apiVersion: v1
kind: Namespace
metadata:
name: container-registry
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt-prod
namespace: container-registry
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: florian@nocodelytics.com
privateKeySecretRef:
name: letsencrypt-prod
solvers:
- http01:
ingress:
class: traefik
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: container-registry-server
namespace: container-registry
spec:
secretName: container-registry-server-net-tls
issuerRef:
name: letsencrypt-prod
kind: Issuer
commonName: container-registry.nocodelytics.com
dnsNames:
- container-registry.nocodelytics.com
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: container-registry-server-pvc
namespace: container-registry
spec:
accessModes:
- ReadWriteOnce
storageClassName: local-path
resources:
requests:
storage: 1Gi
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt-prod
namespace: container-registry
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: florian@nocodelytics.com
privateKeySecretRef:
name: letsencrypt-prod
solvers:
- http01:
ingress:
class: traefik
---
apiVersion: v1
kind: ConfigMap
metadata:
name: container-registry-server-config
namespace: container-registry
data:
config.yml: |
version: 0.1
log:
fields:
service: registry
storage:
cache:
blobdescriptor: inmemory
s3:
region: eu-west-1
bucket: container-registry
http:
addr: :5000
headers:
X-Content-Type-Options: [nosniff]
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: container-registry-server
namespace: container-registry
spec:
replicas: 1
selector:
matchLabels:
ms: container-registry-server
template:
metadata:
labels:
ms: container-registry-server
spec:
containers:
- name: container-registry-server
image: registry:2
volumeMounts:
- name: volv
mountPath: /var/lib/registry
- name: config-volume
mountPath: /etc/docker/registry/config.yml
subPath: config.yml
- name: secrets-volume
mountPath: /auth
readOnly: true
env:
- name: REGISTRY_AUTH
value: htpasswd
- name: REGISTRY_AUTH_HTPASSWD_REALM
value: Registry Realm
- name: REGISTRY_AUTH_HTPASSWD_PATH
value: /auth/htpasswd
- name: REGISTRY_STORAGE_S3_ACCESSKEY
valueFrom:
secretKeyRef:
name: secrets
key: AWS_ACCESS_KEY_ID
- name: REGISTRY_STORAGE_S3_SECRETKEY
valueFrom:
secretKeyRef:
name: secrets
key: AWS_SECRET_ACCESS_KEY
resources:
limits:
memory: "512Mi"
cpu: "100m"
volumes:
- name: volv
persistentVolumeClaim:
claimName: container-registry-server-pvc
- name: config-volume
configMap:
name: container-registry-server-config
- name: secrets-volume
secret:
secretName: container-registry
optional: false
---
apiVersion: v1
kind: Service
metadata:
name: container-registry-server
namespace: container-registry
spec:
type: NodePort
selector:
ms: container-registry-server
ports:
- port: 5000
targetPort: 5000
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: container-registry-nginx-ingress
namespace: container-registry
annotations:
kubernetes.io/ingress.class: "traefik"
cert-manager.io/issuer: letsencrypt-prod
traefik.ingress.kubernetes.io/redirect-entry-point: https
cert-manager.io/acme-challenge-type: http01
spec:
rules:
- host: container-registry.nocodelytics.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: ssl-redirect
port:
name: use-annotation
- path: /
pathType: Prefix
backend:
service:
name: container-registry-server
port:
number: 5000
tls:
- hosts:
- container-registry.nocodelytics.com
secretName: container-registry-server-net-tls