update chart

backend/controller/artefacts/oci_registry.go

@@ -28,16 +28,17 @@ import (
 var _ Service = &OCIArtifactService{}
 
 type RegistryConfig struct {
-	Registry      string `help:"OCI container registry, in the form host[:port]/repository" env:"FTL_ARTEFACTS_REGISTRY"`
-	Username      string `help:"OCI container registry username" env:"FTL_ARTEFACTS_USER"`
-	Password      string `help:"OCI container registry password" env:"FTL_ARTEFACTS_PWD"`
-	AllowInsecure bool   `help:"Allows the use of insecure HTTP based registries." env:"FTL_ARTEFACTS_ALLOW_INSECURE"`
+	Registry      string `help:"OCI container registry, in the form host[:port]/repository" env:"FTL_ARTEFACT_REGISTRY"`
+	Username      string `help:"OCI container registry username" env:"FTL_ARTEFACT_REGISTRY_USERNAME"`
+	Password      string `help:"OCI container registry password" env:"FTL_ARTEFACT_REGISTRY_PASSWORD"`
+	AllowInsecure bool   `help:"Allows the use of insecure HTTP based registries." env:"FTL_ARTEFACT_REGISTRY_ALLOW_INSECURE"`
 }
 
 type OCIArtifactService struct {
-	repository  string
-	repoFactory func() (*remote.Repository, error)
-	auth        authn.AuthConfig
+	repository    string
+	repoFactory   func() (*remote.Repository, error)
+	auth          authn.AuthConfig
+	allowInsecure bool
 }
 
 type ArtefactRepository struct {
@@ -80,9 +81,10 @@ func NewOCIRegistryStorage(c RegistryConfig) *OCIArtifactService {
 	}
 
 	return &OCIArtifactService{
-		repository:  c.Registry,
-		repoFactory: repoFactory,
-		auth:        authn.AuthConfig{Username: c.Username, Password: c.Password},
+		repository:    c.Registry,
+		repoFactory:   repoFactory,
+		auth:          authn.AuthConfig{Username: c.Username, Password: c.Password},
+		allowInsecure: c.AllowInsecure,
 	}
 }
 
@@ -170,7 +172,11 @@ func (s *OCIArtifactService) Download(ctx context.Context, dg sha256.SHA256) (io
 	// ORAS is really annoying, and needs you to know the size of the blob you're downloading
 	// So we are using google's go-containerregistry to do the actual download
 	// This is not great, we should remove oras at some point
-	newDigest, err := name.NewDigest(fmt.Sprintf("%s@sha256:%s", s.repository, dg.String()))
+	opts := []name.Option{}
+	if s.allowInsecure {
+		opts = append(opts, name.Insecure)
+	}
+	newDigest, err := name.NewDigest(fmt.Sprintf("%s@sha256:%s", s.repository, dg.String()), opts...)
 	if err != nil {
 		return nil, fmt.Errorf("unable to create digest '%s': %w", dg, err)
 	}

charts/ftl/Chart.lock

@@ -2,8 +2,5 @@ dependencies:
 - name: postgresql
   repository: oci://registry-1.docker.io/bitnamicharts
   version: 15.5.38
-- name: harbor
-  repository: https://helm.goharbor.io
-  version: 1.15.1
-digest: sha256:5a14d0cc902b2697bdf1f726abbe44a58c75a9d54b4c5f8780d44136003153a5
-generated: "2024-10-14T00:01:15.60650687Z"
+digest: sha256:67269c8ba9048da425bdc3e6f8e28bff54bdb98e1c53a8dc0feb0b77363b48a9
+generated: "2024-11-06T10:54:22.116589+11:00"

charts/ftl/Chart.yaml

@@ -9,8 +9,4 @@ dependencies:
   - name: postgresql
     version: 15.5.38
     repository: oci://registry-1.docker.io/bitnamicharts
-    condition: postgresql.enabled
-  - name: harbor
-    version: v1.15.1
-    repository: https://helm.goharbor.io
-    condition: harbor.enabled
+    condition: postgresql.enabled

charts/ftl/templates/controller.yaml

@@ -57,6 +57,22 @@ spec:
             - name: FTL_KMS_URI
               value: "{{ .Values.controller.kmsUri }}"
             {{- end }}
+            - name: FTL_ARTEFACT_REGISTRY
+              value: "{{ .Values.registry.repository }}"
+            - name: FTL_ARTEFACT_REGISTRY_ALLOW_INSECURE
+              value: "{{ .Values.registry.allowInsecure }}"
+            - name: FTL_ARTEFACT_REGISTRY_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "ftl.fullname" . }}-secrets
+                  key: FTL_CONTROLLER_REGISTRY_USERNAME
+                  optional: true
+            - name: FTL_ARTEFACT_REGISTRY_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "ftl.fullname" . }}-secrets
+                  key: FTL_CONTROLLER_REGISTRY_PASSWORD
+                  optional: true
           ports:
             {{- range .Values.controller.ports }}
             - name: {{ .name }}

charts/ftl/templates/registry.yaml

@@ -0,0 +1,37 @@
+{{- if .Values.registry.create }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: registry
+  name: registry
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: registry
+  template:
+    metadata:
+      labels:
+        app: registry
+    spec:
+      containers:
+        - name: registry
+          image: registry:2
+          ports:
+            - containerPort: 5000
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "ftl.fullname" . }}-registry
+spec:
+  ports:
+    - name: http
+      port: 5000
+      protocol: TCP
+      targetPort: 5000
+  selector:
+    app: registry
+  type:  "ClusterIP"
+{{- end }}

charts/ftl/templates/runner.yaml

@@ -59,6 +59,22 @@ data:
                 {{- if .Values.runner.env }}
                 {{- toYaml .Values.runner.env | nindent 16 }}
                 {{- end }}
+                - name: FTL_ARTEFACT_REGISTRY
+                  value: "{{ .Values.registry.repository }}"
+                - name: FTL_ARTEFACT_REGISTRY_ALLOW_INSECURE
+                  value: "{{ .Values.registry.allowInsecure }}"
+                - name: FTL_ARTEFACT_REGISTRY_USERNAME
+                  valueFrom:
+                    secretKeyRef:
+                      name: {{ include "ftl.fullname" . }}-secrets
+                      key: FTL_RUNNER_REGISTRY_USERNAME
+                      optional: true
+                - name: FTL_ARTEFACT_REGISTRY_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: {{ include "ftl.fullname" . }}-secrets
+                      key: FTL_RUNNER_REGISTRY_PASSWORD
+                      optional: true
               ports:
                 {{- range .Values.runner.ports }}
                 - name: {{ .name }}

charts/ftl/templates/secrets.yaml

@@ -8,3 +8,7 @@ type: Opaque
 stringData:
   FTL_LOG_ENCRYPTION_KEY: {{ .Values.secrets.logEncryptionKey }}
   FTL_ASYNC_ENCRYPTION_KEY: {{ .Values.secrets.asyncEncryptionKey }}
+  FTL_CONTROLLER_REGISTRY_USERNAME: {{ .Values.secrets.controllerRegistryUsername }}
+  FTL_CONTROLLER_REGISTRY_PASSWORD: {{ .Values.secrets.controllerRegistryPassword }}
+  FTL_RUNNER_REGISTRY_USERNAME: {{ .Values.secrets.runnerRegistryUsername }}
+  FTL_RUNNER_REGISTRY_PASSWORD: {{ .Values.secrets.runnerRegistryPassword }}

charts/ftl/values.yaml

@@ -9,6 +9,10 @@ ingress:
 secrets:
   logEncryptionKey: null
   asyncEncryptionKey: null
+  controllerRegistryUsername: null
+  controllerRegistryPassword: null
+  runnerRegistryUsername: null
+  runnerRegistryPassword: null
 
 dbMigration:
   enabled: true
@@ -211,16 +215,6 @@ runner:
   topologySpreadConstraints: null
   tolerations: null
 
-harbor:
-  enabled: false
-  expose:
-    tls:
-      enabled: false
-    type: nodePort
-  persistence:
-    enabled: true
-    resourcePolicy: ""
-
 postgresql:
   enabled: true
   architecture: standalone
@@ -238,4 +232,9 @@ postgresql:
         database: ftl
 
 istio:
-  enabled: false # set to true to have this chart install the grpc config to enable trailers
+  enabled: false # set to true to have this chart install the grpc config to enable trailers
+
+registry:
+  repository: ""
+  allowInsecure: false
+  create: false

deployment/values.yaml

@@ -32,3 +32,7 @@ provisioner:
 istio:
   enabled: true
 
+registry:
+    repository: "ftl-registry:5000/ftl-artefacts"
+    allowInsecure: "true"
+    create: true