Merge pull request #584 from alexander-demicev/registry

Add embedded registry option to server config

Author: alexander-demicev

controlplane/api/v1alpha1/conversion.go

@@ -57,6 +57,7 @@ func (src *RKE2ControlPlane) ConvertTo(dstRaw conversion.Hub) error {
 		dst.Spec.AgentConfig.PodSecurityAdmissionConfigFile = restored.Spec.AgentConfig.PodSecurityAdmissionConfigFile
 	}
 
+	dst.Spec.ServerConfig.EmbeddedRegistry = restored.Spec.ServerConfig.EmbeddedRegistry
 	dst.Spec.MachineTemplate = restored.Spec.MachineTemplate
 	dst.Status = restored.Status
 
@@ -133,6 +134,7 @@ func (src *RKE2ControlPlaneTemplate) ConvertTo(dstRaw conversion.Hub) error {
 		dst.Spec.Template.Spec.AgentConfig.PodSecurityAdmissionConfigFile = restored.Spec.Template.Spec.AgentConfig.PodSecurityAdmissionConfigFile
 	}
 
+	dst.Spec.Template.Spec.ServerConfig.EmbeddedRegistry = restored.Spec.Template.Spec.ServerConfig.EmbeddedRegistry
 	dst.Spec.Template = restored.Spec.Template
 	dst.Status = restored.Status
 
@@ -220,3 +222,7 @@ func Convert_v1beta1_RKE2ConfigSpec_To_v1alpha1_RKE2ConfigSpec(in *bootstrapv1be
 func Convert_v1alpha1_RKE2ConfigSpec_To_v1beta1_RKE2ConfigSpec(in *bootstrapv1alpha1.RKE2ConfigSpec, out *bootstrapv1beta1.RKE2ConfigSpec, s apiconversion.Scope) error {
 	return bootstrapv1alpha1.Convert_v1alpha1_RKE2ConfigSpec_To_v1beta1_RKE2ConfigSpec(in, out, s)
 }
+
+func Convert_v1beta1_RKE2ServerConfig_To_v1alpha1_RKE2ServerConfig(in *controlplanev1.RKE2ServerConfig, out *RKE2ServerConfig, s apiconversion.Scope) error {
+	return autoConvert_v1beta1_RKE2ServerConfig_To_v1alpha1_RKE2ServerConfig(in, out, s)
+}

controlplane/api/v1alpha1/zz_generated.conversion.go

@@ -194,6 +194,10 @@ type RKE2ServerConfig struct {
 	// The config map must contain a key named cloud-config.
 	//+optional
 	CloudProviderConfigMap *corev1.ObjectReference `json:"cloudProviderConfigMap,omitempty"`
+
+	// EmbeddedRegistry enables the embedded registry.
+	//+optional
+	EmbeddedRegistry bool `json:"embeddedRegistry,omitempty"`
 }
 
 // RKE2ControlPlaneStatus defines the observed state of RKE2ControlPlane.

controlplane/api/v1beta1/rke2controlplane_types.go

@@ -2155,6 +2155,9 @@ spec:
                           type: string
                         type: array
                     type: object
+                  embeddedRegistry:
+                    description: EmbeddedRegistry enables the embedded registry.
+                    type: boolean
                   etcd:
                     description: Etcd defines optional custom configuration of ETCD.
                     properties:

controlplane/config/crd/bases/controlplane.cluster.x-k8s.io_rke2controlplanes.yaml

@@ -1004,6 +1004,9 @@ spec:
                                   type: string
                                 type: array
                             type: object
+                          embeddedRegistry:
+                            description: EmbeddedRegistry enables the embedded registry.
+                            type: boolean
                           etcd:
                             description: Etcd defines optional custom configuration
                               of ETCD.

controlplane/config/crd/bases/controlplane.cluster.x-k8s.io_rke2controlplanetemplates.yaml

@@ -0,0 +1,51 @@
+# Configuring Embedded Registry in RKE2
+
+## Overview
+RKE2 allows users to enable an **embedded registry** on control plane nodes. When the `embeddedRegistry` option is set to `true` in the `serverConfig`, users can configure the registry using the `PrivateRegistriesConfig` field.
+The process follows [RKE2 docs](https://docs.rke2.io/install/registry_mirror).
+
+## Enabling Embedded Registry
+To enable the embedded registry, set the `embeddedRegistry` field to `true` in the `serverConfig` section of the `RKE2ControlPlane` configuration:
+
+```yaml
+apiVersion: controlplane.cluster.x-k8s.io/v1beta1
+kind: RKE2ControlPlane
+metadata:
+  name: my-cluster-control-plane
+spec:
+  serverConfig:
+    embeddedRegistry: true
+```
+
+## Configuring Private Registries
+Once the embedded registry is enabled, you can configure private registries using the `PrivateRegistriesConfig` field in `RKE2ConfigSpec`. This field allows you to define registry mirrors, authentication, and TLS settings.
+
+Example:
+
+```yaml
+apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
+kind: RKE2Config
+metadata:
+  name: my-cluster-bootstrap
+spec:
+  privateRegistriesConfig:
+    mirrors:
+      "myregistry.example.com":
+        endpoint:
+          - "https://mirror1.example.com"
+          - "https://mirror2.example.com"
+    configs:
+      "myregistry.example.com":
+        authSecret:
+          name: my-registry-secret
+        tls:
+          tlsConfigSecret:
+            name: my-registry-tls-secret
+          insecureSkipVerify: false
+```
+
+## TLS Secret Format
+When configuring the `tlsConfigSecret`, ensure the secret contains the following keys:
+- **`ca.crt`** – CA certificate
+- **`tls.key`** – TLS private key
+- **`tls.crt`** – TLS certificate

docs/book/src/02_topics/04_embedded-registry.md

@@ -7,6 +7,7 @@
     - [Air-gapped installation](./02_topics/01_air-gapped-installation.md)
     - [Node registration methods](./02_topics/02_node-registration-methods.md)
     - [CIS and PSA](./02_topics/03_cis-psa.md)
+    - [Embedded registry](./02_topics/04_embedded-registry.md)
 - [Examples](./03_examples/00.md)
     - [AWS](./03_examples/01_aws.md)
     - [vSphere](./03_examples/02_vsphere.md)

docs/book/src/SUMMARY.md

@@ -131,6 +131,7 @@ type ServerConfig struct {
 	KubeSchedulerImage                string   `yaml:"kube-scheduler-image,omitempty"`
 	ServiceNodePortRange              string   `yaml:"service-node-port-range,omitempty"`
 	TLSSan                            []string `yaml:"tls-san,omitempty"`
+	EmbeddedRegistry                  bool     `yaml:"embedded-registry,omitempty"`
 
 	// We don't expose these fields in the API
 	ClusterCIDR string `yaml:"cluster-cidr,omitempty"`
@@ -365,6 +366,8 @@ func newRKE2ServerConfig(opts ServerConfigOpts) (*ServerConfig, []bootstrapv1.Fi
 		rke2ServerConfig.CloudControllerManagerExtraEnv = componentMapToSlice(extraEnv, opts.ServerConfig.CloudControllerManager.ExtraEnv)
 	}
 
+	rke2ServerConfig.EmbeddedRegistry = opts.ServerConfig.EmbeddedRegistry
+
 	return rke2ServerConfig, files, nil
 }
 

pkg/rke2/config.go

@@ -162,6 +162,7 @@ var _ = Describe("RKE2ServerConfig", func() {
 					ExtraEnv:      map[string]string{"testenv": "testenv"},
 					ExtraMounts:   map[string]string{"testmount": "testmount"},
 				},
+				EmbeddedRegistry: true,
 			},
 		}
 	})
@@ -221,6 +222,7 @@ var _ = Describe("RKE2ServerConfig", func() {
 		Expect(rke2ServerConfig.CloudControllerManagerExtraMounts).To(Equal(componentMapToSlice(extraMount, serverConfig.CloudControllerManager.ExtraMounts)))
 		Expect(rke2ServerConfig.CloudControllerManagerExtraEnv).To(Equal(componentMapToSlice(extraEnv, serverConfig.CloudControllerManager.ExtraEnv)))
 		Expect(rke2ServerConfig.Token).To(Equal(opts.Token))
+		Expect(rke2ServerConfig.EmbeddedRegistry).To(BeTrue())
 
 		Expect(files).To(HaveLen(4))