracting images from chart")
-		withproto := fmt.Sprintf("oci://%s", upstream)
-		images, err := GetImagesFromOCIChart(withproto, "docker-registry", latest, values)
+		err := updateRegistryAddonImages(c.Context, withproto, nextChartVersion)
 		if err != nil {
-			return fmt.Errorf("failed to get images from chart: %w", err)
+			return fmt.Errorf("failed to update registry images: %w", err)
 		}
 
-		for _, image := range images {
-			component, ok := registryImageComponents[RemoveTagFromImage(image)]
-			if !ok {
-				return fmt.Errorf("no component found for image %s", image)
-			}
-			repo, tag, err := component.resolveImageRepoAndTag(c.Context, image)
-			if err != nil {
-				return fmt.Errorf("failed to resolve image and tag for %s: %w", image, err)
-			}
-			newmeta.Images[component.name] = release.AddonImage{
-				Repo: repo,
-				Tag:  tag,
-			}
-		}
+		logrus.Infof("successfully updated registry addon")
 
-		logrus.Infof("saving addon manifest")
-		newmeta.ReplaceImages = true
-		if err := newmeta.Save("registry"); err != nil {
-			return fmt.Errorf("failed to save metadata: %w", err)
-		}
+		return nil
+	},
+}
 
-		logrus.Infof("rendering values for registry ha")
-		err = newmeta.RenderValues("registry", "values-ha.tpl.yaml", "values-ha.yaml")
+var updateRegistryImagesCommand = &cli.Command{
+	Name:      "registry",
+	Usage:     "Updates the registry images",
+	UsageText: environmentUsageText,
+	Action: func(c *cli.Context) error {
+		logrus.Infof("updating registry images")
+
+		current := registry.Metadata
+
+		err := updateRegistryAddonImages(c.Context, current.Location, current.Version)
 		if err != nil {
-			return fmt.Errorf("failed to render values-ha: %w", err)
+			return fmt.Errorf("failed to update registry images: %w", err)
 		}
 
-		logrus.Infof("successfully updated registry addon")
+		logrus.Infof("successfully updated registry images")
+
 		return nil
 	},
 }
+
+func updateRegistryAddonImages(ctx context.Context, chartURL string, chartVersion string) error {
+	newmeta := release.AddonMetadata{
+		Version:  chartVersion,
+		Location: chartURL,
+		Images:   make(map[string]release.AddonImage),
+	}
+
+	values, err := release.GetValuesWithOriginalImages("registry")
+	if err != nil {
+		return fmt.Errorf("failed to get registry values: %v", err)
+	}
+
+	logrus.Infof("extracting images from chart version %s", chartVersion)
+	images, err := GetImagesFromOCIChart(chartURL, "docker-registry", chartVersion, values)
+	if err != nil {
+		return fmt.Errorf("failed to get images from registry chart: %w", err)
+	}
+
+	if err := ApkoLogin(); err != nil {
+		return fmt.Errorf("failed to apko login: %w", err)
+	}
+
+	for _, image := range images {
+		component, ok := registryImageComponents[RemoveTagFromImage(image)]
+		if !ok {
+			return fmt.Errorf("no component found for image %s", image)
+		}
+		repo, tag, err := component.resolveImageRepoAndTag(ctx, image)
+		if err != nil {
+			return fmt.Errorf("failed to resolve image and tag for %s: %w", image, err)
+		}
+		newmeta.Images[component.name] = release.AddonImage{
+			Repo: repo,
+			Tag:  tag,
+		}
+	}
+
+	logrus.Infof("saving addon manifest")
+	newmeta.ReplaceImages = true
+	if err := newmeta.Save("registry"); err != nil {
+		return fmt.Errorf("failed to save metadata: %w", err)
+	}
+
+	logrus.Infof("rendering values for registry ha")
+	if err := newmeta.RenderValues("registry", "values-ha.tpl.yaml", "values-ha.yaml"); err != nil {
+		return fmt.Errorf("failed to render ha values: %w", err)
+	}
+
+	return nil
+}

cmd/buildtools/update.go

@@ -40,6 +40,7 @@ var updateImagesCommand = &cli.Command{
 		updateOpenEBSImagesCommand,
 		updateVeleroImagesCommand,
 		updateOperatorImagesCommand,
+		updateRegistryImagesCommand,
 		updateSeaweedFSImagesCommand,
 	},
 }

cmd/buildtools/utils.go

@@ -74,7 +74,7 @@ func ComponentImageTag(componentName, packageName, packageVersion string) (strin
 	}
 	tag, err := ResolveApkoPackageVersion(componentName, packageName, packageVersion)
 	if err != nil {
-		return "", fmt.Errorf("apko output tag: %w", err)
+		return "", fmt.Errorf("resolve apko package version: %w", err)
 	}
 	return tag, nil
 }

deploy/images/registry/apko.tmpl.yaml

@@ -0,0 +1,48 @@
+contents:
+  repositories:
+    - https://packages.wolfi.dev/os
+  keyring:
+    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+  packages:
+    - busybox
+    - distribution
+    - distribution-compat
+
+accounts:
+  groups:
+    - groupname: nonroot
+      gid: 65532
+  users:
+    - username: nonroot
+      uid: 65532
+      gid: 65532
+  run-as: 65532
+
+paths:
+  - path: /etc/docker/registry
+    type: directory
+    uid: 65532
+    gid: 65532
+    permissions: 0o755
+    recursive: true
+  - path: /var/lib/registry
+    type: directory
+    uid: 65532
+    gid: 65532
+    permissions: 0o755
+    recursive: true
+  - path: /etc/ssl/docker
+    type: directory
+    uid: 65532
+    gid: 65532
+    permissions: 0o755
+    recursive: true
+  - path: /auth
+    type: directory
+    uid: 65532
+    gid: 65532
+    permissions: 0o755
+    recursive: true
+
+entrypoint:
+  command: /entrypoint.sh

pkg/addons/registry/static/metadata.yaml

@@ -9,5 +9,5 @@ version: 2.2.3
 location: oci://proxy.replicated.com/anonymous/registry.replicated.com/ec-charts/docker-registry
 images:
     registry:
-        repo: proxy.replicated.com/anonymous/registry
-        tag: 2.8.3@sha256:5d4d001e01c8543f233d392f5519deb0d299ca89447484dab98bbd957e18c2eb
+        repo: proxy.replicated.com/anonymous/replicated/ec-registry
+        tag: 3.0.0-r1@sha256:13e64b7ce464672c55306e7bcbe21692d8b7816640607f13d006fba4e351d44d

pkg/addons/registry/static/values-ha.tpl.yaml

@@ -16,6 +16,7 @@ configData:
   storage:
     s3:
       secure: false
+      forcepathstyle: true
 extraVolumeMounts:
 - mountPath: /auth
   name: auth

pkg/addons/registry/static/values-ha.yaml

@@ -29,6 +29,7 @@ configData:
   storage:
     s3:
       secure: false
+      forcepathstyle: true
 extraVolumeMounts:
 - mountPath: /auth
   name: auth
@@ -38,8 +39,8 @@ extraVolumes:
     secretName: registry-auth
 fullnameOverride: registry
 image:
-  repository: 'proxy.replicated.com/anonymous/registry'
-  tag: '2.8.3@sha256:5d4d001e01c8543f233d392f5519deb0d299ca89447484dab98bbd957e18c2eb'
+  repository: 'proxy.replicated.com/anonymous/replicated/ec-registry'
+  tag: '3.0.0-r1@sha256:13e64b7ce464672c55306e7bcbe21692d8b7816640607f13d006fba4e351d44d'
 replicaCount: 2
 s3:
   bucket: registry

pkg/addons/registry/static/values.yaml

@@ -25,8 +25,8 @@ extraVolumes:
     secretName: registry-auth
 fullnameOverride: registry
 image:
-  repository: 'proxy.replicated.com/anonymous/registry'
-  tag: '2.8.3@sha256:5d4d001e01c8543f233d392f5519deb0d299ca89447484dab98bbd957e18c2eb'
+  repository: 'proxy.replicated.com/anonymous/replicated/ec-registry'
+  tag: '3.0.0-r1@sha256:13e64b7ce464672c55306e7bcbe21692d8b7816640607f13d006fba4e351d44d'
 persistence:
   accessMode: ReadWriteOnce
   enabled: true