Registry add TLS and authentication support #8229

Merged
merged 2 commits into from
Dec 7, 2021
24 changes: 24 additions & 0 deletions roles/kubernetes-apps/registry/defaults/main.yml
Expand Up @@ -5,3 +5,27 @@ registry_storage_access_mode: "ReadWriteOnce"
registry_disk_size: "10Gi"
registry_port: 5000
registry_replica_count: 1
# name of kubernetes secret for registry TLS certs
registry_tls_secret: ""

registry_htpasswd: ""

# registry configuration
# see: https://docs.docker.com/registry/configuration/#list-of-configuration-options
registry_config:
version: 0.1
log:
fields:
service: registry
storage:
cache:
blobdescriptor: inmemory
http:
addr: :{{ registry_port }}
headers:
X-Content-Type-Options: [nosniff]
health:
storagedriver:
enabled: true
interval: 10s
threshold: 3
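Review bot: `registry_htpasswd` is a credential-bearing default and lacks the comment its neighbour `registry_tls_secret` has; I would add `# full contents of an htpasswd file (bcrypt entries only, per the registry's htpasswd backend docs); keep this in Ansible Vault` above it. The `registry_tls_secret` comment should also spell out what registry-rs.yml.j2 expects of that Secret, since it mounts it and reads fixed file names: `# name of an existing kubernetes.io/tls Secret (keys tls.crt and tls.key) in registry_namespace`. With both variables left at their empty defaults the registry serves plain HTTP with no authentication, i.e. anonymous push and pull from anything that can reach the Service, which is worth stating next to the defaults so operators do not assume the new knobs are on. The `http.addr` entry in `registry_config` duplicates the `REGISTRY_HTTP_ADDR` env var the ReplicaSet template still sets; keeping one of the two avoids the pair drifting apart.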
2 changes: 2 additions & 0 deletions roles/kubernetes-apps/registry/tasks/main.yml
Expand Up @@ -15,6 +15,8 @@
- { name: registry-sa, file: registry-sa.yml, type: sa }
- { name: registry-proxy-sa, file: registry-proxy-sa.yml, type: sa }
- { name: registry-svc, file: registry-svc.yml, type: svc }
- { name: registry-secrets, file: registry-secrets.yml, type: secrets }
- { name: registry-cm, file: registry-cm.yml, type: cm }
- { name: registry-rs, file: registry-rs.yml, type: rs }
- { name: registry-proxy-ds, file: registry-proxy-ds.yml, type: ds }
registry_templates_for_psp:
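--- a/roles/kubernetes-apps/registry/templates/registry-cm.yml.j2
+++ b/roles/kubernetes-apps/registry/templates/registry-cm.yml.j2
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: registry-config
+  namespace: {{ registry_namespace }}
+{% if registry_config %}
+data:
+  config.yml: |-
+    {{ registry_config | to_yaml(indent=2, width=1337) | indent(width=4) }}
+{% endif %}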
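Review bot: The `{% if registry_config %}` guard produces a ConfigMap with no `data` key when the variable is overridden to empty, yet registry-rs.yml.j2 always starts the registry with `serve /etc/docker/registry/config.yml`, so the pod would fail on a missing file rather than fall back to anything; since the shipped default is never empty I would drop the guard, or fail early in tasks/main.yml with `assert: { that: registry_config, fail_msg: "registry_config must not be empty" }`. The `width=1337` argument deserves a one-line comment, presumably `{# width=1337: stop PyYAML folding long values, which would break the re-indent below #}`, and it is worth noting that `indent(width=4)` leaves the first line untouched, which is why the expression itself must sit four spaces in under `config.yml: |-`.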
52 changes: 52 additions & 0 deletions roles/kubernetes-apps/registry/templates/registry-rs.yml.j2
Expand Up @@ -33,24 +33,60 @@ spec:
- name: registry
image: {{ registry_image_repo }}:{{ registry_image_tag }}
imagePullPolicy: {{ k8s_image_pull_policy }}
command:
- /bin/registry
- serve
- /etc/docker/registry/config.yml
env:
- name: REGISTRY_HTTP_ADDR
value: :{{ registry_port }}
- name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
value: /var/lib/registry
{% if registry_htpasswd != "" %}
- name: REGISTRY_AUTH
value: "htpasswd"
- name: REGISTRY_AUTH_HTPASSWD_REALM
value: "Registry Realm"
- name: REGISTRY_AUTH_HTPASSWD_PATH
value: "/auth/htpasswd"
{% endif %}
{% if registry_tls_secret != "" %}
- name: REGISTRY_HTTP_TLS_CERTIFICATE
value: /etc/ssl/docker/tls.crt
- name: REGISTRY_HTTP_TLS_KEY
value: /etc/ssl/docker/tls.key
{% endif %}
volumeMounts:
- name: registry-pvc
mountPath: /var/lib/registry
- name: registry-config
mountPath: /etc/docker/registry
{% if registry_htpasswd != "" %}
- name: auth
mountPath: /auth
readOnly: true
{% endif %}
{% if registry_tls_secret != "" %}
- name: tls-cert
mountPath: /etc/ssl/docker
readOnly: true
{% endif %}
ports:
- containerPort: {{ registry_port }}
name: registry
protocol: TCP
livenessProbe:
httpGet:
{% if registry_tls_secret != "" %}
scheme: HTTPS
{% endif %}
path: /
port: {{ registry_port }}
readinessProbe:
httpGet:
{% if registry_tls_secret != "" %}
scheme: HTTPS
{% endif %}
path: /
port: {{ registry_port }}
volumes:
Expand All @@ -60,4 +96,20 @@ spec:
claimName: registry-pvc
{% else %}
emptyDir: {}
{% endif %}
- name: registry-config
configMap:
name: registry-config
{% if registry_htpasswd != "" %}
- name: auth
secret:
secretName: registry-secret
items:
- key: htpasswd
path: htpasswd
{% endif %}
{% if registry_tls_secret != "" %}
- name: tls-cert
secret:
secretName: {{ registry_tls_secret }}
{% endif %}
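Review bot: When `registry_htpasswd` is set but `registry_tls_secret` is empty, the env block enables `REGISTRY_AUTH=htpasswd` on a plain-HTTP listener, so every client sends its password in clear to the registry; nothing in this template or the visible tasks rejects that combination. I would refuse it before templating, in tasks/main.yml, with `assert: { that: 'registry_htpasswd == "" or registry_tls_secret != ""', fail_msg: "registry_htpasswd requires registry_tls_secret; basic auth over plain HTTP exposes credentials" }`, or at minimum say so in a comment next to the `REGISTRY_AUTH` env entries. The `registry-config` ConfigMap mount lacks the `readOnly: true` that the new `auth` and `tls-cert` mounts carry; adding it keeps the three consistent. The `tls-cert` volume mounts the whole Secret without `items`, so the template silently assumes a kubernetes.io/tls-shaped Secret with `tls.crt`/`tls.key`, which a comment such as `# expects a kubernetes.io/tls Secret: tls.crt and tls.key` would make explicit. The `spec:` block these hunks edit starts and ends outside the hunks.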
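--- a/roles/kubernetes-apps/registry/templates/registry-secrets.yml.j2
+++ b/roles/kubernetes-apps/registry/templates/registry-secrets.yml.j2
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: registry-secret
+  namespace: {{ registry_namespace }}
+type: Opaque
+data:
+{% if registry_htpasswd != "" %}
+  htpasswd: {{ registry_htpasswd | b64encode }}
+{% endif %}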
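Review bot: The rendered manifest carries the raw htpasswd hashes, so whichever task in tasks/main.yml templates and applies registry-secrets.yml (outside this section) should run with `no_log: true`, otherwise the bcrypt lines show up in verbose playbook output and CI logs; `b64encode` is an encoding, not a protection. With an empty `registry_htpasswd` the guard leaves a bare `data:` key, i.e. `data: null`, which the API server accepts but reads as an accident; moving the `{% if %}` to wrap `data:` as well, or adding `# intentionally empty when htpasswd auth is off` inside the guard, makes the intent clear.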