From e35a87e3eb903027cae0fcc8f007926a772ae4c8 Mon Sep 17 00:00:00 2001
From: zhengtianbao <china.zhengtianbao@gmail.com>
Date: Mon, 22 Nov 2021 04:45:09 -0600
Subject: [PATCH] Update registry template (#8198)

* Add registry replica setting

* Add registry liveness and readiness probe

* Set the security context for registry

* Add registry pvc access mode option

* registry add replica requirement check

* docs: add registry replicas setting note

* Update docs/kubernetes-apps/registry.md

Co-authored-by: Cristian Calin <6627509+cristicalin@users.noreply.github.com>

Co-authored-by: Cristian Calin <6627509+cristicalin@users.noreply.github.com>
---
 docs/kubernetes-apps/registry.md                  |  2 ++
 roles/kubernetes-apps/registry/defaults/main.yml  |  2 ++
 .../registry/templates/registry-pvc.yml.j2        |  2 +-
 .../registry/templates/registry-rs.yml.j2         | 15 +++++++++++++++
 4 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/docs/kubernetes-apps/registry.md b/docs/kubernetes-apps/registry.md
index 77ff08caf..6ca814013 100644
--- a/docs/kubernetes-apps/registry.md
+++ b/docs/kubernetes-apps/registry.md
@@ -140,6 +140,8 @@ spec:
 ```
 <!-- END MUNGE: EXAMPLE registry-rc.yaml -->
 
+*Note:* that if you have set multiple replicas, make sure your CSI driver has support for the `ReadWriteMany` accessMode.
+
 ## Expose the registry in the cluster
 
 Now that we have a registry `Pod` running, we can expose it as a Service:
diff --git a/roles/kubernetes-apps/registry/defaults/main.yml b/roles/kubernetes-apps/registry/defaults/main.yml
index 6c7900d52..f3f55e2d7 100644
--- a/roles/kubernetes-apps/registry/defaults/main.yml
+++ b/roles/kubernetes-apps/registry/defaults/main.yml
@@ -1,5 +1,7 @@
 ---
 registry_namespace: "kube-system"
 registry_storage_class: ""
+registry_storage_access_mode: "ReadWriteOnce"
 registry_disk_size: "10Gi"
 registry_port: 5000
+registry_replica_count: 1
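Review bot: The two new defaults are coupled to a condition in `registry-rs.yml.j2` that nothing here documents: `registry_replica_count` is only honored when `registry_storage_class` is non-empty and `registry_storage_access_mode` is exactly `ReadWriteMany`, otherwise the ReplicaSet is rendered with one replica. An operator reading this file alone will set `registry_replica_count: 3` and get a single pod with no indication why. I would add a comment above the two keys, e.g. `# Replicas above 1 are only applied when registry_storage_class is set and registry_storage_access_mode is "ReadWriteMany" (the registry pods share one PVC); otherwise the ReplicaSet falls back to 1.` and `# Must be one of ReadWriteOnce, ReadOnlyMany, ReadWriteMany.` on the access-mode key.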
diff --git a/roles/kubernetes-apps/registry/templates/registry-pvc.yml.j2 b/roles/kubernetes-apps/registry/templates/registry-pvc.yml.j2
index 30b707460..dc3fa5a8c 100644
--- a/roles/kubernetes-apps/registry/templates/registry-pvc.yml.j2
+++ b/roles/kubernetes-apps/registry/templates/registry-pvc.yml.j2
@@ -8,7 +8,7 @@ metadata:
     addonmanager.kubernetes.io/mode: Reconcile
 spec:
   accessModes:
-    - ReadWriteOnce
+    - {{ registry_storage_access_mode }}
   storageClassName: {{ registry_storage_class }}
   resources:
     requests:
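Review bot: The access mode is rendered as a bare templated list item, so nothing constrains `registry_storage_access_mode` to the values the PersistentVolumeClaim API accepts; a typo or an empty string (which renders as `- ` and parses as a null entry) is only caught when the API server rejects the claim. Since the role already appears to gate replicas on this value (per the ReplicaSet template in this same patch), a validation step in the role's tasks would give a clearer failure, e.g. `assert: that: registry_storage_access_mode in ['ReadWriteOnce', 'ReadOnlyMany', 'ReadWriteMany']` — the tasks file is not in this diff, so I cannot confirm whether such a check already exists. Note also that `ReadOnlyMany` would pass validation but leaves the registry unable to write pushed layers.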
diff --git a/roles/kubernetes-apps/registry/templates/registry-rs.yml.j2 b/roles/kubernetes-apps/registry/templates/registry-rs.yml.j2
index b3e46ff0e..9470db46d 100644
--- a/roles/kubernetes-apps/registry/templates/registry-rs.yml.j2
+++ b/roles/kubernetes-apps/registry/templates/registry-rs.yml.j2
@@ -9,7 +9,11 @@ metadata:
     version: v{{ registry_image_tag }}
     addonmanager.kubernetes.io/mode: Reconcile
 spec:
+{% if registry_storage_class != "" and registry_storage_access_mode == "ReadWriteMany" %}
+  replicas: {{ registry_replica_count }}
+{% else %}
   replicas: 1
+{% endif %}
   selector:
     matchLabels:
       k8s-app: registry
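Review bot: The `{% else %}` branch silently discards `registry_replica_count` when the storage class is empty or the access mode is not `ReadWriteMany`, so a misconfigured deployment degrades to one replica without any signal to the operator. A loud failure is preferable to a silent downgrade: keep the template branch, but add an `assert` in the role's tasks that fails when `registry_replica_count > 1` and the ReadWriteMany/storage-class condition is not met, with `fail_msg` pointing at the two variables. I cannot see the tasks file in this diff, so if the "replica requirement check" from the commit message already lives there this is covered; if the check is only this Jinja condition, it is not a check but a fallback. A Jinja comment on the `{% if %}` line stating that the second condition is required because all replicas mount the same PVC would also help the next reader.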
@@ -22,6 +26,9 @@ spec:
     spec:
       priorityClassName: {% if registry_namespace == 'kube-system' %}system-cluster-critical{% else %}k8s-cluster-critical{% endif %}{{''}}
       serviceAccountName: registry
+      securityContext:
+        fsGroup: 1000
+        runAsUser: 1000
       containers:
         - name: registry
           image: {{ registry_image_repo }}:{{ registry_image_tag }}
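Review bot: Running the registry as UID 1000 is a good step, but the pod-level `securityContext` stops short of the usual hardening set: there is no `runAsNonRoot: true` (which makes the kubelet refuse an image whose entrypoint would still run as root), no `runAsGroup`, and no container-level `allowPrivilegeEscalation: false` or `capabilities: drop: [ALL]`. Two caveats follow directly from the visible lines: `registry_port` is operator-configurable, and with `runAsUser: 1000` and no `NET_BIND_SERVICE` capability a value below 1024 will fail to bind, so that constraint should be documented next to the variable; and `fsGroup` is only applied by volume plugins that support ownership management, which many `ReadWriteMany` backends (NFS-style) do not, so the multi-replica path introduced in this patch may still hit permission errors on the PVC — worth a comment such as `# fsGroup is not honored by all RWX volume plugins; pre-create the volume with UID/GID 1000 if layers cannot be written`. The container `spec` continues beyond this hunk, so I cannot confirm no container-level context is set further down.

```yaml
      securityContext:
        fsGroup: 1000
        runAsUser: 1000
        runAsGroup: 1000
        runAsNonRoot: true
      containers:
        - name: registry
          image: {{ registry_image_repo }}:{{ registry_image_tag }}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          # … unchanged: command/args, ports, probes, volumeMounts …
```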
@@ -38,6 +45,14 @@ spec:
             - containerPort: {{ registry_port }}
               name: registry
               protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: {{ registry_port }}
+          readinessProbe:
+            httpGet:
+              path: /
+              port: {{ registry_port }}
       volumes:
         - name: registry-pvc
 {% if registry_storage_class != "" %}
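Review bot: The liveness and readiness probes are identical (`GET /` on `registry_port`, all timing left at defaults), so any transient condition that makes the registry unready — a slow or briefly unavailable backing volume — also counts toward a liveness failure and restarts the pod, which is the opposite of what you want while storage recovers. Give the liveness probe more headroom than the readiness probe, e.g. `initialDelaySeconds: 10`, `failureThreshold: 6`, `periodSeconds: 10` on `livenessProbe` and keep readiness tighter. The probe scheme defaults to HTTP; if this role can enable TLS on the registry (not visible in this diff), the probes need `scheme: HTTPS` or they will fail against a TLS listener. The `{% if registry_storage_class != "" %}` block under `volumes` is opened here and closed outside the hunk.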
-- 
GitLab