feat(docker-registry): add registry

README.md

@@ -7,6 +7,7 @@ The private keys are:
 
 - K8s cluster as a secret
 - MacOS - `$HOME/Library/Application Support/sops/age/keys.txt`
+- Linux - `$HOME/.config/sops/age/keys.txt`
 
 ## 1. Create the resource
 

apps/docker-registry/base/config.yml

@@ -0,0 +1,24 @@
+health:
+  storagedriver:
+    enabled: true
+    interval: 10s
+    threshold: 3
+http:
+  addr: :5000
+  debug:
+    addr: :5001
+    prometheus:
+      enabled: false
+      path: /metrics
+  headers:
+    X-Content-Type-Options:
+    - nosniff
+log:
+  fields:
+    service: registry
+storage:
+  cache:
+    blobdescriptor: inmemory
+version: 0.1
+
+

apps/docker-registry/base/cronjob.yaml

@@ -0,0 +1,85 @@
+---
+# Source: docker-registry/templates/cronjob.yaml
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: docker-registry-garbage-collector
+  namespace: gitops
+  labels:
+    app: docker-registry
+    chart: docker-registry-2.2.3
+    release: docker-registry
+    heritage: Helm
+spec:
+  schedule: "0 1 * * *"
+  jobTemplate:
+    metadata:
+      labels:
+        app: docker-registry
+        release: docker-registry
+      annotations:
+        checksum/config: 7768037b11264d8a85079c7389faa0b2846b55771ae7ea102d41f7ea868676fb
+        checksum/secret: cf8de4fbecd435bc3788328888b074e895540fd0a0681fa391ee2d3f42e1e599
+    spec:
+      template:
+        spec:
+          securityContext: 
+            fsGroup: 1000
+            runAsUser: 1000
+          containers:
+            - name: docker-registry
+              image: "registry:2.8.1"
+              imagePullPolicy: IfNotPresent
+              command:
+              - /bin/registry
+              - garbage-collect
+              - --delete-untagged=true
+              - /etc/docker/registry/config.yml
+              env: 
+                - name: REGISTRY_HTTP_SECRET
+                  valueFrom:
+                    secretKeyRef:
+                      name: docker-registry-secret
+                      key: haSharedSecret
+                - name: REGISTRY_AUTH
+                  value: "htpasswd"
+                - name: REGISTRY_AUTH_HTPASSWD_REALM
+                  value: "Registry Realm"
+                - name: REGISTRY_AUTH_HTPASSWD_PATH
+                  value: "/auth/htpasswd"
+                - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
+                  value: "/var/lib/registry"
+                - name: REGISTRY_PROXY_REMOTEURL
+                  value: https://registry-1.docker.io
+                - name: REGISTRY_PROXY_USERNAME
+                  valueFrom:
+                    secretKeyRef:
+                      name: docker-registry-secret
+                      key: proxyUsername
+                - name: REGISTRY_PROXY_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: docker-registry-secret
+                      key: proxyPassword
+              volumeMounts: 
+                - name: "docker-registry-config"
+                  mountPath: "/etc/docker/registry"
+                - name: auth
+                  mountPath: /auth
+                  readOnly: true
+                - name: data
+                  mountPath: /var/lib/registry/
+          restartPolicy: OnFailure
+          volumes: 
+            - name: docker-registry-config
+              configMap:
+                name: docker-registry-config
+            - name: auth
+              secret:
+                secretName: docker-registry-secret
+                items:
+                - key: htpasswd
+                  path: htpasswd
+            - name: data
+              emptyDir: {}
+

apps/docker-registry/base/deployment.yaml

@@ -0,0 +1,102 @@
+---
+# Source: docker-registry/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: docker-registry
+  namespace: gitops
+  labels:
+    app: docker-registry
+    chart: docker-registry-2.2.3
+    release: docker-registry
+    heritage: Helm
+spec:
+  selector:
+    matchLabels:
+      app: docker-registry
+      release: docker-registry
+  replicas: 1
+  strategy: 
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+    type: RollingUpdate
+  minReadySeconds: 5
+  template:
+    metadata:
+      labels:
+        app: docker-registry
+        release: docker-registry
+      annotations:
+        updated-at/secret: 2024-10-16T14:38:25-04:00
+    spec:
+      securityContext: 
+        fsGroup: 1000
+        runAsUser: 1000
+      containers:
+        - name: docker-registry
+          image: "registry:2.8.1"
+          imagePullPolicy: IfNotPresent
+          command:
+          - /bin/registry
+          - serve
+          - /etc/docker/registry/config.yml
+          ports:
+            - containerPort: 5000
+          livenessProbe:
+            httpGet:
+              path: /
+              port: 5000
+          readinessProbe:
+            httpGet:
+              path: /
+              port: 5000
+          resources: 
+            {}
+          env: 
+            - name: REGISTRY_HTTP_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: docker-registry-secret
+                  key: haSharedSecret
+            - name: REGISTRY_AUTH
+              value: "htpasswd"
+            - name: REGISTRY_AUTH_HTPASSWD_REALM
+              value: "Registry Realm"
+            - name: REGISTRY_AUTH_HTPASSWD_PATH
+              value: "/auth/htpasswd"
+            - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
+              value: "/var/lib/registry"
+            - name: REGISTRY_PROXY_REMOTEURL
+              value: https://registry-1.docker.io
+            - name: REGISTRY_PROXY_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: docker-registry-secret
+                  key: proxyUsername
+            - name: REGISTRY_PROXY_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: docker-registry-secret
+                  key: proxyPassword
+          volumeMounts: 
+            - name: "docker-registry-config"
+              mountPath: "/etc/docker/registry"
+            - name: auth
+              mountPath: /auth
+              readOnly: true
+            - name: data
+              mountPath: /var/lib/registry/
+      volumes: 
+        - name: docker-registry-config
+          configMap:
+            name: docker-registry-config
+        - name: auth
+          secret:
+            secretName: docker-registry-secret
+            items:
+            - key: htpasswd
+              path: htpasswd
+        - name: data
+          persistentVolumeClaim:
+            claimName: docker-registry

apps/docker-registry/base/ingress.yaml

@@ -0,0 +1,33 @@
+---
+# Source: docker-registry/templates/ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: docker-registry
+  namespace: gitops
+  labels:
+    app: docker-registry
+    chart: docker-registry-2.2.3
+    release: docker-registry
+    heritage: Helm
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-issuer
+    nginx.ingress.kubernetes.io/whitelist-source-range: 192.168.1.1/16
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: registry.int.nc.landry.land
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: docker-registry
+                port:
+                  name: http
+  tls:
+    - hosts:
+      - registry.int.nc.landry.land
+      secretName: registry-tls
+

apps/docker-registry/base/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - deployment.yaml
+  - ingress.yaml
+  - pvc.yaml
+  - secret.yaml
+  - service.yaml
+
+configMapGenerator:
+  - name: docker-registry-config
+    files:
+      - config.yml

apps/docker-registry/base/pdb.yaml

@@ -0,0 +1,19 @@
+---
+# Source: docker-registry/templates/poddisruptionbudget.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: docker-registry
+  namespace: gitops
+  labels:
+    app: docker-registry
+    chart: docker-registry-2.2.3
+    release: docker-registry
+    heritage: Helm
+spec:
+  selector:
+    matchLabels:
+      app: docker-registry
+      release: docker-registry
+  maxUnavailable: 1
+

apps/docker-registry/base/pvc.yaml

@@ -0,0 +1,19 @@
+---
+# Source: docker-registry/templates/pvc.yaml
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: docker-registry
+  namespace: gitops
+  labels:
+    app: docker-registry
+    chart: "docker-registry-2.2.3"
+    release: "docker-registry"
+    heritage: "Helm"
+spec:
+  accessModes:
+    - "ReadWriteOnce"
+  resources:
+    requests:
+      storage: "10Gi"
+

apps/docker-registry/base/service.yaml

@@ -0,0 +1,23 @@
+---
+# Source: docker-registry/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: docker-registry
+  namespace: gitops
+  labels:
+    app: docker-registry
+    chart: docker-registry-2.2.3
+    release: docker-registry
+    heritage: Helm
+spec:
+  type: ClusterIP
+  ports:
+    - port: 5000
+      protocol: TCP
+      name: http
+      targetPort: 5000
+  selector:
+    app: docker-registry
+    release: docker-registry
+

apps/docker-registry/overlays/system/config.json

@@ -0,0 +1,11 @@
+{
+  "appName": "docker-registry",
+  "userGivenName": "docker-registry",
+  "destNamespace": "gitops",
+  "destServer": "https://kubernetes.default.svc",
+  "srcPath": "apps/docker-registry/overlays/system",
+  "srcRepoURL": "ssh://git@gitea-ssh.gitops.svc.cluster.local:2222/davad/argo.git",
+  "srcTargetRevision": "",
+  "labels": null,
+  "annotations": null
+}

apps/docker-registry/overlays/system/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../base
+
+generators:
+  - ./secret-generator.yaml

apps/docker-registry/overlays/system/secret-generator.yaml

@@ -0,0 +1,15 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  # Specify a name
+  name: example-secret-generator
+  annotations:
+    config.kubernetes.io/function: |
+        exec:
+          # if the binary is in your PATH, you can do
+          path: ksops
+          # otherwise, path should be relative to manifest files, like
+          # path: ../../../ksops
+files:
+  - ./secret.enc.yaml
+

apps/docker-registry/overlays/system/secret.enc.yaml

@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: docker-registry-secret
+    namespace: gitops
+    labels:
+        app: docker-registry
+        chart: docker-registry-2.2.3
+        heritage: Helm
+        release: docker-registry
+type: Opaque
+data:
+    haSharedSecret: ENC[AES256_GCM,data:dgRMWyF9kyMhMHynTYMWMxqTDL/6EYsO,iv:IGd+MNtxq0cibygkBsap/WZ8s44QoyJmSF9NMKOsEAo=,tag:1Zfu3XqafoSDgGj3ho+8hg==,type:str]
+    proxyUsername: ""
+    proxyPassword: ""
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1y26vr5qt6th3wu92rnsgkqcpxxah3pqkqa4khcjjycm3kg40aqyqjgfzx9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2a3RsN3BGemhkRktLdWNp
+            NWRHbFhabkNWTEMyVW9hWUhhbFJuOEJJMm5FCldNeUVLdkQ1VFhOVGEzWWo0Vzll
+            RHA5NzNmM1pWZUFvZ3pnckpBWXJLVEEKLS0tIENrRUhsVS9LMGg2a2JuRVJ0VlQ3
+            R3BETWo3ZHV3UUxBS09tYVJWczkra2MKOv4wJ8IjKUupgQe7YEN9dN0OnPUisLbd
+            aG7Goa1kbH7VwKY0QCnF0u63z6rqlrh5KxakyBZnfeWq9jJ6xJtmCQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-10-16T18:41:37Z"
+    mac: ENC[AES256_GCM,data:n9vZ2xMPoUngFkuSBuvBD7r0K4XIp5wiTAX+OzpO+Bt1uhp8b5Ob3b7SZ3qq/emhwrCj7xVzbK2OUBLenpR4R5PpzM3+S+0zqT7u51gSjCmlMFxsWIXuCqv2v80+VrerRhxDJln0BM2QgZRl4XyT71826l9YfBwYfybUnDpXkrE=,iv:GdrpuJOjB7EgBHw7ACEht8CNdDZ5mwO6kJH0a+C4Ji0=,tag:9+5wHUhwN/ybvyL8mKAIGQ==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.1