From 3be3f2188cf84387b193dbd6537d20ef4ff00c77 Mon Sep 17 00:00:00 2001
From: zhengtianbao
Date: Tue, 7 Dec 2021 10:32:00 -0600
Subject: [PATCH] Registry add TLS and authentication support (#8229)

* Add registry TLS support
* Add registry configmap and htpasswd auth
---
 .../registry/defaults/main.yml | 24 +++++++++
 roles/kubernetes-apps/registry/tasks/main.yml | 2 +
 .../registry/templates/registry-cm.yml.j2 | 10 ++++
 .../registry/templates/registry-rs.yml.j2 | 52 +++++++++++++++++++
 .../templates/registry-secrets.yml.j2 | 10 ++++
 5 files changed, 98 insertions(+)
 create mode 100644 roles/kubernetes-apps/registry/templates/registry-cm.yml.j2
 create mode 100644 roles/kubernetes-apps/registry/templates/registry-secrets.yml.j2

diff --git a/roles/kubernetes-apps/registry/defaults/main.yml b/roles/kubernetes-apps/registry/defaults/main.yml
index f3f55e2d7ac..bcbabfb23f6 100644
--- a/roles/kubernetes-apps/registry/defaults/main.yml
+++ b/roles/kubernetes-apps/registry/defaults/main.yml
@@ -5,3 +5,27 @@ registry_storage_access_mode: "ReadWriteOnce"
 registry_disk_size: "10Gi"
 registry_port: 5000
 registry_replica_count: 1
+# name of kubernetes secret for registry TLS certs
+registry_tls_secret: ""
+
+registry_htpasswd: ""
+
+# registry configuration
+# see: https://docs.docker.com/registry/configuration/#list-of-configuration-options
+registry_config:
+  version: 0.1
+  log:
+    fields:
+      service: registry
+  storage:
+    cache:
+      blobdescriptor: inmemory
+  http:
+    addr: :{{ registry_port }}
+    headers:
+      X-Content-Type-Options: [nosniff]
+  health:
+    storagedriver:
+      enabled: true
+      interval: 10s
+      threshold: 3
diff --git a/roles/kubernetes-apps/registry/tasks/main.yml b/roles/kubernetes-apps/registry/tasks/main.yml
index 6b8b5e7bcbd..b9f0ee432c2 100644
--- a/roles/kubernetes-apps/registry/tasks/main.yml
+++ b/roles/kubernetes-apps/registry/tasks/main.yml
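Review bot: `registry_tls_secret` and `registry_htpasswd` are introduced without saying what the consuming template expects of them, and the ReplicaSet hard-wires those expectations: the TLS secret must already exist in `registry_namespace` and carry `tls.crt`/`tls.key` keys (i.e. a `kubernetes.io/tls` Secret), and the registry's htpasswd backend accepts bcrypt entries only, so `registry_htpasswd` has to be the output of `htpasswd -Bbn user pass` and, since it ends up in inventory in clear, should live in ansible-vault. I would replace the one-line comment with `# name of an existing kubernetes.io/tls Secret in registry_namespace (keys tls.crt / tls.key)` and add above `registry_htpasswd` `# htpasswd file contents, bcrypt entries only (htpasswd -Bbn user pass); keep this vaulted`. Separately, `registry_config` sets no `http.secret`; the registry documentation states that each instance generates its own when it is omitted and that clustered registries must share one, so with `registry_replica_count` above 1 the replicas will not agree on the signed upload state and a comment pointing operators at `http.secret` would save that debugging.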
@@ -15,6 +15,8 @@
       - { name: registry-sa, file: registry-sa.yml, type: sa }
       - { name: registry-proxy-sa, file: registry-proxy-sa.yml, type: sa }
       - { name: registry-svc, file: registry-svc.yml, type: svc }
+      - { name: registry-secrets, file: registry-secrets.yml, type: secrets }
+      - { name: registry-cm, file: registry-cm.yml, type: cm }
       - { name: registry-rs, file: registry-rs.yml, type: rs }
       - { name: registry-proxy-ds, file: registry-proxy-ds.yml, type: ds }
     registry_templates_for_psp:
diff --git a/roles/kubernetes-apps/registry/templates/registry-cm.yml.j2 b/roles/kubernetes-apps/registry/templates/registry-cm.yml.j2
new file mode 100644
index 00000000000..b633dfd68ce
--- /dev/null
+++ b/roles/kubernetes-apps/registry/templates/registry-cm.yml.j2
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: registry-config
+  namespace: {{ registry_namespace }}
+{% if registry_config %}
+data:
+  config.yml: |-
+    {{ registry_config | to_yaml(indent=2, width=1337) | indent(width=4) }}
+{% endif %}
diff --git a/roles/kubernetes-apps/registry/templates/registry-rs.yml.j2 b/roles/kubernetes-apps/registry/templates/registry-rs.yml.j2
index 9470db46db3..47519f9d80f 100644
--- a/roles/kubernetes-apps/registry/templates/registry-rs.yml.j2
+++ b/roles/kubernetes-apps/registry/templates/registry-rs.yml.j2
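Review bot: The `{% if registry_config %}` guard around `data:` only moves a failure later: the ReplicaSet in this same patch unconditionally runs `registry serve /etc/docker/registry/config.yml`, so an operator who overrides `registry_config` with an empty value gets a ConfigMap with no `config.yml`, a mount with no file, and a pod in CrashLoopBackOff instead of a clear error at playbook time. Either drop the guard so the file is always rendered and a bad override shows up as a YAML error, or keep it and add a fail-fast check before templating, e.g. an `assert` task with `that: registry_config is mapping and registry_config.version is defined` and a `fail_msg` saying the registry config must not be empty. A one-line `# rendered into /etc/docker/registry/config.yml; the registry does not start without it` above `data:` would also tell the next reader why the ConfigMap is not optional.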
@@ -33,24 +33,60 @@ spec:
         - name: registry
           image: {{ registry_image_repo }}:{{ registry_image_tag }}
           imagePullPolicy: {{ k8s_image_pull_policy }}
+          command:
+            - /bin/registry
+            - serve
+            - /etc/docker/registry/config.yml
           env:
             - name: REGISTRY_HTTP_ADDR
               value: :{{ registry_port }}
             - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
               value: /var/lib/registry
+{% if registry_htpasswd != "" %}
+            - name: REGISTRY_AUTH
+              value: "htpasswd"
+            - name: REGISTRY_AUTH_HTPASSWD_REALM
+              value: "Registry Realm"
+            - name: REGISTRY_AUTH_HTPASSWD_PATH
+              value: "/auth/htpasswd"
+{% endif %}
+{% if registry_tls_secret != "" %}
+            - name: REGISTRY_HTTP_TLS_CERTIFICATE
+              value: /etc/ssl/docker/tls.crt
+            - name: REGISTRY_HTTP_TLS_KEY
+              value: /etc/ssl/docker/tls.key
+{% endif %}
           volumeMounts:
             - name: registry-pvc
               mountPath: /var/lib/registry
+            - name: registry-config
+              mountPath: /etc/docker/registry
+{% if registry_htpasswd != "" %}
+            - name: auth
+              mountPath: /auth
+              readOnly: true
+{% endif %}
+{% if registry_tls_secret != "" %}
+            - name: tls-cert
+              mountPath: /etc/ssl/docker
+              readOnly: true
+{% endif %}
           ports:
             - containerPort: {{ registry_port }}
               name: registry
               protocol: TCP
           livenessProbe:
             httpGet:
+{% if registry_tls_secret != "" %}
+              scheme: HTTPS
+{% endif %}
               path: /
               port: {{ registry_port }}
           readinessProbe:
             httpGet:
+{% if registry_tls_secret != "" %}
+              scheme: HTTPS
+{% endif %}
               path: /
               port: {{ registry_port }}
       volumes:
@@ -60,4 +96,20 @@ spec:
               claimName: registry-pvc
 {% else %}
           emptyDir: {}
+{% endif %}
+        - name: registry-config
+          configMap:
+            name: registry-config
+{% if registry_htpasswd != "" %}
+        - name: auth
+          secret:
+            secretName: registry-secret
+            items:
+              - key: htpasswd
+                path: htpasswd
+{% endif %}
+{% if registry_tls_secret != "" %}
+        - name: tls-cert
+          secret:
+            secretName: {{ registry_tls_secret }}
 {% endif %}
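Review bot: The two feature flags are independent, so setting `registry_htpasswd` while leaving `registry_tls_secret` empty renders a registry that challenges for HTTP Basic credentials over plain HTTP, and every `docker login` then sends the password in clear across the cluster network; the registry documentation requires TLS for htpasswd auth, and I believe recent distribution releases refuse to start in that combination, so depending on the image tag the result is either a cleartext-credential path or a crash loop. That invariant should be enforced before templating, e.g. an `assert` task in `tasks/main.yml` with `that: registry_htpasswd == "" or registry_tls_secret != ""` and a `fail_msg` naming both variables. Two smaller points on the same hunk: the TLS volume is consumed at `/etc/ssl/docker/tls.crt` and `tls.key`, so the referenced secret must be a `kubernetes.io/tls` secret, and nothing here reloads certificates, so a rotated secret needs a pod restart — worth a comment such as `# must be a kubernetes.io/tls Secret; rotate by restarting the pod` next to the `tls-cert` volume. The `registry-config` mount is also the only new mount without `readOnly: true`; adding it keeps the container consistent with the `auth` and `tls-cert` mounts. The container definition this hunk edits starts above line 33, outside the hunk.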
diff --git a/roles/kubernetes-apps/registry/templates/registry-secrets.yml.j2 b/roles/kubernetes-apps/registry/templates/registry-secrets.yml.j2
new file mode 100644
index 00000000000..80727d28acd
--- /dev/null
+++ b/roles/kubernetes-apps/registry/templates/registry-secrets.yml.j2
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: registry-secret
+  namespace: {{ registry_namespace }}
+type: Opaque
+data:
+{% if registry_htpasswd != "" %}
+  htpasswd: {{ registry_htpasswd | b64encode }}
+{% endif %}
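Review bot: The guard sits inside `data:`, so when `registry_htpasswd` is empty this still creates a `registry-secret` object whose `data` is null — the object exists in the namespace whether or not auth is enabled, which is confusing to anyone auditing secrets and, as far as the task list in this patch shows, nothing skips the template in that case. Either wrap the whole document in the `{% if registry_htpasswd != "" %}` guard and skip the item in `registry_templates` when the variable is empty, or at least move `data:` inside the guard so the rendered object is explicitly empty rather than half-formed. A comment on the `htpasswd:` line would also help the operator who has to populate it: the registry only understands bcrypt entries, and base64 here is encoding, not protection, so the source value belongs in ansible-vault — `# bcrypt entries only (htpasswd -Bbn); b64encode is not encryption, vault the inventory value` says both.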