Drycc Workflow's builder component relies on a registry for storing application container images.
Drycc Workflow ships with a registry component by default, which provides an in-cluster container registry backed by the platform-configured object storage. Operators might want to use an off-cluster registry for performance or security reasons.
Every component that relies on a registry uses two inputs for configuration:
The Helm chart for Drycc Workflow can be configured to connect Workflow components to an off-cluster registry. Drycc Workflow supports external registries that authenticate with either short-lived tokens, which are valid only for a specified amount of time, or long-lived tokens (basic username/password), which are valid forever. For registries that provide short-lived tokens, Drycc Workflow generates and refreshes them so that deployed apps only have access to the short-lived tokens and not to the actual registry credentials.
When using a private registry, the container images are no longer pulled by the Drycc Workflow Controller but are instead managed by Kubernetes. This will increase security and overall speed; however, the port information can no longer be discovered. Instead, the port information can be set via drycc config:set PORT=<port> prior to deploying the application.
Drycc Workflow currently supports:
helm inspect values drycc/workflow > values.yaml
registryLocation parameter to reference the registry location you are using:
You are now ready to helm install drycc oci://registry.drycc.cc/charts/workflow --namespace drycc -f values.yaml using your desired registry.
Here we show how the relevant parts of the fetched values.yaml file might look after configuring for a particular off-cluster registry:
After following the docs and creating a registry, e.g. myregistry, with its corresponding login server of myregistry.azurecr.io, the following values should be supplied:
    global:
      ...
      registryLocation: "off-cluster"
      ...
    registry-token-refresher:
      ...
      registry:
        hostname: "myregistry.azurecr.io"
        organization: "myorg"
        username: "myusername"
        password: "mypassword"
        ...
Note: The mandatory organization field (here myorg) will be created as an ACR repository if it does not already exist.
    global:
      ...
      registryLocation: "off-cluster"
      ...
    registry-token-refresher:
      ...
      registry:
        hostname: "quay.io"
        organization: "myorg"
        username: "myusername"
        password: "mypassword"
        ...
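A pre-flight check for the off-cluster settings shown above, as an added example that is not part of Drycc Workflow or its documentation. It verifies that registryLocation is "off-cluster", that the four registry fields are filled in and no longer hold the page's sample values, and that a values.yaml carrying a long-lived password is readable only by its owner. The function names and the SAMPLE data are hypothetical, and loading a real file assumes PyYAML is installed.

```python
import os
import stat
import sys

REQUIRED = ("hostname", "organization", "username", "password")
# Placeholder values copied from the page's sample values.yaml.
PLACEHOLDERS = {"myorg", "myusername", "mypassword"}

def check_registry_values(values):
    """Return a list of problems found in a parsed Workflow values.yaml (a dict)."""
    problems = []
    location = (values.get("global") or {}).get("registryLocation")
    if location != "off-cluster":
        problems.append(f"global.registryLocation is {location!r}, expected 'off-cluster'")
    registry = (values.get("registry-token-refresher") or {}).get("registry") or {}
    for key in REQUIRED:
        value = registry.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"registry.{key} is missing or empty")
        elif value in PLACEHOLDERS:
            problems.append(f"registry.{key} still holds the sample value {value!r}")
    return problems

def file_mode_problems(path):
    """values.yaml holds a registry credential: flag any group/world access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path} has mode {mode:o}; restrict it to the owner (chmod 600)"]
    return []

# Constructed sample: the quay.io values with a blank field and a leftover placeholder.
SAMPLE = {
    "global": {"registryLocation": "off-cluster"},
    "registry-token-refresher": {"registry": {
        "hostname": "quay.io", "organization": "",
        "username": "ci-robot", "password": "mypassword"}},
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        import yaml  # PyYAML (assumed installed); only needed to check a real file
        with open(sys.argv[1]) as fh:
            found = check_registry_values(yaml.safe_load(fh) or {})
        found += file_mode_problems(sys.argv[1])
    else:
        found = check_registry_values(SAMPLE)
    print("\n".join(found) or "ok")
    sys.exit(1 if found else 0)
```

Run it with the path to values.yaml before helm install; with no argument it checks the constructed sample.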