docker-registry app setup

ansible-5/roles/glusterfs-server/defaults/main.yaml

@@ -23,10 +23,10 @@ volumes:
   replicated:
     - name: gitea
 #    - name: jenkins
-#    - name: vmshares
+    - name: vmshares
     - name: mariadb
     - name: plex
-#    - name: nextcloud2
+    - name: nextcloud2
 #    - name: prometheus
 #    - name: tmp
 

ansible-5/roles/prod.k3s/defaults/main.yml

@@ -14,9 +14,9 @@ fstab:
     - name: gitea
       path: "/opt/data/gitea"
       state: mounted
-#    - name: vmshares
+    - name: vmshares
-#      path: "/opt/shared"
+      path: "/opt/data/shared"
-#      state: mounted
+      state: mounted
     - name: mariadb
       path: "/opt/data/db"
       state: mounted
@@ -36,11 +36,12 @@ helm:
 
 apps:
   stash:
+    enabled: false
     state: present
     namespace: stashapp
 
   mariadb:
-    enabled: true
+    enabled: false
     namespace: mariadb
     pvc: data-mariadb-0
     state: present
@@ -54,3 +55,8 @@ apps:
     namespace: gitea
     state: present
 
+  dkregistry:
+    enabled: true
+    namespace: default
+    pvc: data-dkregistry-0
+    state: present

ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.prod.yaml

@@ -20,6 +20,7 @@ spec:
     - sql.xai-corp.net
     - cik.xai-corp.net
     - stash.xai-corp.net
+    - dkregistry.xai-corp.net
   acme:
     config:
       - http01:

ansible-5/roles/prod.k3s/files/dkregistry/values.yaml

@@ -0,0 +1,27 @@
+---
+# Docker Registry values
+# https://github.com/twuni/docker-registry.helm/blob/main/values.yaml
+
+image:
+  repository: registry
+  tag: 2.8.1
+
+ingress:
+  enabled: true
+#  className: traefik
+  tls:
+    - secretName: xai-corp-production-tls
+  hosts:
+    - dkregistry.xai-corp.net
+#  annotations:
+#    cert-manager.io/cluster-issuer: letsencrypt-production
+##    kubernetes.io/ingress.class: traefik
+#    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+#    traefik.ingress.kubernetes.io/router.tls: 'true'
+
+persistence:
+  enabled: true
+  existingClaim: data-dkregistry-0
+
+secrets:
+  htpasswd: false

ansible-5/roles/prod.k3s/tasks/deployments/dkregistry.yaml

@@ -0,0 +1,79 @@
+---
+#https://github.com/twuni/docker-registry.helm
+
+
+
+#- name: Create a namespace for docker registry
+#  k8s:
+#    kubeconfig: "/etc/rancher/k3s/k3s.yaml"
+#    name: "{{apps.dkregistry.namespace}}"
+#    api_version: v1
+#    kind: Namespace
+#    state: "{{apps.dkregistry.state}}"
+#  become: true
+
+- name: create persistent volume resources
+  kubernetes.core.k8s:
+    kubeconfig: "/etc/rancher/k3s/k3s.yaml"
+    state: "{{apps.dkregistry.state}}"
+    definition: "{{ lookup('template', item) | from_yaml }}"
+  loop:
+    - dkregistry/pv.yaml
+    - dkregistry/pv-claim.yaml
+    - dkregistry/pv-auth.yaml
+    - dkregistry/pv-auth-claim.yaml
+  become: true
+
+- name: create secret for dkregistry
+  kubernetes.core.k8s:
+    kubeconfig: "/etc/rancher/k3s/k3s.yaml"
+    state: "{{apps.dkregistry.state}}"
+    definition:
+      apiVersion: v1
+      kind: Secret
+      type: Opaque
+      metadata:
+        name: auth-secret
+        namespace: "{{apps.dkregistry.namespace}}"
+      stringData:
+        htpassword: "richard:$2y$05$Zp.GEiUbsGYYVOYWE71truuERCAE.D5wwGzU3Xi3wIVAWjH60t/U."
+
+  become: true
+
+- name: create docker-registry resources
+  kubernetes.core.k8s:
+    kubeconfig: "/etc/rancher/k3s/k3s.yaml"
+    state: "{{apps.dkregistry.state}}"
+    definition: "{{ lookup('template', item) | from_yaml }}"
+  loop:
+#    - dkregistry/configmap.yaml
+    - dkregistry/ingress.yaml
+    - dkregistry/service.yaml
+    - dkregistry/deployment.yaml
+  become: true
+
+
+#- name: Install dkregistry globally available
+#  block:
+#    - name: Add dkregistry chart helm repo
+#      local_action:
+#        module: kubernetes.core.helm_repository
+#        name: twuni
+#        repo_url: https://helm.twun.io
+#
+#    - name: load variables files/dkregistry/values.yaml
+#      ansible.builtin.include_vars:
+#        file: files/dkregistry/values.yaml
+#        name: stash_values
+#
+#    - name: Install dkregistry Release
+#      local_action:
+#        module: kubernetes.core.helm
+#        release_state: "{{apps.dkregistry.state}}"
+#        name: dkregistry
+#        namespace: "{{apps.dkregistry.namespace}}"
+#        create_namespace: yes
+#        update_repo_cache: True
+#        chart_ref: twuni/docker-registry
+#        values: "{{stash_values}}"
+#        wait: true

ansible-5/roles/prod.k3s/tasks/main.yml

@@ -15,6 +15,7 @@
 
 - name: deploy stash
   include_tasks: deployments/stash.yaml
+  when: apps.stash.enabled
 
 - name: deploy mariadb
   include_tasks: deployments/mariadb.yaml
@@ -24,6 +25,10 @@
   include_tasks: deployments/gitea.yaml
   when: apps.gitea.enabled
 
+- name: deploy dkregistry
+  include_tasks: deployments/dkregistry.yaml
+  when: apps.dkregistry.enabled
+
 #-----------------------------------------------------
 #- include_tasks: mariadb.yaml
 #

ansible-5/roles/prod.k3s/templates/dkregistry/deployment.yaml

@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: docker-registry-pod
+  namespace: "{{apps.dkregistry.namespace}}"
+  labels:
+    app: registry
+spec:
+  containers:
+    - name: registry
+      image: registry:2.6.2
+      volumeMounts:
+        - name: repo-vol
+          mountPath: "/var/lib/registry"
+#        - name: certs-vol
+#          mountPath: "/certs"
+#          readOnly: true
+        - name: auth-vol
+          mountPath: "/auth"
+          readOnly: true
+      env:
+        - name: REGISTRY_AUTH
+          value: "htpasswd"
+        - name: REGISTRY_AUTH_HTPASSWD_REALM
+          value: "Registry Realm"
+        - name: REGISTRY_AUTH_HTPASSWD_PATH
+          value: "/auth/htpasswd"
+#        - name: REGISTRY_HTTP_TLS_CERTIFICATE
+#          value: "/certs/tls.crt"
+#        - name: REGISTRY_HTTP_TLS_KEY
+#          value: "/certs/tls.key"
+  volumes:
+    - name: repo-vol
+      persistentVolumeClaim:
+        claimName: data-dkregistry-0
+#    - name: certs-vol
+#      secret:
+#        secretName: default/xai-corp-production-tls
+    - name: auth-vol
+      persistentVolumeClaim:
+        claimName: data-dkregistry-auth-0

ansible-5/roles/prod.k3s/templates/dkregistry/ingress.yaml

@@ -0,0 +1,25 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: dkregistry
+  namespace: "{{apps.dkregistry.namespace}}"
+  annotations:
+    kubernetes.io/ingress.class: "traefik"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  rules:
+    - host: www.xai-corp.net
+      http:
+        paths:
+          - path: /v2/
+            pathType: Prefix
+            backend:
+              service:
+                name: docker-registry
+                port:
+                  number: 5000
+
+  tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames
+    - secretName: xai-corp-production-tls

ansible-5/roles/prod.k3s/templates/dkregistry/pv-auth-claim.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: data-dkregistry-auth-0
+  namespace: "{{apps.dkregistry.namespace}}"
+spec:
+  storageClassName: manual
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi

ansible-5/roles/prod.k3s/templates/dkregistry/pv-auth.yaml

@@ -0,0 +1,17 @@
+---
+# persistent volume
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: dkregistry-pv-auth-local
+  labels:
+    type: local
+spec:
+  storageClassName: manual
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteOnce
+  hostPath:
+    path: "/opt/data/shared/dkregistry/auth"
+

ansible-5/roles/prod.k3s/templates/dkregistry/pv-claim.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: "{{apps.dkregistry.pvc}}"
+  namespace: "{{apps.dkregistry.namespace}}"
+spec:
+  storageClassName: manual
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi

ansible-5/roles/prod.k3s/templates/dkregistry/pv.yaml

@@ -0,0 +1,17 @@
+---
+# persistent volume
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: dkregistry-pv-local
+  labels:
+    type: local
+spec:
+  storageClassName: manual
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteOnce
+  hostPath:
+    path: "/opt/data/shared/dkregistry/data"
+

ansible-5/roles/prod.k3s/templates/dkregistry/service.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: docker-registry
+  namespace: "{{apps.dkregistry.namespace}}"
+spec:
+  selector:
+    app: registry
+  ports:
+    - port: 5000
+      targetPort: 5000