apiVersion: v1
kind: Namespace
metadata:
  name: container-registry
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
  namespace: container-registry
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: florian@nocodelytics.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: traefik
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: container-registry-server
  namespace: container-registry
spec:
  secretName: container-registry-server-net-tls
  issuerRef:
    name: letsencrypt-prod
    kind: Issuer
  commonName: container-registry.nocodelytics.com
  dnsNames:
    - container-registry.nocodelytics.com
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: container-registry-server-pvc
  namespace: container-registry
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: local-path
  resources:
    requests:
      storage: 1Gi
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
  namespace: container-registry
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: florian@nocodelytics.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: traefik
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: container-registry-server-config
  namespace: container-registry
data:
  config.yml: |
    version: 0.1
    log:
      fields:
        service: registry
    storage:
      cache:
        blobdescriptor: inmemory
      s3:
        region: eu-west-1
        bucket: container-registry
    http:
      addr: :5000
      headers:
        X-Content-Type-Options: [nosniff]
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: container-registry-server
  namespace: container-registry
spec:
  replicas: 1
  selector:
    matchLabels:
      ms: container-registry-server
  template:
    metadata:
      labels:
        ms: container-registry-server
    spec:
      containers:
        - name: container-registry-server
          image: registry:2
          volumeMounts:
            - name: volv
              mountPath: /var/lib/registry
            - name: config-volume
              mountPath: /etc/docker/registry/config.yml
              subPath: config.yml
            - name: secrets-volume
              mountPath: /auth
              readOnly: true
          env:
            - name: REGISTRY_AUTH
              value: htpasswd
            - name: REGISTRY_AUTH_HTPASSWD_REALM
              value: Registry Realm
            - name: REGISTRY_AUTH_HTPASSWD_PATH
              value: /auth/htpasswd
            - name: REGISTRY_STORAGE_S3_ACCESSKEY
              valueFrom:
                secretKeyRef:
                  name: secrets
                  key: AWS_ACCESS_KEY_ID
            - name: REGISTRY_STORAGE_S3_SECRETKEY
              valueFrom:
                secretKeyRef:
                  name: secrets
                  key: AWS_SECRET_ACCESS_KEY
          resources:
            limits:
              memory: "512Mi"
              cpu: "100m"
      volumes:
        - name: volv
          persistentVolumeClaim:
            claimName: container-registry-server-pvc
        - name: config-volume
          configMap:
            name: container-registry-server-config
        - name: secrets-volume
          secret:
            secretName: container-registry
            optional: false
---
apiVersion: v1
kind: Service
metadata:
  name: container-registry-server
  namespace: container-registry
spec:
  type: NodePort
  selector:
    ms: container-registry-server
  ports:
    - port: 5000
      targetPort: 5000
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: container-registry-nginx-ingress
  namespace: container-registry
  annotations:
    kubernetes.io/ingress.class: "traefik"
    cert-manager.io/issuer: letsencrypt-prod
    traefik.ingress.kubernetes.io/redirect-entry-point: https
    cert-manager.io/acme-challenge-type: http01
spec:
  rules:
    - host: container-registry.nocodelytics.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: ssl-redirect
                port:
                  name: use-annotation
          - path: /
            pathType: Prefix
            backend:
              service:
                name: container-registry-server
                port:
                  number: 5000
  tls:
    - hosts:
        - container-registry.nocodelytics.com
      secretName: container-registry-server-net-tls