Initial commit

2024-11-02 04:05:28 +01:00 · 2024-11-02 04:05:28 +01:00 · 70184dd85d
commit 70184dd85d
8 changed files with 138 additions and 0 deletions
--- a/8
+++ b/8
@ -0,0 +1,8 @@
+FROM docker.io/library/registry:latest
+ENV REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED true
+ENV REGISTRY_AUTH htpasswd
+ENV REGISTRY_AUTH_HTPASSWD_REALM "Registry Realm"
+ENV REGISTRY_AUTH_HTPASSWD_PATH /auth/htpasswd
+ENV REGISTRY_HTTP_TLS_CERTIFICATE /certs/domain.crt
+ENV REGISTRY_HTTP_TLS_KEY /certs/domain.key
+EXPOSE 5000
--- a/29
+++ b/29
@ -0,0 +1,29 @@
+Create a private registry for containers
+
+Ref: https://www.redhat.com/sysadmin/simple-container-registry
+
+Just run: ansible-playbook container_registry.yaml
+
+~~~
+
+Make sure the local CA (domain.crt) is accepted on all the machines that will commit the images AND on all the target systems (the machines where the images will be deployed).
+
+Manually, for Debian:
+HOST=k3s
+REGISTRY=tiptop:5000
+ssh root@$HOST mkdir -p /etc/containers/certs.d/$REGISTRY
+scp certs/domain.crt root@$HOST:/etc/containers/certs.d/$REGISTRY/
+
+~~~
+
+Next, add the credential to the kubernetes cluster:
+kubectl create secret docker-registry regcred --docker-server=tiptop:5000 --docker-username=admin --docker-password=admin -n default
+
+~~~
+
+To push to the registry:
+podman push <image name> docker://<host name>:5000/<image name>
+
+~~~
+
+To use it in Kubernetes, see https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
--- a/auth/.gitignore
+++ b/auth/.gitignore
@ -0,0 +1 @@
+htpassword
--- a/auth/htpasswd
+++ b/auth/htpasswd
@ -0,0 +1 @@
+admin:$2b$12$0j.FEghiSM1km9LHgetFAusfni9QPR7KibzKEbaukFUba/Z8zwWHK
--- a/certs/.gitignore
+++ b/certs/.gitignore
@ -0,0 +1,2 @@
+*.crt
+*.key
--- a/container_registry.yaml
+++ b/container_registry.yaml
@ -0,0 +1,88 @@
+- name: Run registry container
+  hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Creates directory for certs
+      ansible.builtin.file:
+        path: "{{playbook_dir}}/certs"
+        state: directory
+
+    - name: Creates directory for data, will be mounted on the container and used for the registry store
+      ansible.builtin.file:
+        path: "{{playbook_dir}}/data"
+        state: directory
+
+    - name: Creates directory for auth (htpasswd)
+      ansible.builtin.file:
+        path: "{{playbook_dir}}/auth"
+        state: directory
+
+    - name: Create auth file
+      community.general.htpasswd:
+        path: "{{playbook_dir}}/auth/htpasswd"
+        name: admin
+        password: admin
+        hash_scheme: bcrypt
+
+    - name: Create private key (RSA, 4096 bits)
+      community.crypto.openssl_privatekey:
+        path: "{{playbook_dir}}/certs/domain.key"
+
+    - name: Create certificate signing request (CSR) for self-signed certificate
+      community.crypto.openssl_csr_pipe:
+        privatekey_path: "{{playbook_dir}}/certs/domain.key"
+        common_name: tiptop
+        organization_name: MyOwnVerySelf
+        subject_alt_name:
+          - "DNS:tiptop"
+      register: ca_csr
+
+    - name: Create self-signed certificate from CSR
+      community.crypto.x509_certificate:
+        path: "{{playbook_dir}}/certs/domain.crt"
+        csr_content: "{{ ca_csr.csr }}"
+        privatekey_path: "{{playbook_dir}}/certs/domain.key"
+        provider: selfsigned
+
+    - name: Build container
+      containers.podman.podman_image:
+        name: myregistry
+        state: build
+        build:
+          format: oci
+          container_file: |-
+            FROM docker.io/library/registry:latest
+            ENV REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED true
+            ENV REGISTRY_AUTH htpasswd
+            ENV REGISTRY_AUTH_HTPASSWD_REALM "Registry Realm"
+            ENV REGISTRY_AUTH_HTPASSWD_PATH /auth/htpasswd
+            ENV REGISTRY_HTTP_TLS_CERTIFICATE /certs/domain.crt
+            ENV REGISTRY_HTTP_TLS_KEY /certs/domain.key
+            EXPOSE 5000
+
+    - name: Install quadlet
+      containers.podman.podman_container:
+        name: myregistry
+        state: quadlet
+        image: localhost/myregistry:latest
+        volumes:
+          - "{{playbook_dir}}/certs:/certs:z"
+          - "{{playbook_dir}}/data:/var/lib/registry:z"
+          - "{{playbook_dir}}/auth:/auth:z"
+        ports:
+          - 5000:5000
+        quadlet_options:
+          - |
+            [Install]
+            WantedBy=default.target
+
+    - name: Reload systemd
+      ansible.builtin.systemd_service:
+        daemon_reload: true
+        scope: user
+
+    - name: Start container
+      ansible.builtin.systemd_service:
+        scope: user
+        name: myregistry.service
+        state: started
--- a/data/.gitignore
+++ b/data/.gitignore
@ -0,0 +1 @@
+*/
--- a/secret.yaml
+++ b/secret.yaml
@ -0,0 +1,8 @@
+apiVersion: v1    
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+  name: image-pull-secret
+data:
+  .dockerconfigjson:
+    {{ "{"my-passwordauths": {"tiptop:5000": {"username": "admin", "password": "admin"}}}" | b64enc }}
				`@ -0,0 +1 @@`
				`admin:$2b$12$0j.FEghiSM1km9LHgetFAusfni9QPR7KibzKEbaukFUba/Z8zwWHK`