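{{- if .Values.containerregistry.enabled }}
{{- /*
Internal container registry for Epinio.

Rendered objects (all in .Release.Namespace):
  - Secret `auth`                 htpasswd (bcrypt) credentials from .Values.global.registryUsername/Password
  - Certificate `epinio-registry` TLS for the registry, issued by ClusterIssuer `epinio-ca`
  - Service `registry`            ClusterIP :5000 -> registry container (HTTPS + htpasswd auth)
  - Service `registry-node`       NodePort :30500 -> nginx side-car (plain HTTP, proxies to the registry)
  - ConfigMap `nginx-conf`        nginx listener definition for the side-car
  - Deployment `registry`         registry container plus optional nginx side-car

The inner `if .Values.containerregistry.enabled` guards are redundant while nested
in this outer guard; they are kept as written in case they were meant to become a
separate toggle for the NodePort side-car.
*/}}
---
apiVersion: v1
kind: Secret
metadata:
  name: auth
  namespace: {{ .Release.Namespace }}
stringData:
  # The only supported password format is bcrypt
  htpasswd: {{ htpasswd .Values.global.registryUsername .Values.global.registryPassword | quote }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: epinio-registry
  namespace: {{ .Release.Namespace }}
spec:
  dnsNames:
    # Cluster DNS suffix is hard-coded; clusters with a non-default domain need this adjusted.
    - registry.{{ .Release.Namespace }}.svc.cluster.local
  ipAddresses:
    # Loopback SAN: the nginx side-car proxies to https://localhost:5000 inside the pod.
    - 127.0.0.1
  issuerRef:
    kind: ClusterIssuer
    name: epinio-ca
  secretName: epinio-registry-tls
---
apiVersion: v1
kind: Service
metadata:
  name: registry
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: "epinio-registry"
    app.kubernetes.io/instance: "epinio-registry"
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: "epinio-registry"
    app.kubernetes.io/instance: "epinio-registry"
  ports:
    - name: registry
      port: 5000
      targetPort: 5000
{{ if .Values.containerregistry.enabled }}
---
apiVersion: v1
kind: Service
metadata:
  name: registry-node
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: "epinio-registry"
    app.kubernetes.io/instance: "epinio-registry"
spec:
  # NodePort is reachable on every node's address, not only 127.0.0.1, and the
  # nginx listener behind it is plain HTTP: registry credentials cross the wire
  # unencrypted beyond the node. Restrict reachability (NetworkPolicy, host
  # firewall) to the node-local consumers that need it.
  type: NodePort
  selector:
    app.kubernetes.io/name: "epinio-registry"
    app.kubernetes.io/instance: "epinio-registry"
  ports:
    - name: registry-sidecar
      port: 30500
      targetPort: 30500
      nodePort: 30500
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-conf
  namespace: {{ .Release.Namespace }}
data:
  # Mounted at /etc/nginx/conf.d in the nginx side-car. The listener is plain
  # HTTP on 30500 and forwards to the registry's TLS port on the pod loopback;
  # server_name 127.0.0.1 suggests it is intended for node-local access only
  # (confirm against the consumer of the NodePort).
  nginx.conf: |
    server {
      listen 30500 default_server;
      server_name 127.0.0.1;
      location / {
        proxy_pass https://localhost:5000/;
      }
    }
{{- end }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: registry
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: "epinio-registry"
    app.kubernetes.io/instance: "epinio-registry"
spec:
  # Single replica backed by an emptyDir (see volumes): pushed images do not
  # survive pod replacement. Intentional for a cache-like registry; switch the
  # `registry` volume to a PVC if persistence is required.
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: "epinio-registry"
      app.kubernetes.io/instance: "epinio-registry"
  template:
    metadata:
      labels:
        app.kubernetes.io/name: "epinio-registry"
        app.kubernetes.io/instance: "epinio-registry"
    spec:
      containers:
{{ if .Values.containerregistry.enabled }}
        - name: nginx
          image: "{{ template "registry-url" . }}{{ .Values.containerregistry.image.nginx.repository }}:{{ .Values.containerregistry.image.nginx.tag }}"
          imagePullPolicy: IfNotPresent
          securityContext:
            runAsUser: 1000
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
          # Probe nginx's own listener (30500). Port 5000 belongs to the registry
          # container, so probing it here would report the wrong container's health.
          livenessProbe:
            tcpSocket:
              port: 30500
            initialDelaySeconds: 15
            periodSeconds: 20
          readinessProbe:
            tcpSocket:
              port: 30500
          volumeMounts:
            - mountPath: /etc/nginx/conf.d
              name: nginx-conf
            # Writable scratch paths required by readOnlyRootFilesystem; cache and
            # pid/run files get separate emptyDirs.
            - mountPath: /var/cache/nginx/
              name: nginx-cache
            - mountPath: /var/run/
              name: nginx-run
{{- end }}
        - name: registry
          image: "{{ template "registry-url" . }}{{ .Values.containerregistry.image.registry.repository }}:{{ .Values.containerregistry.image.registry.tag }}"
          imagePullPolicy: {{ .Values.containerregistry.imagePullPolicy }}
          env:
            # Basic auth against the bcrypt htpasswd file mounted from Secret `auth`.
            - name: REGISTRY_AUTH
              value: htpasswd
            - name: REGISTRY_AUTH_HTPASSWD_REALM
              value: Registry Realm
            - name: REGISTRY_AUTH_HTPASSWD_PATH
              value: /etc/registry/auth/htpasswd
            # Serve HTTPS with the cert-manager issued key pair (Secret `epinio-registry-tls`).
            - name: REGISTRY_HTTP_TLS_CERTIFICATE
              value: "/certs/tls.crt"
            - name: REGISTRY_HTTP_TLS_KEY
              value: "/certs/tls.key"
          volumeMounts:
            - name: registry
              mountPath: /var/lib/registry
              readOnly: false
            - name: auth
              mountPath: /etc/registry/auth
              readOnly: true
            - name: certs
              mountPath: /certs
              readOnly: true
          securityContext:
            runAsUser: 1000
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
          livenessProbe:
            httpGet:
              port: 5000
              scheme: HTTPS
            initialDelaySeconds: 15
            periodSeconds: 20
          readinessProbe:
            httpGet:
              port: 5000
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 5
      volumes:
        - name: registry
          emptyDir: {}
        - name: auth
          secret:
            secretName: auth
        - name: certs
          secret:
            secretName: epinio-registry-tls
{{ if .Values.containerregistry.enabled }}
        - name: nginx-conf
          configMap:
            name: nginx-conf
        - name: nginx-cache
          emptyDir: {}
        - name: nginx-run
          emptyDir: {}
{{- end }}
{{- end }}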