From a65e5d6d6b7319a430e6d875aca1859017630a66 Mon Sep 17 00:00:00 2001 From: Eric B Date: Sat, 9 Nov 2024 23:16:48 -0500 Subject: [PATCH] feat(buildkitd): specify per-registry configuration e.g. caCert, insecure, mirrors --- charts/buildkitd/Chart.yaml | 2 +- charts/buildkitd/templates/configmap.yaml | 35 +++++++++++++++++++++ charts/buildkitd/templates/statefulset.yaml | 10 ++++++ charts/buildkitd/values.yaml | 9 ++++++ 4 files changed, 55 insertions(+), 1 deletion(-) diff --git a/charts/buildkitd/Chart.yaml b/charts/buildkitd/Chart.yaml index 24415fc5..72096d56 100644 --- a/charts/buildkitd/Chart.yaml +++ b/charts/buildkitd/Chart.yaml @@ -4,7 +4,7 @@ description: A Helm chart for https://github.com/moby/buildkit (rootless) type: application appVersion: 0.17.0 kubeVersion: ">=1.19.0-0" -version: 0.18.0 +version: 0.18.1 maintainers: - name: Wiremind url: https://github.com/wiremind/wiremind-helm-charts diff --git a/charts/buildkitd/templates/configmap.yaml b/charts/buildkitd/templates/configmap.yaml index cf60a8c7..e69f42c7 100644 --- a/charts/buildkitd/templates/configmap.yaml +++ b/charts/buildkitd/templates/configmap.yaml @@ -81,6 +81,24 @@ data: # maxEntries is the maximum number of history entries to keep. maxEntries = {{ .Values.config.history.maxEntries }} + {{- if eq "slice" (kindOf .Values.config.registries) }} + {{- range .Values.config.registries }} + [registry."{{ .host }}"] + {{- if eq "bool" (kindOf .http) }} + http = {{ .http }} + {{- end }} + {{- if eq "bool" (kindOf .insecure) }} + insecure = {{ .insecure }} + {{- end }} + {{- if eq "slice" (kindOf .mirrors) }} + mirrors = {{ toJson .mirrors }} + {{- end }} + ca = ["/etc/ssl/private/{{ replace ":" "-" .host }}.crt"] + + {{- end }} + {{- end }} + + --- # See https://github.com/moby/buildkit/blob/master/Dockerfile 
@@ -119,3 +137,20 @@ data: OTEL_EXPORTER_OTLP_INSECURE: {{ .Values.config.otel.common.insecure | quote }} OTEL_EXPORTER_OTLP_TRACES_INSECURE: {{ .Values.config.otel.traces.insecure | quote }} OTEL_EXPORTER_OTLP_METRICS_INSECURE: {{ .Values.config.otel.metrics.insecure | quote }} +{{- if eq "slice" (kindOf .Values.config.registries) }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "buildkitd.fullname" . }}-registry-ca-certs + labels: + app: {{ template "buildkitd.fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +data: + {{- range .Values.config.registries }} + "{{ replace ":" "-" .host }}.crt": + {{ toYaml .caCert | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/buildkitd/templates/statefulset.yaml b/charts/buildkitd/templates/statefulset.yaml index b201a642..4312326f 100644 --- a/charts/buildkitd/templates/statefulset.yaml +++ b/charts/buildkitd/templates/statefulset.yaml @@ -34,6 +34,12 @@ spec: emptyDir: medium: Memory sizeLimit: 1Gi + {{- if eq "slice" (kindOf .Values.config.registries) }} + - name: registry-certs + configMap: + defaultMode: 420 + name: {{ include "buildkitd.fullname" . }}-registry-ca-certs + {{- end }} containers: - name: buildkitd image: {{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s-rootless" .Chart.AppVersion) }} @@ -53,6 +59,10 @@ spec: mountPath: /home/{{ .Values.user.name }}/.config/buildkit - name: runtime-dir mountPath: /run/{{ .Values.user.name }}/{{ .Values.user.uid }} + {{- if eq "slice" (kindOf .Values.config.registries) }} + - name: registry-certs + mountPath: /etc/ssl/private + {{- end }} args: {{- with .Values.extraArgs }} {{- toYaml . | nindent 12 }} diff --git a/charts/buildkitd/values.yaml b/charts/buildkitd/values.yaml index 3be46e04..5d10d969 100644 --- a/charts/buildkitd/values.yaml +++ b/charts/buildkitd/values.yaml 
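Review bot: `.caCert` is read unconditionally inside the `range` over `.Values.config.registries`, so an entry that only sets `insecure`, `http` or `mirrors` (each optional in the values example) still renders a `"<host>.crt"` data key whose value is `toYaml` of a missing field, i.e. `null`, while the `ca = [...]` line in the earlier configmap.yaml hunk points buildkitd at that same file regardless of whether a certificate was supplied. Wrap both the data entry here and that `ca =` line in `{{- if .caCert }} … {{- end }}` so a registry without a CA produces neither a cert file nor a `ca` reference. The key is derived from `.host` with only `:` mapped to `-`; ConfigMap data keys are restricted to alphanumerics, `-`, `_` and `.`, so a host containing other characters would be rejected by the API server — worth a comment next to the `registries` example in values.yaml, or a `fail` guard in the template. On the value line, `{{- toYaml .caCert | nindent 4 }}` (with the left trim) avoids emitting a whitespace-only line between the key and the block scalar, which is the usual `nindent` idiom.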
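Review bot: `defaultMode: 420` is the decimal form of `0644`; since Kubernetes does not accept an octal literal here, a trailing comment `defaultMode: 420  # 0644` saves readers the conversion. The volume is mounted over `/etc/ssl/private` in the following hunk, and a ConfigMap mount replaces whatever the image has at that directory, so anything shipped there by the buildkit image would become invisible — a chart-specific directory (kept in sync with the `ca = [...]` path in configmap.yaml) avoids that and also stops implying that the files are private keys, which CA certificates are not. The enclosing `volumes:` list starts outside the hunk.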
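Review bot: The new `registry-certs` mount does not state `readOnly: true`; the CA bundle only needs to be read by buildkitd, and declaring it read-only records that intent in the manifest. The kubelet already mounts ConfigMap-backed volumes read-only on current Kubernetes versions, so this is a declarative change rather than a behavioral one, but it keeps the trust material that registry TLS is validated against visibly immutable from the container's side. Add `readOnly: true` beneath `mountPath: /etc/ssl/private`. The enclosing container spec and its `volumeMounts:` list start outside the hunk.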
@@ -89,6 +89,15 @@ config: history: maxAge: 172800 maxEntries: 50 + registries: + # - host: my-registry.com:5000 + # insecure: false + # http: false # use https only + # mirrors: + # - mirror1.com + # - mirror2.net + # caCert: |- + # ...CA cert goes here... livenessProbe: initialDelaySeconds: 5