From 50bfd755d730f9b5d96666bf8d47355a31be84d8 Mon Sep 17 00:00:00 2001
From: Radon Rosborough
Date: Fri, 21 Apr 2023 16:41:28 -0700
Subject: [PATCH] Adapt docker registry to work on DigitalOcean
---
 env.yaml.bash | 8 ++++
 k8s/00-base/secrets.in.yaml | 30 ++++++++++++++
 k8s/02-services/riju-docker-registry.yaml | 48 +++++++++++++++++------
 3 files changed, 73 insertions(+), 13 deletions(-)
diff --git a/env.yaml.bash b/env.yaml.bash
index ebd6c24..e4b4696 100755
--- a/env.yaml.bash
+++ b/env.yaml.bash
@@ -12,6 +12,13 @@ networking:
 domain: riju.example.com # FIXME
 ip: x.y.z.w # FIXME
+s3:
+ accessKeyId: fixme
+ accessKeySecret: fixme
+ bucket: fixme
+ region: fixme
+ endpoint: fixme.digitaloceanspaces.com
+
 contact:
 letsEncryptEmail: ops@example.com # FIXME
 letsEncryptProductionEnabled: false
@@ -22,6 +29,7 @@ metallb:
 registry:
 password: "${registry_password}"
 htpasswd: "$(htpasswd -nbB admin "${registry_password}")"
+ httpSecret: "$(pwgen -s 16 1)"
 minio:
 accessKey: "$(head -c16 /dev/urandom | xxd -p)"
diff --git a/k8s/00-base/secrets.in.yaml b/k8s/00-base/secrets.in.yaml
index 7cffa97..0517abb 100644
--- a/k8s/00-base/secrets.in.yaml
+++ b/k8s/00-base/secrets.in.yaml
@@ -7,6 +7,36 @@ metadata:
 data:
 secretkey: "{{ .metallb.secretkey | b64enc }}"
+---
+kind: Secret
+apiVersion: v1
+metadata:
+ namespace: riju
+ name: s3-auth
+stringData:
+ access-key: "{{ .s3.accessKey }}"
+ secret-key: "{{ .s3.secretKey }}"
+
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ namespace: riju
+ name: s3-config
+data:
+ bucket: "{{ .s3.bucket }}"
+ region: "{{ .s3.region }}"
+ endpoint: "{{ .s3.endpoint }}"
+
+---
+kind: Secret
+apiVersion: v1
+metadata:
+ namespace: riju
+ name: registry-http-secret
+stringData:
+ http-secret: "{{ .registry.httpSecret }}"
+
 ---
 kind: Secret
 apiVersion: v1
diff --git a/k8s/02-services/riju-docker-registry.yaml b/k8s/02-services/riju-docker-registry.yaml
index 4eb007d..f5c4c20 100644
--- a/k8s/02-services/riju-docker-registry.yaml
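Review bot: The keys added under `s3:` here, `accessKeyId` and `accessKeySecret`, do not match the names the secrets.in.yaml hunk of this patch reads, `{{ .s3.accessKey }}` and `{{ .s3.secretKey }}`, so the rendered `s3-auth` Secret gets empty or error values for both fields and the registry cannot authenticate to the bucket. Either rename the two keys to `accessKey: fixme` and `secretKey: fixme` here, or change the two template references in secrets.in.yaml; the mismatch has to be fixed in exactly one of the two places. The neighbouring placeholder lines carry a trailing `# FIXME` marker, which the new `fixme` values could carry as well for consistency. The heredoc or function that emits this YAML starts and ends outside the hunk.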
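Review bot: `httpSecret: "$(pwgen -s 16 1)"` introduces a dependency on pwgen that nothing else in the visible file uses, so the script fails on a host where only the tools already required are installed; the minio block two lines down derives its random value with `$(head -c16 /dev/urandom | xxd -p)`. Using the same idiom, `httpSecret: "$(head -c16 /dev/urandom | xxd -p)"`, gives a secret of at least comparable strength (128 bits of entropy versus the alphanumeric 16-character pwgen output) and keeps the file's generated-secret style uniform. The enclosing heredoc or function starts and ends outside the hunk.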
+++ b/k8s/02-services/riju-docker-registry.yaml
@@ -1,24 +1,14 @@
 ---
-kind: StatefulSet
+kind: Deployment
 apiVersion: apps/v1
 metadata:
 namespace: riju
 name: docker-registry
 spec:
 replicas: 1
- serviceName: docker-registry
 selector:
 matchLabels:
 app: docker-registry
- volumeClaimTemplates:
- - metadata:
- name: data
- spec:
- accessModes: [ReadWriteOnce]
- resources:
- requests:
- storage: 128Gi
- storageClassName: openebs-hostpath
 template:
 metadata:
 labels:
@@ -59,14 +49,46 @@ spec:
 value: "Registry Realm"
 - name: REGISTRY_AUTH_HTPASSWD_PATH
 value: /var/run/registry/auth/htpasswd
+ - name: REGISTRY_HTTP_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: registry-http-secret
+ key: http-secret
+ - name: REGISTRY_STORAGE
+ value: s3
+ - name: REGISTRY_STORAGE_S3_REGIONENDPOINT
+ valueFrom:
+ configMapKeyRef:
+ name: s3-config
+ key: endpoint
+ - name: REGISTRY_STORAGE_S3_REGION
+ valueFrom:
+ configMapKeyRef:
+ name: s3-config
+ key: region
+ - name: REGISTRY_STORAGE_S3_BUCKET
+ valueFrom:
+ configMapKeyRef:
+ name: s3-config
+ key: bucket
+ - name: REGISTRY_STORAGE_S3_ACCESSKEY
+ valueFrom:
+ secretKeyRef:
+ name: s3-auth
+ key: access-key
+ - name: REGISTRY_STORAGE_S3_SECRETKEY
+ valueFrom:
+ secretKeyRef:
+ name: s3-auth
+ key: secret-key
+ - name: REGISTRY_STORAGE_S3_SECURE
+ value: "true"
 ports:
 - name: api
 containerPort: 5000
 volumeMounts:
 - name: auth
 mountPath: /var/run/registry/auth
- - name: data
- mountPath: /var/lib/registry
 ---
 kind: Service
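Review bot: Dropping `volumeClaimTemplates` along with the StatefulSet leaves the `data` PersistentVolumeClaim behind, because Kubernetes retains claims created from a template when the StatefulSet is deleted, and nothing in this patch copies its contents to the bucket; images already pushed to the registry will be missing after the switch unless they are re-pushed or migrated by hand. A comment above `kind: Deployment` such as `# Storage moved to S3; the old docker-registry `data` PVC is not migrated and must be cleaned up manually` (or the same sentence in the commit message) would make that rollout step explicit. The removed `/var/lib/registry` mount in the second hunk is part of the same consideration.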