container-registry

prepare

k8s is ready
- in this article, the k8s cluster is created by minikube
argocd is ready and logged in
minio is ready

initialization

prepare secret named s3-credentials-for-container-registry to store the minio credentials

pvc backend

# not required by pvc backend

minio backend

kubectl -n basic-components create secret generic s3-credentials-for-container-registry \
  --from-literal=s3AccessKey=$(kubectl -n storage get secret minio-credentials -o jsonpath='{.data.rootUser}' | base64 -d) \
  --from-literal=s3SecretKey=$(kubectl -n storage get secret minio-credentials -o jsonpath='{.data.rootPassword}' | base64 -d)

create bucket named container-registry in minio

pvc backend

# not required by pvc backend

minio backend

# change K8S_MASTER_IP to your k8s master ip
K8S_MASTER_IP=$(kubectl get node -l node-role.kubernetes.io/control-plane -o jsonpath='{.items[0].status.addresses[?(@.type=="InternalIP")].address}')
ACCESS_SECRET=$(kubectl -n storage get secret minio-credentials -o jsonpath='{.data.rootPassword}' | base64 -d)
podman run --rm \
    --entrypoint bash \
    --add-host=minio-api.dev.geekcity.tech:${K8S_MASTER_IP} \
    -it docker.io/minio/mc:latest \
    -c "mc alias set minio http://minio-api.dev.geekcity.tech:32080 admin ${ACCESS_SECRET} \
        && mc mb --ignore-existing minio/container-registry"

installation

prepare container-registry.yaml

pvc backend

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: container-registry
spec:
  syncPolicy:
    syncOptions:
    - CreateNamespace=true
  project: default
  source:
    repoURL: https://helm.twun.io
    chart: docker-registry
    targetRevision: 2.2.3
    helm:
      releaseName: container-registry
      values: |
        image:
          repository: docker.io/library/registry
        storage: filesystem
        persistence:
          enabled: true
          storageClass: ''
          size: 10Gi
        secrets:
          #htpasswd: "admin:$2y$05$t3KKc9mSR7Mwq3QZpAGFnu1ePMXbcMk3nwsp2DRse9Pqk4Gr3MEnO"
        ingress:
          enabled: true
          className: nginx
          annotations:
            cert-manager.io/cluster-issuer: self-signed-ca-issuer
            nginx.ingress.kubernetes.io/proxy-body-size: "1024m"
          hosts:
            - container-registry.dev.geekcity.tech
          tls:
            - secretName: container-registry.dev.geekcity.tech-tls
              hosts:
                - container-registry.dev.geekcity.tech
  destination:
    server: https://kubernetes.default.svc
    namespace: basic-components

minio backend

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: container-registry
spec:
  syncPolicy:
    syncOptions:
    - CreateNamespace=true
  project: default
  source:
    repoURL: https://helm.twun.io
    chart: docker-registry
    targetRevision: 2.2.3
    helm:
      releaseName: container-registry
      values: |
        image:
          repository: docker.io/library/registry
        storage: filesystem
        persistence:
          enabled: true
          storageClass: ''
          size: 10Gi
        secrets:
          #htpasswd: "admin:$2y$05$t3KKc9mSR7Mwq3QZpAGFnu1ePMXbcMk3nwsp2DRse9Pqk4Gr3MEnO"
        ingress:
          enabled: true
          className: nginx
          annotations:
            cert-manager.io/cluster-issuer: self-signed-ca-issuer
            nginx.ingress.kubernetes.io/proxy-body-size: "1024m"
          hosts:
            - container-registry.dev.geekcity.tech
          tls:
            - secretName: container-registry.dev.geekcity.tech-tls
              hosts:
                - container-registry.dev.geekcity.tech
  destination:
    server: https://kubernetes.default.svc
    namespace: basic-components

optional to add password to the container registry

generate htpasswd

PASSWORD=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 16)
HTPASSWD=$(podman run --rm --entrypoint htpasswd -it docker.io/library/httpd:2 -Bbn admin $PASSWORD 2>/dev/null)

echo "remember the password which cannot be retrieved again: $PASSWORD"
echo "corresponding htpasswd: $HTPASSWD"

add secrets.htpasswd: ${HTPASSWD} to the spec.source.helm.values described in container-registry.yaml

apply to k8s

kubectl -n argocd apply -f container-registry.yaml

sync by argocd

argocd app sync argocd/container-registry

if you can't control dns to point minio-api.dev.geekcity.tech to ${K8S_MASTER_IP}

patch the deployment by hostAliases

K8S_MASTER_IP=$(kubectl get node -l node-role.kubernetes.io/control-plane -o jsonpath='{.items[0].status.addresses[?(@.type=="InternalIP")].address}')
kubectl -n basic-components patch deployment container-registry-docker-registry --patch "
spec:
  template:
    spec:
      hostAliases:
      - ip: ${K8S_MASTER_IP}
        hostnames:
        - minio-api.dev.geekcity.tech
"

tests

container-registry.dev.geekcity.tech and minio-api.dev.geekcity.tech can be resolved

for example

add $K8S_MASTER_IP container-registry.dev.geekcity.tech to /etc/hosts

echo "$K8S_MASTER_IP container-registry.dev.geekcity.tech" | sudo tee -a /etc/hosts

add $K8S_MASTER_IP minio-api.dev.geekcity.tech to /etc/hosts

echo "$K8S_MASTER_IP minio-api.dev.geekcity.tech" | sudo tee -a /etc/hosts

$K8S_MASTER_IP can be retrieved by

kubectl get node -l node-role.kubernetes.io/control-plane -o jsonpath='{.items[0].status.addresses[?(@.type=="InternalIP")].address}'

pull image

podman pull docker.io/library/alpine:3.20.1
podman tag docker.io/library/alpine:3.20.1 container-registry.dev.geekcity.tech:32443/alpine:3.20.1
# $PASSWORD is the password set in the installation step
podman login --tls-verify=false -u admin -p $PASSWORD container-registry.dev.geekcity.tech:32443
podman push --tls-verify=false container-registry.dev.geekcity.tech:32443/alpine:3.20.1