feat(helm): add password protection to internal Docker registry

Fixes MODELIX-1058

helm/modelix/templates/common/docker-registry-deployment.yaml

@@ -29,12 +29,30 @@ spec:
           name: docker-registry
           ports:
             - containerPort: 5000
+          env:
+            - name: REGISTRY_AUTH
+              value: "htpasswd"
+            - name: REGISTRY_AUTH_HTPASSWD_REALM
+              value: "Registry Realm"
+            - name: REGISTRY_AUTH_HTPASSWD_PATH
+              value: "/auth/htpasswd"
           resources:
             requests:
               memory: "800Mi"
               cpu: "0.1"
             limits:
               memory: "800Mi"
               cpu: "1.0"
+          volumeMounts:
+            - name: "docker-registry-secret"
+              mountPath: "/auth"
+              readOnly: true
+      volumes:
+        - name: "docker-registry-secret"
+          secret:
+            secretName: "{{ include "modelix.fullname" . }}-docker-registry-secret"
+            items:
+              - key: htpasswd
+                path: htpasswd
       restartPolicy: Always
       {{- include "modelix.pullSecret" . | nindent 6 }}

helm/modelix/templates/common/docker-registry-secret.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ include "modelix.fullname" . }}-docker-registry-secret"
+  labels:
+    component: docker-registry
+    {{- include "modelix.labels" . | nindent 4 }}
+type: kubernetes.io/dockerconfigjson
+data:
+  {{- $username := "docker-registry-user" }}
+  # retrieve the secret data using lookup function and when not exists, return an empty dictionary / map as result
+  {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace (printf "%s%s" ( include "modelix.fullname" . ) "-docker-registry-secret")) | default dict }}
+  {{- $secretData := (get $secretObj "data") | default dict }}
+  {{- $password := (get $secretData "password" | b64dec ) | default (randAlphaNum 64) }}
+  username: {{ $username | b64enc | quote }}
+  password: {{ $password  | b64enc | quote }}
+  htpasswd: {{ (htpasswd $username $password) | b64enc | quote }}
+  {{- $authValue := printf "%s:%s" $username $password | b64enc }}
+  # Kubernetes accesses the internal registry through the static node port exposed at localhost.
+  # The secrete used in `imagePullSecretes` needs to use this local address.
+  {{- $registryLocal := printf "%s:%.0f" "localhost" .Values.internalDockerRegistry.nodePort }}
+  .dockerconfigjson: {{ (printf "%s%s%s%s%s" "{ \"auths\": { \"" $registryLocal "\": {\"auth\": \"" $authValue "\"}}}") | b64enc | quote }}
+  # Pods access a the registry by its service name.
+  # They need an auth the uses the service name.
+  {{- $registryServiceName := printf "%s%s" ( include "modelix.fullname" . ) "-docker-registry"}}
+  .dockerconfigjsonUsingServiceName: {{ (printf "%s%s%s%s%s" "{ \"auths\": { \"" $registryServiceName ":5000\": {\"auth\": \"" $authValue "\"}}}") | b64enc | quote }}

helm/modelix/templates/common/docker-registry-service.yaml

@@ -11,6 +11,7 @@ spec:
   - name: "5000"
     port: 5000
     targetPort: 5000
+    nodePort: {{ .Values.internalDockerRegistry.nodePort }}
   selector:
     component: docker-registry
     {{- include "modelix.selectorLabels" . | nindent 4 }}

helm/modelix/templates/common/instances-manager-deployment.yaml

@@ -46,8 +46,8 @@ spec:
             value: http://{{ include "modelix.fullname" . }}-workspace-manager:28104/
           - name: WORKSPACE_DOCKER_REGISTRY
             value: localhost:5000
-          - name: DOCKER_REGISTRY_SERVICE_NAME
-            value: "{{ include "modelix.fullname" . }}-docker-registry"
+          - name: INTERNAL_DOCKER_REGISTRY_AUTHORITY
+            value: "localhost:{{ .Values.internalDockerRegistry.nodePort }}"
           {{- include "modelix.authorizationConfig" . | nindent 10 }}
         ports:
         - containerPort: 33332

helm/modelix/templates/common/workspace-client-deployment.yaml

@@ -74,5 +74,6 @@ spec:
           periodSeconds: 20
           timeoutSeconds: 10
       restartPolicy: Always
-      {{- include "modelix.pullSecret" . | nindent 6 }}
+      imagePullSecrets:
+        - name: "{{ include "modelix.fullname" . }}-docker-registry-secret"
 {{- end -}}

helm/modelix/templates/common/workspace-manager-deployment.yaml

@@ -51,6 +51,8 @@ spec:
           - name: DOCKER_CONFIG_SECRET_NAME
             value: "{{ include "modelix.fullname" . }}-docker-secret"
           {{- end }}
+          - name: DOCKER_CONFIG_INTERN_REGISTRY_SECRET_NAME
+            value: "{{ include "modelix.fullname" . }}-docker-registry-secret"
           {{- include "modelix.authorizationConfig" . | nindent 10 }}
         image: "{{ .Values.dockerProxy.prefix }}modelix/modelix-workspace-manager:{{ .Values.imageTags.wsManager | default .Values.versions.modelix.workspaces }}"
         imagePullPolicy: IfNotPresent

helm/modelix/values.yaml

@@ -76,6 +76,16 @@ dockerProxy:
   secret64: ""
   caCertificate: ""
 
+internalDockerRegistry:
+  # The internal docker registry does not use HTTPS.
+  # Kubernetes only allows pulling images from such insecure repositories when they run on localhost.
+  # Therefore, the internal docker registry is exposed through NodePort on each cluster node.
+  # The node port on which it is exposed needs
+  # to be known in advance because we need to specify the address for authentication.
+  # The node port is configurable to allow
+  # changing it in deployments where it conflicts with other statically assigned node ports.
+  nodePort: 30033
+
 serviceAccount: ""
 
 authorization:

versions.properties

@@ -1,5 +1,5 @@
 # Modelix core version.
 modelixCoreVersion=10.1.0-pr1190-817f4549
 # Modelix Workspaces versions
-modelixWorkspacesVersion=0.5.0
+modelixWorkspacesVersion=0.8.0
 vncBaseImageVersion=0.8.3