update osbuilder chart to use custom docker registry

Author: floreks

Makefile

@@ -287,3 +287,18 @@ kubesplit: manifests kustomize
 	rm -rf helm-chart
 	mkdir helm-chart
 	$(KUSTOMIZE) build config/default | kubesplit -helm helm-chart
+
+helm:
+	helm upgrade \
+		--install \
+		--create-namespace \
+		--namespace test-registry \
+		--set registry.storage.s3.accessKey=${AWS_ACCESSKEY} \
+		--set registry.storage.s3.secretKey=${AWS_SECRETKEY} \
+		--set registry.storage.s3.region=${AWS_BUCKET_REGION} \
+		--set registry.storage.s3.bucket=${AWS_BUCKET_NAME} \
+		--set registry.storage.s3.endpoint=${AWS_BUCKET_ENDPOINT} \
+		--set registry.auth.htpasswd.secret.name=registry-default-user-password \
+		--set registry.ingress.dns=osbuilder.plrl-dev-aws.onplural.sh \
+		--set builder.replicas=0 \
+		osbuilder ./charts/osbuilder

charts/osartifact/Chart.yaml

@@ -1,5 +1,8 @@
 apiVersion: v2
 name: osartifact
 description: A Helm chart for OSArtifact CRD deployment
+maintainers:
+  - name: Plural
+    email: [email protected]
 type: application
 version: 0.3.0

charts/osbuilder/Chart.lock

@@ -1,3 +1,6 @@
-dependencies: []
-digest: sha256:643d5437104296e21d906ecb15b2c96ad278f20cfc4af53b12bb6069bd853726
-generated: "2025-01-10T15:08:39.051068115Z"
+dependencies:
+- name: cert-manager
+  repository: https://charts.jetstack.io
+  version: v1.16.3
+digest: sha256:1ce80837e63f45e983685469e3af7c684b95ce548feadbb96a0519825a37bc8a
+generated: "2025-01-22T12:30:56.241307222+01:00"

charts/osbuilder/Chart.yaml

@@ -1,11 +1,16 @@
 apiVersion: v2
 name: osbuilder
 description: A Helm chart for osbuilder
-appVersion: 0.1.5
-version: 0.1.5
-dependencies: []
 maintainers:
-  - name: Ettore Di Giacinto
-    email: [email protected]
-home: https://kairos.io/
+  - name: Plural
+    email: [email protected]
+home: https://github.com/pluralsh/osbuilder
 type: application
+appVersion: 0.1.5
+version: 0.1.5
+dependencies:
+  - name: cert-manager
+    alias: certManager
+    repository: https://charts.jetstack.io
+    version: v1.16.3
+    condition: certManager.enabled

charts/osbuilder/charts/cert-manager-v1.16.3.tgz

@@ -6,7 +6,7 @@ template:
         restartPolicy: Never
         containers:
         -   name: upload
-            image: {{ .Values.image.toolsRepository | default "quay.io/kairos/osbuilder-tools" }}:{{ .Values.image.tag | default .Chart.AppVersion }}
+            image: {{ .Values.builder.toolsRepository | default "quay.io/kairos/osbuilder-tools" }}:{{ .Values.builder.image.tag | default .Chart.AppVersion }}
             command:
                 - bash
             args:

charts/osbuilder/templates/NOTES.txt

@@ -50,7 +50,6 @@ app.kubernetes.io/name: {{ include "helm-chart.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
-{{/*
 Create the name of the service account to use
 */}}
 {{- define "helm-chart.serviceAccountName" -}}

charts/osbuilder/templates/_helpers.tpl

@@ -1,6 +1,10 @@
 apiVersion: v1
+kind: ConfigMap
+metadata:
+    name: osartifactbuilder-operator-manager-config
+    namespace: '{{.Release.Namespace}}'
 data:
-    controller_manager_config.yaml: "apiVersion: controller-runtime.sigs.k8s.io/v1alpha1\nkind:
+  controller_manager_config.yaml: "apiVersion: controller-runtime.sigs.k8s.io/v1alpha1\nkind:
         ControllerManagerConfig\nhealth:\n  healthProbeBindAddress: :8081\nmetrics:\n
         \ bindAddress: 127.0.0.1:8080\nwebhook:\n  port: 9443\nleaderElection:\n  leaderElect:
         true\n  resourceName: 98ca89ca.kairos.io\n#   leaderElectionReleaseOnCancel
@@ -12,43 +16,4 @@ data:
         after \n#   the manager stops, so would be fine to enable this option. However,
         \n#   if you are doing or is intended to do any operation such as perform
         cleanups \n#   after the manager stops then its usage might be unsafe.\n#
-        \  leaderElectionReleaseOnCancel: true\n"
-kind: ConfigMap
-metadata:
-    name: osartifactbuilder-operator-manager-config
-    namespace: '{{.Release.Namespace}}'
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: nginx-config
-data:
-  nginx.conf: |
-    server {
-      listen       80;
-      server_name  localhost;
-
-      client_max_body_size  21000M;
-
-      #access_log  /var/log/nginx/host.access.log  main;
-
-      location ~ "/upload/([0-9a-zA-Z-.]*)$" {
-        alias     /usr/share/nginx/html/$1;
-        client_body_temp_path  /tmp;
-        dav_methods  PUT DELETE MKCOL COPY MOVE;
-        create_full_put_path   on;
-        dav_access             group:rw  all:r;
-      }
-
-      location / {
-        root   /usr/share/nginx/html;
-        autoindex on;
-      }
-
-      # redirect server error pages to the static page /50x.html
-      #
-      error_page   500 502 503 504  /50x.html;
-        location = /50x.html {
-        root   /usr/share/nginx/html;
-      }
-    }
+        \  leaderElectionReleaseOnCancel: true\n"

charts/osbuilder/templates/configmap.yaml

@@ -1,133 +1,69 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-    name: '{{ include "helm-chart.fullname" . }}'
-    namespace: '{{.Release.Namespace}}'
-    labels:
-      {{- include "helm-chart.labels" . | nindent 8 }}
+  name: '{{ include "helm-chart.fullname" . }}'
+  namespace: '{{.Release.Namespace}}'
+  labels:
+    {{- include "helm-chart.labels" . | nindent 4 }}
 spec:
-    replicas: {{ .Values.replicas | default 1}}
-    selector:
-        matchLabels:
-            {{- include "helm-chart.selectorLabels" . | nindent 10 }}
-    template:
-        metadata:
-            annotations:
-                {{- range keys .Values.podAnnotations }}
-                {{ . | quote }}: {{ get $.Values.podAnnotations . | quote}}
-                {{- end }}
-            labels:
-                {{- include "helm-chart.selectorLabels" . | nindent 14}}
-        spec:
-            {{- with .Values.imagePullSecrets }}
-            imagePullSecrets:
-            {{- toYaml . | nindent 14 }}
-            {{- end }}
-            containers:
-              - args:
-                  - --secure-listen-address=0.0.0.0:8443
-                  - --upstream=http://127.0.0.1:8080/
-                  - --logtostderr=true
-                  - --v=0
-                image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
-                name: kube-rbac-proxy
-                ports:
-                  - containerPort: 8443
-                    name: https
-                    protocol: TCP
-                resources:
-                    limits:
-                        cpu: 500m
-                        memory: 128Mi
-                    requests:
-                        cpu: 5m
-                        memory: 64Mi
-                securityContext:
-                    allowPrivilegeEscalation: false
-              - args:
-                  - --pvc-storage-size={{ .Values.pvcStorageSize }}
-                  - --health-probe-bind-address=:8081
-                  - --metrics-bind-address=127.0.0.1:8080
-                  - --leader-elect
-                  - '--tool-image={{ .Values.toolsImage.repository | default "quay.io/kairos/auroraboot" }}:{{ .Values.toolsImage.tag | default "latest" }}'
-                command:
-                  - /manager
-                image: '{{ .Values.image.repository | default "ghcr.io/pluralsh/osbuilder" }}:{{ .Values.image.tag | default .Chart.AppVersion }}'
-                livenessProbe:
-                    httpGet:
-                        path: /healthz
-                        port: 8081
-                    initialDelaySeconds: 15
-                    periodSeconds: 20
-                name: manager
-                readinessProbe:
-                    httpGet:
-                        path: /readyz
-                        port: 8081
-                    initialDelaySeconds: 5
-                    periodSeconds: 10
-                {{- if and .Values.resources .Values.resources.controller }}
-                resources:
-{{ toYaml .Values.resources.controller | indent 20 }}
-                {{- end }}
-                securityContext:
-                    allowPrivilegeEscalation: false
-            securityContext:
-                runAsNonRoot: true
-            serviceAccountName: '{{ include "helm-chart.serviceAccountName" . }}'
-            terminationGracePeriodSeconds: 10
-            {{- with .Values.nodeSelector }}
-            nodeSelector:
-            {{- toYaml . | nindent 14 }}
-            {{- end }}
-            {{- with .Values.affinity }}
-            affinity:
-            {{- toYaml . | nindent 14 }}
-            {{- end }}
-            {{- with .Values.tolerations }}
-            tolerations:
-            {{- toYaml . | nindent 14 }}
-            {{- end }}
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-    labels:
-        app.kubernetes.io/name: osbuilder-nginx
-    name: 'osbuilder-nginx'
-    namespace: '{{.Release.Namespace}}'
-spec:
-    replicas: 1
-    selector:
-        matchLabels:
-            app.kubernetes.io/name: osbuilder-nginx
-    template:
-        metadata:
-            labels:
-                app.kubernetes.io/name: osbuilder-nginx
-        spec:
-            containers:
-              - image: nginx
-                name: nginx
-                ports:
-                  - containerPort: 80
-                volumeMounts:
-                  - mountPath: /usr/share/nginx/html
-                    name: nginx-public
-                  - mountPath: /etc/nginx/conf.d
-                    name: config
-                    readOnly: true
-            serviceAccountName: '{{ include "helm-chart.serviceAccountName" . }}'
-            terminationGracePeriodSeconds: 10
-            securityContext:
-              fsGroup: 101
-            volumes:
-              - name: nginx-public
-                persistentVolumeClaim:
-                    claimName: osartifactbuilder-operator-nginx-public
-              - name: config
-                configMap:
-                  name: nginx-config
-                  items:
-                    - key: nginx.conf
-                      path: default.conf
+  replicas: {{ .Values.builder.replicas }}
+  selector:
+    matchLabels:
+      {{- include "helm-chart.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        {{- range keys .Values.builder.podAnnotations }}
+        {{ . | quote }}: {{ get $.Values.builder.podAnnotations . | quote}}
+        {{- end }}
+      labels:
+        {{- include "helm-chart.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.builder.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 14 }}
+      {{- end }}
+      containers:
+        - name: manager
+          image: '{{ .Values.builder.image.repository | default "ghcr.io/pluralsh/osbuilder" }}:{{ .Values.builder.image.tag | default .Chart.AppVersion }}'
+          command: [ '/manager' ]
+          args:
+            - --pvc-storage-size={{ .Values.builder.pvcStorageSize }}
+            - --health-probe-bind-address=:8081
+            - --metrics-bind-address=127.0.0.1:8080
+            - --leader-elect
+            - '--tool-image={{ .Values.builder.toolsImage.repository | default "quay.io/kairos/auroraboot" }}:{{ .Values.builder.toolsImage.tag | default "latest" }}'
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8081
+            initialDelaySeconds: 15
+            periodSeconds: 20
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8081
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          {{- if and .Values.builder.resources .Values.builder.resources.controller }}
+          resources:
+            {{- toYaml .Values.builder.resources.controller | nindent 12 }}
+          {{- end }}
+          securityContext:
+            allowPrivilegeEscalation: false
+      securityContext:
+        runAsNonRoot: true
+      serviceAccountName: '{{ include "helm-chart.serviceAccountName" . }}'
+      terminationGracePeriodSeconds: 10
+      {{- with .Values.builder.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 14 }}
+      {{- end }}
+      {{- with .Values.builder.affinity }}
+      affinity:
+        {{- toYaml . | nindent 14 }}
+      {{- end }}
+      {{- with .Values.builder.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 14 }}
+      {{- end }}

charts/osbuilder/templates/deployment.yaml

@@ -0,0 +1,34 @@
+{{- if not .Values.registry.ingress.enabled }}
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "helm-chart.fullname" . }}-registry-selfsigned-issuer
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/component: registry
+    {{- include "helm-chart.labels" . | nindent 4 }}
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "helm-chart.fullname" . }}-registry-tls
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/component: registry
+    {{- include "helm-chart.labels" . | nindent 4 }}
+spec:
+  secretName: {{ include "helm-chart.fullname" . }}-registry-tls
+  isCA: false
+  usages:
+    - server auth
+    - client auth
+  dnsNames:
+    - "{{ include "helm-chart.fullname" . }}-registry.{{.Release.Namespace}}.svc.cluster.local"
+    - "{{ include "helm-chart.fullname" . }}-registry"
+  issuerRef:
+    name: {{ include "helm-chart.fullname" . }}-registry-selfsigned-issuer
+
+{{- end }}