@mjpitz
Last active November 5, 2020 14:45
Simple docker-registry deployment

  • docker-registry (mirror of dockerhub, backed by S3 and redis)
  • docker-auth (restricts access to images unauthenticated users can pull)
  • Ingress that sets both up behind a common domain

replicaCount: 2
updateStrategy:
  type: RollingUpdate
  rollingUpdate:
    maxSurge: 1
    maxUnavailable: 0
storage: "s3"
secrets:
  s3:
    accessKey: xxxx
    secretKey: xxxx
s3:
  region: xxxx
  regionEndpoint: xxxx
  bucket: xxxx-docker-images
  encrypt: false
  secure: true
# see https://docs.docker.com/registry/configuration/
configData:
  http:
    addr: :5000
    debug:
      addr: :5001
      prometheus:
        enabled: true
        path: /metrics
    headers:
      X-Content-Type-Options: [nosniff]
  storage:
    cache:
      blobdescriptor: redis
    maintenance:
      readonly:
        enabled: true
  redis:
    addr: redis-headless:6379
    password: xxxx
    db: 0
    dialtimeout: 10ms
    readtimeout: 10ms
    writetimeout: 10ms
    pool:
      maxidle: 16
      maxactive: 64
      idletimeout: 300s
  # obtained from https://hub.docker.com/settings/security
  proxy:
    remoteurl: https://registry-1.docker.io/
    username: xxxx
    password: xxxx
  health:
    storagedriver:
      enabled: true
      interval: 10s
      threshold: 3
    tcp:
      - addr: redis-headless:6379
        timeout: 3s
        interval: 10s
        threshold: 3

replicaCount: 2
secret:
  secretName: "auth-credentials"
configmap:
  data:
    token:
      issuer: "My Auth"
      expiration: 900
    users:
      "": {} # allow anonymous access
    acl:
      - match: { account: "", name: "GROUP/*" }
        actions: [ "pull" ]
        comment: "Anonymous users can pull GROUP"
ingress:
  enabled: false
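To check what the docker-auth ACL above actually grants before rolling it out, here is an added example (not part of the gist and not docker_auth's own code) that evaluates a token request against those rules using docker_auth-style first-match semantics. The matching details are an assumption modelled on docker_auth's behaviour: a glob `*` or `?` does not cross a `/`, a pattern written as `/.../` is a regular expression, an absent match field matches anything, and the first matching rule decides; the `authorize` and `match_field` helper names and the sample repository names are constructed for this example.

```python
"""Simplified evaluator for docker_auth-style ACL rules (constructed example)."""
import re

# Constructed to mirror the gist's docker-auth configmap: the anonymous
# account "" may only pull repositories directly under GROUP/.
USERS = {"": {}}  # "" enables anonymous access, as in the gist
ACL = [
    {
        "match": {"account": "", "name": "GROUP/*"},
        "actions": ["pull"],
        "comment": "Anonymous users can pull GROUP",
    },
]


def _glob_to_regex(pattern: str) -> str:
    """Translate a path.Match-style glob: '*' and '?' never cross a '/'."""
    out = ""
    for ch in pattern:
        if ch == "*":
            out += "[^/]*"
        elif ch == "?":
            out += "[^/]"
        else:
            out += re.escape(ch)
    return f"^{out}$"


def match_field(pattern, value: str) -> bool:
    """An absent pattern matches anything; '/.../' is a regular expression."""
    if pattern is None:
        return True
    if len(pattern) > 2 and pattern.startswith("/") and pattern.endswith("/"):
        return re.search(pattern[1:-1], value) is not None
    return re.match(_glob_to_regex(pattern), value) is not None


def authorize(account: str, repo: str, requested: list, acl=ACL, users=USERS) -> list:
    """Return the subset of `requested` actions the first matching rule grants.

    An account that is not in `users` would already have failed authentication,
    so it receives nothing; if no rule matches, the request is denied (empty list).
    """
    if account not in users:
        return []
    for rule in acl:
        m = rule["match"]
        if (
            match_field(m.get("account"), account)
            and match_field(m.get("type"), "repository")
            and match_field(m.get("name"), repo)
        ):
            allowed = set(rule["actions"])
            if "*" in allowed:
                return list(requested)
            return [a for a in requested if a in allowed]
    return []


if __name__ == "__main__":
    # Anonymous pull of GROUP/app is granted; push is silently dropped.
    print(authorize("", "GROUP/app", ["pull", "push"]))   # ['pull']
    # Nested names and other namespaces do not match "GROUP/*".
    print(authorize("", "GROUP/sub/app", ["pull"]))        # []
    print(authorize("", "other/app", ["pull"]))            # []
```

Two things worth noticing from the output: the rule strips `push` from a mixed request rather than rejecting the whole request, and `GROUP/*` does not cover a nested name such as `GROUP/sub/app`, so any repository layout with deeper paths needs its own rule.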

---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: registry
  annotations:
    kubernetes.io/ingress.class: "nginx"
    kubernetes.io/tls-acme: "true"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # these configuration settings are needed for docker pull to work
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
spec:
  tls:
    - secretName: registry-certs
      hosts:
        - ocr.sh
  rules:
    - host: ocr.sh
      http:
        paths:
          # /.*auth routes go to docker-auth
          - path: /auth
            backend:
              serviceName: docker-auth
              servicePort: 5001
          - path: /google_auth
            backend:
              serviceName: docker-auth
              servicePort: 5001
          - path: /github_auth
            backend:
              serviceName: docker-auth
              servicePort: 5001
          # /v2/ must go to the docker-registry
          - path: /v2/
            backend:
              serviceName: docker-registry
              servicePort: 5000

replicaCount: 2
updateStrategy:
  type: RollingUpdate
  rollingUpdate:
    maxSurge: 1
    maxUnavailable: 0
storage: "s3"
secrets:
  s3:
    accessKey: xxxx
    secretKey: xxxx
s3:
  region: xxxx
  regionEndpoint: xxxx
  bucket: xxxx-docker-images
  encrypt: false
  secure: true
extraVolumeMounts:
  - name: auth
    mountPath: "/etc/docker-auth/ssl/"
    readOnly: true
extraVolumes:
  - name: auth
    secret:
      secretName: auth-credentials
# see https://docs.docker.com/registry/configuration/
configData:
  auth:
    token:
      realm: "https://ocr.sh/auth"
      service: "ocr.sh"
      issuer: "My Auth" # must match issuer from docker-auth
      rootcertbundle: /etc/docker-auth/ssl/tls.crt
  http:
    addr: :5000
    debug:
      addr: :5001
      prometheus:
        enabled: true
        path: /metrics
    headers:
      X-Content-Type-Options: [nosniff]
  storage:
    cache:
      blobdescriptor: redis
    maintenance:
      readonly:
        enabled: true
  redis:
    addr: redis-headless:6379
    password: xxxx
    db: 0
    dialtimeout: 10ms
    readtimeout: 10ms
    writetimeout: 10ms
    pool:
      maxidle: 16
      maxactive: 64
      idletimeout: 300s
  # obtained from https://hub.docker.com/settings/security
  proxy:
    remoteurl: https://registry-1.docker.io/
    username: xxxx
    password: xxxx
  health:
    storagedriver:
      enabled: true
      interval: 10s
      threshold: 3
    tcp:
      - addr: redis-headless:6379
        timeout: 3s
        interval: 10s
        threshold: 3