Registry v2: Image Registry Operator

The ACP Image Registry Operator installs and manages a single Registry v2 instance. It reconciles Registry runtime resources from Config/cluster and pruning resources from ImagePruner/cluster.

Main Components

Component and purpose:

cluster-image-registry-operator Deployment
    Reconciles the singleton Registry from Config/cluster and ImagePruner/cluster.

image-registry Deployment
    Serves OCI push and pull traffic, authentication, authorization, storage access, health checks, and metrics.

image-api-server Deployment
    Serves the ACP Image API through Kubernetes API aggregation.

APIService/v1.image.alauda.io
    Registers image.alauda.io/v1 with the Kubernetes API server.

node-ca DaemonSet
    Distributes Registry CA trust and Registry service host mappings to nodes.

image-pruner CronJob
    Runs scheduled prune and garbage-collection workflows.

Managed imagePullSecret controller
    Creates, injects, refreshes, and removes ServiceAccount pull secrets for the internal Registry.

Install the Operator

Create the installation namespace:

kubectl get namespace image-registry-system >/dev/null 2>&1 || \
  kubectl create namespace image-registry-system

kubectl label namespace image-registry-system \
  cpaas.io/project=cpaas-system \
  pod-security.kubernetes.io/audit=privileged \
  pod-security.kubernetes.io/enforce=privileged \
  pod-security.kubernetes.io/warn=privileged \
  --overwrite

Create a Subscription:

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  annotations:
    cpaas.io/target-namespaces: ""
  name: cluster-image-registry-operator
  namespace: image-registry-system
spec:
  channel: stable
  installPlanApproval: Manual
  name: cluster-image-registry-operator
  source: platform
  sourceNamespace: cpaas-system

Approve the generated InstallPlan:

kubectl -n image-registry-system get installplan

kubectl -n image-registry-system patch installplan <installplan-name> \
  --type=merge \
  -p '{"spec":{"approved":true}}'

Wait for the Operator:

kubectl -n image-registry-system wait \
  --for=condition=Available \
  deployment/cluster-image-registry-operator \
  --timeout=300s

Change the Registry Management State

Enable the Registry by setting Config/cluster.spec.managementState to Managed:

kubectl patch configs.imageregistry.operator.alauda.io cluster \
  --type=merge \
  -p '{"spec":{"managementState":"Managed"}}'

To stop the Registry without deleting persistent data, set the management state to Removed:

kubectl patch configs.imageregistry.operator.alauda.io cluster \
  --type=merge \
  -p '{"spec":{"managementState":"Removed"}}'

Configure Image Pruning

Create or update the singleton ImagePruner/cluster:

apiVersion: imageregistry.operator.alauda.io/v1
kind: ImagePruner
metadata:
  name: cluster
spec:
  schedule: "0 0 * * *"
  suspend: false
  keepTagRevisions: 3
  keepYoungerThanDuration: 60m
  resources:
    requests:
      cpu: 500m
      memory: 500Mi
    limits:
      cpu: 500m
      memory: 500Mi

The Operator reconciles an image-pruner CronJob in image-registry-system. The CronJob uses the Registry v2 internal URL by default.

Check Operator and Registry Status

kubectl -n image-registry-system get subscription,csv,installplan
kubectl -n image-registry-system get deploy cluster-image-registry-operator image-registry image-api-server
kubectl -n image-registry-system get daemonset node-ca
kubectl -n image-registry-system get cronjob image-pruner
kubectl get apiservice v1.image.alauda.io
kubectl get configs.imageregistry.operator.alauda.io cluster -o yaml
kubectl get imagepruners.imageregistry.operator.alauda.io cluster -o yaml

Expected results:

  • The Operator CSV is Succeeded.
  • cluster-image-registry-operator, image-registry, and image-api-server are available.
  • node-ca is ready on target nodes.
  • APIService/v1.image.alauda.io is Available=True.
  • Config/cluster reports Available=True, Progressing=False, and Degraded=False.
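The two condition-based expectations in that list can be verified from the objects' status.conditions. The following script is an added example, not part of the Operator or this documentation; it assumes kubectl is on PATH and the current context points at the cluster where the Operator runs.

```shell
#!/bin/sh
# Added example, not part of the Operator: verify the expected conditions of
# Config/cluster and APIService/v1.image.alauda.io. Assumes kubectl is on PATH
# and the current context points at the cluster where the Operator runs.

# Print a resource's status.conditions as "Type=Status" lines, one per line.
# Argument: the resource as kubectl names it (e.g. apiservice/v1.image.alauda.io).
fetch_conditions() {
  kubectl get "$1" \
    -o jsonpath='{range .status.conditions[*]}{.type}={.status}{"\n"}{end}'
}

# Pure check, usable without a cluster: compare "Type=Status" lines ($2) for a
# named object ($1) against the expected Type=Status pairs ($3...). Prints one
# line per mismatch or missing condition and returns 1 if any was found.
check_conditions() {
  name=$1
  conds=$2
  shift 2
  rc=0
  for expected in "$@"; do
    want_type=${expected%=*}
    want_status=${expected#*=}
    got=$(printf '%s\n' "$conds" | grep "^${want_type}=" | head -n 1 | cut -d= -f2)
    if [ "$got" != "$want_status" ]; then
      echo "${name}: ${want_type} is '${got:-missing}', expected '${want_status}'"
      rc=1
    fi
  done
  return $rc
}

# Live check of the condition-based expectations listed above.
check_registry_expectations() {
  rc=0
  check_conditions "Config/cluster" \
    "$(fetch_conditions configs.imageregistry.operator.alauda.io/cluster)" \
    Available=True Progressing=False Degraded=False || rc=1
  check_conditions "APIService/v1.image.alauda.io" \
    "$(fetch_conditions apiservice/v1.image.alauda.io)" \
    Available=True || rc=1
  return $rc
}
```

Run check_registry_expectations after the Operator is Available; a non-zero exit with the printed condition names tells you which item of the troubleshooting table below to start from.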

Common Operator Issues

Symptom and what to check:

CSV is not Succeeded
    Check: Subscription, InstallPlan, CSV events, and the cpaas-system catalog source.

Config/cluster is Degraded=True
    Check: Config.status.conditions, Operator logs, Registry Pod events, storage, TLS Secret, and RBAC.

Registry Pod is Pending
    Check: PVC binding, node resources, node selectors, taints, tolerations, and topology constraints.

node-ca is not ready
    Check: DaemonSet scheduling, Pod logs, node trust configuration, and host mapping updates.