- docker-registry (mirror of dockerhub, backed by S3 and redis)
- docker-auth (restricts access to images unauthenticated users can pull)
- Ingress that sets both up behind a common domain
Last active
November 5, 2020 14:45
-
-
Save mjpitz/53e1d92cb0f2dc68e06e5c405f67e04f to your computer and use it in GitHub Desktop.
Simple docker-registry deployment
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| replicaCount: 2 | |
| updateStrategy: | |
| type: RollingUpdate | |
| rollingUpdate: | |
| maxSurge: 1 | |
| maxUnavailable: 0 | |
| storage: "s3" | |
| secrets: | |
| s3: | |
| accessKey: xxxx | |
| secretKey: xxxx | |
| s3: | |
| region: xxxx | |
| regionEndpoint: xxxx | |
| bucket: xxxx-docker-images | |
| encrypt: false | |
| securet: true | |
| # see https://docs.docker.com/registry/configuration/ | |
| configData: | |
| http: | |
| addr: :5000 | |
| debug: | |
| addr: :5001 | |
| prometheus: | |
| enabled: true | |
| path: /metrics | |
| headers: | |
| X-Content-Type-Options: [nosniff] | |
| storage: | |
| cache: | |
| blobdescriptor: redis | |
| maintenance: | |
| readonly: | |
| enabled: true | |
| redis: | |
| addr: redis-headless:6379 | |
| password: xxxx | |
| db: 0 | |
| dialtimeout: 10ms | |
| readtimeout: 10ms | |
| writetimeout: 10ms | |
| pool: | |
| maxidle: 16 | |
| maxactive: 64 | |
| idletimeout: 300s | |
| # obtained from https://hub.docker.com/settings/security | |
| proxy: | |
| remoteurl: https://registry-1.docker.io/ | |
| username: xxxx | |
| password: xxxx | |
| health: | |
| storagedriver: | |
| enabled: true | |
| interval: 10s | |
| threshold: 3 | |
| tcp: | |
| - addr: redis-headless:6379 | |
| timeout: 3s | |
| interval: 10s | |
| threshold: 3 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| replicaCount: 2 | |
| secret: | |
| secretName: "auth-credentials" | |
| configmap: | |
| data: | |
| token: | |
| issuer: "My Auth" | |
| expiration: 900 | |
| users: | |
| "": {} # allow anonymous access | |
| acl: | |
| - match: { account: "", name: "GROUP/*" } | |
| actions: [ "pull" ] | |
| comment: "Anonymous users can pull GROUP" | |
| ingress: | |
| enabled: false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| apiVersion: networking.k8s.io/v1beta1 | |
| kind: Ingress | |
| metadata: | |
| name: registry | |
| annotations: | |
| kubernetes.io/ingress.class: "nginx" | |
| kubernetes.io/tls-acme: "true" | |
| cert-manager.io/cluster-issuer: "letsencrypt-prod" | |
| nginx.ingress.kubernetes.io/ssl-redirect: "true" | |
| # these configuration settings are needed for docker pull to work | |
| nginx.ingress.kubernetes.io/proxy-body-size: "0" | |
| nginx.ingress.kubernetes.io/proxy-read-timeout: "600" | |
| nginx.ingress.kubernetes.io/proxy-send-timeout: "600" | |
| spec: | |
| tls: | |
| - secretName: registry-certs | |
| hosts: | |
| - ocr.sh | |
| rules: | |
| - host: ocr.sh | |
| http: | |
| paths: | |
| # /.*auth routes go to docker-auth | |
| - path: /auth | |
| backend: | |
| serviceName: docker-auth | |
| servicePort: 5001 | |
| - path: /google_auth | |
| backend: | |
| serviceName: docker-auth | |
| servicePort: 5001 | |
| - path: /github_auth | |
| backend: | |
| serviceName: docker-auth | |
| servicePort: 5001 | |
| # /v2/ must go to the docker-registry | |
| - path: /v2/ | |
| backend: | |
| serviceName: docker-registry | |
| servicePort: 5000 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| replicaCount: 2 | |
| updateStrategy: | |
| type: RollingUpdate | |
| rollingUpdate: | |
| maxSurge: 1 | |
| maxUnavailable: 0 | |
| storage: "s3" | |
| secrets: | |
| s3: | |
| accessKey: xxxx | |
| secretKey: xxxx | |
| s3: | |
| region: xxxx | |
| regionEndpoint: xxxx | |
| bucket: xxxx-docker-images | |
| encrypt: false | |
| securet: true | |
| extraVolumeMounts: | |
| - name: auth | |
| mountPath: "/etc/docker-auth/ssl/" | |
| readOnly: true | |
| extraVolumes: | |
| - name: auth | |
| secret: | |
| secretName: auth-credentials | |
| # see https://docs.docker.com/registry/configuration/ | |
| configData: | |
| auth: | |
| token: | |
| realm: "https://ocr.sh/auth" | |
| service: "ocr.sh" | |
| issuer: "My Auth" # must match issuer from docker-auth | |
| rootcertbundle: /etc/docker-auth/ssl/tls.crt | |
| http: | |
| addr: :5000 | |
| debug: | |
| addr: :5001 | |
| prometheus: | |
| enabled: true | |
| path: /metrics | |
| headers: | |
| X-Content-Type-Options: [nosniff] | |
| storage: | |
| cache: | |
| blobdescriptor: redis | |
| maintenance: | |
| readonly: | |
| enabled: true | |
| redis: | |
| addr: redis-headless:6379 | |
| password: xxxx | |
| db: 0 | |
| dialtimeout: 10ms | |
| readtimeout: 10ms | |
| writetimeout: 10ms | |
| pool: | |
| maxidle: 16 | |
| maxactive: 64 | |
| idletimeout: 300s | |
| # obtained from https://hub.docker.com/settings/security | |
| proxy: | |
| remoteurl: https://registry-1.docker.io/ | |
| username: xxxx | |
| password: xxxx | |
| health: | |
| storagedriver: | |
| enabled: true | |
| interval: 10s | |
| threshold: 3 | |
| tcp: | |
| - addr: redis-headless:6379 | |
| timeout: 3s | |
| interval: 10s | |
| threshold: 3 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment