From 2720a8b2217199537a1accd412ade19a17f238bc Mon Sep 17 00:00:00 2001
From: richard
Date: Sun, 30 Oct 2022 13:52:42 -0400
Subject: [PATCH] docker-registry app setup

---
 .../roles/glusterfs-server/defaults/main.yaml | 4 +-
 ansible-5/roles/prod.k3s/defaults/main.yml | 14 +++-
 .../certificate.xai-corp.prod.yaml | 1 +
 .../prod.k3s/files/dkregistry/values.yaml | 27 +++++++
 .../tasks/deployments/dkregistry.yaml | 79 +++++++++++++++++++
 ansible-5/roles/prod.k3s/tasks/main.yml | 5 ++
 .../templates/dkregistry/deployment.yaml | 41 ++++++++++
 .../templates/dkregistry/ingress.yaml | 25 ++++++
 .../templates/dkregistry/pv-auth-claim.yaml | 13 +++
 .../templates/dkregistry/pv-auth.yaml | 17 ++++
 .../templates/dkregistry/pv-claim.yaml | 13 +++
 .../prod.k3s/templates/dkregistry/pv.yaml | 17 ++++
 .../templates/dkregistry/service.yaml | 12 +++
 13 files changed, 262 insertions(+), 6 deletions(-)
 create mode 100644 ansible-5/roles/prod.k3s/files/dkregistry/values.yaml
 create mode 100644 ansible-5/roles/prod.k3s/tasks/deployments/dkregistry.yaml
 create mode 100644 ansible-5/roles/prod.k3s/templates/dkregistry/deployment.yaml
 create mode 100644 ansible-5/roles/prod.k3s/templates/dkregistry/ingress.yaml
 create mode 100644 ansible-5/roles/prod.k3s/templates/dkregistry/pv-auth-claim.yaml
 create mode 100644 ansible-5/roles/prod.k3s/templates/dkregistry/pv-auth.yaml
 create mode 100644 ansible-5/roles/prod.k3s/templates/dkregistry/pv-claim.yaml
 create mode 100644 ansible-5/roles/prod.k3s/templates/dkregistry/pv.yaml
 create mode 100644 ansible-5/roles/prod.k3s/templates/dkregistry/service.yaml

diff --git a/ansible-5/roles/glusterfs-server/defaults/main.yaml b/ansible-5/roles/glusterfs-server/defaults/main.yaml
index 3f3d782..1695e1b 100644
--- a/ansible-5/roles/glusterfs-server/defaults/main.yaml
+++ b/ansible-5/roles/glusterfs-server/defaults/main.yaml
@@ -23,10 +23,10 @@ volumes:
 replicated:
 - name: gitea
 # - name: jenkins
-# - name: vmshares
+ - name: vmshares
 - name: mariadb
 - name: plex
-# - name: nextcloud2
+ - name: nextcloud2
 # - name: prometheus
 # - name: tmp
diff --git a/ansible-5/roles/prod.k3s/defaults/main.yml b/ansible-5/roles/prod.k3s/defaults/main.yml
index 595fa4d..57efdf3 100644
--- a/ansible-5/roles/prod.k3s/defaults/main.yml
+++ b/ansible-5/roles/prod.k3s/defaults/main.yml
@@ -14,9 +14,9 @@ fstab:
 - name: gitea
 path: "/opt/data/gitea"
 state: mounted
-# - name: vmshares
-# path: "/opt/shared"
-# state: mounted
+ - name: vmshares
+ path: "/opt/data/shared"
+ state: mounted
 - name: mariadb
 path: "/opt/data/db"
 state: mounted
@@ -36,11 +36,12 @@ helm:
 apps:
 stash:
+ enabled: false
 state: present
 namespace: stashapp
 mariadb:
- enabled: true
+ enabled: false
 namespace: mariadb
 pvc: data-mariadb-0
 state: present
@@ -54,3 +55,8 @@ apps:
 namespace: gitea
 state: present
+ dkregistry:
+ enabled: true
+ namespace: default
+ pvc: data-dkregistry-0
+ state: present
diff --git a/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.prod.yaml b/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.prod.yaml
index 5ea8785..d56485e 100644
--- a/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.prod.yaml
+++ b/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.prod.yaml
@@ -20,6 +20,7 @@ spec:
 - sql.xai-corp.net
 - cik.xai-corp.net
 - stash.xai-corp.net
+ - dkregistry.xai-corp.net
 acme:
 config:
 - http01:
diff --git a/ansible-5/roles/prod.k3s/files/dkregistry/values.yaml b/ansible-5/roles/prod.k3s/files/dkregistry/values.yaml
new file mode 100644
index 0000000..167b179
--- /dev/null
+++ b/ansible-5/roles/prod.k3s/files/dkregistry/values.yaml
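Review bot: `mariadb.enabled` flips from `true` to `false` in the second hunk of defaults/main.yml, which is unrelated to the docker-registry setup this commit describes; if tasks/main.yml gates the mariadb include on `apps.mariadb.enabled` the way the gitea and dkregistry includes are gated in this patch (the mariadb guard line is outside the shown hunks), this commit silently stops deploying mariadb on the next run. If that is intended, say so in the commit message; otherwise keep `enabled: true`. The new `stash.enabled: false` default is consistent with the `when: apps.stash.enabled` guard added to tasks/main.yml, so that part reads fine.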
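Review bot: The new `dkregistry` entry sets `namespace: default`, while every other app in this block (stashapp, mariadb, gitea) gets its own namespace, so the `auth-secret` Secret and the `docker-registry` Service this role creates land in `default` under generic names. A dedicated namespace keeps the registry's credential Secret and any RBAC scoped to the app: `namespace: dkregistry`, together with re-enabling the commented-out namespace-creation task at the top of tasks/deployments/dkregistry.yaml so the namespace exists before the templated resources are applied.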
@@ -0,0 +1,27 @@
+---
+# Docker Registry values
+# https://github.com/twuni/docker-registry.helm/blob/main/values.yaml
+
+image:
+ repository: registry
+ tag: 2.8.1
+
+ingress:
+ enabled: true
+# className: traefik
+ tls:
+ - secretName: xai-corp-production-tls
+ hosts:
+ - dkregistry.xai-corp.net
+# annotations:
+# cert-manager.io/cluster-issuer: letsencrypt-production
+## kubernetes.io/ingress.class: traefik
+# traefik.ingress.kubernetes.io/router.entrypoints: websecure
+# traefik.ingress.kubernetes.io/router.tls: 'true'
+
+persistence:
+ enabled: true
+ existingClaim: data-dkregistry-0
+
+secrets:
+ htpasswd: false
diff --git a/ansible-5/roles/prod.k3s/tasks/deployments/dkregistry.yaml b/ansible-5/roles/prod.k3s/tasks/deployments/dkregistry.yaml
new file mode 100644
index 0000000..dd98fe9
--- /dev/null
+++ b/ansible-5/roles/prod.k3s/tasks/deployments/dkregistry.yaml
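Review bot: This values file is only referenced by the Helm install block in tasks/deployments/dkregistry.yaml, and that block is entirely commented out in this commit, so nothing consumes it; the active path templates its own Pod, Service and Ingress instead. If it is kept for a later Helm install, `secrets.htpasswd: false` appears to give the chart no htpasswd content at all, which would mean a registry with no authentication, the opposite of what the hand-written Pod configures with `REGISTRY_AUTH=htpasswd`; the `image.tag: 2.8.1` here also disagrees with the `registry:2.6.2` pinned in the Pod template. Either drop the file or mark it at the top with `# NOTE: not used by the active task path; see tasks/deployments/dkregistry.yaml`, and quote the tag as `tag: "2.8.1"` so it cannot be retyped by a parser.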
@@ -0,0 +1,79 @@
+---
+#https://github.com/twuni/docker-registry.helm
+
+
+#- name: Create a namespace for docker registry
+# k8s:
+# kubeconfig: "/etc/rancher/k3s/k3s.yaml"
+# name: "{{apps.dkregistry.namespace}}"
+# api_version: v1
+# kind: Namespace
+# state: "{{apps.dkregistry.state}}"
+# become: true
+
+- name: create persistent volume resources
+ kubernetes.core.k8s:
+ kubeconfig: "/etc/rancher/k3s/k3s.yaml"
+ state: "{{apps.dkregistry.state}}"
+ definition: "{{ lookup('template', item) | from_yaml }}"
+ loop:
+ - dkregistry/pv.yaml
+ - dkregistry/pv-claim.yaml
+ - dkregistry/pv-auth.yaml
+ - dkregistry/pv-auth-claim.yaml
+ become: true
+
+- name: create secret for dkregistry
+ kubernetes.core.k8s:
+ kubeconfig: "/etc/rancher/k3s/k3s.yaml"
+ state: "{{apps.dkregistry.state}}"
+ definition:
+ apiVersion: v1
+ kind: Secret
+ type: Opaque
+ metadata:
+ name: auth-secret
+ namespace: "{{apps.dkregistry.namespace}}"
+ stringData:
+ htpassword: "richard:$2y$05$Zp.GEiUbsGYYVOYWE71truuERCAE.D5wwGzU3Xi3wIVAWjH60t/U."
+
+ become: true
+
+- name: create docker-registry resources
+ kubernetes.core.k8s:
+ kubeconfig: "/etc/rancher/k3s/k3s.yaml"
+ state: "{{apps.dkregistry.state}}"
+ definition: "{{ lookup('template', item) | from_yaml }}"
+ loop:
+# - dkregistry/configmap.yaml
+ - dkregistry/ingress.yaml
+ - dkregistry/service.yaml
+ - dkregistry/deployment.yaml
+ become: true
+
+
+#- name: Install dkregistry globally available
+# block:
+# - name: Add dkregistry chart helm repo
+# local_action:
+# module: kubernetes.core.helm_repository
+# name: twuni
+# repo_url: https://helm.twun.io
+#
+# - name: load variables files/dkregistry/values.yaml
+# ansible.builtin.include_vars:
+# file: files/dkregistry/values.yaml
+# name: stash_values
+#
+# - name: Install dkregistry Release
+# local_action:
+# module: kubernetes.core.helm
+# release_state: "{{apps.dkregistry.state}}"
+# name: dkregistry
+# namespace: "{{apps.dkregistry.namespace}}"
+# create_namespace: yes
+# update_repo_cache: True
+# chart_ref: twuni/docker-registry
+# values: "{{stash_values}}"
+# wait: true
diff --git a/ansible-5/roles/prod.k3s/tasks/main.yml b/ansible-5/roles/prod.k3s/tasks/main.yml
index 440aa07..ac4b24b 100644
--- a/ansible-5/roles/prod.k3s/tasks/main.yml
+++ b/ansible-5/roles/prod.k3s/tasks/main.yml
@@ -15,6 +15,7 @@
 - name: deploy stash
 include_tasks: deployments/stash.yaml
+ when: apps.stash.enabled
 - name: deploy mariadb
 include_tasks: deployments/mariadb.yaml
@@ -24,6 +25,10 @@
 include_tasks: deployments/gitea.yaml
 when: apps.gitea.enabled
+- name: deploy dkregistry
+ include_tasks: deployments/dkregistry.yaml
+ when: apps.dkregistry.enabled
+
 #-----------------------------------------------------
 #- include_tasks: mariadb.yaml
 #
diff --git a/ansible-5/roles/prod.k3s/templates/dkregistry/deployment.yaml b/ansible-5/roles/prod.k3s/templates/dkregistry/deployment.yaml
new file mode 100644
index 0000000..b5d81bd
--- /dev/null
+++ b/ansible-5/roles/prod.k3s/templates/dkregistry/deployment.yaml
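Review bot: The `create secret for dkregistry` task embeds a user's bcrypt htpasswd entry as a literal under `stringData`, so the credential hash is now committed to the repository in clear text, and the Secret it produces is never used: the Pod in templates/dkregistry/deployment.yaml mounts `/auth` from the `data-dkregistry-auth-0` claim (a hostPath PV in pv-auth.yaml), not from `auth-secret`, and the key here is `htpassword` while the registry is configured to read `/auth/htpasswd`. Move the value out of the play (an `ansible-vault`-encrypted variable, or a vars file kept out of VCS) and treat the committed entry as exposed, i.e. regenerate it, since it stays in git history. Rename the key to `htpasswd: "{{ dkregistry_htpasswd }}"` so a `secret` volume in the Pod can serve the file at the path it expects. The hunk also carries a large commented-out Helm install whose `include_vars` registers the values as `stash_values`, which looks copied from the stash deployment; if the Helm path is dead, delete it rather than keeping it as commented YAML.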
@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: docker-registry-pod
+ namespace: "{{apps.dkregistry.namespace}}"
+ labels:
+ app: registry
+spec:
+ containers:
+ - name: registry
+ image: registry:2.6.2
+ volumeMounts:
+ - name: repo-vol
+ mountPath: "/var/lib/registry"
+# - name: certs-vol
+# mountPath: "/certs"
+# readOnly: true
+ - name: auth-vol
+ mountPath: "/auth"
+ readOnly: true
+ env:
+ - name: REGISTRY_AUTH
+ value: "htpasswd"
+ - name: REGISTRY_AUTH_HTPASSWD_REALM
+ value: "Registry Realm"
+ - name: REGISTRY_AUTH_HTPASSWD_PATH
+ value: "/auth/htpasswd"
+# - name: REGISTRY_HTTP_TLS_CERTIFICATE
+# value: "/certs/tls.crt"
+# - name: REGISTRY_HTTP_TLS_KEY
+# value: "/certs/tls.key"
+ volumes:
+ - name: repo-vol
+ persistentVolumeClaim:
+ claimName: data-dkregistry-0
+# - name: certs-vol
+# secret:
+# secretName: default/xai-corp-production-tls
+ - name: auth-vol
+ persistentVolumeClaim:
+ claimName: data-dkregistry-auth-0
diff --git a/ansible-5/roles/prod.k3s/templates/dkregistry/ingress.yaml b/ansible-5/roles/prod.k3s/templates/dkregistry/ingress.yaml
new file mode 100644
index 0000000..3c9a651
--- /dev/null
+++ b/ansible-5/roles/prod.k3s/templates/dkregistry/ingress.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: dkregistry
+ namespace: "{{apps.dkregistry.namespace}}"
+ annotations:
+ kubernetes.io/ingress.class: "traefik"
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+ rules:
+ - host: www.xai-corp.net
+ http:
+ paths:
+ - path: /v2/
+ pathType: Prefix
+ backend:
+ service:
+ name: docker-registry
+ port:
+ number: 5000
+
+ tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames
+ - secretName: xai-corp-production-tls
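Review bot: `auth-vol` is backed by the `data-dkregistry-auth-0` claim, whose PV in pv-auth.yaml is a hostPath under `/opt/data/shared/dkregistry/auth`, so the `/auth/htpasswd` file named by `REGISTRY_AUTH_HTPASSWD_PATH` has to be placed on the node by hand and nothing in this commit creates it, while the `auth-secret` Secret the tasks do create is not mounted anywhere; with the file absent the registry will most likely refuse to start. Mounting the Secret is the smaller, self-contained fix: `- name: auth-vol` / `secret:` / `secretName: auth-secret` (with the Secret's key renamed to `htpasswd`), after which the hostPath auth PV/PVC pair can go. Separately, this file creates a bare `kind: Pod` rather than a Deployment, so it is not recreated if it is evicted or its node is lost, and it pins `image: registry:2.6.2` where files/dkregistry/values.yaml pins 2.8.1; pick one version and add `resources` limits and a `securityContext` (`runAsNonRoot`, `readOnlyRootFilesystem`) for a service that is reachable from the internet through the Ingress.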
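Review bot: The rule's `host: www.xai-corp.net` does not match the name this commit adds to the certificate (`dkregistry.xai-corp.net`) or to values.yaml, so clients pushing to dkregistry.xai-corp.net get no route, and `/v2/` is instead claimed on the www host, where it would presumably shadow that path for any other Ingress serving that host. Change it to `- host: dkregistry.xai-corp.net` and list the same name under `tls.hosts`, which is also what the trailing comment on the `tls:` line assumes the block is doing. `kubernetes.io/ingress.class` is a deprecated annotation on networking.k8s.io/v1 Ingress; `spec.ingressClassName: traefik` is the supported form.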
diff --git a/ansible-5/roles/prod.k3s/templates/dkregistry/pv-auth-claim.yaml b/ansible-5/roles/prod.k3s/templates/dkregistry/pv-auth-claim.yaml
new file mode 100644
index 0000000..6e813ff
--- /dev/null
+++ b/ansible-5/roles/prod.k3s/templates/dkregistry/pv-auth-claim.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: data-dkregistry-auth-0
+ namespace: "{{apps.dkregistry.namespace}}"
+spec:
+ storageClassName: manual
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 10Gi
diff --git a/ansible-5/roles/prod.k3s/templates/dkregistry/pv-auth.yaml b/ansible-5/roles/prod.k3s/templates/dkregistry/pv-auth.yaml
new file mode 100644
index 0000000..834309e
--- /dev/null
+++ b/ansible-5/roles/prod.k3s/templates/dkregistry/pv-auth.yaml
@@ -0,0 +1,17 @@
+---
+# persistent volume
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: dkregistry-pv-auth-local
+ labels:
+ type: local
+spec:
+ storageClassName: manual
+ capacity:
+ storage: 10Gi
+ accessModes:
+ - ReadWriteOnce
+ hostPath:
+ path: "/opt/data/shared/dkregistry/auth"
+
diff --git a/ansible-5/roles/prod.k3s/templates/dkregistry/pv-claim.yaml b/ansible-5/roles/prod.k3s/templates/dkregistry/pv-claim.yaml
new file mode 100644
index 0000000..ef02f9e
--- /dev/null
+++ b/ansible-5/roles/prod.k3s/templates/dkregistry/pv-claim.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: "{{apps.dkregistry.pvc}}"
+ namespace: "{{apps.dkregistry.namespace}}"
+spec:
+ storageClassName: manual
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 10Gi
diff --git a/ansible-5/roles/prod.k3s/templates/dkregistry/pv.yaml b/ansible-5/roles/prod.k3s/templates/dkregistry/pv.yaml
new file mode 100644
index 0000000..2a3380c
--- /dev/null
+++ b/ansible-5/roles/prod.k3s/templates/dkregistry/pv.yaml
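Review bot: `data-dkregistry-auth-0` in this hunk and the data claim in pv-claim.yaml are identical in every binding attribute (`storageClassName: manual`, `ReadWriteOnce`, `10Gi`), and the two PVs in pv-auth.yaml and pv.yaml carry no `claimRef` and no distinguishing label, so which claim binds to which hostPath is left to the controller: the registry can end up storing image blobs under `.../dkregistry/auth` and looking for `htpasswd` under `.../dkregistry/data`. Pin the pairing by giving each PV a distinct label and each PVC a selector, e.g. on this claim `selector:` / `matchLabels:` / `app: dkregistry-auth` with `app: dkregistry-auth` added under the PV's `labels` (and the same for the data pair), or set `spec.claimRef` on each PV. The hostPath PVs also have no `nodeAffinity`, so on a multi-node cluster the Pod can land on a node where `/opt/data/shared` (the vmshares mount from defaults/main.yml) is not present; if this k3s is single-node, a comment saying so on the PVs would save the next reader the question.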
@@ -0,0 +1,17 @@
+---
+# persistent volume
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: dkregistry-pv-local
+ labels:
+ type: local
+spec:
+ storageClassName: manual
+ capacity:
+ storage: 10Gi
+ accessModes:
+ - ReadWriteOnce
+ hostPath:
+ path: "/opt/data/shared/dkregistry/data"
+
diff --git a/ansible-5/roles/prod.k3s/templates/dkregistry/service.yaml b/ansible-5/roles/prod.k3s/templates/dkregistry/service.yaml
new file mode 100644
index 0000000..8f1635f
--- /dev/null
+++ b/ansible-5/roles/prod.k3s/templates/dkregistry/service.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: docker-registry
+ namespace: "{{apps.dkregistry.namespace}}"
+spec:
+ selector:
+ app: registry
+ ports:
+ - port: 5000
+ targetPort: 5000