Merge pull request #2332 from hswong3i/registry_fixup
Registry Addon Fixup
This commit is contained in:
commit
4175431dcd
23 changed files with 137 additions and 696 deletions
|
@ -171,6 +171,9 @@ istio_enabled: false
|
|||
|
||||
# Registry deployment
|
||||
registry_enabled: false
|
||||
# registry_namespace: "{{ system_namespace }}"
|
||||
# registry_storage_class: ""
|
||||
# registry_disk_size: "10Gi"
|
||||
|
||||
# Local volume provisioner deployment
|
||||
local_volume_provisioner_enabled: false
|
||||
|
|
|
@ -1,10 +1,12 @@
|
|||
# Private Docker Registry in Kubernetes
|
||||
Private Docker Registry in Kubernetes
|
||||
=====================================
|
||||
|
||||
Kubernetes offers an optional private Docker registry addon, which you can turn
|
||||
on when you bring up a cluster or install later. This gives you a place to
|
||||
store truly private Docker images for your cluster.
|
||||
|
||||
## How it works
|
||||
How it works
|
||||
------------
|
||||
|
||||
The private registry runs as a `Pod` in your cluster. It does not currently
|
||||
support SSL or authentication, which triggers Docker's "insecure registry"
|
||||
|
@ -12,7 +14,8 @@ logic. To work around this, we run a proxy on each node in the cluster,
|
|||
exposing a port onto the node (via a hostPort), which Docker accepts as
|
||||
"secure", since it is accessed by `localhost`.
|
||||
|
||||
## Turning it on
|
||||
Turning it on
|
||||
-------------
|
||||
|
||||
Some cluster installs (e.g. GCE) support this as a cluster-birth flag. The
|
||||
`ENABLE_CLUSTER_REGISTRY` variable in `cluster/gce/config-default.sh` governs
|
||||
|
@ -30,7 +33,7 @@ expanded by `salt` in the GCE cluster turnup, but can easily be adapted to
|
|||
other situations:
|
||||
|
||||
<!-- BEGIN MUNGE: EXAMPLE registry-pv.yaml.in -->
|
||||
```yaml
|
||||
``` yaml
|
||||
kind: PersistentVolume
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
|
@ -64,14 +67,15 @@ just want to kick the tires on this without committing to it, you can easily
|
|||
adapt the `ReplicationController` specification below to use a simple
|
||||
`emptyDir` volume instead of a `persistentVolumeClaim`.
|
||||
|
||||
## Claim the storage
|
||||
Claim the storage
|
||||
-----------------
|
||||
|
||||
Now that the Kubernetes cluster knows that some storage exists, you can put a
|
||||
claim on that storage. As with the `PersistentVolume` above, you can start
|
||||
with the `salt` template:
|
||||
|
||||
<!-- BEGIN MUNGE: EXAMPLE registry-pvc.yaml.in -->
|
||||
```yaml
|
||||
``` yaml
|
||||
kind: PersistentVolumeClaim
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
|
@ -93,12 +97,13 @@ you created before will be bound to this claim (unless you have other
|
|||
`PersistentVolumes` in which case those might get bound instead). This claim
|
||||
gives you the right to use this storage until you release the claim.
|
||||
|
||||
## Run the registry
|
||||
Run the registry
|
||||
----------------
|
||||
|
||||
Now we can run a Docker registry:
|
||||
|
||||
<!-- BEGIN MUNGE: EXAMPLE registry-rc.yaml -->
|
||||
```yaml
|
||||
``` yaml
|
||||
apiVersion: v1
|
||||
kind: ReplicationController
|
||||
metadata:
|
||||
|
@ -146,12 +151,13 @@ spec:
|
|||
```
|
||||
<!-- END MUNGE: EXAMPLE registry-rc.yaml -->
|
||||
|
||||
## Expose the registry in the cluster
|
||||
Expose the registry in the cluster
|
||||
----------------------------------
|
||||
|
||||
Now that we have a registry `Pod` running, we can expose it as a Service:
|
||||
|
||||
<!-- BEGIN MUNGE: EXAMPLE registry-svc.yaml -->
|
||||
```yaml
|
||||
``` yaml
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
|
@ -171,14 +177,15 @@ spec:
|
|||
```
|
||||
<!-- END MUNGE: EXAMPLE registry-svc.yaml -->
|
||||
|
||||
## Expose the registry on each node
|
||||
Expose the registry on each node
|
||||
--------------------------------
|
||||
|
||||
Now that we have a running `Service`, we need to expose it onto each Kubernetes
|
||||
`Node` so that Docker will see it as `localhost`. We can load a `Pod` on every
|
||||
node by creating following daemonset.
|
||||
|
||||
<!-- BEGIN MUNGE: EXAMPLE ../../saltbase/salt/kube-registry-proxy/kube-registry-proxy.yaml -->
|
||||
```yaml
|
||||
``` yaml
|
||||
apiVersion: extensions/v1beta1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
|
@ -217,7 +224,7 @@ spec:
|
|||
<!-- END MUNGE: EXAMPLE ../../saltbase/salt/kube-registry-proxy/kube-registry-proxy.yaml -->
|
||||
|
||||
When modifying replication-controller, service and daemon-set defintions, take
|
||||
care to ensure _unique_ identifiers for the rc-svc couple and the daemon-set.
|
||||
care to ensure *unique* identifiers for the rc-svc couple and the daemon-set.
|
||||
Failing to do so will have register the localhost proxy daemon-sets to the
|
||||
upstream service. As a result they will then try to proxy themselves, which
|
||||
will, for obvious reasons, not work.
|
||||
|
@ -226,17 +233,18 @@ This ensures that port 5000 on each node is directed to the registry `Service`.
|
|||
You should be able to verify that it is running by hitting port 5000 with a web
|
||||
browser and getting a 404 error:
|
||||
|
||||
```console
|
||||
``` console
|
||||
$ curl localhost:5000
|
||||
404 page not found
|
||||
```
|
||||
|
||||
## Using the registry
|
||||
Using the registry
|
||||
------------------
|
||||
|
||||
To use an image hosted by this registry, simply say this in your `Pod`'s
|
||||
`spec.containers[].image` field:
|
||||
|
||||
```yaml
|
||||
``` yaml
|
||||
image: localhost:5000/user/container
|
||||
```
|
||||
|
||||
|
@ -248,7 +256,7 @@ building locally and want to push to your cluster.
|
|||
You can use `kubectl` to set up a port-forward from your local node to a
|
||||
running Pod:
|
||||
|
||||
```console
|
||||
``` console
|
||||
$ POD=$(kubectl get pods --namespace kube-system -l k8s-app=kube-registry-upstream \
|
||||
-o template --template '{{range .items}}{{.metadata.name}} {{.status.phase}}{{"\n"}}{{end}}' \
|
||||
| grep Running | head -1 | cut -f1 -d' ')
|
||||
|
@ -260,15 +268,14 @@ Now you can build and push images on your local computer as
|
|||
`localhost:5000/yourname/container` and those images will be available inside
|
||||
your kubernetes cluster with the same name.
|
||||
|
||||
# More Extensions
|
||||
More Extensions
|
||||
===============
|
||||
|
||||
- [Use GCS as storage backend](gcs/README.md)
|
||||
- [Enable TLS/SSL](tls/README.md)
|
||||
- [Enable Authentication](auth/README.md)
|
||||
|
||||
## Future improvements
|
||||
Future improvements
|
||||
-------------------
|
||||
|
||||
* Allow port-forwarding to a Service rather than a pod (#15180)
|
||||
|
||||
|
||||
[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/cluster/addons/registry/README.md?pixel)]()
|
||||
- Allow port-forwarding to a Service rather than a pod (\#15180)
|
||||
|
|
|
@ -3,3 +3,7 @@ registry_image_repo: registry
|
|||
registry_image_tag: 2.6
|
||||
registry_proxy_image_repo: gcr.io/google_containers/kube-registry-proxy
|
||||
registry_proxy_image_tag: 0.4
|
||||
|
||||
registry_namespace: "{{ system_namespace }}"
|
||||
registry_storage_class: ""
|
||||
registry_disk_size: "10Gi"
|
||||
|
|
|
@ -1,26 +0,0 @@
|
|||
# Copyright 2016 The Kubernetes Authors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
FROM nginx:1.12
|
||||
|
||||
RUN apt-get update \
|
||||
&& apt-get install -y \
|
||||
curl \
|
||||
--no-install-recommends \
|
||||
&& apt-get clean \
|
||||
&& rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/share/man /usr/share/doc
|
||||
|
||||
COPY rootfs /
|
||||
|
||||
CMD ["/bin/boot"]
|
|
@ -1,24 +0,0 @@
|
|||
# Copyright 2016 The Kubernetes Authors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
.PHONY: build push vet test clean
|
||||
|
||||
TAG = 0.4
|
||||
REPO = gcr.io/google_containers/kube-registry-proxy
|
||||
|
||||
build:
|
||||
docker build --pull -t $(REPO):$(TAG) .
|
||||
|
||||
push:
|
||||
gcloud docker -- push $(REPO):$(TAG)
|
|
@ -1,23 +0,0 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
# fail if no hostname is provided
|
||||
REGISTRY_HOST=${REGISTRY_HOST:?no host}
|
||||
REGISTRY_PORT=${REGISTRY_PORT:-5000}
|
||||
|
||||
# we are always listening on port 80
|
||||
# https://github.com/nginxinc/docker-nginx/blob/43c112100750cbd1e9f2160324c64988e7920ac9/stable/jessie/Dockerfile#L25
|
||||
PORT=80
|
||||
|
||||
sed -e "s/%HOST%/$REGISTRY_HOST/g" \
|
||||
-e "s/%PORT%/$REGISTRY_PORT/g" \
|
||||
-e "s/%BIND_PORT%/$PORT/g" \
|
||||
</etc/nginx/conf.d/default.conf.in >/etc/nginx/conf.d/default.conf
|
||||
|
||||
# wait for registry to come online
|
||||
while ! curl -sS "$REGISTRY_HOST:$REGISTRY_PORT" &>/dev/null; do
|
||||
printf "waiting for the registry (%s:%s) to come online...\n" "$REGISTRY_HOST" "$REGISTRY_PORT"
|
||||
sleep 1
|
||||
done
|
||||
|
||||
printf "starting proxy...\n"
|
||||
exec nginx -g "daemon off;" "$@"
|
|
@ -1,28 +0,0 @@
|
|||
# Docker registry proxy for api version 2
|
||||
|
||||
upstream docker-registry {
|
||||
server %HOST%:%PORT%;
|
||||
}
|
||||
|
||||
# No client auth or TLS
|
||||
# TODO(bacongobbler): experiment with authenticating the registry if it's using TLS
|
||||
server {
|
||||
listen %BIND_PORT%;
|
||||
server_name localhost;
|
||||
|
||||
# disable any limits to avoid HTTP 413 for large image uploads
|
||||
client_max_body_size 0;
|
||||
|
||||
# required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
|
||||
chunked_transfer_encoding on;
|
||||
|
||||
location / {
|
||||
# Do not allow connections from docker 1.5 and earlier
|
||||
# docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
|
||||
if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
|
||||
return 404;
|
||||
}
|
||||
|
||||
include docker-registry.conf;
|
||||
}
|
||||
}
|
|
@ -1,6 +0,0 @@
|
|||
proxy_pass http://docker-registry;
|
||||
proxy_set_header Host $http_host; # required for docker client's sake
|
||||
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_read_timeout 900;
|
|
@ -1,26 +0,0 @@
|
|||
user nginx;
|
||||
worker_processes auto;
|
||||
|
||||
error_log /var/log/nginx/error.log warn;
|
||||
pid /var/run/nginx.pid;
|
||||
|
||||
events {
|
||||
worker_connections 1024;
|
||||
}
|
||||
|
||||
http {
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||
|
||||
access_log /var/log/nginx/access.log main;
|
||||
|
||||
sendfile on;
|
||||
|
||||
keepalive_timeout 65;
|
||||
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
}
|
|
@ -3,29 +3,56 @@
|
|||
- name: Registry | Create addon dir
|
||||
file:
|
||||
path: "{{ kube_config_dir }}/addons/registry"
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
recurse: true
|
||||
|
||||
- name: Registry | Create manifests
|
||||
template:
|
||||
src: "{{ item.file }}.j2"
|
||||
dest: "{{ kube_config_dir }}/addons/registry/{{ item.file }}"
|
||||
with_items:
|
||||
- { name: registry-svc, file: registry-svc.yml, type: service }
|
||||
- { name: registry-rc, file: registry-rc.yml, type: replicationcontroller }
|
||||
- { name: registry-ds, file: registry-ds.yml, type: daemonset }
|
||||
- { name: registry-ns, file: registry-ns.yml, type: ns }
|
||||
- { name: registry-svc, file: registry-svc.yml, type: svc }
|
||||
- { name: registry-rs, file: registry-rs.yml, type: rs }
|
||||
- { name: registry-proxy-ds, file: registry-proxy-ds.yml, type: ds }
|
||||
register: registry_manifests
|
||||
when: inventory_hostname == groups['kube-master'][0]
|
||||
|
||||
- name: Registry | Apply manifests
|
||||
kube:
|
||||
name: "{{ item.item.name }}"
|
||||
namespace: "{{ system_namespace }}"
|
||||
namespace: "{{ registry_namespace }}"
|
||||
kubectl: "{{ bin_dir }}/kubectl"
|
||||
resource: "{{ item.item.type }}"
|
||||
filename: "{{ kube_config_dir }}/addons/registry/{{ item.item.file }}"
|
||||
state: "latest"
|
||||
with_items: "{{ registry_manifests.results }}"
|
||||
when: inventory_hostname == groups['kube-master'][0]
|
||||
|
||||
- name: Registry | Create PVC manifests
|
||||
template:
|
||||
src: "{{ item.file }}.j2"
|
||||
dest: "{{ kube_config_dir }}/addons/registry/{{ item.file }}"
|
||||
with_items:
|
||||
- { name: registry-pvc, file: registry-pvc.yml, type: pvc }
|
||||
register: registry_manifests
|
||||
when:
|
||||
- registry_storage_class != none
|
||||
- registry_disk_size != none
|
||||
- inventory_hostname == groups['kube-master'][0]
|
||||
|
||||
- name: Registry | Apply PVC manifests
|
||||
kube:
|
||||
name: "{{ item.item.name }}"
|
||||
namespace: "{{ registry_namespace }}"
|
||||
kubectl: "{{ bin_dir }}/kubectl"
|
||||
resource: "{{ item.item.type }}"
|
||||
filename: "{{ kube_config_dir }}/addons/registry/{{ item.item.file }}"
|
||||
state: "latest"
|
||||
with_items: "{{ registry_manifests.results }}"
|
||||
when:
|
||||
- registry_storage_class != none
|
||||
- registry_disk_size != none
|
||||
- inventory_hostname == groups['kube-master'][0]
|
||||
|
|
|
@ -1,92 +0,0 @@
|
|||
# Enable Authentication with Htpasswd for Kube-Registry
|
||||
|
||||
Docker registry support a few authentication providers. Full list of supported provider can be found [here](https://docs.docker.com/registry/configuration/#auth). This document describes how to enable authentication with htpasswd for kube-registry.
|
||||
|
||||
### Prepare Htpasswd Secret
|
||||
|
||||
Please generate your own htpasswd file. Assuming the file you generated is `htpasswd`.
|
||||
Creating secret to hold htpasswd...
|
||||
```console
|
||||
$ kubectl --namespace=kube-system create secret generic registry-auth-secret --from-file=htpasswd=htpasswd
|
||||
```
|
||||
|
||||
### Run Registry
|
||||
|
||||
Please be noted that this sample rc is using emptyDir as storage backend for simplicity.
|
||||
|
||||
<!-- BEGIN MUNGE: EXAMPLE registry-auth-rc.yaml -->
|
||||
```yaml
|
||||
apiVersion: v1
|
||||
kind: ReplicationController
|
||||
metadata:
|
||||
name: kube-registry-v0
|
||||
namespace: kube-system
|
||||
labels:
|
||||
k8s-app: kube-registry
|
||||
version: v0
|
||||
# kubernetes.io/cluster-service: "true"
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
k8s-app: kube-registry
|
||||
version: v0
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kube-registry
|
||||
version: v0
|
||||
# kubernetes.io/cluster-service: "true"
|
||||
spec:
|
||||
containers:
|
||||
- name: registry
|
||||
image: registry:2
|
||||
resources:
|
||||
# keep request = limit to keep this container in guaranteed class
|
||||
limits:
|
||||
cpu: 100m
|
||||
memory: 100Mi
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 100Mi
|
||||
env:
|
||||
- name: REGISTRY_HTTP_ADDR
|
||||
value: :5000
|
||||
- name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
|
||||
value: /var/lib/registry
|
||||
- name: REGISTRY_AUTH_HTPASSWD_REALM
|
||||
value: basic_realm
|
||||
- name: REGISTRY_AUTH_HTPASSWD_PATH
|
||||
value: /auth/htpasswd
|
||||
volumeMounts:
|
||||
- name: image-store
|
||||
mountPath: /var/lib/registry
|
||||
- name: auth-dir
|
||||
mountPath: /auth
|
||||
ports:
|
||||
- containerPort: 5000
|
||||
name: registry
|
||||
protocol: TCP
|
||||
volumes:
|
||||
- name: image-store
|
||||
emptyDir: {}
|
||||
- name: auth-dir
|
||||
secret:
|
||||
secretName: registry-auth-secret
|
||||
```
|
||||
<!-- END MUNGE: EXAMPLE registry-auth-rc.yaml -->
|
||||
|
||||
No changes are needed for other components (kube-registry service and proxy).
|
||||
|
||||
### To Verify
|
||||
|
||||
Setup proxy or port-forwarding to the kube-registry. Image push/pull should fail without authentication. Then use `docker login` to authenticate with kube-registry and see if it works.
|
||||
|
||||
### Configure Nodes to Authenticate with Kube-Registry
|
||||
|
||||
By default, nodes assume no authentication is required by kube-registry. Without authentication, nodes cannot pull images from kube-registry. To solve this, more documentation can be found [Here](https://github.com/kubernetes/kubernetes.github.io/blob/master/docs/concepts/containers/images.md#configuring-nodes-to-authenticate-to-a-private-repository).
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/cluster/addons/registry/auth/README.md?pixel)]()
|
|
@ -1,56 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: ReplicationController
|
||||
metadata:
|
||||
name: kube-registry-v0
|
||||
namespace: kube-system
|
||||
labels:
|
||||
k8s-app: kube-registry
|
||||
version: v0
|
||||
# kubernetes.io/cluster-service: "true"
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
k8s-app: kube-registry
|
||||
version: v0
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kube-registry
|
||||
version: v0
|
||||
# kubernetes.io/cluster-service: "true"
|
||||
spec:
|
||||
containers:
|
||||
- name: registry
|
||||
image: registry:2
|
||||
resources:
|
||||
# keep request = limit to keep this container in guaranteed class
|
||||
limits:
|
||||
cpu: 100m
|
||||
memory: 100Mi
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 100Mi
|
||||
env:
|
||||
- name: REGISTRY_HTTP_ADDR
|
||||
value: :5000
|
||||
- name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
|
||||
value: /var/lib/registry
|
||||
- name: REGISTRY_AUTH_HTPASSWD_REALM
|
||||
value: basic_realm
|
||||
- name: REGISTRY_AUTH_HTPASSWD_PATH
|
||||
value: /auth/htpasswd
|
||||
volumeMounts:
|
||||
- name: image-store
|
||||
mountPath: /var/lib/registry
|
||||
- name: auth-dir
|
||||
mountPath: /auth
|
||||
ports:
|
||||
- containerPort: 5000
|
||||
name: registry
|
||||
protocol: TCP
|
||||
volumes:
|
||||
- name: image-store
|
||||
emptyDir: {}
|
||||
- name: auth-dir
|
||||
secret:
|
||||
secretName: registry-auth-secret
|
|
@ -1,81 +0,0 @@
|
|||
# Kube-Registry with GCS storage backend
|
||||
|
||||
Besides local file system, docker registry also supports a number of cloud storage backends. Full list of supported backend can be found [here](https://docs.docker.com/registry/configuration/#storage). This document describes how to enable GCS for kube-registry as storage backend.
|
||||
|
||||
A few preparation steps are needed.
|
||||
1. Create a bucket named kube-registry in GCS.
|
||||
1. Create a service account for GCS access and create key file in json format. Detail instruction can be found [here](https://cloud.google.com/storage/docs/authentication#service_accounts).
|
||||
|
||||
|
||||
### Pack Keyfile into a Secret
|
||||
|
||||
Assuming you have downloaded the keyfile as `keyfile.json`. Create secret with the `keyfile.json`...
|
||||
```console
|
||||
$ kubectl --namespace=kube-system create secret generic gcs-key-secret --from-file=keyfile=keyfile.json
|
||||
```
|
||||
|
||||
|
||||
### Run Registry
|
||||
|
||||
<!-- BEGIN MUNGE: EXAMPLE registry-gcs-rc.yaml -->
|
||||
```yaml
|
||||
apiVersion: v1
|
||||
kind: ReplicationController
|
||||
metadata:
|
||||
name: kube-registry-v0
|
||||
namespace: kube-system
|
||||
labels:
|
||||
k8s-app: kube-registry
|
||||
version: v0
|
||||
# kubernetes.io/cluster-service: "true"
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
k8s-app: kube-registry
|
||||
version: v0
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kube-registry
|
||||
version: v0
|
||||
# kubernetes.io/cluster-service: "true"
|
||||
spec:
|
||||
containers:
|
||||
- name: registry
|
||||
image: registry:2
|
||||
resources:
|
||||
# keep request = limit to keep this container in guaranteed class
|
||||
limits:
|
||||
cpu: 100m
|
||||
memory: 100Mi
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 100Mi
|
||||
env:
|
||||
- name: REGISTRY_HTTP_ADDR
|
||||
value: :5000
|
||||
- name: REGISTRY_STORAGE
|
||||
value: gcs
|
||||
- name: REGISTRY_STORAGE_GCS_BUCKET
|
||||
value: kube-registry
|
||||
- name: REGISTRY_STORAGE_GCS_KEYFILE
|
||||
value: /gcs/keyfile
|
||||
ports:
|
||||
- containerPort: 5000
|
||||
name: registry
|
||||
protocol: TCP
|
||||
volumeMounts:
|
||||
- name: gcs-key
|
||||
mountPath: /gcs
|
||||
volumes:
|
||||
- name: gcs-key
|
||||
secret:
|
||||
secretName: gcs-key-secret
|
||||
```
|
||||
<!-- END MUNGE: EXAMPLE registry-gcs-rc.yaml -->
|
||||
|
||||
|
||||
No changes are needed for other components (kube-registry service and proxy).
|
||||
|
||||
|
||||
[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/cluster/addons/registry/gcs/README.md?pixel)]()
|
|
@ -1,52 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: ReplicationController
|
||||
metadata:
|
||||
name: kube-registry-v0
|
||||
namespace: kube-system
|
||||
labels:
|
||||
k8s-app: kube-registry
|
||||
version: v0
|
||||
# kubernetes.io/cluster-service: "true"
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
k8s-app: kube-registry
|
||||
version: v0
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kube-registry
|
||||
version: v0
|
||||
# kubernetes.io/cluster-service: "true"
|
||||
spec:
|
||||
containers:
|
||||
- name: registry
|
||||
image: registry:2
|
||||
resources:
|
||||
# keep request = limit to keep this container in guaranteed class
|
||||
limits:
|
||||
cpu: 100m
|
||||
memory: 100Mi
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 100Mi
|
||||
env:
|
||||
- name: REGISTRY_HTTP_ADDR
|
||||
value: :5000
|
||||
- name: REGISTRY_STORAGE
|
||||
value: gcs
|
||||
- name: REGISTRY_STORAGE_GCS_BUCKET
|
||||
value: kube-registry
|
||||
- name: REGISTRY_STORAGE_GCS_KEYFILE
|
||||
value: /gcs/keyfile
|
||||
ports:
|
||||
- containerPort: 5000
|
||||
name: registry
|
||||
protocol: TCP
|
||||
volumeMounts:
|
||||
- name: gcs-key
|
||||
mountPath: /gcs
|
||||
volumes:
|
||||
- name: gcs-key
|
||||
secret:
|
||||
secretName: gcs-key-secret
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: {{ registry_namespace }}
|
||||
labels:
|
||||
name: {{ registry_namespace }}
|
|
@ -1,28 +1,33 @@
|
|||
---
|
||||
apiVersion: extensions/v1beta1
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
name: kube-registry-proxy
|
||||
namespace: {{ system_namespace }}
|
||||
name: registry-proxy
|
||||
namespace: {{ registry_namespace }}
|
||||
labels:
|
||||
k8s-app: kube-registry-proxy
|
||||
k8s-app: registry-proxy
|
||||
kubernetes.io/cluster-service: "true"
|
||||
version: v{{ registry_proxy_image_tag }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: registry-proxy
|
||||
version: v{{ registry_proxy_image_tag }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kube-registry-proxy
|
||||
kubernetes.io/name: "kube-registry-proxy"
|
||||
k8s-app: registry-proxy
|
||||
kubernetes.io/name: "registry-proxy"
|
||||
kubernetes.io/cluster-service: "true"
|
||||
version: v{{ registry_proxy_image_tag }}
|
||||
spec:
|
||||
containers:
|
||||
- name: kube-registry-proxy
|
||||
- name: registry-proxy
|
||||
image: {{ registry_proxy_image_repo }}:{{ registry_proxy_image_tag }}
|
||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||
env:
|
||||
- name: REGISTRY_HOST
|
||||
value: kube-registry.kube-system.svc.cluster.local
|
||||
value: registry.{{ registry_namespace }}.svc.{{ cluster_name }}
|
||||
- name: REGISTRY_PORT
|
||||
value: "5000"
|
||||
ports:
|
|
@ -1,17 +0,0 @@
|
|||
kind: PersistentVolume
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: kube-system-kube-registry-pv
|
||||
labels:
|
||||
kubernetes.io/cluster-service: "true"
|
||||
addonmanager.kubernetes.io/mode: Reconcile
|
||||
spec:
|
||||
{% if pillar.get('cluster_registry_disk_type', '') == 'gce' %}
|
||||
capacity:
|
||||
storage: {{ pillar['cluster_registry_disk_size'] }}
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
gcePersistentDisk:
|
||||
pdName: "{{ pillar['cluster_registry_disk_name'] }}"
|
||||
fsType: "ext4"
|
||||
{% endif %}
|
|
@ -1,14 +1,16 @@
|
|||
kind: PersistentVolumeClaim
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: kube-registry-pvc
|
||||
namespace: kube-system
|
||||
name: registry-pvc
|
||||
namespace: {{ registry_namespace }}
|
||||
labels:
|
||||
kubernetes.io/cluster-service: "true"
|
||||
addonmanager.kubernetes.io/mode: Reconcile
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
storageClassName: {{ registry_storage_class }}
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ pillar['cluster_registry_disk_size'] }}
|
||||
storage: {{ registry_disk_size }}
|
||||
|
|
|
@ -1,41 +1,48 @@
|
|||
---
|
||||
apiVersion: v1
|
||||
kind: ReplicationController
|
||||
apiVersion: apps/v1
|
||||
kind: ReplicaSet
|
||||
metadata:
|
||||
name: kube-registry-v{{ registry_image_tag }}
|
||||
namespace: {{ system_namespace }}
|
||||
name: registry-v{{ registry_image_tag }}
|
||||
namespace: {{ registry_namespace }}
|
||||
labels:
|
||||
k8s-app: kube-registry-upstream
|
||||
k8s-app: registry
|
||||
version: v{{ registry_image_tag }}
|
||||
kubernetes.io/cluster-service: "true"
|
||||
addonmanager.kubernetes.io/mode: Reconcile
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
k8s-app: kube-registry-upstream
|
||||
matchLabels:
|
||||
k8s-app: registry
|
||||
version: v{{ registry_image_tag }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kube-registry-upstream
|
||||
k8s-app: registry
|
||||
version: v{{ registry_image_tag }}
|
||||
kubernetes.io/cluster-service: "true"
|
||||
spec:
|
||||
containers:
|
||||
- name: registry
|
||||
image: {{ registry_image_repo }}:{{ registry_image_tag }}
|
||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||
env:
|
||||
- name: REGISTRY_HTTP_ADDR
|
||||
value: :5000
|
||||
- name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
|
||||
value: /var/lib/registry
|
||||
volumeMounts:
|
||||
- name: image-store
|
||||
- name: registry-pvc
|
||||
mountPath: /var/lib/registry
|
||||
ports:
|
||||
- containerPort: 5000
|
||||
name: registry
|
||||
protocol: TCP
|
||||
volumes:
|
||||
- name: image-store
|
||||
- name: registry-pvc
|
||||
{% if registry_storage_class != none %}
|
||||
persistentVolumeClaim:
|
||||
claimName: registry-pvc
|
||||
{% else %}
|
||||
emptyDir: {}
|
||||
{% endif %}
|
|
@ -2,16 +2,16 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: kube-registry
|
||||
namespace: {{ system_namespace }}
|
||||
name: registry
|
||||
namespace: {{ registry_namespace }}
|
||||
labels:
|
||||
k8s-app: kube-registry-upstream
|
||||
k8s-app: registry
|
||||
kubernetes.io/cluster-service: "true"
|
||||
addonmanager.kubernetes.io/mode: Reconcile
|
||||
kubernetes.io/name: "KubeRegistry"
|
||||
spec:
|
||||
selector:
|
||||
k8s-app: kube-registry-upstream
|
||||
k8s-app: registry
|
||||
ports:
|
||||
- name: registry
|
||||
port: 5000
|
||||
|
|
|
@ -1,116 +0,0 @@
|
|||
# Enable TLS for Kube-Registry
|
||||
|
||||
This document describes how to enable TLS for kube-registry. Before you start, please check if you have all the prerequisite:
|
||||
|
||||
- A domain for kube-registry. Assuming it is ` myregistrydomain.com`.
|
||||
- Domain certificate and key. Assuming they are `domain.crt` and `domain.key`
|
||||
|
||||
### Pack domain.crt and domain.key into a Secret
|
||||
|
||||
```console
|
||||
$ kubectl --namespace=kube-system create secret generic registry-tls-secret --from-file=domain.crt=domain.crt --from-file=domain.key=domain.key
|
||||
```
|
||||
|
||||
### Run Registry
|
||||
|
||||
Please be noted that this sample rc is using emptyDir as storage backend for simplicity.
|
||||
|
||||
<!-- BEGIN MUNGE: EXAMPLE registry-tls-rc.yaml -->
|
||||
```yaml
|
||||
apiVersion: v1
|
||||
kind: ReplicationController
|
||||
metadata:
|
||||
name: kube-registry-v0
|
||||
namespace: kube-system
|
||||
labels:
|
||||
k8s-app: kube-registry
|
||||
version: v0
|
||||
# kubernetes.io/cluster-service: "true"
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
k8s-app: kube-registry
|
||||
version: v0
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kube-registry
|
||||
version: v0
|
||||
# kubernetes.io/cluster-service: "true"
|
||||
spec:
|
||||
containers:
|
||||
- name: registry
|
||||
image: registry:2
|
||||
resources:
|
||||
# keep request = limit to keep this container in guaranteed class
|
||||
limits:
|
||||
cpu: 100m
|
||||
memory: 100Mi
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 100Mi
|
||||
env:
|
||||
- name: REGISTRY_HTTP_ADDR
|
||||
value: :5000
|
||||
- name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
|
||||
value: /var/lib/registry
|
||||
- name: REGISTRY_HTTP_TLS_CERTIFICATE
|
||||
value: /certs/domain.crt
|
||||
- name: REGISTRY_HTTP_TLS_KEY
|
||||
value: /certs/domain.key
|
||||
volumeMounts:
|
||||
- name: image-store
|
||||
mountPath: /var/lib/registry
|
||||
- name: cert-dir
|
||||
mountPath: /certs
|
||||
ports:
|
||||
- containerPort: 5000
|
||||
name: registry
|
||||
protocol: TCP
|
||||
volumes:
|
||||
- name: image-store
|
||||
emptyDir: {}
|
||||
- name: cert-dir
|
||||
secret:
|
||||
secretName: registry-tls-secret
|
||||
```
|
||||
<!-- END MUNGE: EXAMPLE registry-tls-rc.yaml -->
|
||||
|
||||
### Expose External IP for Kube-Registry
|
||||
|
||||
Modify the default kube-registry service to `LoadBalancer` type and point the DNS record of `myregistrydomain.com` to the service external ip.
|
||||
|
||||
<!-- BEGIN MUNGE: EXAMPLE registry-tls-svc.yaml -->
|
||||
```yaml
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: kube-registry
|
||||
namespace: kube-system
|
||||
labels:
|
||||
k8s-app: kube-registry
|
||||
# kubernetes.io/cluster-service: "true"
|
||||
kubernetes.io/name: "KubeRegistry"
|
||||
spec:
|
||||
selector:
|
||||
k8s-app: kube-registry
|
||||
type: LoadBalancer
|
||||
ports:
|
||||
- name: registry
|
||||
port: 5000
|
||||
protocol: TCP
|
||||
```
|
||||
<!-- END MUNGE: EXAMPLE registry-tls-svc.yaml -->
|
||||
|
||||
### To Verify
|
||||
|
||||
Now you should be able to access your kube-registry from another docker host.
|
||||
```console
|
||||
docker pull busybox
|
||||
docker tag busybox myregistrydomain.com:5000/busybox
|
||||
docker push myregistrydomain.com:5000/busybox
|
||||
docker pull myregistrydomain.com:5000/busybox
|
||||
```
|
||||
|
||||
|
||||
[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/cluster/addons/registry/tls/README.md?pixel)]()
|
|
@ -1,57 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: ReplicationController
|
||||
metadata:
|
||||
name: kube-registry-v0
|
||||
namespace: kube-system
|
||||
labels:
|
||||
k8s-app: kube-registry
|
||||
version: v0
|
||||
# kubernetes.io/cluster-service: "true"
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
k8s-app: kube-registry
|
||||
version: v0
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kube-registry
|
||||
version: v0
|
||||
# kubernetes.io/cluster-service: "true"
|
||||
spec:
|
||||
containers:
|
||||
- name: registry
|
||||
image: registry:2
|
||||
resources:
|
||||
# keep request = limit to keep this container in guaranteed class
|
||||
limits:
|
||||
cpu: 100m
|
||||
memory: 100Mi
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 100Mi
|
||||
env:
|
||||
- name: REGISTRY_HTTP_ADDR
|
||||
value: :5000
|
||||
- name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
|
||||
value: /var/lib/registry
|
||||
- name: REGISTRY_HTTP_TLS_CERTIFICATE
|
||||
value: /certs/domain.crt
|
||||
- name: REGISTRY_HTTP_TLS_KEY
|
||||
value: /certs/domain.key
|
||||
volumeMounts:
|
||||
- name: image-store
|
||||
mountPath: /var/lib/registry
|
||||
- name: cert-dir
|
||||
mountPath: /certs
|
||||
ports:
|
||||
- containerPort: 5000
|
||||
name: registry
|
||||
protocol: TCP
|
||||
volumes:
|
||||
- name: image-store
|
||||
emptyDir: {}
|
||||
- name: cert-dir
|
||||
secret:
|
||||
secretName: registry-tls-secret
|
||||
|
|
@ -1,17 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: kube-registry
|
||||
namespace: kube-system
|
||||
labels:
|
||||
k8s-app: kube-registry
|
||||
# kubernetes.io/cluster-service: "true"
|
||||
kubernetes.io/name: "KubeRegistry"
|
||||
spec:
|
||||
selector:
|
||||
k8s-app: kube-registry
|
||||
type: LoadBalancer
|
||||
ports:
|
||||
- name: registry
|
||||
port: 5000
|
||||
protocol: TCP
|
Loading…
Reference in a new issue