Bump actions/checkout from 3 to 6

Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

.circleci/config.yml

@@ -1,15 +0,0 @@
-version: 2.1
-jobs:
-  lint:
-    docker:
-    - image: twuni/helm:3.4.1
-    steps:
-    - checkout
-    - run:
-        command: helm lint --strict
-        name: lint
-workflows:
-  version: 2
-  default:
-    jobs:
-    - lint

.github/dependabot.yaml

@@ -0,0 +1,8 @@
+---
+# Dependabot Config Ref: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily

.github/workflows/ci.yaml

@@ -0,0 +1,41 @@
+---
+# GitHub Actions Workflows Ref: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
+name: CI
+"on":
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - "**"
+  workflow_dispatch:
+concurrency:
+  group: ${{ github.event_name }}-${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+permissions: read-all
+jobs:
+  helm-lint:
+    name: Helm Lint
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v6
+      - run: |
+          helm lint --strict
+  integration-test:
+    name: Integration Test
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v6
+      - uses: AbsaOSS/k3d-action@v2.4.0
+        name: Create K3D Cluster with Container Registry
+        with:
+          cluster-name: local-ci-k3d-cluster
+          args: >-
+            --agents 1
+            --registry-create local-ci-k3d-registry
+      - name: Test
+        run: |
+          helm install docker-registry . --wait --wait-for-jobs
+          kubectl get all,pvc

.github/workflows/helm_release.yaml

@@ -0,0 +1,35 @@
+name: Release Charts
+
+on:
+  workflow_dispatch:
+
+jobs:
+  release:
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+      
+      - name: Install chart-releaser
+        uses: helm/chart-releaser-action@v1.7.0
+        with:
+          install_only: true
+
+      - name: Run chart-releaser
+        env:
+          CR_TOKEN: "${{ secrets.CR_TOKEN }}"
+        run: |
+          owner=$(cut -d '/' -f 1 <<< "$GITHUB_REPOSITORY")
+          repo=$(cut -d '/' -f 2 <<< "$GITHUB_REPOSITORY")
+          cr package
+          cr upload --owner="$owner" --git-repo "$repo" --token="$CR_TOKEN" --release-name-template="v{{ .Version }}" --packages-with-index --push --skip-existing --generate-release-notes --commit main
+          cr index --owner="$owner" --git-repo "$repo" --token="$CR_TOKEN" --release-name-template="v{{ .Version }}" --packages-with-index --push --index-path="."

.github/workflows/pr_diff.yaml

@@ -0,0 +1,58 @@
+name: PR Diff for Helm chart
+
+on:
+  pull_request_target:
+
+permissions:
+  pull-requests: write
+
+jobs:
+  diff:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: azure/setup-helm@v3
+      - name: Run diff
+        id: diff
+        run: |
+          OPTIONS=(
+            --namespace meta-namespace
+            --set serviceAccount.create=true
+            --set priorityClassName=high
+            --set podAnnotations.test=annotation
+            --set extraEnvVars[0].name=TEST_NAME
+            --set extraEnvVars[0].value=TEST_VALUE
+            --set extraVolumes[0].name=test
+            --set extraVolumes[0].emptyDir.medium=Memory
+            --set extraVolumeMounts[0].name=test
+            --set extraVolumeMounts[0].mountPath=/test
+            --set secrets.htpasswd=abc
+            --set tlsSecretName=abc
+            --set garbageCollect.enabled=true
+            --set namespace=target-namespace
+            --set proxy.enabled=true
+            --set storage=s3
+            --set secrets.s3.secretKey=abc
+            --set secrets.s3.accessKey=def
+            --set s3.region=us-42
+            --set s3.bucket=abc
+            --set s3.encrypt=abc
+          )
+          helm template --debug ${OPTIONS[@]} --output-dir before https://github.com/twuni/docker-registry.helm/archive/refs/heads/main.tar.gz
+          helm template --debug ${OPTIONS[@]} --output-dir after .
+          # https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#multiline-strings
+          echo 'HELM_DIFF<<EOF' >> $GITHUB_ENV
+          echo "$(diff -ur before after)" >> $GITHUB_ENV
+          echo 'EOF' >> $GITHUB_ENV
+      - uses: marocchino/sticky-pull-request-comment@d2ad0de260ae8b0235ce059e63f2949ba9e05943
+        with:
+          message: |
+            Running a `helm template` smoketest on commit ${{ github.ref }} results in the following diff against `${{ github.base_ref }}`:
+            
+            <details><summary>diff</summary><p>
+            
+            ```diff
+            ${{ env.HELM_DIFF }}
+            ```
+            
+            </p></details>

.gitignore

@@ -0,0 +1 @@
+.cr-release-packages

Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v1
 description: A Helm chart for Docker Registry
 name: docker-registry
-version: 1.13.2
+version: 3.0.0
-appVersion: 2.7.1
+appVersion: 3.0.0
 home: https://hub.docker.com/_/registry/
 icon: https://helm.twun.io/docker-registry.png
 maintainers:

README.md

@@ -12,18 +12,33 @@ This chart will do the following:
 
 * Implement a Docker registry deployment
 
+## ⚠️ Repo Migration and Deprecation Notice
+
+The following change only affects attempts to install or update the chart via the https://helm.twun.io repo.
+
+The https://helm.twun.io repo has been migrated to https://twuni.github.io/docker-registry.helm.
+
+To update your configuration, remove and re-add the repo with the new URL:
+
+```console
+helm repo remove twuni
+helm repo add twuni https://twuni.github.io/docker-registry.helm
+```
+
+The deprecated repo URL, https://helm.twun.io, may become unavailable as early as **October 16, 2025**.
+
 ## Installing the Chart
 
 First, add the repo:
 
 ```console
-$ helm repo add twuni https://helm.twun.io
+helm repo add twuni https://twuni.github.io/docker-registry.helm
 ```
 
 To install the chart, use the following:
 
 ```console
-$ helm install twuni/docker-registry
+helm install twuni/docker-registry
 ```
 
 ## Configuration
@@ -35,7 +50,7 @@ their default values.
 |:----------------------------|:-------------------------------------------------------------------------------------------|:----------------|
 | `image.pullPolicy`          | Container pull policy                                                                      | `IfNotPresent`  |
 | `image.repository`          | Container image to use                                                                     | `registry`      |
-| `image.tag`                 | Container image tag to deploy                                                              | `2.7.1`         |
+| `image.tag`                 | Container image tag to deploy                                                              | `2.8.1`         |
 | `imagePullSecrets`          | Specify image pull secrets                                                                 | `nil` (does not add image pull secrets to deployed pods) |
 | `persistence.accessMode`    | Access mode to use for PVC                                                                 | `ReadWriteOnce` |
 | `persistence.enabled`       | Whether to use a PVC for the Docker storage                                                | `false`         |
@@ -43,6 +58,10 @@ their default values.
 | `persistence.size`          | Amount of space to claim for PVC                                                           | `10Gi`          |
 | `persistence.storageClass`  | Storage Class to use for PVC                                                               | `-`             |
 | `persistence.existingClaim` | Name of an existing PVC to use for config                                                  | `nil`           |
+| `serviceAccount.create`     | Create ServiceAccount                                                                      | `false`         |
+| `serviceAccount.name`       | ServiceAccount name                                                                        | `nil`           |
+| `serviceAccount.annotations` | Annotations to add to the ServiceAccount                                                  | `{}`            |
+| `deployment.annotations`    | Annotations to add to the Deployment                                                       | `{}`            |
 | `service.port`              | TCP port on which the service is exposed                                                   | `5000`          |
 | `service.type`              | service type                                                                               | `ClusterIP`     |
 | `service.clusterIP`         | if `service.type` is `ClusterIP` and this is non-empty, sets the cluster IP of the service | `nil`           |
@@ -53,28 +72,37 @@ their default values.
 | `service.sessionAffinityConfig` | service session affinity config                                                        | `nil`           |
 | `replicaCount`              | k8s replicas                                                                               | `1`             |
 | `updateStrategy`            | update strategy for deployment                                                             | `{}`            |
-| `podAnnotations`            | Annotations for pod                                                                        | `{}`            |
+| `podAnnotations`            | Annotations for deployment pod, and `garbageCollect` pod unless set explicitly there. See `garbageCollect` | `{}` |
-| `podLabels`                 | Labels for pod                                                                             | `{}`            |
+| `podLabels`                 | Labels for deployment pod, and `garbageCollect` pod unless set explicitly there. See `garbageCollect` | `{}` |
 | `podDisruptionBudget`       | Pod disruption budget                                                                      | `{}`            |
 | `resources.limits.cpu`      | Container requested CPU                                                                    | `nil`           |
 | `resources.limits.memory`   | Container requested memory                                                                 | `nil`           |
+| `autoscaling.enabled`       | Enable autoscaling using HorizontalPodAutoscaler                                           | `false`         |
+| `autoscaling.minReplicas`   | Minimal number of replicas                                                                 | `1`             |
+| `autoscaling.maxReplicas`   | Maximal number of replicas                                                                 | `2`             |
+| `autoscaling.targetCPUUtilizationPercentage` | Target average utilization of CPU on Pods                                 | `60`            |
+| `autoscaling.targetMemoryUtilizationPercentage` | (Kubernetes ≥1.23) Target average utilization of Memory on Pods        | `60`            |
+| `autoscaling.behavior`      | (Kubernetes ≥1.23) Configurable scaling behavior                                           | `{}`            |
 | `priorityClassName      `   | priorityClassName                                                                          | `""`            |
 | `storage`                   | Storage system to use                                                                      | `filesystem`    |
 | `tlsSecretName`             | Name of secret for TLS certs                                                               | `nil`           |
 | `secrets.htpasswd`          | Htpasswd authentication                                                                    | `nil`           |
 | `secrets.s3.accessKey`      | Access Key for S3 configuration                                                            | `nil`           |
 | `secrets.s3.secretKey`      | Secret Key for S3 configuration                                                            | `nil`           |
-| `secrets.s3.secretRef`      | The ref for an external secret containing the accessKey and secretKey keys                 | `""`            |
+| `secrets.s3.secretRef`      | The ref for an external secret containing the s3AccessKey and s3SecretKey keys                 | `""`            |
 | `secrets.swift.username`    | Username for Swift configuration                                                           | `nil`           |
 | `secrets.swift.password`    | Password for Swift configuration                                                           | `nil`           |
-| `haSharedSecret`            | Shared secret for Registry                                                                 | `nil`           |
+| `secrets.haSharedSecret`    | Shared secret for Registry                                                                 | `nil`           |
 | `configData`                | Configuration hash for docker                                                              | `nil`           |
+| `configPath` | Configuration mount point in docker, `/etc/docker/registry` for registry version 2, `/etc/distribution` for version 3 | `/etc/docker/registry` |
 | `s3.region`                 | S3 region                                                                                  | `nil`           |
 | `s3.regionEndpoint`         | S3 region endpoint                                                                         | `nil`           |
 | `s3.bucket`                 | S3 bucket name                                                                             | `nil`           |
 | `s3.rootdirectory`          | S3 prefix that is applied to allow you to segment data                                     | `nil`           |
 | `s3.encrypt`                | Store images in encrypted format                                                           | `nil`           |
 | `s3.secure`                 | Use HTTPS                                                                                  | `nil`           |
+| `s3.forcepathstyle`         | Use path-style addressing, needed for some s3 compatible storage (minio)                   | `nil`           |
+| `s3.skipverify`             | Allows connection to s3 storage using TLS with untrusted/self-signed certificate           | `nil`           |
 | `swift.authurl`             | Swift authurl                                                                              | `nil`           |
 | `swift.container`           | Swift container                                                                            | `nil`           |
 | `proxy.enabled`             | If true, registry will function as a proxy/mirror                                          | `false`         |
@@ -82,6 +110,7 @@ their default values.
 | `proxy.username`            | Remote registry login username                                                             | `nil`           |
 | `proxy.password`            | Remote registry login password                                                             | `nil`           |
 | `proxy.secretRef`           | The ref for an external secret containing the proxyUsername and proxyPassword keys         | `""`            |
+| `namespace`                 | specify a namespace to install the chart to - defaults to `.Release.Namespace`             | `{{ .Release.Namespace }}` |
 | `nodeSelector`              | node labels for pod assignment                                                             | `{}`            |
 | `affinity`                  | affinity settings                                                                          | `{}`            |
 | `tolerations`               | pod tolerations                                                                            | `[]`            |
@@ -91,11 +120,29 @@ their default values.
 | `ingress.path`              | Ingress service path                                                                       | `/`             |
 | `ingress.hosts`             | Ingress hostnames                                                                          | `[]`            |
 | `ingress.tls`               | Ingress TLS configuration (YAML)                                                           | `[]`            |
+| `ingress.className`         | Ingress controller class name                                                              | `nginx`         |
+| `metrics.enabled`           | Enable metrics on Service                                                                  | `false`         |
+| `metrics.port`              | TCP port on which the service metrics is exposed                                           | `5001`          |
+| `metrics.serviceMonitor.annotations` | Prometheus Operator ServiceMonitor annotations                                    | `{}`            |
+| `metrics.serviceMonitor.enable` | If true, Prometheus Operator ServiceMonitor will be created                            | `false`         |
+| `metrics.serviceMonitor.labels` | Prometheus Operator ServiceMonitor labels                                              | `{}`            |
+| `metrics.prometheusRule.annotations` | Prometheus Operator PrometheusRule annotations                                    | `{}`            |
+| `metrics.prometheusRule.enable` | If true, Prometheus Operator prometheusRule will be created                            | `false`         |
+| `metrics.prometheusRule.labels` | Prometheus Operator prometheusRule labels                                              | `{}`            |
+| `metrics.prometheusRule.rules` | PrometheusRule defining alerting rules for a Prometheus instance                        | `{}`            |
 | `extraVolumeMounts`         | Additional volumeMounts to the registry container                                          | `[]`            |
 | `extraVolumes`              | Additional volumes to the pod                                                              | `[]`            |
+| `extraEnvVars`              | Additional environment variables to the pod                                                | `[]`            |
+| `initContainers`            | Init containers to be created in the pod                                                   | `[]`            |
+| `garbageCollect.enabled`    | If true, will deploy garbage-collector cronjob                                             | `false`         |
+| `garbageCollect.deleteUntagged` | If true, garbage-collector will delete manifests that are not currently referenced via tag | `true`      |
+| `garbageCollect.schedule`   | CronTab schedule, please use standard crontab format                                       | `0 1 * * *`     |
+| `garbageCollect.podAnnotations` | CronJob pod Annotations. If left empty and chart `podAnnotations` are set, will use those. If both are set, these take precedence for the `garbageCollect` pods. | `{}` |
+| `garbageCollect.podLabels`  | CronJob pod Annotations. If left empty and chart `podLabels` are set, will use those. If both are set, these take precedence for the `garbageCollect` pods. | `{}` |
+| `garbageCollect.resources`  | garbage-collector requested resources                                                      | `{}`            |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to
 `helm install`.
 
 To generate htpasswd file, run this docker command:
-`docker run --entrypoint htpasswd registry:2 -Bbn user password > ./htpasswd`.
+`docker run --entrypoint htpasswd httpd:2 -Bbn user password > ./htpasswd`.

templates/_helpers.tpl

@@ -22,3 +22,198 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- end -}}
 {{- end -}}
 {{- end -}}
+
+{{- define "docker-registry.envs" -}}
+- name: REGISTRY_HTTP_SECRET
+  valueFrom:
+    secretKeyRef:
+      name: {{ template "docker-registry.fullname" . }}-secret
+      key: haSharedSecret
+
+{{- if .Values.secrets.htpasswd }}
+- name: REGISTRY_AUTH
+  value: "htpasswd"
+- name: REGISTRY_AUTH_HTPASSWD_REALM
+  value: "Registry Realm"
+- name: REGISTRY_AUTH_HTPASSWD_PATH
+  value: "/auth/htpasswd"
+{{- end }}
+
+{{- if .Values.tlsSecretName }}
+- name: REGISTRY_HTTP_TLS_CERTIFICATE
+  value: /etc/ssl/docker/tls.crt
+- name: REGISTRY_HTTP_TLS_KEY
+  value: /etc/ssl/docker/tls.key
+{{- end -}}
+
+{{- if eq .Values.storage "filesystem" }}
+- name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
+  value: "/var/lib/registry"
+{{- else if eq .Values.storage "azure" }}
+- name: REGISTRY_STORAGE_AZURE_ACCOUNTNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ template "docker-registry.fullname" . }}-secret
+      key: azureAccountName
+- name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ template "docker-registry.fullname" . }}-secret
+      key: azureAccountKey
+- name: REGISTRY_STORAGE_AZURE_CONTAINER
+  valueFrom:
+    secretKeyRef:
+      name: {{ template "docker-registry.fullname" . }}-secret
+      key: azureContainer
+{{- else if eq .Values.storage "s3" }}
+- name: REGISTRY_STORAGE_S3_REGION
+  value: {{ required ".Values.s3.region is required" .Values.s3.region }}
+- name: REGISTRY_STORAGE_S3_BUCKET
+  value: {{ required ".Values.s3.bucket is required" .Values.s3.bucket }}
+{{- if or (and .Values.secrets.s3.secretKey .Values.secrets.s3.accessKey) .Values.secrets.s3.secretRef }}
+- name: REGISTRY_STORAGE_S3_ACCESSKEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ if .Values.secrets.s3.secretRef }}{{ .Values.secrets.s3.secretRef }}{{ else }}{{ template "docker-registry.fullname" . }}-secret{{ end }}
+      key: s3AccessKey
+- name: REGISTRY_STORAGE_S3_SECRETKEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ if .Values.secrets.s3.secretRef }}{{ .Values.secrets.s3.secretRef }}{{ else }}{{ template "docker-registry.fullname" . }}-secret{{ end }}
+      key: s3SecretKey
+{{- end -}}
+
+{{- if .Values.s3.regionEndpoint }}
+- name: REGISTRY_STORAGE_S3_REGIONENDPOINT
+  value: {{ .Values.s3.regionEndpoint }}
+{{- end -}}
+
+{{- if .Values.s3.rootdirectory }}
+- name: REGISTRY_STORAGE_S3_ROOTDIRECTORY
+  value: {{ .Values.s3.rootdirectory | quote }}
+{{- end -}}
+
+{{- if .Values.s3.encrypt }}
+- name: REGISTRY_STORAGE_S3_ENCRYPT
+  value: {{ .Values.s3.encrypt | quote }}
+{{- end -}}
+
+{{- if .Values.s3.secure }}
+- name: REGISTRY_STORAGE_S3_SECURE
+  value: {{ .Values.s3.secure | quote }}
+{{- end -}}
+
+{{- if .Values.s3.forcepathstyle }}
+- name: REGISTRY_STORAGE_S3_FORCEPATHSTYLE
+  value: {{ .Values.s3.forcepathstyle | quote }}
+{{- end -}}
+
+{{- if .Values.s3.skipverify }}
+- name: REGISTRY_STORAGE_S3_SKIPVERIFY
+  value: {{ .Values.s3.skipverify | quote }}
+{{- end -}}
+
+{{- else if eq .Values.storage "swift" }}
+- name: REGISTRY_STORAGE_SWIFT_AUTHURL
+  value: {{ required ".Values.swift.authurl is required" .Values.swift.authurl }}
+- name: REGISTRY_STORAGE_SWIFT_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ template "docker-registry.fullname" . }}-secret
+      key: swiftUsername
+- name: REGISTRY_STORAGE_SWIFT_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ template "docker-registry.fullname" . }}-secret
+      key: swiftPassword
+- name: REGISTRY_STORAGE_SWIFT_CONTAINER
+  value: {{ required ".Values.swift.container is required" .Values.swift.container }}
+{{- end -}}
+
+{{- if .Values.proxy.enabled }}
+- name: REGISTRY_PROXY_REMOTEURL
+  value: {{ required ".Values.proxy.remoteurl is required" .Values.proxy.remoteurl }}
+- name: REGISTRY_PROXY_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ if .Values.proxy.secretRef }}{{ .Values.proxy.secretRef }}{{ else }}{{ template "docker-registry.fullname" . }}-secret{{ end }}
+      key: proxyUsername
+- name: REGISTRY_PROXY_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ if .Values.proxy.secretRef }}{{ .Values.proxy.secretRef }}{{ else }}{{ template "docker-registry.fullname" . }}-secret{{ end }}
+      key: proxyPassword
+{{- end -}}
+
+{{- if .Values.persistence.deleteEnabled }}
+- name: REGISTRY_STORAGE_DELETE_ENABLED
+  value: "true"
+{{- end -}}
+
+{{- with .Values.extraEnvVars }}
+{{ toYaml . }}
+{{- end -}}
+
+{{- end -}}
+
+{{- define "docker-registry.volumeMounts" -}}
+- name: "{{ template "docker-registry.fullname" . }}-config"
+  mountPath: {{ .Values.configPath }}
+
+{{- if .Values.secrets.htpasswd }}
+- name: auth
+  mountPath: /auth
+  readOnly: true
+{{- end }}
+
+{{- if eq .Values.storage "filesystem" }}
+- name: data
+  mountPath: /var/lib/registry/
+{{- end }}
+
+{{- if .Values.tlsSecretName }}
+- mountPath: /etc/ssl/docker
+  name: tls-cert
+  readOnly: true
+{{- end }}
+
+{{- with .Values.extraVolumeMounts }}
+{{ toYaml . }}
+{{- end }}
+
+{{- end -}}
+
+{{- define "docker-registry.volumes" -}}
+- name: {{ template "docker-registry.fullname" . }}-config
+  configMap:
+    name: {{ template "docker-registry.fullname" . }}-config
+
+{{- if .Values.secrets.htpasswd }}
+- name: auth
+  secret:
+    secretName: {{ template "docker-registry.fullname" . }}-secret
+    items:
+    - key: htpasswd
+      path: htpasswd
+{{- end }}
+
+{{- if eq .Values.storage "filesystem" }}
+- name: data
+  {{- if .Values.persistence.enabled }}
+  persistentVolumeClaim:
+    claimName: {{ if .Values.persistence.existingClaim }}{{ .Values.persistence.existingClaim }}{{- else }}{{ template "docker-registry.fullname" . }}{{- end }}
+  {{- else }}
+  emptyDir: {}
+  {{- end -}}
+{{- end }}
+
+{{- if .Values.tlsSecretName }}
+- name: tls-cert
+  secret:
+    secretName: {{ .Values.tlsSecretName }}
+{{- end }}
+
+{{- with .Values.extraVolumes }}
+{{ toYaml . }}
+{{- end }}
+{{- end -}}

templates/configmap.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ template "docker-registry.fullname" . }}-config
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     app: {{ template "docker-registry.name" . }}
     chart: {{ .Chart.Name }}-{{ .Chart.Version }}

templates/cronjob.yaml

@@ -0,0 +1,82 @@
+{{- if .Values.garbageCollect.enabled }}
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ template "docker-registry.fullname" . }}-garbage-collector
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    app: {{ template "docker-registry.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  schedule: {{ .Values.garbageCollect.schedule | quote }}
+  jobTemplate:
+    metadata:
+      labels:
+        app: {{ template "docker-registry.name" . }}
+        release: {{ .Release.Name }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+        checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+        {{- if .Values.podAnnotations }}
+        {{- toYaml .Values.podAnnotations | nindent 8 }}
+        {{- end }}
+    spec:
+      template:
+        metadata:
+          labels:
+            release: {{ .Release.Name }}
+            {{- if or .Values.podLabels .Values.garbageCollect.podLabels }}
+            {{- toYaml (merge (.Values.garbageCollect.podLabels | default (dict)) (.Values.podLabels | default (dict))) | nindent 12 }}
+            {{- end }}
+          {{- if or .Values.podAnnotations .Values.garbageCollect.podAnnotations }}
+          annotations:
+            {{- toYaml (merge (.Values.garbageCollect.podAnnotations | default (dict)) (.Values.podAnnotations | default (dict))) | nindent 12 }}
+          {{- end}}
+        spec:
+          {{- if or (eq .Values.serviceAccount.create true) (ne .Values.serviceAccount.name "") }}
+          serviceAccountName: {{ .Values.serviceAccount.name | default (include "docker-registry.fullname" .) }}
+          {{- end }}
+          {{- if .Values.imagePullSecrets }}
+          imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 12 }}
+          {{- end }}
+          {{- if .Values.priorityClassName }}
+          priorityClassName: "{{ .Values.priorityClassName }}"
+          {{- end }}
+          {{- if .Values.securityContext.enabled }}
+          securityContext: {{ omit .Values.securityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
+          containers:
+            - name: {{ .Chart.Name }}
+              image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+              imagePullPolicy: {{ .Values.image.pullPolicy }}
+              command:
+              - /bin/registry
+              - garbage-collect
+              - --delete-untagged={{ .Values.garbageCollect.deleteUntagged }}
+              - {{ .Values.configPath }}/config.yml
+              {{- if .Values.garbageCollect.resources }}
+              resources:
+              {{- toYaml .Values.garbageCollect.resources | nindent 16 }}
+              {{- end }}
+              env: {{ include "docker-registry.envs" . | nindent 16 }}
+              {{- if .Values.containerSecurityContext.enabled }}
+              securityContext: {{ omit .Values.containerSecurityContext "enabled" | toYaml | nindent 16 }}
+              {{- end }}
+              volumeMounts: {{ include "docker-registry.volumeMounts" . | nindent 16 }}
+          restartPolicy: OnFailure
+          {{- if .Values.nodeSelector }}
+          nodeSelector: {{ toYaml .Values.nodeSelector | nindent 12 }}
+          {{- end }}
+          {{- if .Values.affinity }}
+          affinity: {{ toYaml .Values.affinity | nindent 12 }}
+          {{- end }}
+          {{- if .Values.tolerations }}
+          tolerations: {{ toYaml .Values.tolerations | nindent 12 }}
+          {{- end }}
+          volumes: {{ include "docker-registry.volumes" . | nindent 12 }}
+{{- end }}

templates/deployment.yaml

@@ -2,48 +2,57 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ template "docker-registry.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     app: {{ template "docker-registry.name" . }}
     chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
+{{- if .Values.deployment.annotations }}
+  annotations:
+{{ toYaml .Values.deployment.annotations | indent 4 }}
+{{- end }}
 spec:
   selector:
     matchLabels:
       app: {{ template "docker-registry.name" . }}
       release: {{ .Release.Name }}
   replicas: {{ .Values.replicaCount }}
-{{- if .Values.updateStrategy }}
+  {{- if .Values.updateStrategy }}
-  strategy:
+  strategy: {{ toYaml .Values.updateStrategy | nindent 4 }}
-{{ toYaml .Values.updateStrategy | indent 4 }}
+  {{- end }}
-{{- end }}
   minReadySeconds: 5
   template:
     metadata:
       labels:
         app: {{ template "docker-registry.name" . }}
         release: {{ .Release.Name }}
-        {{- if .Values.podLabels }}
+        {{- with .Values.podLabels }}
-{{ toYaml .Values.podLabels | indent 8 }}
+        {{ toYaml . | nindent 8 }}
         {{- end }}
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
-{{- if $.Values.podAnnotations }}
+        checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
-{{ toYaml $.Values.podAnnotations | indent 8 }}
+        {{- if .Values.podAnnotations }}
-{{- end }}
+        {{ toYaml .Values.podAnnotations | nindent 8 }}
+        {{- end }}
     spec:
-      {{- if .Values.imagePullSecrets }}
+      {{- if or (eq .Values.serviceAccount.create true) (ne .Values.serviceAccount.name "") }}
-      imagePullSecrets:
+      serviceAccountName: {{ .Values.serviceAccount.name | default (include "docker-registry.fullname" .) }}
-{{ toYaml .Values.imagePullSecrets | indent 8 }}
       {{- end }}
-{{- if .Values.priorityClassName }}
+      {{- if .Values.imagePullSecrets }}
+      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
+      {{- end }}
+      {{- if .Values.priorityClassName }}
       priorityClassName: "{{ .Values.priorityClassName }}"
-{{- end }}
+      {{- end }}
-{{- if .Values.securityContext.enabled }}
+      {{- if .Values.securityContext.enabled }}
-      securityContext:
+      securityContext: {{ omit .Values.securityContext "enabled" | toYaml | nindent 8 }}
-        fsGroup: {{ .Values.securityContext.fsGroup }}
+      {{- end }}
-        runAsUser: {{ .Values.securityContext.runAsUser }}
+      {{- with .Values.initContainers }}
-{{- end }}
+      initContainers:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -51,189 +60,41 @@ spec:
           command:
           - /bin/registry
           - serve
-          - /etc/docker/registry/config.yml
+          - {{ .Values.configPath }}/config.yml
           ports:
             - containerPort: 5000
+            {{- if .Values.metrics.enabled }}
+            - containerPort: {{ (split ":" .Values.configData.http.debug.addr)._1 }}
+              name: http-metrics
+              protocol: TCP
+            {{- end }}
           livenessProbe:
             httpGet:
-{{- if .Values.tlsSecretName }}
+              {{- if .Values.tlsSecretName }}
               scheme: HTTPS
-{{- end }}
+              {{- end }}
               path: /
               port: 5000
           readinessProbe:
             httpGet:
-{{- if .Values.tlsSecretName }}
+              {{- if .Values.tlsSecretName }}
               scheme: HTTPS
-{{- end }}
+              {{- end }}
               path: /
               port: 5000
-          resources:
+          resources: {{ toYaml .Values.resources | nindent 12 }}
-{{ toYaml .Values.resources | indent 12 }}
+          env: {{ include "docker-registry.envs" . | nindent 12 }}
-          env:
+          {{- if .Values.containerSecurityContext.enabled }}
-{{- if .Values.secrets.htpasswd }}
+          securityContext: {{ omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
-            - name: REGISTRY_AUTH
-              value: "htpasswd"
-            - name: REGISTRY_AUTH_HTPASSWD_REALM
-              value: "Registry Realm"
-            - name: REGISTRY_AUTH_HTPASSWD_PATH
-              value: "/auth/htpasswd"
-{{- end }}
-            - name: REGISTRY_HTTP_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "docker-registry.fullname" . }}-secret
-                  key: haSharedSecret
-{{- if .Values.tlsSecretName }}
-            - name: REGISTRY_HTTP_TLS_CERTIFICATE
-              value: /etc/ssl/docker/tls.crt
-            - name: REGISTRY_HTTP_TLS_KEY
-              value: /etc/ssl/docker/tls.key
-{{- end }}
-{{- if eq .Values.storage "filesystem" }}
-            - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
-              value: "/var/lib/registry"
-{{- else if eq .Values.storage "azure" }}
-            - name: REGISTRY_STORAGE_AZURE_ACCOUNTNAME
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "docker-registry.fullname" . }}-secret
-                  key: azureAccountName
-            - name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "docker-registry.fullname" . }}-secret
-                  key: azureAccountKey
-            - name: REGISTRY_STORAGE_AZURE_CONTAINER
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "docker-registry.fullname" . }}-secret
-                  key: azureContainer
-{{- else if eq .Values.storage "s3" }}
-            {{- if or (and .Values.secrets.s3.secretKey .Values.secrets.s3.accessKey) .Values.secrets.s3.secretRef }}
-            - name: REGISTRY_STORAGE_S3_ACCESSKEY
-              valueFrom:
-                secretKeyRef:
-                  name: {{ if .Values.secrets.s3.secretRef }}{{ .Values.secrets.s3.secretRef }}{{ else }}{{ template "docker-registry.fullname" . }}-secret{{ end }}
-                  key: s3AccessKey
-            - name: REGISTRY_STORAGE_S3_SECRETKEY
-              valueFrom:
-                secretKeyRef:
-                  name: {{ if .Values.secrets.s3.secretRef }}{{ .Values.secrets.s3.secretRef }}{{ else }}{{ template "docker-registry.fullname" . }}-secret{{ end }}
-                  key: s3SecretKey
-            {{- end }}
-            - name: REGISTRY_STORAGE_S3_REGION
-              value: {{ required ".Values.s3.region is required" .Values.s3.region }}
-          {{- if .Values.s3.regionEndpoint }}
-            - name: REGISTRY_STORAGE_S3_REGIONENDPOINT
-              value: {{ .Values.s3.regionEndpoint }}
           {{- end }}
-            - name: REGISTRY_STORAGE_S3_BUCKET
+          volumeMounts: {{ include "docker-registry.volumeMounts" . | nindent 12 }}
-              value: {{ required ".Values.s3.bucket is required" .Values.s3.bucket }}
+      {{- if .Values.nodeSelector }}
-          {{- if .Values.s3.rootdirectory }}
+      nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
-            - name: REGISTRY_STORAGE_S3_ROOTDIRECTORY
+      {{- end }}
-              value: {{ .Values.s3.rootdirectory | quote }}
+      {{- if .Values.affinity }}
-          {{- end }}
+      affinity: {{ toYaml .Values.affinity | nindent 8 }}
-          {{- if .Values.s3.encrypt }}
+      {{- end }}
-            - name: REGISTRY_STORAGE_S3_ENCRYPT
+      {{- if .Values.tolerations }}
-              value: {{ .Values.s3.encrypt | quote }}
+      tolerations: {{ toYaml .Values.tolerations | nindent 8 }}
-          {{- end }}
+      {{- end }}
-          {{- if .Values.s3.secure }}
+      volumes: {{ include "docker-registry.volumes" . | nindent 8 }}
-            - name: REGISTRY_STORAGE_S3_SECURE
-              value: {{ .Values.s3.secure | quote }}
-          {{- end }}
-{{- else if eq .Values.storage "swift" }}
-            - name: REGISTRY_STORAGE_SWIFT_AUTHURL
-              value: {{ required ".Values.swift.authurl is required" .Values.swift.authurl }}
-            - name: REGISTRY_STORAGE_SWIFT_USERNAME
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "docker-registry.fullname" . }}-secret
-                  key: swiftUsername
-            - name: REGISTRY_STORAGE_SWIFT_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "docker-registry.fullname" . }}-secret
-                  key: swiftPassword
-            - name: REGISTRY_STORAGE_SWIFT_CONTAINER
-              value: {{ required ".Values.swift.container is required" .Values.swift.container }}
-{{- end }}
-{{- if .Values.proxy.enabled }}
-            - name: REGISTRY_PROXY_REMOTEURL
-              value: {{ required ".Values.proxy.remoteurl is required" .Values.proxy.remoteurl }}
-            - name: REGISTRY_PROXY_USERNAME
-              valueFrom:
-                secretKeyRef:
-                  name: {{ if .Values.proxy.secretRef }}{{ .Values.proxy.secretRef }}{{ else }}{{ template "docker-registry.fullname" . }}-secret{{ end }}
-                  key: proxyUsername
-            - name: REGISTRY_PROXY_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ if .Values.proxy.secretRef }}{{ .Values.proxy.secretRef }}{{ else }}{{ template "docker-registry.fullname" . }}-secret{{ end }}
-                  key: proxyPassword
-{{- end }}
-{{- if .Values.persistence.deleteEnabled }}
-            - name: REGISTRY_STORAGE_DELETE_ENABLED
-              value: "true"
-{{- end }}
-          volumeMounts:
-{{- if .Values.secrets.htpasswd }}
-            - name: auth
-              mountPath: /auth
-              readOnly: true
-{{- end }}
-{{- if eq .Values.storage "filesystem" }}
-            - name: data
-              mountPath: /var/lib/registry/
-{{- end }}
-            - name: "{{ template "docker-registry.fullname" . }}-config"
-              mountPath: "/etc/docker/registry"
-{{- if .Values.tlsSecretName }}
-            - mountPath: /etc/ssl/docker
-              name: tls-cert
-              readOnly: true
-{{- end }}
-{{- with .Values.extraVolumeMounts }}
-            {{- toYaml . | nindent 12 }}
-{{- end }}
-{{- if .Values.nodeSelector }}
-      nodeSelector:
-{{ toYaml .Values.nodeSelector | indent 8 }}
-{{- end }}
-{{- if .Values.affinity }}
-      affinity:
-{{ toYaml .Values.affinity | indent 8 }}
-{{- end }}
-{{- if .Values.tolerations }}
-      tolerations:
-{{ toYaml .Values.tolerations | indent 8 }}
-{{- end }}
-      volumes:
-{{- if .Values.secrets.htpasswd }}
-        - name: auth
-          secret:
-            secretName: {{ template "docker-registry.fullname" . }}-secret
-            items:
-            - key: htpasswd
-              path: htpasswd
-{{- end }}
-{{- if eq .Values.storage "filesystem" }}
-        - name: data
-      {{- if .Values.persistence.enabled }}
-          persistentVolumeClaim:
-            claimName: {{ if .Values.persistence.existingClaim }}{{ .Values.persistence.existingClaim }}{{- else }}{{ template "docker-registry.fullname" . }}{{- end }}
-      {{- else }}
-          emptyDir: {}
-      {{- end -}}
-{{- end }}
-        - name: {{ template "docker-registry.fullname" . }}-config
-          configMap:
-            name: {{ template "docker-registry.fullname" . }}-config
-{{- if .Values.tlsSecretName }}
-        - name: tls-cert
-          secret:
-            secretName: {{ .Values.tlsSecretName }}
-{{- end }}
-{{- with .Values.extraVolumes }}
-        {{- toYaml . | nindent 8 }}
-{{- end }}

templates/hpa.yaml

@@ -0,0 +1,42 @@
+{{- if .Values.autoscaling.enabled }}
+{{- $apiVersions := .Capabilities.APIVersions -}}
+{{- if $apiVersions.Has "autoscaling/v2" }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ template "docker-registry.fullname" . }}
+  labels:
+    app: {{ template "docker-registry.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ template "docker-registry.fullname" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+{{- with .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ . }}
+{{- end }}
+{{- with .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: {{ . }}
+{{- end }}
+{{- with .Values.autoscaling.behavior }}
+  behavior:
+    {{- toYaml . | nindent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}

templates/hpaV1.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.autoscaling.enabled }}
+{{- $apiVersions := .Capabilities.APIVersions -}}
+{{- if not ($apiVersions.Has "autoscaling/v2") }}
+apiVersion: autoscaling/v1
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ template "docker-registry.fullname" . }}
+  labels:
+    app: {{ template "docker-registry.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ template "docker-registry.fullname" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  targetCPUUtilizationPercentage: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+{{- end }}
+{{- end }}

templates/ingress.yaml

@@ -1,11 +1,13 @@
 {{- if .Values.ingress.enabled -}}
+{{- $apiVersions := .Capabilities.APIVersions -}}
 {{- $serviceName := include "docker-registry.fullname" . -}}
 {{- $servicePort := .Values.service.port -}}
 {{- $path := .Values.ingress.path -}}
-apiVersion: {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} networking.k8s.io/v1beta1 {{- else }} extensions/v1beta1 {{- end }}
+apiVersion: {{- if $apiVersions.Has "networking.k8s.io/v1" }} networking.k8s.io/v1 {{- else }} networking.k8s.io/v1beta1 {{- end }}
 kind: Ingress
 metadata:
   name: {{ template "docker-registry.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     app: {{ template "docker-registry.name" . }}
     chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
@@ -19,15 +21,27 @@ metadata:
       {{ $key }}: {{ $value | quote }}
     {{- end }}
 spec:
+{{- if $apiVersions.Has "networking.k8s.io/v1" }}
+  ingressClassName: {{ .Values.ingress.className }}
+{{- end }}
   rules:
     {{- range $host := .Values.ingress.hosts }}
     - host: {{ $host }}
       http:
         paths:
           - path: {{ $path }}
+{{- if $apiVersions.Has "networking.k8s.io/v1" }}
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ $serviceName }}
+                port:
+                  number: {{ $servicePort }}
+{{- else }}
             backend:
               serviceName: {{ $serviceName }}
               servicePort: {{ $servicePort }}
+{{- end }}
     {{- end -}}
   {{- if .Values.ingress.tls }}
   tls:

templates/poddisruptionbudget.yaml

@@ -1,8 +1,13 @@
 {{- if .Values.podDisruptionBudget -}}
+{{- if .Capabilities.APIVersions.Has "policy/v1" -}}
+apiVersion: policy/v1
+{{- else}}
 apiVersion: policy/v1beta1
+{{- end }}
 kind: PodDisruptionBudget
 metadata:
   name: {{ template "docker-registry.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     app: {{ template "docker-registry.name" . }}
     chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}

templates/prometheusrules.yaml

@@ -0,0 +1,17 @@
+{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled -}}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: {{ template "docker-registry.fullname" . }}
+  labels:
+    app.kubernetes.io/component: controller
+  {{- if .Values.metrics.prometheusRule.labels }}
+    {{- toYaml .Values.metrics.prometheusRule.labels | nindent 4 }}
+  {{- end }}
+spec:
+{{- if .Values.metrics.prometheusRule.rules }}
+  groups:
+  - name: {{ template "docker-registry.fullname" . }}
+    rules: {{- toYaml .Values.metrics.prometheusRule.rules | nindent 4 }}
+{{- end }}
+{{- end }}

templates/pvc.yaml

@@ -4,6 +4,7 @@ kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
   name: {{ template "docker-registry.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     app: {{ template "docker-registry.fullname" . }}
     chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"

templates/secret.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ template "docker-registry.fullname" . }}-secret
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     app: {{ template "docker-registry.name" . }}
     chart: {{ .Chart.Name }}-{{ .Chart.Version }}

templates/service.yaml

@@ -2,11 +2,15 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ template "docker-registry.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     app: {{ template "docker-registry.name" . }}
     chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
+{{- if .Values.service.labels }}
+{{ toYaml .Values.service.labels | indent 4 }}
+{{- end }}
 {{- if .Values.service.annotations }}
   annotations:
 {{ toYaml .Values.service.annotations | indent 4 }}
@@ -36,6 +40,12 @@ spec:
       targetPort: 5000
 {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }}
       nodePort: {{ .Values.service.nodePort }}
+{{- end }}
+{{- if .Values.metrics.enabled }}
+    - port: {{ .Values.metrics.port }}
+      protocol: TCP
+      name: http-metrics
+      targetPort: {{ (split ":" .Values.configData.http.debug.addr)._1 }}
 {{- end }}
   selector:
     app: {{ template "docker-registry.name" . }}

templates/serviceaccount.yaml

@@ -0,0 +1,20 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: {{ template "docker-registry.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+{{- if .Values.serviceAccount.name }}
+  name: {{ .Values.serviceAccount.name }}
+{{- else  }}
+  name: {{ include "docker-registry.fullname" . }}
+{{- end }}
+{{- if .Values.serviceAccount.annotations }}
+  annotations:
+{{ toYaml .Values.serviceAccount.annotations | indent 4 }}
+{{- end }}
+{{- end -}}

templates/servicemonitor.yaml

@@ -0,0 +1,21 @@
+{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled -}}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ template "docker-registry.fullname" . }}-servicemonitor
+  labels:
+    app: {{ template "docker-registry.name" . }}-metrics
+    release: {{ .Release.Name }}
+{{- if .Values.metrics.serviceMonitor.labels }}
+{{ toYaml .Values.metrics.serviceMonitor.labels | indent 4 }}
+{{- end }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ template "docker-registry.name" . }}
+      release: {{ .Release.Name }}
+      heritage: {{ .Release.Service }}
+  endpoints:
+  - port: http-metrics
+    interval: 15s
+{{- end }}

values.yaml

@@ -12,12 +12,19 @@ updateStrategy: {}
 podAnnotations: {}
 podLabels: {}
 
+serviceAccount:
+  create: false
+  name: ""
+  annotations: {}
+
 image:
   repository: registry
-  tag: 2.7.1
+  tag: 3.0.0
   pullPolicy: IfNotPresent
 # imagePullSecrets:
     # - name: docker
+deployment: {}
+  # annotations:
 service:
   name: registry
   type: ClusterIP
@@ -30,8 +37,11 @@ service:
   # loadBalancerSourceRanges:
   annotations: {}
   # foo.io/bar: "true"
+  labels: {}
+  # foo.io/baz: "false"
 ingress:
   enabled: false
+  className: nginx
   path: /
   # Used to create an Ingress record.
   hosts:
@@ -51,11 +61,11 @@ resources: {}
   # resources, such as Minikube. If you do want to specify resources, uncomment the following
   # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
   # limits:
-  #  cpu: 100m
+  #   cpu: 100m
-  #  memory: 128Mi
+  #   memory: 128Mi
   # requests:
-  #  cpu: 100m
+  #   cpu: 100m
-  #  memory: 128Mi
+  #   memory: 128Mi
 persistence:
   accessMode: 'ReadWriteOnce'
   enabled: false
@@ -88,17 +98,19 @@ secrets:
 
 # Options for s3 storage type:
 # s3:
-#  region: us-east-1
+#   region: us-east-1
-#  regionEndpoint: s3.us-east-1.amazonaws.com
+#   regionEndpoint: https://s3.us-east-1.amazonaws.com
-#  bucket: my-bucket
+#   bucket: my-bucket
-#  rootdirectory: /object/prefix
+#   rootdirectory: /object/prefix
-#  encrypt: false
+#   encrypt: false
-#  secure: true
+#   secure: true
+#   forcepathstyle: true
+#   skipverify: true
 
 # Options for swift storage type:
 # swift:
-#  authurl: http://swift.example.com/
+#   authurl: http://swift.example.com/
-#  container: my-container
+#   container: my-container
 
 # https://docs.docker.com/registry/recipes/mirror/
 proxy:
@@ -110,6 +122,20 @@ proxy:
   # Keys: proxyUsername, proxyPassword
   secretRef: ""
 
+metrics:
+  enabled: false
+  port: 5001
+  # Create a prometheus-operator servicemonitor
+  serviceMonitor:
+    enabled: false
+    labels: {}
+  # prometheus-operator PrometheusRule defining alerting rules for a Prometheus instance
+  prometheusRule:
+    enabled: false
+    labels: {}
+    rules: {}
+
+configPath: /etc/distribution
 configData:
   version: 0.1
   log:
@@ -122,14 +148,37 @@ configData:
     addr: :5000
     headers:
       X-Content-Type-Options: [nosniff]
+    debug:
+      addr: :5001
+      prometheus:
+        enabled: false
+        path: /metrics
   health:
     storagedriver:
       enabled: true
       interval: 10s
       threshold: 3
 
+containerSecurityContext:
+  enabled: true
+  seLinuxOptions: {}
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - ALL
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsUser: 1000
+  runAsGroup: 1000
+  runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
+
 securityContext:
   enabled: true
+  fsGroupChangePolicy: Always
+  sysctls: []
+  supplementalGroups: []
   runAsUser: 1000
   fsGroup: 1000
 
@@ -139,6 +188,30 @@ podDisruptionBudget: {}
   # maxUnavailable: 1
   # minAvailable: 2
 
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 2
+  targetCPUUtilizationPercentage: 60
+  targetMemoryUtilizationPercentage: 60 # available only on Kubernetes ≥1.23 [required "autoscaling/v2"]
+  behavior: {} # available only on Kubernetes ≥1.23 [required "autoscaling/v2"]
+#   scaleDown:
+#     stabilizationWindowSeconds: 300
+#     policies:
+#     - type: Percent
+#       value: 100
+#       periodSeconds: 15
+#   scaleUp:
+#     stabilizationWindowSeconds: 0
+#     policies:
+#     - type: Percent
+#       value: 100
+#       periodSeconds: 15
+#     - type: Pods
+#       value: 4
+#       periodSeconds: 15
+#     selectPolicy: Max
+
 nodeSelector: {}
 
 affinity: {}
@@ -160,3 +233,32 @@ extraVolumes: []
 #        - key: cloudfront.pem
 #          path: cloudfront.pem
 #          mode: 511
+
+extraEnvVars: []
+## Additional ENV variables to set
+# - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
+#   value: "/var/lib/example"
+
+initContainers: []
+## Init containers to add to the Deployment
+# - name: init
+#   image: busybox
+#   command: []
+
+garbageCollect:
+  enabled: false
+  deleteUntagged: true
+  schedule: "0 1 * * *"
+  podAnnotations: {}
+  podLabels: {}
+  resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi