Adapt docker registry to work on DigitalOcean

2023-04-21 16:41:28 -07:00 · 2023-04-21 16:41:28 -07:00 · 50bfd755d7
parent f0ab2399b9
commit 50bfd755d7
3 changed files with 73 additions and 13 deletions
--- a/env.yaml.bash
+++ b/env.yaml.bash
@ -12,6 +12,13 @@ networking:
  domain: riju.example.com  # FIXME
  ip: x.y.z.w  # FIXME

+s3:
+  accessKeyId: fixme
+  accessKeySecret: fixme
+  bucket: fixme
+  region: fixme
+  endpoint: fixme.digitaloceanspaces.com
+
 contact:
  letsEncryptEmail: ops@example.com  # FIXME
  letsEncryptProductionEnabled: false
@ -22,6 +29,7 @@ metallb:
 registry:
  password: "${registry_password}"
  htpasswd: "$(htpasswd -nbB admin "${registry_password}")"
+  httpSecret: "$(pwgen -s 16 1)"

 minio:
  accessKey: "$(head -c16 /dev/urandom | xxd -p)"
--- a/k8s/00-base/secrets.in.yaml
+++ b/k8s/00-base/secrets.in.yaml
@ -7,6 +7,36 @@ metadata:
 data:
  secretkey: "{{ .metallb.secretkey | b64enc }}"

+---
+kind: Secret
+apiVersion: v1
+metadata:
+  namespace: riju
+  name: s3-auth
+stringData:
+  access-key: "{{ .s3.accessKey }}"
+  secret-key: "{{ .s3.secretKey }}"
+
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  namespace: riju
+  name: s3-config
+data:
+  bucket: "{{ .s3.bucket }}"
+  region: "{{ .s3.region }}"
+  endpoint: "{{ .s3.endpoint }}"
+
+---
+kind: Secret
+apiVersion: v1
+metadata:
+  namespace: riju
+  name: registry-http-secret
+stringData:
+  http-secret: "{{ .registry.httpSecret }}"
+
 ---
 kind: Secret
 apiVersion: v1
--- a/k8s/02-services/riju-docker-registry.yaml
+++ b/k8s/02-services/riju-docker-registry.yaml
@ -1,24 +1,14 @@
 ---
-kind: StatefulSet
+kind: Deployment
 apiVersion: apps/v1
 metadata:
  namespace: riju
  name: docker-registry
 spec:
  replicas: 1
-  serviceName: docker-registry
  selector:
    matchLabels:
      app: docker-registry
-  volumeClaimTemplates:
-    - metadata:
-        name: data
-      spec:
-        accessModes: [ReadWriteOnce]
-        resources:
-          requests:
-            storage: 128Gi
-        storageClassName: openebs-hostpath
  template:
    metadata:
      labels:
@ -59,14 +49,46 @@ spec:
              value: "Registry Realm"
            - name: REGISTRY_AUTH_HTPASSWD_PATH
              value: /var/run/registry/auth/htpasswd
+            - name: REGISTRY_HTTP_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: registry-http-secret
+                  key: http-secret
+            - name: REGISTRY_STORAGE
+              value: s3
+            - name: REGISTRY_STORAGE_S3_REGIONENDPOINT
+              valueFrom:
+                configMapKeyRef:
+                  name: s3-config
+                  key: endpoint
+            - name: REGISTRY_STORAGE_S3_REGION
+              valueFrom:
+                configMapKeyRef:
+                  name: s3-config
+                  key: region
+            - name: REGISTRY_STORAGE_S3_BUCKET
+              valueFrom:
+                configMapKeyRef:
+                  name: s3-config
+                  key: bucket
+            - name: REGISTRY_STORAGE_S3_ACCESSKEY
+              valueFrom:
+                secretKeyRef:
+                  name: s3-auth
+                  key: access-key
+            - name: REGISTRY_STORAGE_S3_SECRETKEY
+              valueFrom:
+                secretKeyRef:
+                  name: s3-auth
+                  key: secret-key
+            - name: REGISTRY_STORAGE_S3_SECURE
+              value: "true"
          ports:
            - name: api
              containerPort: 5000
          volumeMounts:
            - name: auth
              mountPath: /var/run/registry/auth
-            - name: data
-              mountPath: /var/lib/registry

 ---
 kind: Service