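---
# Backend
#
# Service that routes traffic to the mlstudio-backend pods on port 5050.
apiVersion: v1
kind: Service
metadata:
  name: mlstudio-backend
  labels:
    app: mlstudio-backend
    tier: backend
spec:
  # NodePort publishes the backend on a port of every node. If only in-cluster
  # clients need it, ClusterIP (with an Ingress or `kubectl port-forward` for
  # operators) keeps it off the node addresses.
  type: NodePort
  ports:
    - port: 5050
      targetPort: 5050
      name: http
  selector:
    app: mlstudio-backend
    tier: backend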
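---
# Backend Deployment: a single pod with the API container and a buildah
# sidecar. The two share an emptyDir mounted at /home/mlstudio/backend/shared.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mlstudio-backend-deployment
  labels:
    app: mlstudio-backend
    tier: backend
spec:
  selector:
    matchLabels:
      app: mlstudio-backend
      tier: backend
  replicas: 1
  template:
    metadata:
      labels:
        app: mlstudio-backend
        tier: backend
    spec:
      containers:
        - name: mlstudio-backend
          # Based on `python:3.7.4-slim` with
          # `curl -fsSL https://get.docker.com | sh` for debugging.
          # `v0` is a mutable tag; pin by digest once this leaves debugging.
          image: gcr.io/ml-studio-255800/backend-amd64:v0
          imagePullPolicy: Always  # FIXME :: Debug only
          ports:
            - containerPort: 5050
          volumeMounts:
            - name: mlstudio-shared-containers-storage
              mountPath: /home/mlstudio/backend/shared
            # FIXME :: REMOVE
            # The node's Docker socket gives this container control of the
            # node's Docker daemon, which is root-equivalent on the host.
            # It must not ship outside a throwaway debug cluster.
            - name: dockersock
              mountPath: "/var/run/docker.sock"
        - name: mlstudio-buildah
          # Based on `centos` with `yum install podman buildah`.
          image: gcr.io/ml-studio-255800/buildah-amd64:v0
          imagePullPolicy: Always  # FIXME :: Debug only
          # FIXME :: Debug only
          # privileged removes the isolation between this container and the
          # node; drop it once builds work with a narrower securityContext.
          securityContext:
            privileged: true
          # `cat` with a tty keeps the container alive and idle.
          command:
            - cat
          tty: true
          resources:
            requests:
              cpu: 250m
              memory: 500Mi
          volumeMounts:
            - name: mlstudio-buildah-containers
              mountPath: /var/lib/containers
            - name: mlstudio-shared-containers-storage
              mountPath: /home/mlstudio/backend/shared
      volumes:
        # Source made explicit; a volume without one is defaulted to emptyDir.
        - name: mlstudio-buildah-containers
          emptyDir: {}
        - name: mlstudio-shared-containers-storage
          emptyDir: {}
        # FIXME :: REMOVE (see the dockersock mount on mlstudio-backend)
        - name: dockersock
          hostPath:
            path: /var/run/docker.sock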
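---
# Registry
#
# Service that routes traffic to the mlstudio-registry pods on port 5000.
apiVersion: v1
kind: Service
metadata:
  name: mlstudio-registry
  labels:
    app: mlstudio-registry
    tier: backend
spec:
  # NodePort publishes the registry on a port of every node. The certificate
  # generated for it only names the in-cluster DNS name, so ClusterIP is
  # enough when the only clients resolve the service name.
  type: NodePort
  ports:
    - port: 5000
      targetPort: 5000
      name: tcp
  selector:
    app: mlstudio-registry
    tier: backend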
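---
# Registry Deployment: one registry pod serving TLS on port 5000, storing
# image data on the mlstudio-registry-pv-claim PersistentVolumeClaim.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mlstudio-registry-deployment
  labels:
    app: mlstudio-registry
    tier: backend
spec:
  selector:
    matchLabels:
      app: mlstudio-registry
      tier: backend
  replicas: 1
  template:
    metadata:
      labels:
        app: mlstudio-registry
        tier: backend
    spec:
      containers:
        - name: mlstudio-registry
          # Built from the registry Dockerfile in this gist.
          # `v0` is a mutable tag; pin by digest once this leaves debugging.
          image: gcr.io/ml-studio-255800/registry-amd64:v0
          imagePullPolicy: Always  # FIXME :: Debug only
          env:
            - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
              value: /var/lib/registry
            # Both TLS paths point into the image's /certs directory; no
            # volume is mounted there, so the private key lives in the image.
            - name: REGISTRY_HTTP_TLS_CERTIFICATE
              value: /certs/domain.crt
            - name: REGISTRY_HTTP_TLS_KEY
              value: /certs/domain.key
            # NOTE(review): no REGISTRY_AUTH_* variables are set, so nothing
            # here requires clients to authenticate before pushing or
            # pulling. Confirm that is intended, given the NodePort Service.
          ports:
            - containerPort: 5000
          volumeMounts:
            - name: mlstudio-registry-pv-storage
              mountPath: /var/lib/registry
      volumes:
        - name: mlstudio-registry-pv-storage
          persistentVolumeClaim:
            claimName: mlstudio-registry-pv-claim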
# Registry image: upstream registry:2 plus the TLS files the Deployment reads
# from /certs.
FROM registry:2
LABEL maintainer="mostafa@mlstudioapp.com"
# NOTE(review): this copies the whole certs/ directory, including domain.key,
# so the TLS private key sits in an image layer readable by anyone who can
# pull the image. Mounting the key from a Kubernetes Secret at /certs would
# keep it out of the image.
COPY certs/ /certs/
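# CA-distribution image: carries the registry's public certificate so the
# registry-ca DaemonSet can copy it into each node's Docker trust directory.
FROM busybox
LABEL maintainer="mostafa@mlstudioapp.com"
# Copy only the public certificate. The DaemonSet reads /certs/domain.crt and
# nothing else; copying all of certs/ would also ship domain.key, the
# registry's private key, to every node that pulls this image.
COPY certs/domain.crt /certs/domain.crt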
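#!/bin/bash
# Generate the registry's self-signed certificate and private key from
# openssl.conf into certs/domain.crt and certs/domain.key.
# Each run overwrites both files with a fresh key pair.
set -euo pipefail

# openssl does not create the output directory itself.
mkdir -p certs

# Create the private key readable by the owner only. openssl.conf sets
# encrypt_key = no, so file permissions are the key's only protection.
umask 077

openssl req \
  -x509 -newkey rsa:4096 -days 1460 -config openssl.conf \
  -keyout certs/domain.key -out certs/domain.crt

# The certificate is public; restore normal read permissions on it.
chmod 644 certs/domain.crt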
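# Builds and pushes two images: the TLS-enabled registry and the busybox
# image that carries its certificate to the nodes.
IMAGE_NAME = registry
TAG = v0
REGISTRY = gcr.io/ml-studio-255800
ARCH = amd64
IMAGE = $(REGISTRY)/$(IMAGE_NAME)
MULTI_ARCH_IMG = $(IMAGE)-$(ARCH)
MULTI_ARCH_IMG_CA = $(IMAGE)-ca-$(ARCH)

CERT = certs/domain.crt

.PHONY: build push

# Generate the key pair as a normal target instead of a parse-time $(shell ...).
# A failure now stops the build instead of being swallowed. The key is also
# no longer silently replaced on every `make` invocation, which would
# invalidate certificates already distributed to the nodes.
$(CERT): generate_selfsigned_certificate.sh openssl.conf
	mkdir -p certs
	chmod +x generate_selfsigned_certificate.sh
	./generate_selfsigned_certificate.sh

build: $(CERT)
	docker build -f Dockerfile -t $(MULTI_ARCH_IMG):$(TAG) .
	docker build -f Dockerfile.ca -t $(MULTI_ARCH_IMG_CA):$(TAG) .

push: build
	docker push $(MULTI_ARCH_IMG):$(TAG)
	docker push $(MULTI_ARCH_IMG_CA):$(TAG)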
# OpenSSL request configuration for the registry's self-signed certificate.
# Consumed by `openssl req -x509 ... -config openssl.conf`.
[ req ]
distinguished_name = req_distinguished_name
# Extension section applied to the self-signed certificate.
x509_extensions = req_ext
default_md = sha256
# Take the subject from this file instead of prompting.
prompt = no
# The private key is written without a passphrase, so whoever can read
# certs/domain.key can use it; protect the file with permissions.
encrypt_key = no
[ req_distinguished_name ]
countryName = "NZ"
localityName = "Auckland"
organizationName = "ML Studio"
organizationalUnitName = "Registry"
commonName = "mlstudio-registry.default.svc.cluster.local"
emailAddress = "app@mlstudioapp.com"
[ req_ext ]
subjectAltName = @alt_names
# The only name in the certificate is the in-cluster service DNS name.
# Clients reaching the registry under any other name or an IP address will
# fail hostname verification.
[alt_names]
DNS = "mlstudio-registry.default.svc.cluster.local"
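---
# DaemonSet that installs the registry's certificate on every node so the
# node's Docker daemon trusts mlstudio-registry.default.svc.cluster.local.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: registry-ca
  labels:
    k8s-app: registry-ca
  annotations:
    sidecar.istio.io/inject: "false"
spec:
  selector:
    matchLabels:
      name: registry-ca
  template:
    metadata:
      labels:
        name: registry-ca
      annotations:
        # Istio reads the injection annotation from the pod, so it is
        # repeated here on the pod template.
        sidecar.istio.io/inject: "false"
    spec:
      containers:
        - name: registry-ca
          image: gcr.io/ml-studio-255800/registry-ca-amd64:v0
          # Copy the certificate from the image into the host directory, then
          # idle so the DaemonSet pod stays Running.
          command: ["sh"]
          args:
            - "-c"
            - "cp /certs/domain.crt /etc/docker/certs.d/mlstudio-registry.default.svc.cluster.local/ca.crt && exec tail -f /dev/null"
          volumeMounts:
            # Writable hostPath: this pod changes which registries the node's
            # Docker daemon trusts. Restrict who may edit this DaemonSet and
            # push to its image repository.
            - name: etc-docker
              mountPath: /etc/docker/certs.d/mlstudio-registry.default.svc.cluster.local
            # NOTE(review): the Secret is mounted at /home/core, but the
            # command copies /certs/domain.crt from the image. One of the two
            # certificate sources looks redundant; confirm which is intended.
            - name: ca-cert
              mountPath: /home/core
      terminationGracePeriodSeconds: 30
      volumes:
        - name: etc-docker
          hostPath:
            path: /etc/docker/certs.d/mlstudio-registry.default.svc.cluster.local
        - name: ca-cert
          secret:
            secretName: registry-ca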
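---
# Holds the registry's public certificate for the registry-ca DaemonSet.
# The certificate is not confidential; only certs/domain.key is, and it must
# never be placed here.
apiVersion: v1
kind: Secret
metadata:
  name: registry-ca
type: Opaque
data:
  # Generated using `cat certs/domain.crt | base64`.
  # The value must be a single line; GNU base64 wraps its output unless run
  # with `-w0`.
  # Placeholder: the original value was elided on this page.
  registry-ca: "<base64 of certs/domain.crt>"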