feat: add registryMonitor.status.registryStatus to keep track of registries health

Author: plaffitt

api/kuik/v1alpha1/registrymonitor_types.go

@@ -22,13 +22,25 @@ type RegistryMonitorSpec struct {
 	Interval metav1.Duration `json:"interval"`
 }
 
+type RegistryStatus string
+
+const (
+	RegistryStatusUp   = RegistryStatus("Up")
+	RegistryStatusDown = RegistryStatus("Down")
+)
+
 // RegistryMonitorStatus defines the observed state of RegistryMonitor.
-type RegistryMonitorStatus struct{}
+type RegistryMonitorStatus struct {
+	// RegistryStatus is the status of the registry being monitored
+	// +kubebuilder:validation:Enum=Up;Down
+	RegistryStatus RegistryStatus `json:"registryStatus"`
+}
 
 // +kubebuilder:object:root=true
 // +kubebuilder:subresource:status
 // +kubebuilder:resource:scope=Cluster,shortName=regmon
 // +kubebuilder:printcolumn:name="Registry",type="string",JSONPath=".spec.registry"
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.registryStatus"
 // +kubebuilder:printcolumn:name="Parallel",type="integer",JSONPath=".spec.parallel"
 // +kubebuilder:printcolumn:name="MaxPerInterval",type="integer",JSONPath=".spec.maxPerInterval"
 // +kubebuilder:printcolumn:name="Interval",type="string",JSONPath=".spec.interval"

config/crd/bases/kuik.enix.io_registrymonitors.yaml

@@ -20,6 +20,9 @@ spec:
     - jsonPath: .spec.registry
       name: Registry
       type: string
+    - jsonPath: .status.registryStatus
+      name: Status
+      type: string
     - jsonPath: .spec.parallel
       name: Parallel
       type: integer
@@ -83,6 +86,15 @@ spec:
             type: object
           status:
             description: RegistryMonitorStatus defines the observed state of RegistryMonitor.
+            properties:
+              registryStatus:
+                description: RegistryStatus is the status of the registry being monitored
+                enum:
+                - Up
+                - Down
+                type: string
+            required:
+            - registryStatus
             type: object
         type: object
     served: true

helm/kube-image-keeper/crds/kuik.enix.io_registrymonitors.yaml

@@ -19,6 +19,9 @@ spec:
     - jsonPath: .spec.registry
       name: Registry
       type: string
+    - jsonPath: .status.registryStatus
+      name: Status
+      type: string
     - jsonPath: .spec.parallel
       name: Parallel
       type: integer
@@ -82,6 +85,15 @@ spec:
             type: object
           status:
             description: RegistryMonitorStatus defines the observed state of RegistryMonitor.
+            properties:
+              registryStatus:
+                description: RegistryStatus is the status of the registry being monitored
+                enum:
+                - Up
+                - Down
+                type: string
+            required:
+            - registryStatus
             type: object
         type: object
     served: true

internal/controller/kuik/registrymonitor_controller.go

@@ -20,6 +20,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 )
 
 const (
@@ -87,6 +88,21 @@ func (r *RegistryMonitorReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 
 	log.Info("found images matching registry", "count", len(images.Items), "monitoredDuringInterval", monitoredDuringInterval)
 
+	patch := client.MergeFrom(registryMonitor.DeepCopy())
+	registryMonitor.Status.RegistryStatus = kuikv1alpha1.RegistryStatusUp
+	err := registry.HealthCheck(registryMonitor.Spec.Registry, nil, nil)
+	if err != nil {
+		registryMonitor.Status.RegistryStatus = kuikv1alpha1.RegistryStatusDown
+	}
+
+	if errStatus := r.Status().Patch(ctx, &registryMonitor, patch); errStatus != nil {
+		return reconcile.Result{}, fmt.Errorf("failed to patch registrymonitor status: %w", errStatus)
+	}
+
+	if err != nil {
+		return reconcile.Result{}, fmt.Errorf("registry seems to be down, skipping monitoring of images: %w", err)
+	}
+
 	for i := range min(min(registryMonitor.Spec.MaxPerInterval-monitoredDuringInterval, registryMonitor.Spec.Parallel), len(images.Items)) {
 		image := images.Items[i]
 		logImage := logf.Log.WithValues("controller", "imagemonitor", "image", klog.KObj(&image), "reference", image.Reference()).V(1)

internal/registry/registry.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"net/http"
 	"slices"
+	"time"
 
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/name"
@@ -37,17 +38,42 @@ func GetDescriptor(imageName string, insecureRegistries []string, rootCAs *x509.
 	return remote.Get(sourceRef, opts...)
 }
 
-func options(ref name.Reference, keychain authn.Keychain, insecureRegistries []string, rootCAs *x509.CertPool) []remote.Option {
-	auth := remote.WithAuthFromKeychain(keychain)
-	opts := []remote.Option{auth}
+func HealthCheck(registry string, insecureRegistries []string, rootCAs *x509.CertPool) error {
+	client := &http.Client{
+		Transport: unauthenticatedTransport(registry, insecureRegistries, rootCAs),
+		Timeout:   5 * time.Second, // TODO: make this configurable
+	}
+
+	url := "https://" + registry + "/v2/"
+
+	resp, err := client.Head(url)
+	if err != nil {
+		return err
+	}
+
+	_ = resp.Body.Close()
+
+	if slices.Contains([]int{http.StatusOK, http.StatusUnauthorized, http.StatusForbidden}, resp.StatusCode) {
+		return nil
+	}
+	return fmt.Errorf("unexpected status: %d", resp.StatusCode)
+}
+
+func unauthenticatedTransport(registry string, insecureRegistries []string, rootCAs *x509.CertPool) *http.Transport {
 	transport := http.DefaultTransport.(*http.Transport).Clone()
 	transport.TLSClientConfig = &tls.Config{RootCAs: rootCAs}
 
-	if slices.Contains(insecureRegistries, ref.Context().Registry.RegistryStr()) {
+	if slices.Contains(insecureRegistries, registry) {
 		transport.TLSClientConfig.InsecureSkipVerify = true
 	}
 
-	opts = append(opts, remote.WithTransport(transport))
+	return transport
+}
 
-	return opts
+func options(ref name.Reference, keychain authn.Keychain, insecureRegistries []string, rootCAs *x509.CertPool) []remote.Option {
+	transport := unauthenticatedTransport(ref.Context().RegistryStr(), insecureRegistries, rootCAs)
+	return []remote.Option{
+		remote.WithAuthFromKeychain(keychain),
+		remote.WithTransport(transport),
+	}
 }