feat: add registry addon (#1116)

**What problem does this PR solve?**:
This PR adds a new addon `registryMirror` that deploys
https://github.com/distribution/distribution as a StatefulSet
and a [sidecar container to sync
images](https://github.com/regclient/regclient/blob/main/docs/regsync.md)
across instances.
 
```
$ kubectl get pods -n registry-system 
NAME                                           READY   STATUS    RESTARTS   AGE
cncf-distribution-registry-docker-registry-0   2/2     Running   0          2m13s
cncf-distribution-registry-docker-registry-1   2/2     Running   0          8s

```
 
This addon is designed to only be a mirror and not used a regular
registry, hence the name and the lack of external access to the Service.
In a follow up PR, the in-cluster Service will be used a Containerd
mirror.
In a follow up PR, it will also be deployed with randomly generated
credentials to further prevent direct use.
 
**Which issue(s) this PR fixes**:
Fixes #

**How Has This Been Tested?**:
<!--
Please describe the tests that you ran to verify your changes.
Provide output from the tests and any manual steps needed to replicate
the tests.
-->

**Special notes for your reviewer**:
<!--
Use this to provide any additional information to the reviewers.
This may include:
- Best way to review the PR.
- Where the author wants the most review attention on.
- etc.
-->

Author: dkoshkin

api/v1alpha1/addon_types.go

@@ -27,6 +27,8 @@ const (
 
 	ServiceLoadBalancerProviderMetalLB = "MetalLB"
 
+	RegistryProviderCNCFDistribution = "CNCF Distribution"
+
 	AddonStrategyClusterResourceSet AddonStrategy = "ClusterResourceSet"
 	AddonStrategyHelmAddon          AddonStrategy = "HelmAddon"
 
@@ -100,6 +102,9 @@ type GenericAddons struct {
 
 	// +kubebuilder:validation:Optional
 	ServiceLoadBalancer *ServiceLoadBalancer `json:"serviceLoadBalancer,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	Registry *RegistryAddon `json:"registry,omitempty"`
 }
 
 type AddonStrategy string
@@ -335,3 +340,10 @@ type AddressRange struct {
 	// +kubebuilder:validation:Format=ipv4
 	End string `json:"end"`
 }
+
+type RegistryAddon struct {
+	// The OCI registry provider to deploy.
+	// +kubebuilder:default="CNCF Distribution"
+	// +kubebuilder:validation:Enum="CNCF Distribution"
+	Provider string `json:"provider"`
+}

api/v1alpha1/constants.go

@@ -28,6 +28,8 @@ const (
 	ClusterAutoscalerVariableName = "clusterAutoscaler"
 	// ServiceLoadBalancerVariableName is the Service LoadBalancer config patch variable name.
 	ServiceLoadBalancerVariableName = "serviceLoadBalancer"
+	// RegistryAddonVariableName is the OCI registry config patch variable name.
+	RegistryAddonVariableName = "registry"
 
 	// GlobalMirrorVariableName is the global image registry mirror patch variable name.
 	GlobalMirrorVariableName = "globalImageRegistryMirror"

api/v1alpha1/crds/caren.nutanix.com_awsclusterconfigs.yaml

@@ -234,6 +234,17 @@ spec:
                             - HelmAddon
                           type: string
                       type: object
+                    registry:
+                      properties:
+                        provider:
+                          default: CNCF Distribution
+                          description: The OCI registry provider to deploy.
+                          enum:
+                            - CNCF Distribution
+                          type: string
+                      required:
+                        - provider
+                      type: object
                     serviceLoadBalancer:
                       properties:
                         configuration:

api/v1alpha1/crds/caren.nutanix.com_dockerclusterconfigs.yaml

@@ -243,6 +243,17 @@ spec:
                             - HelmAddon
                           type: string
                       type: object
+                    registry:
+                      properties:
+                        provider:
+                          default: CNCF Distribution
+                          description: The OCI registry provider to deploy.
+                          enum:
+                            - CNCF Distribution
+                          type: string
+                      required:
+                        - provider
+                      type: object
                     serviceLoadBalancer:
                       properties:
                         configuration:

api/v1alpha1/crds/caren.nutanix.com_nutanixclusterconfigs.yaml

@@ -243,6 +243,17 @@ spec:
                             - HelmAddon
                           type: string
                       type: object
+                    registry:
+                      properties:
+                        provider:
+                          default: CNCF Distribution
+                          description: The OCI registry provider to deploy.
+                          enum:
+                            - CNCF Distribution
+                          type: string
+                      required:
+                        - provider
+                      type: object
                     serviceLoadBalancer:
                       properties:
                         configuration:

api/v1alpha1/zz_generated.deepcopy.go

@@ -85,6 +85,8 @@ A Helm chart for cluster-api-runtime-extensions-nutanix
 | hooks.nfd.crsStrategy.defaultInstallationConfigMap.name | string | `"node-feature-discovery"` |  |
 | hooks.nfd.helmAddonStrategy.defaultValueTemplateConfigMap.create | bool | `true` |  |
 | hooks.nfd.helmAddonStrategy.defaultValueTemplateConfigMap.name | string | `"default-nfd-helm-values-template"` |  |
+| hooks.registry.cncfDistribution.defaultValueTemplateConfigMap.create | bool | `true` |  |
+| hooks.registry.cncfDistribution.defaultValueTemplateConfigMap.name | string | `"default-cncf-distribution-registry-helm-values-template"` |  |
 | hooks.serviceLoadBalancer.metalLB.defaultValueTemplateConfigMap.create | bool | `true` |  |
 | hooks.serviceLoadBalancer.metalLB.defaultValueTemplateConfigMap.name | string | `"default-metallb-helm-values-template"` |  |
 | hooks.virtualIP.kubeVip.defaultTemplateConfigMap.create | bool | `true` |  |

charts/cluster-api-runtime-extensions-nutanix/README.md

@@ -0,0 +1,12 @@
+replicaCount: 2
+persistence:
+  enabled: true
+  size: 50Gi
+service:
+  type: ClusterIP
+  clusterIP: {{ .ServiceIP }}
+  port: 80
+statefulSet:
+  enabled: true
+  syncer:
+    interval: 2m

charts/cluster-api-runtime-extensions-nutanix/addons/registry/cncf-distribution/values-template.yaml

@@ -23,6 +23,10 @@ data:
     ChartName: cluster-autoscaler
     ChartVersion: 9.46.3
     RepositoryURL: '{{ if .Values.helmRepository.enabled }}oci://helm-repository.{{ .Release.Namespace }}.svc/charts{{ else }}https://kubernetes.github.io/autoscaler{{ end }}'
+  cncf-distribution-registry: |
+    ChartName: docker-registry
+    ChartVersion: 2.3.1
+    RepositoryURL: '{{ if .Values.helmRepository.enabled }}oci://helm-repository.{{ .Release.Namespace }}.svc/charts{{ else }}https://mesosphere.github.io/charts/staging/{{ end }}'
   cosi-controller: |
     ChartName: cosi
     ChartVersion: 0.0.1-alpha.5

charts/cluster-api-runtime-extensions-nutanix/templates/helm-config.yaml

@@ -0,0 +1,12 @@
+# Copyright 2025 Nutanix. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+{{- if .Values.hooks.registry.cncfDistribution.defaultValueTemplateConfigMap.name }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: '{{ .Values.hooks.registry.cncfDistribution.defaultValueTemplateConfigMap.name }}'
+data:
+  values.yaml: |-
+    {{- .Files.Get "addons/registry/cncf-distribution/values-template.yaml" | nindent 4 }}
+{{- end -}}

charts/cluster-api-runtime-extensions-nutanix/templates/registry/distribution/helm-addon-installation.yaml

@@ -504,6 +504,27 @@
                     },
                     "type": "object"
                 },
+                "registry": {
+                    "properties": {
+                        "cncfDistribution": {
+                            "properties": {
+                                "defaultValueTemplateConfigMap": {
+                                    "properties": {
+                                        "create": {
+                                            "type": "boolean"
+                                        },
+                                        "name": {
+                                            "type": "string"
+                                        }
+                                    },
+                                    "type": "object"
+                                }
+                            },
+                            "type": "object"
+                        }
+                    },
+                    "type": "object"
+                },
                 "serviceLoadBalancer": {
                     "properties": {
                         "metalLB": {

charts/cluster-api-runtime-extensions-nutanix/values.schema.json

@@ -111,6 +111,11 @@ hooks:
         defaultValueTemplateConfigMap:
           create: true
           name: default-cosi-controller-helm-values-template
+  registry:
+    cncfDistribution:
+      defaultValueTemplateConfigMap:
+        create: true
+        name: default-cncf-distribution-registry-helm-values-template
 
 helmAddonsConfigMap: default-helm-addons-config
 

charts/cluster-api-runtime-extensions-nutanix/values.yaml

@@ -0,0 +1,36 @@
++++
+title = "Registry"
+icon = "fa-solid fa-eye"
++++
+
+By leveraging CAPI cluster lifecycle hooks, this handler deploys an OCI [Distribution] registry,
+at the `AfterControlPlaneInitialized` phase and configures it as a mirror on the new cluster.
+The registry will be deployed as a StatefulSet with a persistent volume claim for storage
+and multiple replicas for high availability.
+A sidecar container in each Pod running [Regsync] will periodically sync the OCI artifacts across all replicas.
+
+Deployment of this registry is opt-in via the [provider-specific cluster configuration]({{< ref ".." >}}).
+
+The hook will use the [Cluster API Add-on Provider for Helm] to deploy the registry resources.
+
+## Example
+
+To enable deployment of the registry on a cluster, specify the following values:
+
+```yaml
+apiVersion: cluster.x-k8s.io/v1beta1
+kind: Cluster
+metadata:
+  name: <NAME>
+spec:
+  topology:
+    variables:
+      - name: clusterConfig
+        value:
+          addons:
+            registry: {}
+```
+
+[Distribution]: https://github.com/distribution/distribution
+[Cluster API Add-on Provider for Helm]: https://github.com/kubernetes-sigs/cluster-api-addon-provider-helm
+[Regsync]: https://regclient.org/usage/regsync/

docs/content/addons/registry.md

@@ -41,6 +41,7 @@ spec:
               strategy: ClusterResourceSet
           nfd:
             strategy: ClusterResourceSet
+          registry: {}
           serviceLoadBalancer:
             configuration:
               addressRanges:

examples/capi-quick-start/docker-cluster-calico-crs.yaml

@@ -36,6 +36,7 @@ spec:
                   default: {}
             snapshotController: {}
           nfd: {}
+          registry: {}
           serviceLoadBalancer:
             configuration:
               addressRanges:

examples/capi-quick-start/docker-cluster-calico-helm-addon.yaml

@@ -41,6 +41,7 @@ spec:
               strategy: ClusterResourceSet
           nfd:
             strategy: ClusterResourceSet
+          registry: {}
           serviceLoadBalancer:
             configuration:
               addressRanges:

examples/capi-quick-start/docker-cluster-cilium-crs.yaml

@@ -36,6 +36,7 @@ spec:
                   default: {}
             snapshotController: {}
           nfd: {}
+          registry: {}
           serviceLoadBalancer:
             configuration:
               addressRanges:

examples/capi-quick-start/docker-cluster-cilium-helm-addon.yaml

@@ -31,6 +31,11 @@ repositories:
     charts:
       cosi:
       - 0.0.1-alpha.5
+  docker-registry:
+    repoURL: https://mesosphere.github.io/charts/staging/
+    charts:
+      docker-registry:
+      - 2.3.1
   local-path-provisioner:
     repoURL: https://charts.containeroo.ch
     charts:

hack/addons/helm-chart-bundler/repos.yaml

@@ -0,0 +1,27 @@
+# Copyright 2025 Nutanix. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# NOTE This file is used by the tool in `hack/tools/helm-cm` to add
+# docker-registry chart metadata to the "helm-addons" ConfigMap. The tool takes
+# a kustomization as input. We do not use this file with kustomize.
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+metadata:
+  name: registry-distribution
+
+sortOptions:
+  order: fifo
+
+helmCharts:
+- name: docker-registry
+  repo: https://mesosphere.github.io/charts/staging/
+  releaseName: cncf-distribution-registry
+  version: 2.3.1
+  valuesFile: helm-values.yaml
+  includeCRDs: true
+  skipTests: true
+  namespace: registry-system
+
+namespace: registry-system

hack/addons/kustomize/cncf-distribution-registry/kustomization.yaml.tmpl

@@ -40,7 +40,10 @@ patches:
   path: ../../../patches/docker/csi.yaml
 - target:
     kind: Cluster
-  path: ../../../patches/nutanix/cosi.yaml
+  path: ../../../patches/docker/cosi.yaml
+- target:
+    kind: Cluster
+  path: ../../../patches/docker/registry.yaml
 - target:
     kind: Cluster
   path: ../../../patches/encryption.yaml

hack/examples/bases/docker/cluster/kustomization.yaml.tmpl

@@ -0,0 +1,6 @@
+# Copyright 2025 Nutanix. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+- op: "add"
+  path: "/spec/topology/variables/0/value/addons/registry"
+  value: {}

hack/examples/patches/docker/registry.yaml

@@ -17,18 +17,19 @@ import (
 type Component string
 
 const (
-	Autoscaler              Component = "cluster-autoscaler"
-	Tigera                  Component = "tigera-operator"
-	Cilium                  Component = "cilium"
-	NFD                     Component = "nfd"
-	NutanixStorageCSI       Component = "nutanix-storage-csi"
-	SnapshotController      Component = "snapshot-controller"
-	NutanixCCM              Component = "nutanix-ccm"
-	MetalLB                 Component = "metallb"
-	LocalPathProvisionerCSI Component = "local-path-provisioner-csi"
-	AWSEBSCSI               Component = "aws-ebs-csi"
-	AWSCCM                  Component = "aws-ccm"
-	COSIController          Component = "cosi-controller"
+	Autoscaler               Component = "cluster-autoscaler"
+	Tigera                   Component = "tigera-operator"
+	Cilium                   Component = "cilium"
+	NFD                      Component = "nfd"
+	NutanixStorageCSI        Component = "nutanix-storage-csi"
+	SnapshotController       Component = "snapshot-controller"
+	NutanixCCM               Component = "nutanix-ccm"
+	MetalLB                  Component = "metallb"
+	LocalPathProvisionerCSI  Component = "local-path-provisioner-csi"
+	AWSEBSCSI                Component = "aws-ebs-csi"
+	AWSCCM                   Component = "aws-ccm"
+	COSIController           Component = "cosi-controller"
+	CNCFDistributionRegistry Component = "cncf-distribution-registry"
 )
 
 type HelmChartGetter struct {