From 70184dd85d76eb8a1d573c8b083c13f9de45181d Mon Sep 17 00:00:00 2001
From: phil
Date: Sat, 2 Nov 2024 04:05:28 +0100
Subject: [PATCH] Initial commit

---
Containerfile | 8 ++++
README | 29 ++++++++++++++
auth/.gitignore | 1 +
auth/htpasswd | 1 +
certs/.gitignore | 2 +
container_registry.yaml | 88 +++++++++++++++++++++++++++++++++++++++++
data/.gitignore | 1 +
secret.yaml | 8 ++++
8 files changed, 138 insertions(+)
create mode 100644 Containerfile
create mode 100644 README
create mode 100644 auth/.gitignore
create mode 100644 auth/htpasswd
create mode 100644 certs/.gitignore
create mode 100644 container_registry.yaml
create mode 100644 data/.gitignore
create mode 100644 secret.yaml
diff --git a/Containerfile b/Containerfile
new file mode 100644
index 0000000..58c872a
--- /dev/null
+++ b/Containerfile
@@ -0,0 +1,8 @@
+FROM docker.io/library/registry:latest
+ENV REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED true
+ENV REGISTRY_AUTH htpasswd
+ENV REGISTRY_AUTH_HTPASSWD_REALM "Registry Realm"
+ENV REGISTRY_AUTH_HTPASSWD_PATH /auth/htpasswd
+ENV REGISTRY_HTTP_TLS_CERTIFICATE /certs/domain.crt
+ENV REGISTRY_HTTP_TLS_KEY /certs/domain.key
+EXPOSE 5000
diff --git a/README b/README
new file mode 100644
index 0000000..369fe75
--- /dev/null
+++ b/README
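Review bot: `FROM docker.io/library/registry:latest` is an unpinned tag, so each rebuild of `myregistry` may pull a different registry release than the one that was tested; pin a release tag, ideally with a digest (`registry:<version>@sha256:<digest>`, values to be filled in), so the image the quadlet runs is reproducible. `ENV REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED true` turns on the deprecated schema 1 manifest format, which nothing else in this patch needs; as far as I know current distribution releases have dropped the option entirely, and where it is still honoured it only widens what the registry accepts, so drop the line unless a specific legacy client is known to require it. The same eight lines are repeated verbatim in the `container_file` of container_registry.yaml, so any change made here should be made there too.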
@@ -0,0 +1,29 @@
+Create a private registry for containers
+
+Ref: https://www.redhat.com/sysadmin/simple-container-registry
+
+Just run: ansible-playbook container_registry.yaml
+
+~~~
+
+Make sure the local CA (domain.crt) is accepted on all the machines that will commit the images AND on all the target systems (the machines where the images will be deployed).
+
+Manually, for Debian:
+HOST=k3s
+REGISTRY=tiptop:5000
+ssh root@$HOST mkdir -p /etc/containers/certs.d/$REGISTRY
+scp certs/domain.crt root@$HOST:/etc/containers/certs.d/$REGISTRY/
+
+~~~
+
+Next, add the credential to the kubernetes cluster:
+kubectl create secret docker-registry regcred --docker-server=tiptop:5000 --docker-username=admin --docker-password=admin -n default
+
+~~~
+
+To push to the registry:
+podman push docker://:5000/
+
+~~~
+
+To use it in Kubernetes, see https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
diff --git a/auth/.gitignore b/auth/.gitignore
new file mode 100644
index 0000000..205388f
--- /dev/null
+++ b/auth/.gitignore
@@ -0,0 +1 @@
+htpassword
diff --git a/auth/htpasswd b/auth/htpasswd
new file mode 100644
index 0000000..2670e31
--- /dev/null
+++ b/auth/htpasswd
@@ -0,0 +1 @@
+admin:$2b$12$0j.FEghiSM1km9LHgetFAusfni9QPR7KibzKEbaukFUba/Z8zwWHK
diff --git a/certs/.gitignore b/certs/.gitignore
new file mode 100644
index 0000000..be870b4
--- /dev/null
+++ b/certs/.gitignore
@@ -0,0 +1,2 @@
+*.crt
+*.key
diff --git a/container_registry.yaml b/container_registry.yaml
new file mode 100644
index 0000000..d1c9c4e
--- /dev/null
+++ b/container_registry.yaml
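Review bot: The ignore pattern `htpassword` does not match the file the playbook actually writes, `auth/htpasswd`, so the credential file is not ignored and is in fact committed in this same patch (the auth/htpasswd hunk carries a bcrypt entry for `admin`). Change the line to `htpasswd` and remove auth/htpasswd from the repository, letting the `Create auth file` task regenerate it at run time as the playbook already does. Because the playbook sets that account's password to the fixed value `admin`, the committed hash should be treated as disclosed rather than as protected by bcrypt.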
@@ -0,0 +1,88 @@ +- name: Run registry container + hosts: localhost + gather_facts: false + tasks: + - name: Creates directory for certs + ansible.builtin.file: + path: "{{playbook_dir}}/certs" + state: directory + + - name: Creates directory for data, will be mounted on the container and used for the registry store + ansible.builtin.file: + path: "{{playbook_dir}}/data" + state: directory + + - name: Creates directory for auth (htpasswd) + ansible.builtin.file: + path: "{{playbook_dir}}/auth" + state: directory + + - name: Create auth file + community.general.htpasswd: + path: "{{playbook_dir}}/auth/htpasswd" + name: admin + password: admin + hash_scheme: bcrypt + + - name: Create private key (RSA, 4096 bits) + community.crypto.openssl_privatekey: + path: "{{playbook_dir}}/certs/domain.key" + + - name: Create certificate signing request (CSR) for self-signed certificate + community.crypto.openssl_csr_pipe: + privatekey_path: "{{playbook_dir}}/certs/domain.key" + common_name: tiptop + organization_name: MyOwnVerySelf + subject_alt_name: + - "DNS:tiptop" + register: ca_csr + + - name: Create self-signed certificate from CSR + community.crypto.x509_certificate: + path: "{{playbook_dir}}/certs/domain.crt" + csr_content: "{{ ca_csr.csr }}" + privatekey_path: "{{playbook_dir}}/certs/domain.key" + provider: selfsigned + + - name: Build container + containers.podman.podman_image: + name: myregistry + state: build + build: + format: oci + container_file: |- + FROM docker.io/library/registry:latest + ENV REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED true + ENV REGISTRY_AUTH htpasswd + ENV REGISTRY_AUTH_HTPASSWD_REALM "Registry Realm" + ENV REGISTRY_AUTH_HTPASSWD_PATH /auth/htpasswd + ENV REGISTRY_HTTP_TLS_CERTIFICATE /certs/domain.crt + ENV REGISTRY_HTTP_TLS_KEY /certs/domain.key + EXPOSE 5000 + + - name: Install quadlet + containers.podman.podman_container: + name: myregistry + state: quadlet + image: localhost/myregistry:latest + volumes: + - "{{playbook_dir}}/certs:/certs:z" + 
- "{{playbook_dir}}/data:/var/lib/registry:z" + - "{{playbook_dir}}/auth:/auth:z" + ports: + - 5000:5000 + quadlet_options: + - | + [Install] + WantedBy=default.target + + - name: Reload systemd + ansible.builtin.systemd_service: + daemon_reload: true + scope: user + + - name: Start container + ansible.builtin.systemd_service: + scope: user + name: myregistry.service + state: started diff --git a/data/.gitignore b/data/.gitignore new file mode 100644 index 0000000..355164c --- /dev/null +++ b/data/.gitignore @@ -0,0 +1 @@ +*/ diff --git a/secret.yaml b/secret.yaml new file mode 100644 index 0000000..6d77782 --- /dev/null +++ b/secret.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +type: kubernetes.io/dockerconfigjson +metadata: + name: image-pull-secret +data: + .dockerconfigjson: + {{ "{"my-passwordauths": {"tiptop:5000": {"username": "admin", "password": "admin"}}}" | b64enc }}