feat(greenhouse): adds local registry sample

Makefile

@@ -355,13 +355,18 @@ cert-manager: kustomize
 	-$(KUSTOMIZE) build config/samples/cert-manager | kubectl apply -f -
 
 .PHONY: flux
-flux: kustomize
+flux: kustomize registry
 	-$(KUSTOMIZE) build config/samples/flux | kubectl apply -f -
 
 .PHONY: license
 license:
 	docker run --rm -v $(shell pwd):/github/workspace $(IMG_LICENSE_EYE) -c .github/licenserc.yaml header fix
 
+.PHONY: registry
+registry: kustomize
+	kubectl create namespace flux-system --dry-run=client -o yaml | kubectl apply -f -
+	-$(KUSTOMIZE) build config/samples/registry | kubectl apply -f -
+
 .PHONY: show-e2e-logs
 show-e2e-logs:
 	@for f in $(E2E_RESULT_DIR)/greenhouse-$(SCENARIO)-*.txt; do \

config/samples/flux/kustomization.yaml

@@ -31,6 +31,27 @@ patches:
             matchLabels:
               app.kubernetes.io/name: greenhouse
 
+  - target:
+      kind: Deployment
+      name: source-controller
+    patch: |
+      - op: add
+        path: /spec/template/spec/volumes/-
+        value:
+          name: registry-ca
+          secret:
+            secretName: local-registry-tls-certs
+            items:
+              - key: ca.crt
+                path: ca-certificates.crt
+      - op: add
+        path: /spec/template/spec/containers/0/volumeMounts/-
+        value:
+          name: registry-ca
+          mountPath: /etc/ssl/certs/ca-certificates.crt
+          subPath: ca-certificates.crt
+          readOnly: true          
+
   # do not apply image-reflector-controller and image-automation-controller
   - target:
       kind: Deployment
@@ -42,7 +63,7 @@ patches:
 
   - target:
       kind: Deployment
-      name: (image-reflector-controller|image-automation-controller)
+      name: (image-automation-controller|image-reflector-controller)
     patch: |
       apiVersion: apps/v1
       kind: Deployment

config/samples/registry/deployment/deployment.yaml

@@ -0,0 +1,94 @@
+# SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and Greenhouse contributors
+# SPDX-License-Identifier: Apache-2.0
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: registry
+  namespace: flux-system
+spec:
+  selector:
+    app: registry
+  ports:
+    - name: registry
+      port: 5000
+      targetPort: 5000
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: registry
+  namespace: flux-system
+  labels:
+    app: registry
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: registry
+  template:
+    metadata:
+      labels:
+        app: registry
+    spec:
+      enableServiceLinks: true
+      containers:
+        - name: registry
+          image: "registry:3"
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 5000
+          env:
+            - name: REGISTRY_STORAGE_DELETE_ENABLED
+              value: "true"
+            - name: REGISTRY_HTTP_TLS_CERTIFICATE
+              value: /certs/cert.pem
+            - name: REGISTRY_HTTP_TLS_KEY
+              value: /certs/key.pem
+            - name: REGISTRY_LOG_LEVEL
+              value: info
+            - name: OTEL_TRACES_EXPORTER
+              value: none
+          volumeMounts:
+            - mountPath: /certs
+              name: local-registry-tls-certs
+          readinessProbe:
+            httpGet:
+              path: /v2/
+              port: 5000
+              scheme: HTTPS
+            initialDelaySeconds: 10
+            timeoutSeconds: 2
+            periodSeconds: 25
+            failureThreshold: 3
+          livenessProbe:
+            httpGet:
+              path: /v2/
+              port: 5000
+              scheme: HTTPS
+            initialDelaySeconds: 15
+            timeoutSeconds: 2
+            periodSeconds: 25
+            failureThreshold: 3
+          resources:
+            limits:
+              memory: 1024Mi
+            requests:
+              cpu: 200m
+              memory: 512Mi
+      volumes:
+        - name: registry
+          emptyDir: {}
+        - name: local-registry-tls-certs
+          secret:
+            items:
+              - key: tls.crt
+                path: cert.pem
+              - key: tls.key
+                path: key.pem
+              - key: ca.crt
+                path: ca.pem
+            secretName: local-registry-tls-certs

config/samples/registry/deployment/kustomization.yaml

@@ -0,0 +1,9 @@
+# SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and Greenhouse contributors
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - deployment.yaml
+  - registry-tls.yaml

config/samples/registry/deployment/registry-tls.yaml

@@ -0,0 +1,73 @@
+# SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and Greenhouse contributors
+# SPDX-License-Identifier: Apache-2.0
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: local-registry-certificate
+  namespace: cert-manager
+spec:
+  commonName: cert-manager-registry-tls
+  isCA: true
+  secretName: local-registry-tls-certs
+  subject:
+    organizations:
+      - greenhouse
+  dnsNames:
+    - registry.flux-system.svc.cluster.local
+    - localhost
+  ipAddresses:
+    - 127.0.0.1
+    - ::1
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS8
+    size: 2048
+  issuerRef:
+    name: local-registry-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: local-registry-tls-certs
+  namespace: flux-system
+spec:
+  secretName: local-registry-tls-certs
+  dnsNames:
+    - registry.flux-system.svc.cluster.local
+    - localhost
+  ipAddresses:
+    - 127.0.0.1
+    - ::1
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS8
+    size: 2048
+  issuerRef:
+    name: registry-certificate-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: local-registry-issuer
+spec:
+  selfSigned: {}
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: registry-certificate-issuer
+spec:
+  ca:
+    secretName: local-registry-tls-certs

config/samples/registry/kustomization.yaml

@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and Greenhouse contributors
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./deployment

internal/flux/utils.go

@@ -15,6 +15,7 @@ import (
 
 const (
 	HelmRepositoryDefaultNamespace = "greenhouse" // TODO: make this configurable via args or env var
+	localHelmRepositoryName        = "registry-local"
 )
 
 const (
@@ -44,6 +45,10 @@ func ChartURLToName(repositoryURL string) (repositoryName string) {
 		}
 	}
 
+	if strings.Contains(repositoryName, "svc.cluster.local") {
+		return localHelmRepositoryName
+	}
+
 	repositoryName = strings.ReplaceAll(repositoryName, ".", "-")
 	repositoryName = strings.ReplaceAll(repositoryName, "/", "-")
 	return