davad/argo
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

feat(docker-registry): add registry

Browse source
This commit is contained in:
David Landry 2024-10-16 15:13:35 -04:00
parent 5832b208f3
commit 68b63e6a53
13 changed files with 388 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
README.md
View file

@ -7,6 +7,7 @@ The private keys are:
- K8s cluster as a secret - K8s cluster as a secret
- MacOS - `$HOME/Library/Application Support/sops/age/keys.txt` - MacOS - `$HOME/Library/Application Support/sops/age/keys.txt`
- Linux - `$HOME/.config/sops/age/keys.txt`
## 1. Create the resource ## 1. Create the resource

24
apps/docker-registry/base/config.yml Normal file
View file

@ -0,0 +1,24 @@
health:
storagedriver:
enabled: true
interval: 10s
threshold: 3
http:
addr: :5000
debug:
addr: :5001
prometheus:
enabled: false
path: /metrics
headers:
X-Content-Type-Options:
- nosniff
log:
fields:
service: registry
storage:
cache:
blobdescriptor: inmemory
version: 0.1

85
apps/docker-registry/base/cronjob.yaml Normal file
View file

@ -0,0 +1,85 @@
---
# Source: docker-registry/templates/cronjob.yaml
apiVersion: batch/v1
kind: CronJob
metadata:
name: docker-registry-garbage-collector
namespace: gitops
labels:
app: docker-registry
chart: docker-registry-2.2.3
release: docker-registry
heritage: Helm
spec:
schedule: "0 1 * * *"
jobTemplate:
metadata:
labels:
app: docker-registry
release: docker-registry
annotations:
checksum/config: 7768037b11264d8a85079c7389faa0b2846b55771ae7ea102d41f7ea868676fb
checksum/secret: cf8de4fbecd435bc3788328888b074e895540fd0a0681fa391ee2d3f42e1e599
spec:
template:
spec:
securityContext:
fsGroup: 1000
runAsUser: 1000
containers:
- name: docker-registry
image: "registry:2.8.1"
imagePullPolicy: IfNotPresent
command:
- /bin/registry
- garbage-collect
- --delete-untagged=true
- /etc/docker/registry/config.yml
env:
- name: REGISTRY_HTTP_SECRET
valueFrom:
secretKeyRef:
name: docker-registry-secret
key: haSharedSecret
- name: REGISTRY_AUTH
value: "htpasswd"
- name: REGISTRY_AUTH_HTPASSWD_REALM
value: "Registry Realm"
- name: REGISTRY_AUTH_HTPASSWD_PATH
value: "/auth/htpasswd"
- name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
value: "/var/lib/registry"
- name: REGISTRY_PROXY_REMOTEURL
value: https://registry-1.docker.io
- name: REGISTRY_PROXY_USERNAME
valueFrom:
secretKeyRef:
name: docker-registry-secret
key: proxyUsername
- name: REGISTRY_PROXY_PASSWORD
valueFrom:
secretKeyRef:
name: docker-registry-secret
key: proxyPassword
volumeMounts:
- name: "docker-registry-config"
mountPath: "/etc/docker/registry"
- name: auth
mountPath: /auth
readOnly: true
- name: data
mountPath: /var/lib/registry/
restartPolicy: OnFailure
volumes:
- name: docker-registry-config
configMap:
name: docker-registry-config
- name: auth
secret:
secretName: docker-registry-secret
items:
- key: htpasswd
path: htpasswd
- name: data
emptyDir: {}

102
apps/docker-registry/base/deployment.yaml Normal file
View file

@ -0,0 +1,102 @@
---
# Source: docker-registry/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: docker-registry
namespace: gitops
labels:
app: docker-registry
chart: docker-registry-2.2.3
release: docker-registry
heritage: Helm
spec:
selector:
matchLabels:
app: docker-registry
release: docker-registry
replicas: 1
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
type: RollingUpdate
minReadySeconds: 5
template:
metadata:
labels:
app: docker-registry
release: docker-registry
annotations:
updated-at/secret: 2024-10-16T14:38:25-04:00
spec:
securityContext:
fsGroup: 1000
runAsUser: 1000
containers:
- name: docker-registry
image: "registry:2.8.1"
imagePullPolicy: IfNotPresent
command:
- /bin/registry
- serve
- /etc/docker/registry/config.yml
ports:
- containerPort: 5000
livenessProbe:
httpGet:
path: /
port: 5000
readinessProbe:
httpGet:
path: /
port: 5000
resources:
{}
env:
- name: REGISTRY_HTTP_SECRET
valueFrom:
secretKeyRef:
name: docker-registry-secret
key: haSharedSecret
- name: REGISTRY_AUTH
value: "htpasswd"
- name: REGISTRY_AUTH_HTPASSWD_REALM
value: "Registry Realm"
- name: REGISTRY_AUTH_HTPASSWD_PATH
value: "/auth/htpasswd"
- name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
value: "/var/lib/registry"
- name: REGISTRY_PROXY_REMOTEURL
value: https://registry-1.docker.io
- name: REGISTRY_PROXY_USERNAME
valueFrom:
secretKeyRef:
name: docker-registry-secret
key: proxyUsername
- name: REGISTRY_PROXY_PASSWORD
valueFrom:
secretKeyRef:
name: docker-registry-secret
key: proxyPassword
volumeMounts:
- name: "docker-registry-config"
mountPath: "/etc/docker/registry"
- name: auth
mountPath: /auth
readOnly: true
- name: data
mountPath: /var/lib/registry/
volumes:
- name: docker-registry-config
configMap:
name: docker-registry-config
- name: auth
secret:
secretName: docker-registry-secret
items:
- key: htpasswd
path: htpasswd
- name: data
persistentVolumeClaim:
claimName: docker-registry

33
apps/docker-registry/base/ingress.yaml Normal file
View file

@ -0,0 +1,33 @@
---
# Source: docker-registry/templates/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: docker-registry
namespace: gitops
labels:
app: docker-registry
chart: docker-registry-2.2.3
release: docker-registry
heritage: Helm
annotations:
cert-manager.io/cluster-issuer: letsencrypt-issuer
nginx.ingress.kubernetes.io/whitelist-source-range: 192.168.1.1/16
spec:
ingressClassName: nginx
rules:
- host: registry.int.nc.landry.land
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: docker-registry
port:
name: http
tls:
- hosts:
- registry.int.nc.landry.land
secretName: registry-tls

14
apps/docker-registry/base/kustomization.yaml Normal file
View file

@ -0,0 +1,14 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- deployment.yaml
- ingress.yaml
- pvc.yaml
- secret.yaml
- service.yaml
configMapGenerator:
- name: docker-registry-config
files:
- config.yml

19
apps/docker-registry/base/pdb.yaml Normal file
View file

@ -0,0 +1,19 @@
---
# Source: docker-registry/templates/poddisruptionbudget.yaml
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: docker-registry
namespace: gitops
labels:
app: docker-registry
chart: docker-registry-2.2.3
release: docker-registry
heritage: Helm
spec:
selector:
matchLabels:
app: docker-registry
release: docker-registry
maxUnavailable: 1

19
apps/docker-registry/base/pvc.yaml Normal file
View file

@ -0,0 +1,19 @@
---
# Source: docker-registry/templates/pvc.yaml
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: docker-registry
namespace: gitops
labels:
app: docker-registry
chart: "docker-registry-2.2.3"
release: "docker-registry"
heritage: "Helm"
spec:
accessModes:
- "ReadWriteOnce"
resources:
requests:
storage: "10Gi"

23
apps/docker-registry/base/service.yaml Normal file
View file

@ -0,0 +1,23 @@
---
# Source: docker-registry/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: docker-registry
namespace: gitops
labels:
app: docker-registry
chart: docker-registry-2.2.3
release: docker-registry
heritage: Helm
spec:
type: ClusterIP
ports:
- port: 5000
protocol: TCP
name: http
targetPort: 5000
selector:
app: docker-registry
release: docker-registry

11
apps/docker-registry/overlays/system/config.json Normal file
View file

@ -0,0 +1,11 @@
{
"appName": "docker-registry",
"userGivenName": "docker-registry",
"destNamespace": "gitops",
"destServer": "https://kubernetes.default.svc",
"srcPath": "apps/docker-registry/overlays/system",
"srcRepoURL": "ssh://git@gitea-ssh.gitops.svc.cluster.local:2222/davad/argo.git",
"srcTargetRevision": "",
"labels": null,
"annotations": null
}

7
apps/docker-registry/overlays/system/kustomization.yaml Normal file
View file

@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../base
generators:
- ./secret-generator.yaml

15
apps/docker-registry/overlays/system/secret-generator.yaml Normal file
View file

@ -0,0 +1,15 @@
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
# Specify a name
name: example-secret-generator
annotations:
config.kubernetes.io/function: |
exec:
# if the binary is in your PATH, you can do
path: ksops
# otherwise, path should be relative to manifest files, like
# path: ../../../ksops
files:
- ./secret.enc.yaml

35
apps/docker-registry/overlays/system/secret.enc.yaml Normal file
View file

@ -0,0 +1,35 @@
apiVersion: v1
kind: Secret
metadata:
name: docker-registry-secret
namespace: gitops
labels:
app: docker-registry
chart: docker-registry-2.2.3
heritage: Helm
release: docker-registry
type: Opaque
data:
haSharedSecret: ENC[AES256_GCM,data:dgRMWyF9kyMhMHynTYMWMxqTDL/6EYsO,iv:IGd+MNtxq0cibygkBsap/WZ8s44QoyJmSF9NMKOsEAo=,tag:1Zfu3XqafoSDgGj3ho+8hg==,type:str]
proxyUsername: ""
proxyPassword: ""
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1y26vr5qt6th3wu92rnsgkqcpxxah3pqkqa4khcjjycm3kg40aqyqjgfzx9
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2a3RsN3BGemhkRktLdWNp
NWRHbFhabkNWTEMyVW9hWUhhbFJuOEJJMm5FCldNeUVLdkQ1VFhOVGEzWWo0Vzll
RHA5NzNmM1pWZUFvZ3pnckpBWXJLVEEKLS0tIENrRUhsVS9LMGg2a2JuRVJ0VlQ3
R3BETWo3ZHV3UUxBS09tYVJWczkra2MKOv4wJ8IjKUupgQe7YEN9dN0OnPUisLbd
aG7Goa1kbH7VwKY0QCnF0u63z6rqlrh5KxakyBZnfeWq9jJ6xJtmCQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-16T18:41:37Z"
mac: ENC[AES256_GCM,data:n9vZ2xMPoUngFkuSBuvBD7r0K4XIp5wiTAX+OzpO+Bt1uhp8b5Ob3b7SZ3qq/emhwrCj7xVzbK2OUBLenpR4R5PpzM3+S+0zqT7u51gSjCmlMFxsWIXuCqv2v80+VrerRhxDJln0BM2QgZRl4XyT71826l9YfBwYfybUnDpXkrE=,iv:GdrpuJOjB7EgBHw7ACEht8CNdDZ5mwO6kJH0a+C4Ji0=,tag:9+5wHUhwN/ybvyL8mKAIGQ==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.9.1