feat: config to enable resilient registry

.github/workflows/test-bigbang.yml

@@ -49,7 +49,7 @@ jobs:
         if: ${{ env.IRON_BANK_ROBOT_USERNAME != '' }}
         env:
           IRON_BANK_ROBOT_USERNAME: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
-        run: make ib-init-package
+        run: make build-registry1-init-package ZARF_CONFIG=./hack/zarf-config-registry1.toml
 
       # Upload the contents of the build directory for later stages to use
       - name: Upload build artifacts

Makefile

@@ -119,7 +119,7 @@ build-local-agent-image: ## Build the Zarf agent image to be used in a locally b
 	@ if [ "$(ARCH)" = "amd64" ]; then cp build/zarf build/zarf-linux-amd64; fi
 	@ if [ "$(ARCH)" = "arm64" ] && [ ! -s ./build/zarf-arm ]; then $(MAKE) build-cli-linux-arm; fi
 	@ if [ "$(ARCH)" = "arm64" ]; then cp build/zarf-arm build/zarf-linux-arm64; fi
-	docker buildx build --load --platform linux/$(ARCH) --tag ghcr.io/defenseunicorns/zarf/agent:local .
+	docker buildx build --load --platform linux/$(ARCH) --tag ghcr.io/defenseunicorns/zarf/agent:local --tag registry1.dso.mil/ironbank/opensource/defenseunicorns/zarf/zarf-agent:local .
 	@ if [ "$(ARCH)" = "amd64" ]; then rm build/zarf-linux-amd64; fi
 	@ if [ "$(ARCH)" = "arm64" ]; then rm build/zarf-linux-arm64; fi
 
@@ -131,19 +131,21 @@ init-package: ## Create the zarf init package (must `brew install coreutils` on
 release-init-package:
 	$(ZARF_BIN) package create -o build -a $(ARCH) --set AGENT_IMAGE_TAG=$(AGENT_IMAGE_TAG) --confirm .
 
-# INTERNAL: used to build an iron bank version of the init package with an ib version of the registry image
-ib-init-package:
-	@test -s $(ZARF_BIN) || $(MAKE) build-cli
-	$(ZARF_BIN) package create -o build -a $(ARCH) --confirm . \
-		--set REGISTRY_IMAGE_DOMAIN="registry1.dso.mil/" \
-		--set REGISTRY_IMAGE="ironbank/opensource/docker/registry-v2" \
-		--set REGISTRY_IMAGE_TAG="2.8.3"
-
 # INTERNAL: used to publish the init package
 publish-init-package:
 	$(ZARF_BIN) package publish build/zarf-init-$(ARCH)-$(CLI_VERSION).tar.zst oci://$(REPOSITORY_URL)
 	$(ZARF_BIN) package publish . oci://$(REPOSITORY_URL)
 
+# INTERNAL: used to build an iron bank version of the init package and output to a local directory for testing
+build-registry1-init-package:
+	@test -s $(ZARF_BIN) || $(MAKE) build-cli
+	ZARF_CONFIG=$(ZARF_CONFIG) $(ZARF_BIN) package create --output build --confirm .
+
+# INTERNAL: used to build a release version of the ib init package with a specific agent image
+publish-registry1-init-package:
+	@test -s $(ZARF_BIN) || $(MAKE) build-cli
+	ZARF_CONFIG=$(ZARF_CONFIG) $(ZARF_BIN) package create --output $(REPOSITORY_URL) --confirm .
+
 build-examples: ## Build all of the example packages
 	@test -s $(ZARF_BIN) || $(MAKE) build-cli
 

hack/zarf-config-registry1.toml

@@ -0,0 +1,26 @@
+[package.create]
+flavor = "registry1.alpha"
+architecture = "amd64"
+
+[package.create.set]
+# The image reference to use for the Zarf agent, defaults to a locally built image
+agent_image_domain = "registry1.dso.mil/"
+agent_image = "ironbank/opensource/defenseunicorns/zarf/zarf-agent"
+# renovate: datasource=docker depName=registry1.dso.mil/ironbank/opensource/defenseunicorns/zarf/zarf-agent
+agent_image_tag = "v0.32.6"
+
+# Tag for the zarf injector binary to use
+injector_version = "2023-08-02"
+injector_amd64_shasum = "91de0768855ee2606a4f85a92bb480ff3a14ca205fd8d05eb397c18e15aa0247"
+injector_arm64_shasum = "663df681deea957b0ec53538eab221691a83de8e95d86b8a29008af711934bee"
+
+# The image reference to use for the registry that Zarf deploys into the cluster
+registry_image_domain = ""
+registry_image = "library/registry"
+# change this to use registry1 image when the image is available there - need alpha image for IRSA s3 backend access
+# renovate: datasource=docker depName=docker.io/library/registry versioning=loose
+registry_image_tag = "3.0.0-alpha.1"
+
+# The image reference to use for the optional git-server Zarf deploys
+# renovate: datasource=docker depName=registry1.dso.mil/ironbank/opensource/go-gitea/gitea
+gitea_image = "registry1.dso.mil/ironbank/opensource/go-gitea/gitea:v1.21.5"

packages/zarf-registry/chart/templates/_helpers.tpl

@@ -23,6 +23,37 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- end -}}
 {{- end -}}
 
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "docker-registry.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "docker-registry.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "docker-registry.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "docker-registry.labels" -}}
+{{ include "docker-registry.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+helm.sh/chart: {{ include "docker-registry.chart" . }}
+{{- with .Values.customLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end -}}
+
 {{/*
 Merge all configmaps
 */}}
@@ -34,3 +65,14 @@ Merge all configmaps
 {{ .Values.caBundle | indent 6 }}
 {{- end }}
 {{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "docker-registry.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "docker-registry.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}

packages/zarf-registry/chart/templates/deployment.yaml

@@ -26,6 +26,7 @@ spec:
       annotations:
         checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
     spec:
+      serviceAccountName: {{ include "docker-registry.serviceAccountName" . }}
       {{- if .Values.imagePullSecrets }}
       imagePullSecrets:
 {{ toYaml .Values.imagePullSecrets | indent 8 }}
@@ -83,7 +84,11 @@ spec:
               subPath: ca-certificates.crt
               readOnly: true
 {{- end }}
+{{- if .Values.affinity.enabled }}
       affinity:
+{{- if .Values.affinity.custom }}
+{{ toYaml .Values.affinity.custom | indent 8 }}
+{{- else }}
 {{- if (eq "ReadWriteMany" .Values.persistence.accessMode) }}
         podAntiAffinity:
 {{- else }}
@@ -99,6 +104,12 @@ spec:
                       values:
                         - {{ template "docker-registry.name" . }}
                 topologyKey: kubernetes.io/hostname
+{{- end }}
+{{- end }}
+{{- if .Values.tolerations}}
+      tolerations:
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
       volumes:
         - name: config
           secret:

packages/zarf-registry/chart/templates/hpa.yaml

@@ -13,8 +13,13 @@ spec:
     apiVersion: apps/v1
     kind: Deployment
     name: {{ template "docker-registry.fullname" . }}
+{{- if .Values.autoscaling.mapReplicasToNodes }}
+  minReplicas: {{ len (lookup "v1" "Node" "" "") }}
+  maxReplicas: {{ add (len (lookup "v1" "Node" "" "")) 4 }}
+{{- else }}
   minReplicas: {{ .Values.autoscaling.minReplicas }}
   maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+{{- end }}
   metrics:
     - type: Resource
       resource:

packages/zarf-registry/chart/templates/serviceaccount.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  name: {{ template "docker-registry.serviceAccountName" . }}
+  labels:
+    {{- include "docker-registry.labels" . | nindent 4 }}
+{{- if .Values.serviceAccount.annotations }}
+  annotations:
+{{ toYaml .Values.serviceAccount.annotations | indent 4 }}
+{{- end }}
+{{- end -}}

packages/zarf-registry/chart/values.yaml

@@ -48,8 +48,15 @@ secrets:
 podDisruptionBudget:
   minAvailable: 1
 
+affinity:
+  enabled: true
+  custom: {}
+
+tolerations: []
+
 autoscaling:
   enabled: true
+  mapReplicasToNodes: false
   minReplicas: 1
   maxReplicas: 5
   targetCPUUtilizationPercentage: 80
@@ -75,3 +82,8 @@ extraEnvVars: []
 ## Additional ENV variables to set
 # - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
 #   value: "/var/lib/example"
+
+serviceAccount:
+  create: false
+  name: ""
+  annotations: {}

packages/zarf-registry/registry-values.yaml

@@ -34,14 +34,31 @@ fullnameOverride: "zarf-docker-registry"
 podLabels:
   zarf.dev/agent: "ignore"
 
+affinity:
+  enabled: ###ZARF_VAR_REGISTRY_AFFINITY_ENABLE###
+  custom:
+    ###ZARF_VAR_REGISTRY_AFFINITY_CUSTOM###
+
+tolerations:
+  ###ZARF_VAR_REGISTRY_TOLERATIONS###
+
 autoscaling:
   enabled: ###ZARF_VAR_REGISTRY_HPA_ENABLE###
+  mapReplicasToNodes: ###ZARF_VAR_REGISTRY_HPA_AUTO_SIZE###
   minReplicas: "###ZARF_VAR_REGISTRY_HPA_MIN###"
   maxReplicas: "###ZARF_VAR_REGISTRY_HPA_MAX###"
-  targetCPUUtilizationPercentage: 80
+  targetCPUUtilizationPercentage: ###ZARF_VAR_REGISTRY_HPA_TARGET_CPU###
 
 caBundle: |
   ###ZARF_VAR_REGISTRY_CA_BUNDLE###
 
 extraEnvVars:
   ###ZARF_VAR_REGISTRY_EXTRA_ENVS###
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: ###ZARF_VAR_REGISTRY_CREATE_SERVICE_ACCOUNT###
+  # The name of the service account to use. If name not set and create is true, a name is generated using fullname template
+  name: "###ZARF_VAR_REGISTRY_SERVICE_ACCOUNT_NAME###"
+  annotations:
+    ###ZARF_VAR_REGISTRY_SERVICE_ACCOUNT_ANNOTATIONS###

packages/zarf-registry/zarf.yaml

@@ -58,6 +58,40 @@ variables:
     default: ""
     autoIndent: true
 
+  - name: REGISTRY_CREATE_SERVICE_ACCOUNT
+    description: Toggle the creation of a new service account for the registry
+    default: "false"
+
+  - name: REGISTRY_SERVICE_ACCOUNT_NAME
+    description: The name of the service account to use. If not set and create is true, a name is generated using fullname template
+    default: ""
+
+  - name: REGISTRY_SERVICE_ACCOUNT_ANNOTATIONS
+    description: Map of annotations to add to the created service account
+    default: ""
+
+  - name: REGISTRY_AFFINITY_ENABLE
+    description: Enable pod affinity for the registry
+    default: "true"
+
+  - name: REGISTRY_AFFINITY_CUSTOM
+    description: Custom pod affinity yaml block for the registry
+    default: ""
+    autoIndent: true
+
+  - name: REGISTRY_TOLERATIONS
+    description: Custom tolerations array for the registry
+    default: ""
+    autoIndent: true
+
+  - name: REGISTRY_HPA_AUTO_SIZE
+    description: Enable to set min and max replicas based on amount of nodes
+    default: "false"
+
+  - name: REGISTRY_HPA_TARGET_CPU
+    description: The target CPU utilization percentage for the registry
+    default: "80"
+
 constants:
   - name: REGISTRY_IMAGE
     value: "###ZARF_PKG_TMPL_REGISTRY_IMAGE###"