Commit f8ebd08e authored by Wong Hoi Sing Edison

Registry Addon Fixup

parent 6ac78401
135 additions and 506 deletions
...@@ -171,6 +171,9 @@ istio_enabled: false ...@@ -171,6 +171,9 @@ istio_enabled: false
# Registry deployment # Registry deployment
registry_enabled: false registry_enabled: false
# registry_namespace: "{{ system_namespace }}"
# registry_storage_class: ""
# registry_disk_size: "10Gi"
# Local volume provisioner deployment # Local volume provisioner deployment
local_volume_provisioner_enabled: false local_volume_provisioner_enabled: false
......
# Private Docker Registry in Kubernetes Private Docker Registry in Kubernetes
=====================================
Kubernetes offers an optional private Docker registry addon, which you can turn Kubernetes offers an optional private Docker registry addon, which you can turn
on when you bring up a cluster or install later. This gives you a place to on when you bring up a cluster or install later. This gives you a place to
store truly private Docker images for your cluster. store truly private Docker images for your cluster.
## How it works How it works
------------
The private registry runs as a `Pod` in your cluster. It does not currently The private registry runs as a `Pod` in your cluster. It does not currently
support SSL or authentication, which triggers Docker's "insecure registry" support SSL or authentication, which triggers Docker's "insecure registry"
...@@ -12,7 +14,8 @@ logic. To work around this, we run a proxy on each node in the cluster, ...@@ -12,7 +14,8 @@ logic. To work around this, we run a proxy on each node in the cluster,
exposing a port onto the node (via a hostPort), which Docker accepts as exposing a port onto the node (via a hostPort), which Docker accepts as
"secure", since it is accessed by `localhost`. "secure", since it is accessed by `localhost`.
## Turning it on Turning it on
-------------
Some cluster installs (e.g. GCE) support this as a cluster-birth flag. The Some cluster installs (e.g. GCE) support this as a cluster-birth flag. The
`ENABLE_CLUSTER_REGISTRY` variable in `cluster/gce/config-default.sh` governs `ENABLE_CLUSTER_REGISTRY` variable in `cluster/gce/config-default.sh` governs
...@@ -64,7 +67,8 @@ just want to kick the tires on this without committing to it, you can easily ...@@ -64,7 +67,8 @@ just want to kick the tires on this without committing to it, you can easily
adapt the `ReplicationController` specification below to use a simple adapt the `ReplicationController` specification below to use a simple
`emptyDir` volume instead of a `persistentVolumeClaim`. `emptyDir` volume instead of a `persistentVolumeClaim`.
## Claim the storage Claim the storage
-----------------
Now that the Kubernetes cluster knows that some storage exists, you can put a Now that the Kubernetes cluster knows that some storage exists, you can put a
claim on that storage. As with the `PersistentVolume` above, you can start claim on that storage. As with the `PersistentVolume` above, you can start
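Review bot: The context in this hunk still tells readers to adapt the `ReplicationController` specification, but the registry template in this same commit becomes `kind: ReplicaSet` under `apps/v1` and the task list now ships `registry-rs.yml` instead of `registry-rc.yml`. Since the README is being touched anyway, update the wording (here and in the "Run the registry" section) so the documentation names the object the addon actually deploys.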
...@@ -93,7 +97,8 @@ you created before will be bound to this claim (unless you have other ...@@ -93,7 +97,8 @@ you created before will be bound to this claim (unless you have other
`PersistentVolumes` in which case those might get bound instead). This claim `PersistentVolumes` in which case those might get bound instead). This claim
gives you the right to use this storage until you release the claim. gives you the right to use this storage until you release the claim.
## Run the registry Run the registry
----------------
Now we can run a Docker registry: Now we can run a Docker registry:
...@@ -146,7 +151,8 @@ spec: ...@@ -146,7 +151,8 @@ spec:
``` ```
<!-- END MUNGE: EXAMPLE registry-rc.yaml --> <!-- END MUNGE: EXAMPLE registry-rc.yaml -->
## Expose the registry in the cluster Expose the registry in the cluster
----------------------------------
Now that we have a registry `Pod` running, we can expose it as a Service: Now that we have a registry `Pod` running, we can expose it as a Service:
...@@ -171,7 +177,8 @@ spec: ...@@ -171,7 +177,8 @@ spec:
``` ```
<!-- END MUNGE: EXAMPLE registry-svc.yaml --> <!-- END MUNGE: EXAMPLE registry-svc.yaml -->
## Expose the registry on each node Expose the registry on each node
--------------------------------
Now that we have a running `Service`, we need to expose it onto each Kubernetes Now that we have a running `Service`, we need to expose it onto each Kubernetes
`Node` so that Docker will see it as `localhost`. We can load a `Pod` on every `Node` so that Docker will see it as `localhost`. We can load a `Pod` on every
...@@ -217,7 +224,7 @@ spec: ...@@ -217,7 +224,7 @@ spec:
<!-- END MUNGE: EXAMPLE ../../saltbase/salt/kube-registry-proxy/kube-registry-proxy.yaml --> <!-- END MUNGE: EXAMPLE ../../saltbase/salt/kube-registry-proxy/kube-registry-proxy.yaml -->
When modifying replication-controller, service and daemon-set defintions, take When modifying replication-controller, service and daemon-set defintions, take
care to ensure _unique_ identifiers for the rc-svc couple and the daemon-set. care to ensure *unique* identifiers for the rc-svc couple and the daemon-set.
Failing to do so will have register the localhost proxy daemon-sets to the Failing to do so will have register the localhost proxy daemon-sets to the
upstream service. As a result they will then try to proxy themselves, which upstream service. As a result they will then try to proxy themselves, which
will, for obvious reasons, not work. will, for obvious reasons, not work.
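Review bot: The paragraph edited here (only `_unique_` becomes `*unique*`) keeps the typo "defintions" and the broken phrase "will have register the localhost proxy daemon-sets"; fix both while the lines are being changed. It is also worth restating the warning with the new identifiers, since this commit renames the labels to `k8s-app: registry` and `k8s-app: registry-proxy` and the point of the paragraph is that the Service selector must never match the proxy pods.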
...@@ -231,7 +238,8 @@ $ curl localhost:5000 ...@@ -231,7 +238,8 @@ $ curl localhost:5000
404 page not found 404 page not found
``` ```
## Using the registry Using the registry
------------------
To use an image hosted by this registry, simply say this in your `Pod`'s To use an image hosted by this registry, simply say this in your `Pod`'s
`spec.containers[].image` field: `spec.containers[].image` field:
...@@ -260,15 +268,14 @@ Now you can build and push images on your local computer as ...@@ -260,15 +268,14 @@ Now you can build and push images on your local computer as
`localhost:5000/yourname/container` and those images will be available inside `localhost:5000/yourname/container` and those images will be available inside
your kubernetes cluster with the same name. your kubernetes cluster with the same name.
# More Extensions More Extensions
===============
- [Use GCS as storage backend](gcs/README.md) - [Use GCS as storage backend](gcs/README.md)
- [Enable TLS/SSL](tls/README.md) - [Enable TLS/SSL](tls/README.md)
- [Enable Authentication](auth/README.md) - [Enable Authentication](auth/README.md)
## Future improvements Future improvements
-------------------
* Allow port-forwarding to a Service rather than a pod (#15180) - Allow port-forwarding to a Service rather than a pod (\#15180)
[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/cluster/addons/registry/README.md?pixel)]()
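Review bot: The "More Extensions" list keeps its links to `gcs/README.md`, `tls/README.md` and `auth/README.md`, while the auth and GCS READMEs show up further down this commit as one-sided file content with no new counterpart. If those files are being removed, these links dangle and the README no longer points anywhere for enabling authentication, which matters because the "How it works" section states the registry runs without SSL or authentication. Either drop the list or replace it with a pointer to where TLS and htpasswd setup is documented now.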
...@@ -3,3 +3,7 @@ registry_image_repo: registry ...@@ -3,3 +3,7 @@ registry_image_repo: registry
registry_image_tag: 2.6 registry_image_tag: 2.6
registry_proxy_image_repo: gcr.io/google_containers/kube-registry-proxy registry_proxy_image_repo: gcr.io/google_containers/kube-registry-proxy
registry_proxy_image_tag: 0.4 registry_proxy_image_tag: 0.4
registry_namespace: "{{ system_namespace }}"
registry_storage_class: ""
registry_disk_size: "10Gi"
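Review bot: The default `registry_storage_class: ""` does not match the checks that consume it: the tasks and the ReplicaSet template in this commit test `registry_storage_class != none`, and an empty string is not none. With the shipped defaults the PVC tasks therefore always run and the `emptyDir` branch of the template is unreachable. Either default the variable to null, or change the conditions to a truthiness test so that an empty value means "no persistent storage".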
# Copyright 2016 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
FROM nginx:1.12
RUN apt-get update \
&& apt-get install -y \
curl \
--no-install-recommends \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/share/man /usr/share/doc
COPY rootfs /
CMD ["/bin/boot"]
# Copyright 2016 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
.PHONY: build push vet test clean
TAG = 0.4
REPO = gcr.io/google_containers/kube-registry-proxy
build:
docker build --pull -t $(REPO):$(TAG) .
push:
gcloud docker -- push $(REPO):$(TAG)
#!/usr/bin/env bash
# fail if no hostname is provided
REGISTRY_HOST=${REGISTRY_HOST:?no host}
REGISTRY_PORT=${REGISTRY_PORT:-5000}
# we are always listening on port 80
# https://github.com/nginxinc/docker-nginx/blob/43c112100750cbd1e9f2160324c64988e7920ac9/stable/jessie/Dockerfile#L25
PORT=80
sed -e "s/%HOST%/$REGISTRY_HOST/g" \
-e "s/%PORT%/$REGISTRY_PORT/g" \
-e "s/%BIND_PORT%/$PORT/g" \
</etc/nginx/conf.d/default.conf.in >/etc/nginx/conf.d/default.conf
# wait for registry to come online
while ! curl -sS "$REGISTRY_HOST:$REGISTRY_PORT" &>/dev/null; do
printf "waiting for the registry (%s:%s) to come online...\n" "$REGISTRY_HOST" "$REGISTRY_PORT"
sleep 1
done
printf "starting proxy...\n"
exec nginx -g "daemon off;" "$@"
# Docker registry proxy for api version 2
upstream docker-registry {
server %HOST%:%PORT%;
}
# No client auth or TLS
# TODO(bacongobbler): experiment with authenticating the registry if it's using TLS
server {
listen %BIND_PORT%;
server_name localhost;
# disable any limits to avoid HTTP 413 for large image uploads
client_max_body_size 0;
# required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
chunked_transfer_encoding on;
location / {
# Do not allow connections from docker 1.5 and earlier
# docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
return 404;
}
include docker-registry.conf;
}
}
proxy_pass http://docker-registry;
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900;
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
keepalive_timeout 65;
include /etc/nginx/conf.d/*.conf;
}
...@@ -3,29 +3,56 @@ ...@@ -3,29 +3,56 @@
- name: Registry | Create addon dir - name: Registry | Create addon dir
file: file:
path: "{{ kube_config_dir }}/addons/registry" path: "{{ kube_config_dir }}/addons/registry"
state: directory
owner: root owner: root
group: root group: root
mode: 0755 mode: 0755
recurse: true
- name: Registry | Create manifests - name: Registry | Create manifests
template: template:
src: "{{ item.file }}.j2" src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/addons/registry/{{ item.file }}" dest: "{{ kube_config_dir }}/addons/registry/{{ item.file }}"
with_items: with_items:
- { name: registry-svc, file: registry-svc.yml, type: service } - { name: registry-ns, file: registry-ns.yml, type: ns }
- { name: registry-rc, file: registry-rc.yml, type: replicationcontroller } - { name: registry-svc, file: registry-svc.yml, type: svc }
- { name: registry-ds, file: registry-ds.yml, type: daemonset } - { name: registry-rs, file: registry-rs.yml, type: rs }
- { name: registry-proxy-ds, file: registry-proxy-ds.yml, type: ds }
register: registry_manifests register: registry_manifests
when: inventory_hostname == groups['kube-master'][0] when: inventory_hostname == groups['kube-master'][0]
- name: Registry | Apply manifests - name: Registry | Apply manifests
kube: kube:
name: "{{ item.item.name }}" name: "{{ item.item.name }}"
namespace: "{{ system_namespace }}" namespace: "{{ registry_namespace }}"
kubectl: "{{ bin_dir }}/kubectl" kubectl: "{{ bin_dir }}/kubectl"
resource: "{{ item.item.type }}" resource: "{{ item.item.type }}"
filename: "{{ kube_config_dir }}/addons/registry/{{ item.item.file }}" filename: "{{ kube_config_dir }}/addons/registry/{{ item.item.file }}"
state: "latest" state: "latest"
with_items: "{{ registry_manifests.results }}" with_items: "{{ registry_manifests.results }}"
when: inventory_hostname == groups['kube-master'][0] when: inventory_hostname == groups['kube-master'][0]
- name: Registry | Create PVC manifests
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/addons/registry/{{ item.file }}"
with_items:
- { name: registry-pvc, file: registry-pvc.yml, type: pvc }
register: registry_manifests
when:
- registry_storage_class != none
- registry_disk_size != none
- inventory_hostname == groups['kube-master'][0]
- name: Registry | Apply PVC manifests
kube:
name: "{{ item.item.name }}"
namespace: "{{ registry_namespace }}"
kubectl: "{{ bin_dir }}/kubectl"
resource: "{{ item.item.type }}"
filename: "{{ kube_config_dir }}/addons/registry/{{ item.item.file }}"
state: "latest"
with_items: "{{ registry_manifests.results }}"
when:
- registry_storage_class != none
- registry_disk_size != none
- inventory_hostname == groups['kube-master'][0]
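Review bot: The PVC is templated and applied only by the last two tasks, after `registry-rs` has already been applied, so the registry pod is created with `claimName: registry-pvc` before the claim exists and stays Pending until the later task runs. Move the PVC ahead of the ReplicaSet, or fold the `registry-pvc` entry into the first `with_items` list under the same condition. That also removes the second `register: registry_manifests`, which overwrites the result of the first "Create manifests" task.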
# Enable Authentication with Htpasswd for Kube-Registry
Docker registry support a few authentication providers. Full list of supported provider can be found [here](https://docs.docker.com/registry/configuration/#auth). This document describes how to enable authentication with htpasswd for kube-registry.
### Prepare Htpasswd Secret
Please generate your own htpasswd file. Assuming the file you generated is `htpasswd`.
Creating secret to hold htpasswd...
```console
$ kubectl --namespace=kube-system create secret generic registry-auth-secret --from-file=htpasswd=htpasswd
```
### Run Registry
Please be noted that this sample rc is using emptyDir as storage backend for simplicity.
<!-- BEGIN MUNGE: EXAMPLE registry-auth-rc.yaml -->
```yaml
apiVersion: v1
kind: ReplicationController
metadata:
name: kube-registry-v0
namespace: kube-system
labels:
k8s-app: kube-registry
version: v0
# kubernetes.io/cluster-service: "true"
spec:
replicas: 1
selector:
k8s-app: kube-registry
version: v0
template:
metadata:
labels:
k8s-app: kube-registry
version: v0
# kubernetes.io/cluster-service: "true"
spec:
containers:
- name: registry
image: registry:2
resources:
# keep request = limit to keep this container in guaranteed class
limits:
cpu: 100m
memory: 100Mi
requests:
cpu: 100m
memory: 100Mi
env:
- name: REGISTRY_HTTP_ADDR
value: :5000
- name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
value: /var/lib/registry
- name: REGISTRY_AUTH_HTPASSWD_REALM
value: basic_realm
- name: REGISTRY_AUTH_HTPASSWD_PATH
value: /auth/htpasswd
volumeMounts:
- name: image-store
mountPath: /var/lib/registry
- name: auth-dir
mountPath: /auth
ports:
- containerPort: 5000
name: registry
protocol: TCP
volumes:
- name: image-store
emptyDir: {}
- name: auth-dir
secret:
secretName: registry-auth-secret
```
<!-- END MUNGE: EXAMPLE registry-auth-rc.yaml -->
No changes are needed for other components (kube-registry service and proxy).
### To Verify
Setup proxy or port-forwarding to the kube-registry. Image push/pull should fail without authentication. Then use `docker login` to authenticate with kube-registry and see if it works.
### Configure Nodes to Authenticate with Kube-Registry
By default, nodes assume no authentication is required by kube-registry. Without authentication, nodes cannot pull images from kube-registry. To solve this, more documentation can be found [Here](https://github.com/kubernetes/kubernetes.github.io/blob/master/docs/concepts/containers/images.md#configuring-nodes-to-authenticate-to-a-private-repository).
[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/cluster/addons/registry/auth/README.md?pixel)]()
apiVersion: v1
kind: ReplicationController
metadata:
name: kube-registry-v0
namespace: kube-system
labels:
k8s-app: kube-registry
version: v0
# kubernetes.io/cluster-service: "true"
spec:
replicas: 1
selector:
k8s-app: kube-registry
version: v0
template:
metadata:
labels:
k8s-app: kube-registry
version: v0
# kubernetes.io/cluster-service: "true"
spec:
containers:
- name: registry
image: registry:2
resources:
# keep request = limit to keep this container in guaranteed class
limits:
cpu: 100m
memory: 100Mi
requests:
cpu: 100m
memory: 100Mi
env:
- name: REGISTRY_HTTP_ADDR
value: :5000
- name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
value: /var/lib/registry
- name: REGISTRY_AUTH_HTPASSWD_REALM
value: basic_realm
- name: REGISTRY_AUTH_HTPASSWD_PATH
value: /auth/htpasswd
volumeMounts:
- name: image-store
mountPath: /var/lib/registry
- name: auth-dir
mountPath: /auth
ports:
- containerPort: 5000
name: registry
protocol: TCP
volumes:
- name: image-store
emptyDir: {}
- name: auth-dir
secret:
secretName: registry-auth-secret
\ No newline at end of file
# Kube-Registry with GCS storage backend
Besides local file system, docker registry also supports a number of cloud storage backends. Full list of supported backend can be found [here](https://docs.docker.com/registry/configuration/#storage). This document describes how to enable GCS for kube-registry as storage backend.
A few preparation steps are needed.
1. Create a bucket named kube-registry in GCS.
1. Create a service account for GCS access and create key file in json format. Detail instruction can be found [here](https://cloud.google.com/storage/docs/authentication#service_accounts).
### Pack Keyfile into a Secret
Assuming you have downloaded the keyfile as `keyfile.json`. Create secret with the `keyfile.json`...
```console
$ kubectl --namespace=kube-system create secret generic gcs-key-secret --from-file=keyfile=keyfile.json
```
### Run Registry
<!-- BEGIN MUNGE: EXAMPLE registry-gcs-rc.yaml -->
```yaml
apiVersion: v1
kind: ReplicationController
metadata:
name: kube-registry-v0
namespace: kube-system
labels:
k8s-app: kube-registry
version: v0
# kubernetes.io/cluster-service: "true"
spec:
replicas: 1
selector:
k8s-app: kube-registry
version: v0
template:
metadata:
labels:
k8s-app: kube-registry
version: v0
# kubernetes.io/cluster-service: "true"
spec:
containers:
- name: registry
image: registry:2
resources:
# keep request = limit to keep this container in guaranteed class
limits:
cpu: 100m
memory: 100Mi
requests:
cpu: 100m
memory: 100Mi
env:
- name: REGISTRY_HTTP_ADDR
value: :5000
- name: REGISTRY_STORAGE
value: gcs
- name: REGISTRY_STORAGE_GCS_BUCKET
value: kube-registry
- name: REGISTRY_STORAGE_GCS_KEYFILE
value: /gcs/keyfile
ports:
- containerPort: 5000
name: registry
protocol: TCP
volumeMounts:
- name: gcs-key
mountPath: /gcs
volumes:
- name: gcs-key
secret:
secretName: gcs-key-secret
```
<!-- END MUNGE: EXAMPLE registry-gcs-rc.yaml -->
No changes are needed for other components (kube-registry service and proxy).
[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/cluster/addons/registry/gcs/README.md?pixel)]()
apiVersion: v1
kind: ReplicationController
metadata:
name: kube-registry-v0
namespace: kube-system
labels:
k8s-app: kube-registry
version: v0
# kubernetes.io/cluster-service: "true"
spec:
replicas: 1
selector:
k8s-app: kube-registry
version: v0
template:
metadata:
labels:
k8s-app: kube-registry
version: v0
# kubernetes.io/cluster-service: "true"
spec:
containers:
- name: registry
image: registry:2
resources:
# keep request = limit to keep this container in guaranteed class
limits:
cpu: 100m
memory: 100Mi
requests:
cpu: 100m
memory: 100Mi
env:
- name: REGISTRY_HTTP_ADDR
value: :5000
- name: REGISTRY_STORAGE
value: gcs
- name: REGISTRY_STORAGE_GCS_BUCKET
value: kube-registry
- name: REGISTRY_STORAGE_GCS_KEYFILE
value: /gcs/keyfile
ports:
- containerPort: 5000
name: registry
protocol: TCP
volumeMounts:
- name: gcs-key
mountPath: /gcs
volumes:
- name: gcs-key
secret:
secretName: gcs-key-secret
---
apiVersion: v1
kind: Namespace
metadata:
name: {{ registry_namespace }}
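Review bot: With the default `registry_namespace: "{{ system_namespace }}"`, this template renders a Namespace object for the system namespace and the addon applies it with `state: "latest"`. Managing the cluster's system namespace from an optional addon is surprising; render and apply `registry-ns.yml` only when `registry_namespace` differs from `system_namespace`. Note also that the apply task passes `namespace: "{{ registry_namespace }}"` for every item, including this cluster-scoped one.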
--- ---
apiVersion: extensions/v1beta1 apiVersion: apps/v1
kind: DaemonSet kind: DaemonSet
metadata: metadata:
name: kube-registry-proxy name: registry-proxy
namespace: {{ system_namespace }} namespace: {{ registry_namespace }}
labels: labels:
k8s-app: kube-registry-proxy k8s-app: registry-proxy
kubernetes.io/cluster-service: "true" kubernetes.io/cluster-service: "true"
version: v{{ registry_proxy_image_tag }} version: v{{ registry_proxy_image_tag }}
spec: spec:
selector:
matchLabels:
k8s-app: registry-proxy
version: v{{ registry_proxy_image_tag }}
template: template:
metadata: metadata:
labels: labels:
k8s-app: kube-registry-proxy k8s-app: registry-proxy
kubernetes.io/name: "kube-registry-proxy" kubernetes.io/name: "registry-proxy"
kubernetes.io/cluster-service: "true" kubernetes.io/cluster-service: "true"
version: v{{ registry_proxy_image_tag }} version: v{{ registry_proxy_image_tag }}
spec: spec:
containers: containers:
- name: kube-registry-proxy - name: registry-proxy
image: {{ registry_proxy_image_repo }}:{{ registry_proxy_image_tag }} image: {{ registry_proxy_image_repo }}:{{ registry_proxy_image_tag }}
imagePullPolicy: {{ k8s_image_pull_policy }}
env: env:
- name: REGISTRY_HOST - name: REGISTRY_HOST
value: kube-registry.kube-system.svc.cluster.local value: registry.{{ registry_namespace }}.svc.cluster.local
- name: REGISTRY_PORT - name: REGISTRY_PORT
value: "5000" value: "5000"
ports: ports:
......
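Review bot: The new `selector.matchLabels` includes `version: v{{ registry_proxy_image_tag }}`. Selectors on `apps/v1` DaemonSets are immutable, and the object name `registry-proxy` does not change with the tag, so bumping `registry_proxy_image_tag` will make the next apply fail until the DaemonSet is deleted by hand. Select on `k8s-app: registry-proxy` only and keep `version` as a plain pod label.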
kind: PersistentVolume
apiVersion: v1
metadata:
name: kube-system-kube-registry-pv
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
spec:
{% if pillar.get('cluster_registry_disk_type', '') == 'gce' %}
capacity:
storage: {{ pillar['cluster_registry_disk_size'] }}
accessModes:
- ReadWriteOnce
gcePersistentDisk:
pdName: "{{ pillar['cluster_registry_disk_name'] }}"
fsType: "ext4"
{% endif %}
kind: PersistentVolumeClaim ---
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim
metadata: metadata:
name: kube-registry-pvc name: registry-pvc
namespace: kube-system namespace: {{ registry_namespace }}
labels: labels:
kubernetes.io/cluster-service: "true" kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile addonmanager.kubernetes.io/mode: Reconcile
spec: spec:
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
storageClassName: {{ registry_storage_class }}
resources: resources:
requests: requests:
storage: {{ pillar['cluster_registry_disk_size'] }} storage: {{ registry_disk_size }}
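Review bot: `storageClassName: {{ registry_storage_class }}` is rendered unquoted, so with the default empty value the line becomes `storageClassName:` with no value, which YAML reads as null rather than as the empty string. Those two mean different things for a claim (fall back to the cluster default class versus request no class), so quote the value or omit the key when the variable is empty, depending on which behaviour is intended.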
--- ---
apiVersion: v1 apiVersion: apps/v1
kind: ReplicationController kind: ReplicaSet
metadata: metadata:
name: kube-registry-v{{ registry_image_tag }} name: registry-v{{ registry_image_tag }}
namespace: {{ system_namespace }} namespace: {{ registry_namespace }}
labels: labels:
k8s-app: kube-registry-upstream k8s-app: registry
version: v{{ registry_image_tag }} version: v{{ registry_image_tag }}
kubernetes.io/cluster-service: "true" kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile addonmanager.kubernetes.io/mode: Reconcile
spec: spec:
replicas: 1 replicas: 1
selector: selector:
k8s-app: kube-registry-upstream matchLabels:
k8s-app: registry
version: v{{ registry_image_tag }} version: v{{ registry_image_tag }}
template: template:
metadata: metadata:
labels: labels:
k8s-app: kube-registry-upstream k8s-app: registry
version: v{{ registry_image_tag }} version: v{{ registry_image_tag }}
kubernetes.io/cluster-service: "true" kubernetes.io/cluster-service: "true"
spec: spec:
containers: containers:
- name: registry - name: registry
image: {{ registry_image_repo }}:{{ registry_image_tag }} image: {{ registry_image_repo }}:{{ registry_image_tag }}
imagePullPolicy: {{ k8s_image_pull_policy }}
env: env:
- name: REGISTRY_HTTP_ADDR - name: REGISTRY_HTTP_ADDR
value: :5000 value: :5000
- name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
value: /var/lib/registry value: /var/lib/registry
volumeMounts: volumeMounts:
- name: image-store - name: registry-pvc
mountPath: /var/lib/registry mountPath: /var/lib/registry
ports: ports:
- containerPort: 5000 - containerPort: 5000
name: registry name: registry
protocol: TCP protocol: TCP
volumes: volumes:
- name: image-store - name: registry-pvc
{% if registry_storage_class != none %}
persistentVolumeClaim:
claimName: registry-pvc
{% else %}
emptyDir: {} emptyDir: {}
{% endif %}
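Review bot: The volume block tests only `registry_storage_class != none`, while the tasks that create the claim also require `registry_disk_size != none`. If the size is unset but the class is not, this template references `claimName: registry-pvc` and no PVC is ever applied, leaving the pod Pending. Use the same condition in both places. Separately, `name: registry-v{{ registry_image_tag }}` means a tag bump creates a second ReplicaSet without removing the old one, and both will want the same `ReadWriteOnce` claim; a fixed name or a Deployment avoids that.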
...@@ -2,16 +2,16 @@ ...@@ -2,16 +2,16 @@
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: kube-registry name: registry
namespace: {{ system_namespace }} namespace: {{ registry_namespace }}
labels: labels:
k8s-app: kube-registry-upstream k8s-app: registry
kubernetes.io/cluster-service: "true" kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile addonmanager.kubernetes.io/mode: Reconcile
kubernetes.io/name: "KubeRegistry" kubernetes.io/name: "KubeRegistry"
spec: spec:
selector: selector:
k8s-app: kube-registry-upstream k8s-app: registry
ports: ports:
- name: registry - name: registry
port: 5000 port: 5000
......