rancher-charts/charts/epinio/100.0.0+up1.2.1/templates/container-registry.yaml

192 lines
4.8 KiB
YAML

{{- if .Values.containerregistry.enabled }}
---
apiVersion: v1
kind: Secret
metadata:
name: auth
namespace: {{ .Release.Namespace }}
stringData:
# The only supported password format is bcrypt
htpasswd: {{ htpasswd .Values.global.registryUsername .Values.global.registryPassword | quote }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: epinio-registry
namespace: {{ .Release.Namespace }}
spec:
dnsNames:
- registry.{{ .Release.Namespace }}.svc.cluster.local
ipAddresses:
- 127.0.0.1
issuerRef:
kind: ClusterIssuer
name: epinio-ca
secretName: epinio-registry-tls
---
apiVersion: v1
kind: Service
metadata:
name: registry
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: "epinio-registry"
app.kubernetes.io/instance: "epinio-registry"
spec:
type: ClusterIP
selector:
app.kubernetes.io/name: "epinio-registry"
app.kubernetes.io/instance: "epinio-registry"
ports:
- name: registry
port: 5000
targetPort: 5000
{{ if .Values.containerregistry.enabled }}
---
apiVersion: v1
kind: Service
metadata:
name: registry-node
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: "epinio-registry"
app.kubernetes.io/instance: "epinio-registry"
spec:
type: NodePort
selector:
app.kubernetes.io/name: "epinio-registry"
app.kubernetes.io/instance: "epinio-registry"
ports:
- name: registry-sidecar
port: 30500
targetPort: 30500
nodePort: 30500
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-conf
namespace: {{ .Release.Namespace }}
data:
nginx.conf: |
server {
listen 30500 default_server;
server_name 127.0.0.1;
location / {
proxy_pass https://localhost:5000/;
}
}
{{- end }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: registry
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: "epinio-registry"
app.kubernetes.io/instance: "epinio-registry"
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: "epinio-registry"
app.kubernetes.io/instance: "epinio-registry"
template:
metadata:
labels:
app.kubernetes.io/name: "epinio-registry"
app.kubernetes.io/instance: "epinio-registry"
spec:
containers:
{{ if .Values.containerregistry.enabled }}
- name: nginx
image: "{{ template "registry-url" . }}{{ .Values.containerregistry.image.nginx.repository}}:{{ .Values.containerregistry.image.nginx.tag }}"
imagePullPolicy: IfNotPresent
securityContext:
runAsUser: 1000
runAsNonRoot: true
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
livenessProbe:
tcpSocket:
port: 5000
initialDelaySeconds: 15
periodSeconds: 20
readinessProbe:
tcpSocket:
port: 5000
volumeMounts:
- mountPath: /etc/nginx/conf.d
name: nginx-conf
- mountPath: /var/cache/nginx/
name: nginx-run
- mountPath: /var/run/
name: nginx-run
{{- end }}
- name: registry
image: "{{ template "registry-url" . }}{{ .Values.containerregistry.image.registry.repository}}:{{ .Values.containerregistry.image.registry.tag }}"
imagePullPolicy: {{ .Values.containerregistry.imagePullPolicy }}
env:
- name: REGISTRY_AUTH
value: htpasswd
- name: REGISTRY_AUTH_HTPASSWD_REALM
value: Registry Realm
- name: REGISTRY_AUTH_HTPASSWD_PATH
value: /etc/registry/auth/htpasswd
- name: REGISTRY_HTTP_TLS_CERTIFICATE
value: "/certs/tls.crt"
- name: REGISTRY_HTTP_TLS_KEY
value: "/certs/tls.key"
volumeMounts:
- name: registry
mountPath: /var/lib/registry
readOnly: false
- name: auth
mountPath: /etc/registry/auth
readOnly: true
- name: certs
mountPath: /certs
readOnly: true
securityContext:
runAsUser: 1000
runAsNonRoot: true
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
livenessProbe:
httpGet:
port: 5000
scheme: HTTPS
initialDelaySeconds: 15
periodSeconds: 20
readinessProbe:
httpGet:
port: 5000
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 5
volumes:
- name: registry
emptyDir: {}
- name: auth
secret:
secretName: auth
- name: certs
secret:
secretName: epinio-registry-tls
{{ if .Values.containerregistry.enabled }}
- name: nginx-conf
configMap:
name: nginx-conf
- name: nginx-cache
emptyDir: {}
- name: nginx-run
emptyDir: {}
{{- end }}
{{- end }}