
Feature Request Make /auth a volume

Open cawoodm opened this issue 3 years ago • 4 comments

At the moment we have to generate a fixed user and copy the htpasswd string into the values.yml. This means, once the registry is running, we have to shut it down and re-install it to add new users.

It would be far nicer just to map the /auth out as a volume so we can edit users on the fly.

That way, changes to htpasswd (i.e. new users) on the host are immediately visible to the registry.

I have provided a configuration for the current chart as a workaround:

extraVolumeMounts:
  - mountPath: /auth
    name: auth

extraVolumes:
  - name: auth
    hostPath:
      # Put your htpasswd file in here:
      path: /etc/secrets/registry/

extraEnvVars:
  - name: REGISTRY_AUTH
    value: "htpasswd"
  - name: REGISTRY_AUTH_HTPASSWD_REALM
    value: "Registry Realm"
  - name: REGISTRY_AUTH_HTPASSWD_PATH
    value: "/auth/htpasswd"

Also a question: I assumed my registry container runs as root (K3S runs as root by default) but it was unable to see /etc/secrets/registry/ which has root read. Only when I moved htpasswd to /tmp with o+r (everybody can read) did it work. Does the registry run with reduced privileges?

Which user is the registry running as?

cawoodm, Jan 17 '22 15:01

So it seems the registry is running as dracula, which is weird. I discovered this by shelling into the pod and creating a new file in /auth. The file owner (on the host) was dracula?

cawoodm, Jan 17 '22 16:01

At a hunch, your host has a user (dracula) with UID 1000, which is what the registry uses as far as I can tell.

rjhenry, Jan 26 '22 16:01

So it seems the registry is running as dracula which is weird.

If you did not change the defaults, the container runs with UID 1000. You can configure securityContext as needed or set securityContext.enabled to false if you want to run as root.

jthurner, Feb 22 '22 07:02
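The permission question above (a hostPath readable only by root works for a root container but not for the chart's default UID 1000) comes down to ordinary POSIX discretionary access control, which is easier to reason about with an explicit check. The following is an added Python example, not code from the thread or from the chart; the registry UID/GID of 1000 is taken from the comments above, and the htpasswd file it creates is a constructed placeholder.

```python
import os
import stat
import tempfile

# UID/GID the chart's default securityContext runs the registry as
# (taken from the thread; adjust if you override securityContext).
REGISTRY_UID = 1000
REGISTRY_GIDS = (1000,)


def _dac_allows(mode, owner_uid, owner_gid, uid, gids, usr_bit, grp_bit, oth_bit):
    """Classic POSIX discretionary access control: root bypasses the bits;
    everyone else is checked against exactly one class (owner, group or
    other), so a root-owned 0640 file is invisible to UID 1000 even though
    the owner and the group could read it."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & usr_bit)
    if owner_gid in gids:
        return bool(mode & grp_bit)
    return bool(mode & oth_bit)


def can_read(mode, owner_uid, owner_gid, uid=REGISTRY_UID, gids=REGISTRY_GIDS):
    return _dac_allows(mode, owner_uid, owner_gid, uid, gids,
                       stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def can_search(mode, owner_uid, owner_gid, uid=REGISTRY_UID, gids=REGISTRY_GIDS):
    """Opening /auth/htpasswd also needs the search (x) bit on every parent."""
    return _dac_allows(mode, owner_uid, owner_gid, uid, gids,
                       stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def audit_htpasswd_path(path, uid=REGISTRY_UID, gids=REGISTRY_GIDS):
    """List the reasons the registry process could not open `path`.
    An empty list means the hostPath mount would work as-is."""
    problems = []
    path = os.path.abspath(path)
    parent = os.path.dirname(path)
    while True:  # walk /etc/secrets/registry -> /etc/secrets -> /etc -> /
        st = os.stat(parent)
        if not can_search(st.st_mode, st.st_uid, st.st_gid, uid, gids):
            problems.append(f"uid {uid} cannot traverse {parent} "
                            f"(mode {oct(stat.S_IMODE(st.st_mode))}, owner {st.st_uid})")
        if parent == os.path.dirname(parent):
            break
        parent = os.path.dirname(parent)
    st = os.stat(path)
    if not can_read(st.st_mode, st.st_uid, st.st_gid, uid, gids):
        problems.append(f"uid {uid} cannot read {path} "
                        f"(mode {oct(stat.S_IMODE(st.st_mode))}, owner {st.st_uid})")
    return problems


def demo(uid=None):
    """Constructed demo: one htpasswd file checked at mode 0600 and at 0644
    for a uid that is not the file's owner (the situation in the thread).
    Returns (problems_at_0600, problems_at_0644)."""
    if uid is None:
        uid = os.getuid() + 1  # never the owner, never root
    d = tempfile.mkdtemp()
    os.chmod(d, 0o755)
    p = os.path.join(d, "htpasswd")
    with open(p, "w") as fh:
        fh.write("alice:$2y$05$constructed-placeholder-not-a-real-hash\n")
    os.chmod(p, 0o600)
    strict = audit_htpasswd_path(p, uid=uid, gids=())
    os.chmod(p, 0o644)
    relaxed = audit_htpasswd_path(p, uid=uid, gids=())
    return strict, relaxed


if __name__ == "__main__":
    strict, relaxed = demo()
    print("0600:", strict or "ok")
    print("0644:", relaxed or "ok")
```

Running `audit_htpasswd_path("/etc/secrets/registry/htpasswd")` on the host explains the symptom directly: a root-owned directory or file without the `other` bits fails for UID 1000, while `/tmp` (mode 1777) plus `o+r` on the file passes. The less permissive fixes are to `chown 1000` the file or to make it group-readable by GID 1000, rather than world-readable.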

I used an existing secret, created outside of the helm chart, that contains the htpasswd things:

apiVersion: v1
kind: Secret
metadata:
  name: htpasswd-docker-registry
  namespace: docker-registry
type: Opaque
stringData:
  htpasswd: |
    username:funnystringfromhtpasswdhere

Then use it like this:

extraVolumeMounts:
  - name: htpasswd-docker-registry
    mountPath: /auth

extraVolumes:
  - name: htpasswd-docker-registry
    secret:
      secretName: htpasswd-docker-registry

extraEnvVars:
  - name: REGISTRY_AUTH
    value: "htpasswd"
  - name: REGISTRY_AUTH_HTPASSWD_REALM
    value: "Registry Realm"
  - name: REGISTRY_AUTH_HTPASSWD_PATH
    value: "/auth/htpasswd"

johanneskastl, Feb 23 '22 20:02
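The Secret approach above still leaves one thing to get right: the registry's htpasswd backend only honours bcrypt entries, so a file generated with `htpasswd` without `-B` mounts fine but every login fails. The following added Python example (not code from the thread or the chart) validates an htpasswd body for that and for malformed or duplicate lines, then renders the same Secret shown above using base64 `data` instead of `stringData`; the Secret name and namespace are the ones from the comment, and the sample entries are constructed placeholders of the right shape, not real password hashes.

```python
import base64
import re

# bcrypt modular-crypt form: $2a$/$2b$/$2y$, two-digit cost, 22-char salt,
# 31-char hash. This is the only hash format the registry accepts.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")

# Constructed sample data (placeholder hash bodies, not real hashes).
GOOD_HTPASSWD = (
    "alice:$2y$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234\n"
    "bob:$2a$10$ABCDEFGHIJKLMNOPQRSTUVabcdefghijklmnopqrstuvwxyz01234\n"
)
BAD_HTPASSWD = (
    "alice:$2y$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234\n"
    "carol:$apr1$saltsalt$notbcryptnotbcryptnotb\n"  # htpasswd default (MD5)
    "alice:$2y$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234\n"
    "nocolonhere\n"
)


def validate_htpasswd(text):
    """Return the problems in an htpasswd body; [] means the registry can use it."""
    problems, seen = [], set()
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        user, sep, digest = line.partition(":")
        if not sep or not user:
            problems.append(f"line {n}: expected 'user:hash'")
            continue
        if user in seen:
            problems.append(f"line {n}: duplicate user {user!r}")
        seen.add(user)
        if not BCRYPT_RE.match(digest):
            problems.append(f"line {n}: user {user!r} is not a bcrypt entry (use htpasswd -B)")
    return problems


def secret_manifest(text, name="htpasswd-docker-registry", namespace="docker-registry"):
    """Render the Secret from the thread with base64 `data`, refusing any
    file the registry would silently not accept."""
    problems = validate_htpasswd(text)
    if problems:
        raise ValueError("; ".join(problems))
    encoded = base64.b64encode(text.encode()).decode()
    return (
        "apiVersion: v1\n"
        "kind: Secret\n"
        "metadata:\n"
        f"  name: {name}\n"
        f"  namespace: {namespace}\n"
        "type: Opaque\n"
        "data:\n"
        f"  htpasswd: {encoded}\n"
    )


def htpasswd_from_manifest(manifest):
    """Inverse of secret_manifest: decode the key the kubelet projects as
    /auth/htpasswd, useful for checking what the registry will actually read."""
    for line in manifest.splitlines():
        if line.strip().startswith("htpasswd:"):
            return base64.b64decode(line.split(":", 1)[1].strip()).decode()
    raise KeyError("htpasswd key not found")


if __name__ == "__main__":
    print(secret_manifest(GOOD_HTPASSWD))
    for problem in validate_htpasswd(BAD_HTPASSWD):
        print("rejected:", problem)
```

Pipe the output to `kubectl apply -f -`. Adding or removing users then means updating the Secret; a Secret mounted as a volume (not via `subPath`) is refreshed by the kubelet on its sync interval, so the chart does not need to be reinstalled, and the file arrives with ownership the UID 1000 process can read without touching host permissions.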