twuni / docker-registry.helm

Helm chart for a Docker registry. Successor to stable/docker-registry chart.
Apache License 2.0

Feature Request Make /auth a volume #50

Closed cawoodm closed 2 weeks ago

cawoodm commented 2 years ago

At the moment we have to generate a fixed user and copy the htpasswd string into the values.yml. This means, once the registry is running, we have to shut it down and re-install it to add new users.

It would be far nicer just to map the /auth out as a volume so we can edit users on the fly.

That way, changes to htpasswd (i.e. new users) on the host are immediately visible to the registry.

I have provided a configuration for the current chart as a workaround:

extraVolumeMounts:
  - mountPath: /auth
    name: auth

extraVolumes:
  - name: auth
    hostPath:
      # Put your htpasswd file in here:
      path: /etc/secrets/registry/

extraEnvVars:
  - name: REGISTRY_AUTH
    value: "htpasswd"
  - name: REGISTRY_AUTH_HTPASSWD_REALM
    value: "Registry Realm"
  - name: REGISTRY_AUTH_HTPASSWD_PATH
    value: "/auth/htpasswd"

Also a question: I assumed my registry container runs as root (K3S runs as root by default) but it was unable to see /etc/secrets/registry/ which has root read. Only when I moved htpasswd to /tmp with o+r (everybody can read) did it work. Does the registry run with reduced privileges?

Which user is the registry running as??

cawoodm commented 2 years ago

So it seems the registry is running as dracula which is weird. I discovered this by shelling into the pod and creating a new file in /auth. The file owner (on the host) was dracula????

rjhenry commented 2 years ago

At a hunch, your host has a user (dracula) with UID 1000, which is what the registry uses as far as I can tell.

jthurner commented 2 years ago

So it seems the registry is running as dracula which is weird.

If you did not change the defaults, the container runs with UID 1000. You can configure securityContext as needed or set securityContext.enabled to false if you want to run as root.

johanneskastl commented 2 years ago

I used an existing secret, created outside of the helm chart, that contains the htpasswd things:

apiVersion: v1
kind: Secret
metadata:
  name: htpasswd-docker-registry
  namespace: docker-registry
type: Opaque
stringData:
  htpasswd: |
    username:funnystringfromhtpasswdhere

Then use it like this:

extraVolumeMounts:
  - name: htpasswd-docker-registry
    mountPath: /auth

extraVolumes:
  - name: htpasswd-docker-registry
    secret:
      secretName: htpasswd-docker-registry

extraEnvVars:
  - name: REGISTRY_AUTH
    value: "htpasswd"
  - name: REGISTRY_AUTH_HTPASSWD_REALM
    value: "Registry Realm"
  - name: REGISTRY_AUTH_HTPASSWD_PATH
    value: "/auth/htpasswd"
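A pre-flight check for the Secret approach above, added here as an example that is not from the chart or from any commenter: it parses an htpasswd file and flags entries that are not bcrypt (the only hash format the registry's htpasswd backend verifies; others are ignored), applies the POSIX read check to cawoodm's root-owned hostPath case under the chart's default UID 1000, and renders the Secret in the shape johanneskastl posted. The sample file is constructed and its bcrypt digest is made up.

```python
import re
import stat

REGISTRY_UID = 1000  # chart's default securityContext UID, as stated in the thread
# bcrypt as written by `htpasswd -B`: $2y$<cost>$ followed by 53 salt+digest chars
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")

# Constructed sample (not a real credential): one bcrypt entry, one Apache MD5 entry
# that the registry's htpasswd backend never verifies, and a comment line.
SAMPLE = """# CI pusher
ci:$2y$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
legacy:$apr1$saltsalt$0123456789abcdefghijklm
"""

def parse_htpasswd(text: str) -> dict:
    """Return {"users": {name: bcrypt_hash}, "ignored": [names with other hash types]}."""
    users, ignored = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and '#' comments are skipped, as the registry does
        if ":" not in line:
            raise ValueError(f"line {lineno}: missing ':' between user and hash")
        user, hashed = line.split(":", 1)
        if BCRYPT_RE.match(hashed):
            users[user] = hashed
        else:
            ignored.append(user)  # present in the file, but can never authenticate
    return {"users": users, "ignored": ignored}

def readable_by(mode: int, owner_uid: int, owner_gid: int, uid: int, gid: int) -> bool:
    """POSIX read check the kernel applies when the container opens the hostPath file."""
    if uid == 0:
        return True
    if uid == owner_uid:  # owner bits decide, even if group/other bits are set
        return bool(mode & stat.S_IRUSR)
    if gid == owner_gid:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def secret_manifest(name: str, namespace: str, htpasswd_text: str) -> str:
    """Render the Secret shown above so the hashes live outside values.yaml."""
    body = "".join(f"    {ln}\n" for ln in htpasswd_text.strip().splitlines())
    return ("apiVersion: v1\nkind: Secret\n"
            f"metadata:\n  name: {name}\n  namespace: {namespace}\n"
            "type: Opaque\nstringData:\n  htpasswd: |\n" + body)

if __name__ == "__main__":  # cawoodm's case: root-owned 0640 hostPath file, container UID 1000
    print(parse_htpasswd(SAMPLE), readable_by(0o640, 0, 0, REGISTRY_UID, REGISTRY_UID))
    print(secret_manifest("htpasswd-docker-registry", "docker-registry", SAMPLE))
```

Switching the mode to 0644 (or chowning the file to UID 1000) makes `readable_by` return True, which matches the o+r fix reported above.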

joshsizer commented 2 weeks ago

Closing this issue as you can use extraVolumes, extraVolumeMounts, and extraEnvVars to accomplish this. However, if this is still a sought-after feature, please ask to reopen this issue or create a new one!