ketches
diff --git a/‎.gitignore
Lines changed: 0 additions & 3 deletions b/‎.gitignore
Lines changed: 0 additions & 3 deletions
diff --git a/‎Makefile
Lines changed: 3 additions & 4 deletions b/‎Makefile
Lines changed: 3 additions & 4 deletions
diff --git a/‎README.md
Lines changed: 62 additions & 46 deletions b/‎README.md
Lines changed: 62 additions & 46 deletions
diff --git a/‎deploy/manifests.yaml
Lines changed: 24 additions & 24 deletions b/‎deploy/manifests.yaml
Lines changed: 24 additions & 24 deletions
diff --git a/‎examples/dockerhub-nginx.yaml
Lines changed: 1 addition & 1 deletion b/‎examples/dockerhub-nginx.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎go.mod
Lines changed: 34 additions & 36 deletions b/‎go.mod
Lines changed: 34 additions & 36 deletions
@@ -23,6 +23,3 @@ go.work
 .idea/
 .vscode/
 bin/
-
-tls.crt
-tls.key
@@ -1,14 +1,13 @@
 DOCKER_IMAGE := ketches/registry-proxy
 ALIYUN_IMAGE := registry.cn-hangzhou.aliyuncs.com/ketches/registry-proxy
-VERSION := v1.2.0
+VERSION := v1.2.1
 
 .PHONY: build
 build:
 	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o bin/amd64/registry-proxy main.go
 	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -o bin/arm64/registry-proxy main.go
-	- docker buildx use gobuilder
-	- docker buildx create --use --name gobuilder
-	docker buildx build --platform linux/amd64,linux/arm64 -t $(DOCKER_IMAGE):$(VERSION) -t $(ALIYUN_IMAGE):$(VERSION)  --push .
+	docker buildx create --use --name gobuilder 2>/dev/null || docker buildx use gobuilder
+	docker buildx build --platform linux/amd64,linux/arm64 -t $(DOCKER_IMAGE):$(VERSION) -t $(ALIYUN_IMAGE):$(VERSION) --push .
 
 .PHONY: deploy
 deploy:
 
@@ -5,26 +5,26 @@
 
 在 Kubernetes 集群中部署 Registry Proxy，自动帮助您使用镜像代理服务拉取新创建的 Pod 中的外网容器镜像（仅限公有镜像）。
 
-**适用场景**：
+**适用场景：**
 
-1. 无法拉取例如 K8s (registry.k8s.io) 、谷歌 (gcr.io) 等镜像；
-2. 龟速拉取例如 GitHub(ghcr.io)、RedHat(quay.io) 等镜像；
+1. 无法拉取例如 K8s (`registry.k8s.io`) 、谷歌 (`gcr.io`) 等镜像；
+2. 龟速拉取例如 GitHub(`ghcr.io`)、RedHat(`quay.io`) 等镜像；
 
-**代理清单**：
+**代理清单：**
 
 默认镜像代理服务支持的外网镜像仓库：
 
-- docker.io
-- registry.k8s.io
-- quay.io
-- ghcr.io
-- gcr.io
-- k8s.gcr.io
-- docker.cloudsmith.io
+- `docker.io`
+- `registry.k8s.io`
+- `quay.io`
+- `ghcr.io`
+- `gcr.io`
+- `k8s.gcr.io`
+- `docker.cloudsmith.io`
 
 ## 快速安装
 
-执行以下命令安装 registry-proxy（v1.1.0+ 版本）：
+执行以下命令安装 `registry-proxy`（`v1.1.0+` 版本）：
 
 ```bash
 export VERSION=$(curl -s https://api.github.com/repos/ketches/registry-proxy/releases/latest | jq -r .tag_name)
@@ -37,9 +37,9 @@ kubectl apply -f https://ghproxy.ketches.cn/https://raw.githubusercontent.com/ke
 
 ## 配置
 
-registry-proxy 安装后自动创建 ConfigMap `registry-proxy-config`，ConfigMap 内容为默认配置，可以通过修改 ConfigMap 来修改默认配置。
+`registry-proxy` 安装后自动创建 ConfigMap `registry-proxy-config`，ConfigMap 内容为默认配置，可以通过修改 ConfigMap 来修改默认配置。
 
-默认配置：
+### 默认配置
 
 ```yaml
 apiVersion: v1
@@ -65,28 +65,53 @@ data:
     - registry-proxy
     includeNamespaces:
     - *
+    podSelector: {}
+    namespaceSelector: {}
 ```
 
-> Notes：
+### 配置说明
+
+**enabled：**
+
+是否开启 registry-proxy 代理功能，boolean 类型，默认为 `true`, 可选值为 `true` 或 `false`；
+
+**proxies：**
+
+镜像代理地址，键为需要代理的镜像地址，值为代理地址，键值对形式，默认使用 [ketches/cloudflare-registry-proxy](https://github.com/ketches/cloudflare-registry-proxy) 镜像代理服务；
+
+> Note：
 >
-> 1. 默认使用 [ketches/cloudflare-registry-proxy](https://github.com/ketches/cloudflare-registry-proxy) 镜像代理服务；
-> 2. `enabled` 为 `true` 时，开启 registry-proxy 代理功能，为 `false` 时，关闭 registry-proxy 代理功能；
-> 2. 默认排除 `kube-system`、`kube-public`、`kube-node-lease`、`registry-proxy` 命名空间下的 Pod 容器镜像代理；
-> 3. 修改上述配置实时生效，无需重启 registry-proxy；
-> 4. 可以自定义代理地址，例如：`docker.io: docker.m.daocloud.io`;
-> 5. 可以去除代理地址，免去代理；
-> 6. 可以增加代理地址，例如：`mcr.microsoft.com: mcr.dockerproxy.com`；
-> 7. 可以通过向 [ketches/cloudflare-registry-proxy](https://github.com/ketches/cloudflare-registry-proxy) 项目 [提交 Issue](https://github.com/ketches/cloudflare-registry-proxy/issues/new) 来申请添加新的国外镜像代理服务
+> 可以通过向 [ketches/cloudflare-registry-proxy](https://github.com/ketches/cloudflare-registry-proxy) 项目 [提交 Issue](https://github.com/ketches/cloudflare-registry-proxy/issues/new) 来申请添加新的国外镜像代理服务
+
+**excludeNamespaces：**
+
+排除的命名空间，数组形式，默认排除 `kube-system`、`kube-public`、`kube-node-lease`、`registry-proxy` 命名空间下的 Pod 容器镜像代理；
+
+**includeNamespaces：**
+
+包含的命名空间，数组形式，默认 (`*`) 来包含被排除以外的所有命名空间下的 Pod 容器镜像代理；
+
+**podSelector：**
+
+Pod 选择器，键值对形式，默认为空，支持 Pod 选择器，例如：`app: nginx`；
+
+**namespaceSelector：**
+
+命名空间选择器，键值对形式，默认为空，支持命名空间选择器，例如：`owner: johndoe`；
 
 ## 实现原理
 
 使用 Mutating Webhook 准入控制器实现。 当集群中 Pod 创建时，Mutating Webhook 的工作流程如下：
 
-1. 判断 Pod 是否属于排除的命名空间，如果是，结束流程；
-2. 判断 Pod 是否属于包含的命名空间，如果不是，结束流程；
-3. 依次判断 Pod 中的容器镜像是否匹配代理仓库，如果是，替换为代理镜像；
+1. 当 Pod 创建时，Mutating Webhook 会拦截请求；
+2. 通过 `enabled` 参数判断是否开启代理功能，如果开启，继续流程；
+3. 通过 `excludeNamespaces` 和 `includeNamespaces` 参数判断 Pod 所在命名空间是否需要代理，如果是，继续流程；
+4. 通过 `namespaceSelector` 参数命名空间标签，如果匹配，继续流程；
+5. 通过 `podSelector` 参数匹配 Pod 标签，如果匹配，继续流程；
+6. 通过 `proxies` 参数判断 Pod 中的容器镜像是否需要代理，如果是，继续流程；
+7. 通过 `proxies` 参数替换容器镜像地址，完成代理，Mutating Webhook 响应请求，结束流程。
 
-![202311071243391](https://fs.poneding.com/images/202311071243391.png)
+![202410211328755.png](https://images.poneding.com/2024/10/202410211328755.png)
 
 ## 使用示例
 
@@ -99,7 +124,7 @@ kubectl apply -f https://raw.githubusercontent.com/ketches/registry-proxy/$VERSI
 kubectl apply -f https://ghproxy.ketches.cn/https://raw.githubusercontent.com/ketches/registry-proxy/$VERSION/examples/dockerhub-nginx.yaml
 ```
 
-示例中的 Pod 镜像为 `nginx:latest`，经过 registry-proxy 自动代理后，容器镜像变为 `docker.ketches.cn/library/nginx:latest`。
+示例中的 Pod 镜像为 `nginx:latest`，经过 `registry-proxy` 自动代理后，容器镜像变为 `docker.ketches.cn/library/nginx:latest`。
 
 验证：
 
@@ -109,7 +134,7 @@ kubectl get pod dockerhub-nginx -o=jsonpath='{.spec.containers[*].image}'
 
 ## 卸载&清理
 
-**卸载 registry-proxy**：
+**卸载**：
 
 ```bash
 # uninstall v1.0.0 version for example
@@ -131,22 +156,13 @@ kubectl delete -f https://ghproxy.ketches.cn/https://raw.githubusercontent.com/k
 
 ## 代理参考
 
-### Docker Hub 镜像代理
-
-常规镜像代理
-
-- ketches/registry-proxy:latest => docker.ketches.cn/ketches/registry-proxy:latest
-
-根镜像代理
-
-- nginx:latest => docker.ketches.cn/library/nginx:latest
-
-### Kubernetes 镜像代理
-
-常规镜像代理
-
-- registry.k8s.io/ingress-nginx/controller:v1.8.2 => k8s.ketches.cn/ingress-nginx/controller:v1.8.2
+| 镜像地址 | 代理地址 |
+| --- | --- |
+| nginx:latest | docker.ketches.cn/library/nginx:latest |
+| ketches/registry-proxy:latest | docker.ketches.cn/ketches/registry-proxy:latest |
+| registry.k8s.io/pause:3.9 | k8s.ketches.cn/pause:3.9 |
+| registry.k8s.io/ingress-nginx/controller:v1.8.2 | k8s.ketches.cn/ingress-nginx/controller:v1.8.2 |
 
-根镜像代理
+## ✨ Stars
 
-- registry.k8s.io/pause:3.9 => k8s.ketches.cn/pause:3.9
+[![Stars](https://starchart.cc/ketches/registry-proxy.svg)](https://starchart.cc/ketches/registry-proxy)
@@ -16,12 +16,12 @@ kind: ClusterRole
 metadata:
   name: registry-proxy
 rules:
-- apiGroups: [""]
-  resources: ["namespaces", "configmaps", "secrets"]
-  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-- apiGroups: ["admissionregistration.k8s.io"]
-  resources: ["mutatingwebhookconfigurations"]
-  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["namespaces", "configmaps", "secrets"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -33,9 +33,9 @@ roleRef:
   kind: ClusterRole
   name: registry-proxy
 subjects:
-- kind: ServiceAccount
-  name: registry-proxy
-  namespace: registry-proxy
+  - kind: ServiceAccount
+    name: registry-proxy
+    namespace: registry-proxy
 
 ---
 apiVersion: apps/v1
@@ -54,18 +54,18 @@ spec:
     spec:
       serviceAccountName: registry-proxy
       containers:
-      - name: registry-proxy
-        image: registry.cn-hangzhou.aliyuncs.com/ketches/registry-proxy:v1.2.0
-        imagePullPolicy: Always
-        resources:
-          requests:
-            memory: "64Mi"
-            cpu: "50m"
-          limits:
-            memory: "256Mi"
-            cpu: "200m"
-        ports:
-        - containerPort: 443
+        - name: registry-proxy
+          image: registry.cn-hangzhou.aliyuncs.com/ketches/registry-proxy:v1.2.1
+          imagePullPolicy: Always
+          resources:
+            requests:
+              memory: "64Mi"
+              cpu: "50m"
+            limits:
+              memory: "256Mi"
+              cpu: "200m"
+          ports:
+            - containerPort: 443
 
 ---
 apiVersion: v1
@@ -77,6 +77,6 @@ spec:
   selector:
     app: registry-proxy
   ports:
-  - port: 443
-    targetPort: 443
-  type: ClusterIP
+    - port: 443
+      targetPort: 443
+  type: ClusterIP
@@ -11,4 +11,4 @@ spec:
       resources:
         limits:
           memory: "256Mi"
-          cpu: "200m"
+          cpu: "200m"
@@ -1,68 +1,66 @@
 module github.com/ketches/registry-proxy
 
-go 1.21.3
+go 1.23.2
 
 require (
 	github.com/containers/image v3.0.2+incompatible
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/api v0.28.2
-	k8s.io/apimachinery v0.28.2
-	k8s.io/client-go v0.28.2
-	sigs.k8s.io/controller-runtime v0.16.2
+	k8s.io/api v0.31.1
+	k8s.io/apimachinery v0.31.1
+	k8s.io/client-go v0.31.1
+	sigs.k8s.io/controller-runtime v0.19.0
 )
 
 require (
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cespare/xxhash/v2 v2.2.0 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
-	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
-	github.com/fsnotify/fsnotify v1.6.0 // indirect
-	github.com/go-logr/logr v1.2.4 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
+	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
+	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/go-openapi/swag v0.22.4 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/uuid v1.3.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
 	github.com/imdario/mergo v0.3.6 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/prometheus/client_golang v1.16.0 // indirect
-	github.com/prometheus/client_model v0.4.0 // indirect
-	github.com/prometheus/common v0.44.0 // indirect
-	github.com/prometheus/procfs v0.10.1 // indirect
+	github.com/prometheus/client_golang v1.19.1 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/common v0.55.0 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/stretchr/testify v1.8.3 // indirect
-	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect
-	golang.org/x/net v0.13.0 // indirect
-	golang.org/x/oauth2 v0.8.0 // indirect
-	golang.org/x/sys v0.11.0 // indirect
-	golang.org/x/term v0.10.0 // indirect
-	golang.org/x/text v0.11.0 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc // indirect
+	golang.org/x/net v0.26.0 // indirect
+	golang.org/x/oauth2 v0.21.0 // indirect
+	golang.org/x/sys v0.21.0 // indirect
+	golang.org/x/term v0.21.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/protobuf v1.30.0 // indirect
+	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	k8s.io/apiextensions-apiserver v0.28.0 // indirect
-	k8s.io/component-base v0.28.1 // indirect
-	k8s.io/klog/v2 v2.100.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
-	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect
+	k8s.io/apiextensions-apiserver v0.31.0 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
+	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
-	sigs.k8s.io/yaml v1.3.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )
-Original file line number
+Diff line change
 .idea/
 .vscode/
 bin/
+-
 -tls.crt
 -tls.key