Configuring Registry
Drycc Workflow ships with a registry component by default, which provides an in-cluster container registry backed by the platform-configured object storage. Operators might want to use an off-cluster registry for performance or security reasons.
Configuring Off-Cluster Private Registry
Every component that relies on a registry uses two inputs for configuration:
- Registry Location environment variable named DRYCC_REGISTRY_LOCATION
- Access credentials stored as a Kubernetes secret named registry-secret
The Helm chart for Drycc Workflow can be easily configured to connect Workflow components to an off-cluster registry. Drycc Workflow supports external registries that provide either short-lived tokens, which are valid only for a specified amount of time, or long-lived tokens (basic username/password), which are valid indefinitely for authentication. For registries that provide short-lived tokens for authentication, Drycc Workflow will generate and refresh them such that deployed apps will only have access to the short-lived tokens and not to the actual credentials for the registries.
When using a private registry, container images are no longer pulled by the Drycc Workflow Controller but rather are managed by Kubernetes. This will increase security and overall speed; however, the port information can no longer be discovered. Instead, the port information can be set via drycc config set PORT=<port> prior to deploying the application.
Drycc Workflow currently supports:
- off-cluster: Any provider that supports long-lived username/password authentication, such as Azure Container Registry, Docker Hub, quay.io, or a self-hosted container registry.
Configuration
- If you haven’t already fetched the values file, do so with helm inspect values drycc/workflow > values.yaml
- Update registry location details by modifying the values file:
  * Update the registry.enabled parameter to reference the registry location you are using: true, false
  * Update the values in the section which corresponds to your registry location type.
You are now ready to helm install drycc oci://registry.drycc.cc/charts/workflow --namespace drycc -f values.yaml using your desired registry.
Examples
Here we show how the relevant parts of the fetched values.yaml file might look after configuring for a particular off-cluster registry:
Azure Container Registry (ACR)
After following the docs and creating a registry, e.g. myregistry, with its corresponding login server of myregistry.azurecr.io, the following values should be supplied:
builder:
  registryHost: "myregistry.azurecr.io"
  registryUsername: "xxxx"
  registryPassword: "xxxx"
  registryOrganization: "xxxx"
registry:
  enabled: false
Note: The mandatory organization field (here xxxx) will be created as an ACR repository if it does not already exist.
Quay.io
builder:
  registryHost: "quay.io"
  registryUsername: "xxxx"
  registryPassword: "xxxx"
  registryOrganization: "xxxx"
registry:
  enabled: false
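A pre-install check for the values file, as an added example that is not part of the Drycc project or of the original page: it flags the xxxx placeholders used in the examples above, a registry.enabled value other than false, and a values file that is accessible to group or other, since registryPassword is a long-lived credential stored in that file. The function names and the minimal two-level parser are assumptions made for illustration.

```python
import re
import stat

# Keys come from the page's examples; "xxxx" is the page's placeholder value.
REQUIRED = ("registryHost", "registryUsername", "registryPassword",
            "registryOrganization")
PLACEHOLDER = re.compile(r"^x*$", re.IGNORECASE)  # empty, or only x's

def parse_sections(text):
    """Assumes two-level block YAML: top-level key -> its direct children."""
    sections, current, child_indent = {}, None, None
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        if not line or line.startswith("#") or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        if indent == 0:
            current, child_indent = sections.setdefault(key, {}), None
        elif current is not None:
            child_indent = indent if child_indent is None else child_indent
            if indent == child_indent:  # deeper nesting is ignored
                current[key] = value.strip().strip("\"'")
    return sections

def check_values(text, mode=None):
    """Return findings; `mode` is the file's st_mode, if known."""
    cfg, findings = parse_sections(text), []
    if cfg.get("registry", {}).get("enabled", "").lower() != "false":
        findings.append("registry.enabled is not false")
    for key in REQUIRED:
        if PLACEHOLDER.match(cfg.get("builder", {}).get(key, "")):
            findings.append(f"builder.{key} is empty or a placeholder")
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("values file with registryPassword is group/world accessible")
    return findings

# Constructed sample: the page's ACR example with its placeholders left in.
SAMPLE = """\
builder:
  registryHost: "myregistry.azurecr.io"
  registryUsername: "xxxx"
  registryPassword: "xxxx"
  registryOrganization: "xxxx"
registry:
  enabled: false
"""

if __name__ == "__main__":
    print("\n".join(check_values(SAMPLE, mode=0o100644)))
```

Against a real file, pass its contents together with `os.stat(path).st_mode`; a full values file fetched with helm inspect values contains deeper nesting, which this parser skips.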