Merge pull request #182 from twuni/readme-install-via-gh-pages

Update README with repo migration notice

.circleci/config.yml

@@ -1,15 +0,0 @@
-version: 2.1
-jobs:
-  lint:
-    docker:
-    - image: twuni/helm:3.4.1
-    steps:
-    - checkout
-    - run:
-        command: helm lint --strict
-        name: lint
-workflows:
-  version: 2
-  default:
-    jobs:
-    - lint

.github/dependabot.yaml

@@ -0,0 +1,8 @@
+---
+# Dependabot Config Ref: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily

.github/workflows/ci.yaml

@@ -0,0 +1,41 @@
+---
+# GitHub Actions Workflows Ref: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
+name: CI
+"on":
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - "**"
+  workflow_dispatch:
+concurrency:
+  group: ${{ github.event_name }}-${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+permissions: read-all
+jobs:
+  helm-lint:
+    name: Helm Lint
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4.1.4
+      - run: |
+          helm lint --strict
+  integration-test:
+    name: Integration Test
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4.1.4
+      - uses: AbsaOSS/k3d-action@v2.4.0
+        name: Create K3D Cluster with Container Registry
+        with:
+          cluster-name: local-ci-k3d-cluster
+          args: >-
+            --agents 1
+            --registry-create local-ci-k3d-registry
+      - name: Test
+        run: |
+          helm install docker-registry . --wait --wait-for-jobs
+          kubectl get all,pvc

.github/workflows/helm_release.yaml

@@ -0,0 +1,35 @@
+name: Release Charts
+
+on:
+  workflow_dispatch:
+
+jobs:
+  release:
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+      
+      - name: Install chart-releaser
+        uses: helm/chart-releaser-action@v1.7.0
+        with:
+          install_only: true
+
+      - name: Run chart-releaser
+        env:
+          CR_TOKEN: "${{ secrets.CR_TOKEN }}"
+        run: |
+          owner=$(cut -d '/' -f 1 <<< "$GITHUB_REPOSITORY")
+          repo=$(cut -d '/' -f 2 <<< "$GITHUB_REPOSITORY")
+          cr package
+          cr upload --owner="$owner" --git-repo "$repo" --token="$CR_TOKEN" --release-name-template="v{{ .Version }}" --packages-with-index --push --skip-existing --generate-release-notes --commit main
+          cr index --owner="$owner" --git-repo "$repo" --token="$CR_TOKEN" --release-name-template="v{{ .Version }}" --packages-with-index --push --index-path="."

.github/workflows/pr_diff.yaml

@@ -44,7 +44,7 @@ jobs:
           echo 'HELM_DIFF<<EOF' >> $GITHUB_ENV
           echo "$(diff -ur before after)" >> $GITHUB_ENV
           echo 'EOF' >> $GITHUB_ENV
-      - uses: marocchino/sticky-pull-request-comment@39c5b5dc7717447d0cba270cd115037d32d28443
+      - uses: marocchino/sticky-pull-request-comment@d2ad0de260ae8b0235ce059e63f2949ba9e05943
         with:
           message: |
             Running a `helm template` smoketest on commit ${{ github.ref }} results in the following diff against `${{ github.base_ref }}`:

.gitignore

@@ -0,0 +1 @@
+.cr-release-packages

Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v1
 description: A Helm chart for Docker Registry
 name: docker-registry
-version: 2.2.2
-appVersion: 2.8.1
+version: 3.0.0
+appVersion: 3.0.0
 home: https://hub.docker.com/_/registry/
 icon: https://helm.twun.io/docker-registry.png
 maintainers:

README.md

@@ -12,18 +12,33 @@ This chart will do the following:
 
 * Implement a Docker registry deployment
 
+## ⚠️ Repo Migration and Deprecation Notice
+
+The following change only affects attempts to install or update the chart via the https://helm.twun.io repo.
+
+The https://helm.twun.io repo has been migrated to https://twuni.github.io/docker-registry.helm.
+
+To update your configuration, remove and re-add the repo with the new URL:
+
+```console
+helm repo remove twuni
+helm repo add twuni https://twuni.github.io/docker-registry.helm
+```
+
+The deprecated repo URL, https://helm.twun.io, may become unavailable as early as **October 16, 2025**.
+
 ## Installing the Chart
 
 First, add the repo:
 
 ```console
-$ helm repo add twuni https://helm.twun.io
+helm repo add twuni https://twuni.github.io/docker-registry.helm
 ```
 
 To install the chart, use the following:
 
 ```console
-$ helm install twuni/docker-registry
+helm install twuni/docker-registry
 ```
 
 ## Configuration
@@ -35,7 +50,7 @@ their default values.
 |:----------------------------|:-------------------------------------------------------------------------------------------|:----------------|
 | `image.pullPolicy`          | Container pull policy                                                                      | `IfNotPresent`  |
 | `image.repository`          | Container image to use                                                                     | `registry`      |
-| `image.tag`                 | Container image tag to deploy                                                              | `2.7.1`         |
+| `image.tag`                 | Container image tag to deploy                                                              | `2.8.1`         |
 | `imagePullSecrets`          | Specify image pull secrets                                                                 | `nil` (does not add image pull secrets to deployed pods) |
 | `persistence.accessMode`    | Access mode to use for PVC                                                                 | `ReadWriteOnce` |
 | `persistence.enabled`       | Whether to use a PVC for the Docker storage                                                | `false`         |
@@ -46,6 +61,7 @@ their default values.
 | `serviceAccount.create`     | Create ServiceAccount                                                                      | `false`         |
 | `serviceAccount.name`       | ServiceAccount name                                                                        | `nil`           |
 | `serviceAccount.annotations` | Annotations to add to the ServiceAccount                                                  | `{}`            |
+| `deployment.annotations`    | Annotations to add to the Deployment                                                       | `{}`            |
 | `service.port`              | TCP port on which the service is exposed                                                   | `5000`          |
 | `service.type`              | service type                                                                               | `ClusterIP`     |
 | `service.clusterIP`         | if `service.type` is `ClusterIP` and this is non-empty, sets the cluster IP of the service | `nil`           |
@@ -56,8 +72,8 @@ their default values.
 | `service.sessionAffinityConfig` | service session affinity config                                                        | `nil`           |
 | `replicaCount`              | k8s replicas                                                                               | `1`             |
 | `updateStrategy`            | update strategy for deployment                                                             | `{}`            |
-| `podAnnotations`            | Annotations for pod                                                                        | `{}`            |
-| `podLabels`                 | Labels for pod                                                                             | `{}`            |
+| `podAnnotations`            | Annotations for deployment pod, and `garbageCollect` pod unless set explicitly there. See `garbageCollect` | `{}` |
+| `podLabels`                 | Labels for deployment pod, and `garbageCollect` pod unless set explicitly there. See `garbageCollect` | `{}` |
 | `podDisruptionBudget`       | Pod disruption budget                                                                      | `{}`            |
 | `resources.limits.cpu`      | Container requested CPU                                                                    | `nil`           |
 | `resources.limits.memory`   | Container requested memory                                                                 | `nil`           |
@@ -73,17 +89,20 @@ their default values.
 | `secrets.htpasswd`          | Htpasswd authentication                                                                    | `nil`           |
 | `secrets.s3.accessKey`      | Access Key for S3 configuration                                                            | `nil`           |
 | `secrets.s3.secretKey`      | Secret Key for S3 configuration                                                            | `nil`           |
-| `secrets.s3.secretRef`      | The ref for an external secret containing the accessKey and secretKey keys                 | `""`            |
+| `secrets.s3.secretRef`      | The ref for an external secret containing the s3AccessKey and s3SecretKey keys                 | `""`            |
 | `secrets.swift.username`    | Username for Swift configuration                                                           | `nil`           |
 | `secrets.swift.password`    | Password for Swift configuration                                                           | `nil`           |
 | `secrets.haSharedSecret`    | Shared secret for Registry                                                                 | `nil`           |
 | `configData`                | Configuration hash for docker                                                              | `nil`           |
+| `configPath` | Configuration mount point in docker, `/etc/docker/registry` for registry version 2, `/etc/distribution` for version 3 | `/etc/docker/registry` |
 | `s3.region`                 | S3 region                                                                                  | `nil`           |
 | `s3.regionEndpoint`         | S3 region endpoint                                                                         | `nil`           |
 | `s3.bucket`                 | S3 bucket name                                                                             | `nil`           |
 | `s3.rootdirectory`          | S3 prefix that is applied to allow you to segment data                                     | `nil`           |
 | `s3.encrypt`                | Store images in encrypted format                                                           | `nil`           |
 | `s3.secure`                 | Use HTTPS                                                                                  | `nil`           |
+| `s3.forcepathstyle`         | Use path-style addressing, needed for some s3 compatible storage (minio)                   | `nil`           |
+| `s3.skipverify`             | Allows connection to s3 storage using TLS with untrusted/self-signed certificate           | `nil`           |
 | `swift.authurl`             | Swift authurl                                                                              | `nil`           |
 | `swift.container`           | Swift container                                                                            | `nil`           |
 | `proxy.enabled`             | If true, registry will function as a proxy/mirror                                          | `false`         |
@@ -116,11 +135,14 @@ their default values.
 | `extraEnvVars`              | Additional environment variables to the pod                                                | `[]`            |
 | `initContainers`            | Init containers to be created in the pod                                                   | `[]`            |
 | `garbageCollect.enabled`    | If true, will deploy garbage-collector cronjob                                             | `false`         |
-| `garbageCollect.deleteUntagged` | If true, garbage-collector will delete manifests that are not currently referenced via tag | `true` |    |
-| `garbageCollect.schedule`   | CronTab schedule, please use standard crontab format                                        | `0 1 * * *` |  |
+| `garbageCollect.deleteUntagged` | If true, garbage-collector will delete manifests that are not currently referenced via tag | `true`      |
+| `garbageCollect.schedule`   | CronTab schedule, please use standard crontab format                                       | `0 1 * * *`     |
+| `garbageCollect.podAnnotations` | CronJob pod Annotations. If left empty and chart `podAnnotations` are set, will use those. If both are set, these take precedence for the `garbageCollect` pods. | `{}` |
+| `garbageCollect.podLabels`  | CronJob pod Annotations. If left empty and chart `podLabels` are set, will use those. If both are set, these take precedence for the `garbageCollect` pods. | `{}` |
+| `garbageCollect.resources`  | garbage-collector requested resources                                                      | `{}`            |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to
 `helm install`.
 
 To generate htpasswd file, run this docker command:
-`docker run --entrypoint htpasswd registry:2 -Bbn user password > ./htpasswd`.
+`docker run --entrypoint htpasswd httpd:2 -Bbn user password > ./htpasswd`.

templates/_helpers.tpl

@@ -103,6 +103,16 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
   value: {{ .Values.s3.secure | quote }}
 {{- end -}}
 
+{{- if .Values.s3.forcepathstyle }}
+- name: REGISTRY_STORAGE_S3_FORCEPATHSTYLE
+  value: {{ .Values.s3.forcepathstyle | quote }}
+{{- end -}}
+
+{{- if .Values.s3.skipverify }}
+- name: REGISTRY_STORAGE_S3_SKIPVERIFY
+  value: {{ .Values.s3.skipverify | quote }}
+{{- end -}}
+
 {{- else if eq .Values.storage "swift" }}
 - name: REGISTRY_STORAGE_SWIFT_AUTHURL
   value: {{ required ".Values.swift.authurl is required" .Values.swift.authurl }}
@@ -148,7 +158,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 
 {{- define "docker-registry.volumeMounts" -}}
 - name: "{{ template "docker-registry.fullname" . }}-config"
-  mountPath: "/etc/docker/registry"
+  mountPath: {{ .Values.configPath }}
 
 {{- if .Values.secrets.htpasswd }}
 - name: auth

templates/cronjob.yaml

@@ -17,16 +17,26 @@ spec:
         app: {{ template "docker-registry.name" . }}
         release: {{ .Release.Name }}
         {{- with .Values.podLabels }}
-        {{ toYaml . | nindent 8 }}
+        {{- toYaml . | nindent 8 }}
         {{- end }}
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
         checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
         {{- if .Values.podAnnotations }}
-        {{ toYaml .Values.podAnnotations | nindent 8 }}
+        {{- toYaml .Values.podAnnotations | nindent 8 }}
         {{- end }}
     spec:
       template:
+        metadata:
+          labels:
+            release: {{ .Release.Name }}
+            {{- if or .Values.podLabels .Values.garbageCollect.podLabels }}
+            {{- toYaml (merge (.Values.garbageCollect.podLabels | default (dict)) (.Values.podLabels | default (dict))) | nindent 12 }}
+            {{- end }}
+          {{- if or .Values.podAnnotations .Values.garbageCollect.podAnnotations }}
+          annotations:
+            {{- toYaml (merge (.Values.garbageCollect.podAnnotations | default (dict)) (.Values.podAnnotations | default (dict))) | nindent 12 }}
+          {{- end}}
         spec:
           {{- if or (eq .Values.serviceAccount.create true) (ne .Values.serviceAccount.name "") }}
           serviceAccountName: {{ .Values.serviceAccount.name | default (include "docker-registry.fullname" .) }}
@@ -38,9 +48,7 @@ spec:
           priorityClassName: "{{ .Values.priorityClassName }}"
           {{- end }}
           {{- if .Values.securityContext.enabled }}
-          securityContext:
-            fsGroup: {{ .Values.securityContext.fsGroup }}
-            runAsUser: {{ .Values.securityContext.runAsUser }}
+          securityContext: {{ omit .Values.securityContext "enabled" | toYaml | nindent 12 }}
           {{- end }}
           containers:
             - name: {{ .Chart.Name }}
@@ -50,8 +58,15 @@ spec:
               - /bin/registry
               - garbage-collect
               - --delete-untagged={{ .Values.garbageCollect.deleteUntagged }}
-              - /etc/docker/registry/config.yml
+              - {{ .Values.configPath }}/config.yml
+              {{- if .Values.garbageCollect.resources }}
+              resources:
+              {{- toYaml .Values.garbageCollect.resources | nindent 16 }}
+              {{- end }}
               env: {{ include "docker-registry.envs" . | nindent 16 }}
+              {{- if .Values.containerSecurityContext.enabled }}
+              securityContext: {{ omit .Values.containerSecurityContext "enabled" | toYaml | nindent 16 }}
+              {{- end }}
               volumeMounts: {{ include "docker-registry.volumeMounts" . | nindent 16 }}
           restartPolicy: OnFailure
           {{- if .Values.nodeSelector }}

templates/deployment.yaml

@@ -8,6 +8,10 @@ metadata:
     chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
+{{- if .Values.deployment.annotations }}
+  annotations:
+{{ toYaml .Values.deployment.annotations | indent 4 }}
+{{- end }}
 spec:
   selector:
     matchLabels:
@@ -43,9 +47,7 @@ spec:
       priorityClassName: "{{ .Values.priorityClassName }}"
       {{- end }}
       {{- if .Values.securityContext.enabled }}
-      securityContext:
-        fsGroup: {{ .Values.securityContext.fsGroup }}
-        runAsUser: {{ .Values.securityContext.runAsUser }}
+      securityContext: {{ omit .Values.securityContext "enabled" | toYaml | nindent 8 }}
       {{- end }}
       {{- with .Values.initContainers }}
       initContainers:
@@ -58,7 +60,7 @@ spec:
           command:
           - /bin/registry
           - serve
-          - /etc/docker/registry/config.yml
+          - {{ .Values.configPath }}/config.yml
           ports:
             - containerPort: 5000
             {{- if .Values.metrics.enabled }}
@@ -82,6 +84,9 @@ spec:
               port: 5000
           resources: {{ toYaml .Values.resources | nindent 12 }}
           env: {{ include "docker-registry.envs" . | nindent 12 }}
+          {{- if .Values.containerSecurityContext.enabled }}
+          securityContext: {{ omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
           volumeMounts: {{ include "docker-registry.volumeMounts" . | nindent 12 }}
       {{- if .Values.nodeSelector }}
       nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}

templates/poddisruptionbudget.yaml

@@ -1,5 +1,9 @@
 {{- if .Values.podDisruptionBudget -}}
+{{- if .Capabilities.APIVersions.Has "policy/v1" -}}
+apiVersion: policy/v1
+{{- else}}
 apiVersion: policy/v1beta1
+{{- end }}
 kind: PodDisruptionBudget
 metadata:
   name: {{ template "docker-registry.fullname" . }}

templates/service.yaml

@@ -8,6 +8,9 @@ metadata:
     chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
+{{- if .Values.service.labels }}
+{{ toYaml .Values.service.labels | indent 4 }}
+{{- end }}
 {{- if .Values.service.annotations }}
   annotations:
 {{ toYaml .Values.service.annotations | indent 4 }}

values.yaml

@@ -19,10 +19,12 @@ serviceAccount:
 
 image:
   repository: registry
-  tag: 2.8.1
+  tag: 3.0.0
   pullPolicy: IfNotPresent
 # imagePullSecrets:
     # - name: docker
+deployment: {}
+  # annotations:
 service:
   name: registry
   type: ClusterIP
@@ -35,6 +37,8 @@ service:
   # loadBalancerSourceRanges:
   annotations: {}
   # foo.io/bar: "true"
+  labels: {}
+  # foo.io/baz: "false"
 ingress:
   enabled: false
   className: nginx
@@ -57,11 +61,11 @@ resources: {}
   # resources, such as Minikube. If you do want to specify resources, uncomment the following
   # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
   # limits:
-  #  cpu: 100m
-  #  memory: 128Mi
+  #   cpu: 100m
+  #   memory: 128Mi
   # requests:
-  #  cpu: 100m
-  #  memory: 128Mi
+  #   cpu: 100m
+  #   memory: 128Mi
 persistence:
   accessMode: 'ReadWriteOnce'
   enabled: false
@@ -94,17 +98,19 @@ secrets:
 
 # Options for s3 storage type:
 # s3:
-#  region: us-east-1
-#  regionEndpoint: s3.us-east-1.amazonaws.com
-#  bucket: my-bucket
-#  rootdirectory: /object/prefix
-#  encrypt: false
-#  secure: true
+#   region: us-east-1
+#   regionEndpoint: https://s3.us-east-1.amazonaws.com
+#   bucket: my-bucket
+#   rootdirectory: /object/prefix
+#   encrypt: false
+#   secure: true
+#   forcepathstyle: true
+#   skipverify: true
 
 # Options for swift storage type:
 # swift:
-#  authurl: http://swift.example.com/
-#  container: my-container
+#   authurl: http://swift.example.com/
+#   container: my-container
 
 # https://docs.docker.com/registry/recipes/mirror/
 proxy:
@@ -129,6 +135,7 @@ metrics:
     labels: {}
     rules: {}
 
+configPath: /etc/distribution
 configData:
   version: 0.1
   log:
@@ -152,8 +159,26 @@ configData:
       interval: 10s
       threshold: 3
 
+containerSecurityContext:
+  enabled: true
+  seLinuxOptions: {}
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - ALL
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsUser: 1000
+  runAsGroup: 1000
+  runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
+
 securityContext:
   enabled: true
+  fsGroupChangePolicy: Always
+  sysctls: []
+  supplementalGroups: []
   runAsUser: 1000
   fsGroup: 1000
 
@@ -224,3 +249,16 @@ garbageCollect:
   enabled: false
   deleteUntagged: true
   schedule: "0 1 * * *"
+  podAnnotations: {}
+  podLabels: {}
+  resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi