feat: add chart registry #115
Walkthrough: Introduces a complete Helm chart for deploying a Docker Registry on Kubernetes using SeaweedFS as an S3 storage backend. It includes chart metadata, Kubernetes templates for ConfigMap, Service, and DaemonSet resources, configuration values, and comprehensive documentation.
Actionable comments posted: 3
🧹 Nitpick comments (8)

kubernetes/docker-registry/templates/config.yaml (1)

9-9: Remove trailing blank line. YAMLlint flagged an extra blank line at the end of the file.

Proposed fix:
     {{ .Values.registryConfig | indent 4 }}
-

🤖 Prompt for AI Agents: Verify each finding against the current code and only fix it if needed. In `@kubernetes/docker-registry/templates/config.yaml` at line 9, remove the trailing blank line at the end of the kubernetes/docker-registry/templates/config.yaml file so the file ends on the last YAML content line (no extra newline or empty line after EOF); locate the template file (config.yaml) and delete the final empty line to satisfy YAML linting.

kubernetes/docker-registry/README.md (1)

16-27: Add language identifier to fenced code block. Markdownlint suggests specifying a language for the fenced code block. Since this is a directory tree, you can use `text` or `plaintext`.

Proposed fix:
-```
+```text
 +--- <namespace_1>

🤖 Prompt for AI Agents: Verify each finding against the current code and only fix it if needed. In `@kubernetes/docker-registry/README.md` around lines 16 - 27, update the fenced code block in kubernetes/docker-registry/README.md that contains the directory tree to include a language identifier (e.g., "text" or "plaintext") after the opening backticks; locate the triple-backtick block showing the tree with lines like "+--- <namespace_1>" and change the opening fence to ```text so markdownlint stops flagging it and the block is rendered as plain text.

kubernetes/docker-registry/Chart.yaml (2)

8-11: Dependency version uses flexible range. Using `version: 1.x.x` allows any 1.x version of the common chart. This is flexible but could introduce unexpected behavior if the common chart has breaking changes within the 1.x range. Consider whether a more specific version constraint is appropriate for your use case.

🤖 Prompt for AI Agents: Verify each finding against the current code and only fix it if needed. In `@kubernetes/docker-registry/Chart.yaml` around lines 8 - 11, the Chart.yaml dependency entry pins the common chart with a loose semver "version: 1.x.x" which can pull any 1.* release; update the dependencies block to use a tighter version constraint (for example an exact patch like "1.2.3" or a bounded range such as ">=1.2.0 <1.3.0") for the `- name: common` entry so upgrades are predictable and controlled; modify the version field in Chart.yaml accordingly and ensure any Chart.lock or Helm dependency update steps are run to reflect the change.

6-6: Remove deprecated `engine: gotpl` field. The `engine` field is deprecated in Helm 3 (apiVersion: v2 charts). Helm 3 only supports Go templates, so this field is unnecessary.

Proposed fix:
 description: Docker registry
-engine: gotpl
 dependencies:

🤖 Prompt for AI Agents: Verify each finding against the current code and only fix it if needed. In `@kubernetes/docker-registry/Chart.yaml` at line 6, remove the deprecated engine: gotpl field from Chart.yaml; locate the Chart.yaml entry containing the "engine: gotpl" line and delete that key so the chart relies on the Helm v3 default Go template engine (verify Chart.yaml remains valid YAML and that apiVersion: v2 is preserved).

kubernetes/docker-registry/templates/registry_deployment.yaml (2)

21-28: Consider adding resource limits, security context, and health probes. The container definition is missing several production-readiness configurations:
- Resource limits/requests: without these, the pod could consume unbounded resources
- Security context: consider running as non-root with a read-only filesystem where possible
- Liveness/readiness probes: Docker Registry exposes a health endpoint at `/v2/` that can be used

Example additions:
      containers:
        - name: registry
          image: {{ include "common.images.image" ( dict "imageRoot" .Values.image "global" .Values.global ) }}
          ports:
            - containerPort: 5000
          livenessProbe:
            httpGet:
              path: /v2/
              port: 5000
            initialDelaySeconds: 10
          readinessProbe:
            httpGet:
              path: /v2/
              port: 5000
            initialDelaySeconds: 5
          resources:
            requests:
              memory: "128Mi"
              cpu: "100m"
            limits:
              memory: "512Mi"
              cpu: "500m"
          securityContext:
            runAsNonRoot: true
            readOnlyRootFilesystem: true
          volumeMounts:
            - name: config
              mountPath: /etc/docker/registry

🤖 Prompt for AI Agents: Verify each finding against the current code and only fix it if needed. In `@kubernetes/docker-registry/templates/registry_deployment.yaml` around lines 21 - 28, add production-ready settings to the "registry" container block: declare resource requests/limits (e.g., CPU and memory) to bound consumption, add a securityContext (e.g., runAsNonRoot: true and readOnlyRootFilesystem: true) to avoid running as root, and add liveness and readiness probes that hit the Docker Registry health path "/v2/" on port 5000 with sensible initialDelaySeconds and timeouts; modify the container definition that uses include "common.images.image" so these fields are present alongside ports and volumeMounts.

33-33: Remove trailing blank line. YAMLlint flagged an extra blank line at the end of the file.

🤖 Prompt for AI Agents: Verify each finding against the current code and only fix it if needed. In `@kubernetes/docker-registry/templates/registry_deployment.yaml` at line 33, remove the extra trailing blank line at the end of the registry_deployment.yaml template so the file ends immediately after the final YAML document content; locate the registry_deployment.yaml template and delete the final empty newline/blank line so YAML linters no longer flag an extra blank line at EOF.

kubernetes/docker-registry/templates/service.yaml (1)

13-13: Remove trailing blank line.

Proposed fix:
   type: ClusterIP
-

🤖 Prompt for AI Agents: Verify each finding against the current code and only fix it if needed. In `@kubernetes/docker-registry/templates/service.yaml` at line 13, the service YAML contains an extra trailing blank line at the end of the template (service.yaml / Service manifest); open the template and remove the empty final line so the file ends immediately after the last YAML content (ensure there is at most a single newline/EOF, not an extra blank line).

kubernetes/docker-registry/values.yaml (1)

7-7: Pin the image tag to a specific version instead of the major version. Using `tag: 2` will pull whatever the latest 2.x version is, causing unpredictable updates. Pin to a specific version (e.g., `2.8.3`) for reproducibility. Note that Docker Registry v3.0.0 is now available; evaluate whether to upgrade to the latest major version or explicitly remain on 2.x for compatibility.

🤖 Prompt for AI Agents: Verify each finding against the current code and only fix it if needed. In `@kubernetes/docker-registry/values.yaml` at line 7, the current image tag is pinned to the major version via the tag key (tag: 2); change this to a specific patch version (e.g., tag: 2.8.3) in values.yaml to ensure reproducible deployments, or deliberately bump to a specific v3 release if you want to move to the new major (e.g., tag: 3.0.0); update the tag value accordingly and run your chart deployment/test to verify compatibility.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@kubernetes/docker-registry/README.md`:
- Line 1: Update the README title and content to accurately reflect the
docker-registry chart: change the title from "Shared Volume Chart" to something
like "Docker Registry Chart" and add sections describing what the chart deploys
(components and purpose), prerequisites (e.g., SeaweedFS for S3 backend), a
summary of configuration options pulled from values.yaml (list key configurable
values and their meanings), and a secure guidance section showing how to
override S3 credentials (recommend using Kubernetes Secrets, Helm --set-file or
values.yaml referencing secret keys, and example secret key names). Ensure you
reference the chart name "docker-registry", the values file "values.yaml", and
the S3/SeaweedFS backend in the README so users can locate relevant configs.
In `@kubernetes/docker-registry/templates/config.yaml`:
- Around line 1-8: The ConfigMap is embedding .Values.registryConfig (rendered
to config.yml) which includes S3 credentials; move sensitive fields out of
.Values.registryConfig into a Kubernetes Secret and stop writing them into the
ConfigMap. Update the Chart to split registryConfig into a non-sensitive part
kept in the ConfigMap (config.yml) and a new secret-backed object (Kubernetes
Secret) containing accesskey/secretkey; then modify the deployment/Pod spec to
mount the Secret or inject the credentials as environment variables instead of
reading them from the ConfigMap. Ensure references to .Values.registryConfig are
changed to read non-secret values only and that the new Secret keys match the
names expected by the registry configuration loader.
In `@kubernetes/docker-registry/values.yaml`:
- Around line 23-24: Replace the hardcoded credentials in values.yaml: remove
literal values for accesskey and secretkey and replace them with non-sensitive
placeholders like "CHANGE_ME" or empty strings; update values.yaml to document
that these must be overridden (via --set or a separate values file) and add
guidance to use Kubernetes Secrets and reference them from the chart instead of
embedding secrets directly; ensure the keys referenced (accesskey, secretkey)
are wired to read from a Secret or user-supplied values rather than hardcoded
strings.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 25108cd7-0c8e-420d-896f-281182a4c17b
📒 Files selected for processing (7)
- kubernetes/docker-registry/Chart.yaml
- kubernetes/docker-registry/README.md
- kubernetes/docker-registry/charts/common-1.4.3.tgz
- kubernetes/docker-registry/templates/config.yaml
- kubernetes/docker-registry/templates/registry_deployment.yaml
- kubernetes/docker-registry/templates/service.yaml
- kubernetes/docker-registry/values.yaml
Actionable comments posted: 8
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@kubernetes/docker-registry/templates/pvc.yaml`:
- Line 16: The file pvc.yaml ends without a trailing newline (the last line is
"storage: 6Gi"); add a single POSIX-compliant newline character at the end of
pvc.yaml so the file terminates with a newline. Ensure the final file ends with
a blank line after the "storage: 6Gi" entry.
- Around line 13-16: Make storage configurable by moving the hardcoded
storageClassName and size into values: add entries persistence.storageClassName
and persistence.size in values.yaml, then update the pvc template (the
storageClassName and resources.requests.storage fields in the PVC template) to
read from those values (fall back to existing defaults if unset) so users can
override storageClassName and storage size via values.yaml.
In `@kubernetes/docker-registry/templates/registry_statefuleset.yaml`:
- Line 1: Rename the template file from registry_statefuleset.yaml to
registry_statefulset.yaml and update all references to it (e.g., any includes in
Helm templates, Chart templates list, kustomize manifests, CI/deployment
scripts) so the new name is used; search for the symbol
"registry_statefuleset.yaml" and replace with "registry_statefulset.yaml" and
verify template rendering still works for the registry StatefulSet resource.
- Line 24: The container image spec currently sets the image via the include
"common.images.image" call but lacks an explicit imagePullPolicy; add an
imagePullPolicy field next to the image line in registry_statefuleset.yaml and
source its value from .Values.image.pullPolicy (falling back to a sensible
default such as "IfNotPresent") so the template uses .Values.image.pullPolicy |
default "IfNotPresent" for predictable pull behavior.
- Around line 23-31: Add a securityContext to the registry container and a
Pod-level fsGroup so the registry runs non-root and has a read-only root
filesystem while still allowing the storage volume to be writable: set container
name "registry" securityContext fields (runAsNonRoot: true, runAsUser and
runAsGroup to a non-root uid/gid such as 1000, readOnlyRootFilesystem: true) and
ensure the "config" volumeMount is mounted readOnly: true while "storage"
remains writable; also add a podSecurityContext.fsGroup (e.g., 1000) so the
storage volume is writable by the non-root process.
- Around line 23-31: The registry container currently lacks Kubernetes probes;
add livenessProbe and readinessProbe to the container spec for the container
named "registry" (the block using include "common.images.image") to allow K8s to
detect and recover from failures. Implement an HTTP GET probe to /v2/ (or
tcpSocket to port 5000 if HTTP not supported) with sensible defaults (e.g.,
initialDelaySeconds: 10, periodSeconds: 10, timeoutSeconds: 2, failureThreshold:
3) for liveness, and a readinessProbe with a shorter initialDelaySeconds or
successThreshold as appropriate. Place both probe blocks under the same
container definition so they are applied to the registry pod. Ensure probes
reference containerPort 5000.
- Around line 23-31: The registry container in registry_statefuleset.yaml is
missing resource requests/limits; add a configurable resources block under the
container spec for the container named "registry" (the same block that uses the
image from include "common.images.image") and wire it to values (e.g.,
.Values.registry.resources) so requests (cpu/memory) and limits (cpu/memory) can
be set via values.yaml; ensure the Helm template uses default values or a
fallback and preserve existing volumeMounts (/etc/docker/registry and
/var/lib/registry) and port 5000.
In `@kubernetes/docker-registry/templates/service.yaml`:
- Line 8: The Service selector in service.yaml currently uses only
common.labels.matchLabels and therefore won't match the StatefulSet pods which
also include the label app.kubernetes.io/component: docker-registry in the
registry_statefuleset.yaml podTemplate; update the Service selector to include
that additional label (add app.kubernetes.io/component: docker-registry
alongside the output of include "common.labels.matchLabels" .) so the selector
exactly matches all labels present on the StatefulSet pod template.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 62aea512-1627-431a-8657-0395eaac30f3
📒 Files selected for processing (4)
- kubernetes/docker-registry/templates/config.yaml
- kubernetes/docker-registry/templates/pvc.yaml
- kubernetes/docker-registry/templates/registry_statefuleset.yaml
- kubernetes/docker-registry/templates/service.yaml
kubernetes/docker-registry/templates/registry_statefuleset.yaml, lines 23-31:

```yaml
        - name: registry
          image: {{ include "common.images.image" ( dict "imageRoot" .Values.image "global" .Values.global ) }}
          ports:
            - containerPort: 5000
          volumeMounts:
            - name: config
              mountPath: /etc/docker/registry
            - name: storage
              mountPath: /var/lib/registry
```
Critical: Missing security context configuration.
The container lacks essential security settings that are critical for production deployments. Docker Registry can run without root privileges.
🛡️ Proposed security hardening
- name: registry
image: {{ include "common.images.image" ( dict "imageRoot" .Values.image "global" .Values.global ) }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
ports:
- containerPort: 5000
volumeMounts:
- name: config
mountPath: /etc/docker/registry
+ readOnly: true
- name: storage
mountPath: /var/lib/registry

Note: readOnlyRootFilesystem: true requires the config volume to be mounted read-only, while the storage volume remains writable for registry data.
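Review bot: this hunk sets runAsUser/runAsGroup 1000 with a read-only root filesystem but omits the pod-level fsGroup that the matching AI prompt calls for; without `fsGroup: 1000` in the pod securityContext the storage volume at /var/lib/registry may not be writable by the non-root process, so add it together with this change.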
🧰 Tools
🪛 YAMLlint (1.38.0)
[error] 24-24: too many spaces inside braces
(braces)
[error] 24-24: too many spaces inside braces
(braces)
🧹 Nitpick | 🔵 Trivial
Recommend adding health probes.
Liveness and readiness probes improve reliability by enabling Kubernetes to detect and recover from failures.
🏥 Proposed health probe configuration
- name: registry
image: {{ include "common.images.image" ( dict "imageRoot" .Values.image "global" .Values.global ) }}
ports:
- containerPort: 5000
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 5000
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 5000
+ initialDelaySeconds: 5
+ periodSeconds: 5
volumeMounts:
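Review bot: the livenessProbe and readinessProbe here use path: / whereas the prompt attached to this comment and the earlier deployment-template suggestion probe the registry's /v2/ endpoint; align the httpGet path with /v2/ and add timeoutSeconds and failureThreshold so the failure behaviour is explicit rather than left to the defaults.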
Major: Missing resource limits and requests.
The container should define resource requests and limits to ensure proper scheduling and prevent resource exhaustion.
⚖️ Proposed resource configuration
- name: registry
image: {{ include "common.images.image" ( dict "imageRoot" .Values.image "global" .Values.global ) }}
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 500m
+ memory: 512Mi
ports:

Consider making these values configurable via values.yaml for different deployment scenarios.
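Review bot: the requests and limits are hardcoded in the template; as the prompt for this comment suggests, source them from values (for example `{{- with .Values.registry.resources }}resources: {{ toYaml . | indent 8 }}{{- end }}` with defaults in values.yaml) so operators can size the registry per environment without editing the template.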
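As an added check that is not code from this PR or from CodeRabbit, the following constructed Python linter runs the points raised in the statefulset thread above (security context, probes, resources, floating image tag) and in the values.yaml comments (credentials in the ConfigMap, plaintext S3 endpoint) over a rendered container spec and a config.yml. It assumes the container spec is handed in as a plain dict, as `yaml.safe_load` of the rendered manifest would produce; the sample inputs are transcribed from the thread or constructed, and the credential values are placeholders.

```python
from __future__ import annotations
import re

# Container spec as submitted in the PR (transcribed from the thread above).
ORIGINAL_CONTAINER = {
    "name": "registry",
    "image": "registry:2",
    "ports": [{"containerPort": 5000}],
    "volumeMounts": [
        {"name": "config", "mountPath": "/etc/docker/registry"},
        {"name": "storage", "mountPath": "/var/lib/registry"},
    ],
}
# Same container with the review's three suggestions merged, plus the /v2/ probe
# path and the pod-level fsGroup the AI prompts ask for (constructed).
HARDENED_CONTAINER = {
    "name": "registry",
    "image": "registry:2.8.3",
    "securityContext": {
        "allowPrivilegeEscalation": False, "runAsNonRoot": True,
        "runAsUser": 1000, "runAsGroup": 1000, "readOnlyRootFilesystem": True,
        "capabilities": {"drop": ["ALL"]},
    },
    "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                  "limits": {"cpu": "500m", "memory": "512Mi"}},
    "ports": [{"containerPort": 5000}],
    "livenessProbe": {"httpGet": {"path": "/v2/", "port": 5000}, "initialDelaySeconds": 10},
    "readinessProbe": {"httpGet": {"path": "/v2/", "port": 5000}, "initialDelaySeconds": 5},
    "volumeMounts": [
        {"name": "config", "mountPath": "/etc/docker/registry", "readOnly": True},
        {"name": "storage", "mountPath": "/var/lib/registry"},
    ],
}
HARDENED_POD_SECURITY = {"fsGroup": 1000}
# Constructed config.yml modelled on the values.yaml discussed in the thread;
# the credential values are placeholders, not real keys.
REGISTRY_CONFIG = """\
storage:
  s3:
    regionendpoint: http://seaweedfs-s3.seaweedfs.svc.cluster.local:8333
    accesskey: example-access-key
    secretkey: example-secret-key
    secure: false
    skipverify: true
http:
  addr: :5000
  secret: "registry_key_2026"
"""
PINNED_TAG = re.compile(r"^\d+\.\d+\.\d+$")
SECRET_KEYS = ("accesskey", "secretkey", "secret")

def image_is_pinned(image: str) -> bool:
    """True only for an immutable reference: a full x.y.z tag or a digest."""
    if "@sha256:" in image:
        return True
    return bool(PINNED_TAG.match(image.rpartition(":")[2]))

def check_container(container: dict, pod_security: dict | None = None) -> list[str]:
    """Return the hardening gaps in one container spec (empty list means clean)."""
    findings: list[str] = []
    if not image_is_pinned(container.get("image", "")):
        findings.append("image tag is floating; pin to a full version or a digest")
    sc = container.get("securityContext", {})
    for key, want in (("runAsNonRoot", True), ("readOnlyRootFilesystem", True),
                      ("allowPrivilegeEscalation", False)):
        if sc.get(key) is not want:
            findings.append(f"securityContext.{key} should be {str(want).lower()}")
    if "ALL" not in sc.get("capabilities", {}).get("drop", []):
        findings.append("securityContext.capabilities.drop should include ALL")
    mounts = {m["name"]: m for m in container.get("volumeMounts", [])}
    # A read-only root fs only works if the config volume is mounted read-only too.
    if sc.get("readOnlyRootFilesystem") is True and not mounts.get("config", {}).get("readOnly"):
        findings.append("config volumeMount must be readOnly when the root filesystem is read-only")
    if not (pod_security or {}).get("fsGroup"):
        findings.append("pod securityContext.fsGroup missing; /var/lib/registry may not be writable by the non-root uid")
    for probe in ("livenessProbe", "readinessProbe"):
        http = container.get(probe, {}).get("httpGet")
        if http is None:
            findings.append(f"{probe} missing")
        elif http.get("path") != "/v2/" or http.get("port") != 5000:
            findings.append(f"{probe} should hit /v2/ on port 5000")
    res = container.get("resources", {})
    for section in ("requests", "limits"):
        if not {"cpu", "memory"} <= set(res.get(section, {})):
            findings.append(f"resources.{section} should set cpu and memory")
    return findings

def check_registry_config(config_yml: str) -> list[str]:
    """Flag credentials that belong in a Secret and plaintext S3 transport settings."""
    findings: list[str] = []
    for raw in config_yml.splitlines():
        key, sep, value = raw.strip().partition(":")
        value = value.strip().strip('"')
        if not sep:
            continue
        if key in SECRET_KEYS and value:
            findings.append(f"{key} is embedded in the ConfigMap; move it to a Secret")
        elif key == "regionendpoint" and value.startswith("http://"):
            findings.append("regionendpoint uses plaintext http")
        elif key == "secure" and value == "false":
            findings.append("secure: false selects plaintext S3 transport")
        elif key == "skipverify" and value == "true":
            findings.append("skipverify: true disables TLS certificate verification")
    return findings
```

Running `check_container(ORIGINAL_CONTAINER)` lists every gap the review raised, while the hardened spec with `HARDENED_POD_SECURITY` comes back clean.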
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@kubernetes/docker-registry/values.yaml`:
- Around line 27-28: The values.yaml currently enables image deletion via the
registry by setting delete.enabled: true; update this to prevent accidental data
loss or harden the registry by either setting delete.enabled: false if deletion
should be disabled, or, if deletion must remain enabled, add configuration and
documentation to require authentication/authorization for delete operations and
ensure backups and audit logging are in place (e.g., note required auth
settings, backup schedule, and audit log configuration alongside the delete
block so operators see the risk).
- Around line 20-25: The values.yaml currently configures the S3 backend to use
plaintext HTTP (regionendpoint: http://seaweedfs-s3..., secure: false,
skipverify: true); update the S3 backend settings (regionendpoint, secure,
skipverify and any certificate handling) to use HTTPS when TLS is available by
changing regionendpoint to
https://seaweedfs-s3.seaweedfs.svc.cluster.local:8333, set secure: true and set
skipverify appropriately (false for valid certs, true only for self-signed in
testing), and ensure any related secrets/keys (accesskey/secretkey) and the
seaweedfs-s3 service are configured to serve TLS so the Docker registry's S3
client connects securely.
- Line 7: The values file currently uses a floating major tag "tag: 2"; change
this to a specific, immutable image reference to ensure reproducible deployments
— replace the "tag: 2" value with a concrete version like "tag: 2.8.3" or switch
to an image digest (e.g., add or set an "image.digest" field with the SHA) so
the Docker Registry image used by your chart (referenced by the tag/image
fields) is pinned to a single release.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 2c5ec6b6-97fb-4b97-9d0b-5c54c1bd4261
📒 Files selected for processing (1)
kubernetes/docker-registry/values.yaml
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@kubernetes/docker-registry/README.md`:
- Around line 19-31: The README shows two different registry endpoints (e.g.,
registry-docker-registry-service.registry.svc.cluster.local:5000 in the catalog
example and
private-registry-docker-registry-service.private-registry.svc.cluster.local:5000
in the tags example), which is confusing; pick a single consistent endpoint
pattern (or explicitly mark one as an alternate) and update the curl examples
(the catalog GET and the <image_name>/tags/list example) so they use the same
service/namespace naming convention or add a clear label like "alternate
example" next to the differing URL.
- Around line 10-53: The README.md triggers markdownlint errors
(MD022/MD031/MD047) because code fences and headings lack required blank lines
and some fences/lines are malformed; fix by ensuring every fenced code block
(the bash examples under "### 1.1 By Curl" and the toml block under the
hosts.toml example) is preceded and followed by a single blank line, ensure the
triple-backtick fences are correct and closed, add a blank line before the
horizontal rule (---), and add blank lines around the "### 1.2 By GUI of
seaweedfs" heading; apply these fixes to the code fences and headings referenced
in README.md so markdownlint passes.
In `@kubernetes/docker-registry/templates/registry_daemonset.yaml`:
- Around line 21-29: The registry container lacks health checks, so add
readinessProbe and livenessProbe entries to the container spec for the container
named "registry" in the registry_daemonset.yaml; implement HTTP GET probes
against path "/v2" on port 5000 (or TCP if your registry variant requires), with
sensible timeouts and thresholds (e.g., initialDelaySeconds, periodSeconds,
timeoutSeconds, failureThreshold) to allow startup and to fail fast on unhealthy
pods; place these probe blocks under the container definition (alongside ports
and volumeMounts) so the Service only sends traffic to ready pods and Kubernetes
can restart unhealthy containers.
- Around line 21-25: Add CPU/memory resource requests and limits for the
registry container to avoid unconstrained scheduling: update the registry
DaemonSet template (the container named "registry" that uses {{ include
"common.images.image" ... }} ) to include a resources: block driven by chart
values (e.g. .Values.registry.resources or .Values.image.resources). Ensure the
block uses templated defaults like {{- with .Values.registry.resources
}}resources: {{ toYaml . | indent 8 }}{{- end }} so callers can set
requests/limits in values.yaml and the template falls back gracefully when
unspecified.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: ede19045-86ce-44d8-a97f-0165d41ec8c9
📒 Files selected for processing (2)
- kubernetes/docker-registry/README.md
- kubernetes/docker-registry/templates/registry_daemonset.yaml
kubernetes/docker-registry/values.yaml:

```yaml
  tag: 2
  pullPolicy: IfNotPresent

registryConfig: |-
```

Change this config block to a ConfigMap template; list only the variables that need to change, such as url, path, enabled features, ...
kubernetes/docker-registry/values.yaml:

```yaml
    # cannot decrypt _state created by another → upload fails
    # ⚠ Do not change while uploads are in progress
    # → existing _state tokens cannot be decrypted → active uploads fail
    secret: "registry_key_2026"
```

Make the secret an empty string and update it via the stacked_chart value.

This is an internal key used by the registry to sign and verify upload session tokens. It's not exposed to clients; it is used internally to ensure push/pull integrity.