Create new Registry version

Author: laverya

addons/registry/3.0.0/Manifest

@@ -0,0 +1,2 @@
+image registry registry:3.0.0
+image s3cmd kurlsh/s3cmd:20230406-9a6d89f

addons/registry/3.0.0/README.md

@@ -0,0 +1,21 @@
+
+[Docker registry](https://github.com/docker/distribution) is an OCI compatible image registry.
+This addon deploys it to the `kurl` namespace.
+
+## TLS
+
+TLS is enabled on the registry using a certificate signed by the Kubernetes cluster CA.
+The kubeadm bootstrapping process distributes the CA to every node in the cluster at filepath /etc/kubernetes/pki/ca.crt.
+The registry addon script copies that file to /etc/docker/certs.d/<service-IP>/ca.crt, telling Docker to trust the registry certificate signed by that CA.
+The service IP is from the Service of type ClusterIP that is created along with the Deployment.
+
+## Auth
+
+All access to the registry requires authentication with [basic auth](https://docs.docker.com/registry/deploying/#native-basic-auth).
+A new user/password is generated and placed in a secret in the default namespace to be used as an imagePullSecret by Pods.
+The user has push/pull access to all repos in the registry.
+
+## Options
+
+By default it is not possible to push to the registry from remote hosts.
+Use the `registry-publish-port=<port>` flag to configure the registry to listen on a NodePort.

addons/registry/3.0.0/deployment-pvc.yaml

@@ -0,0 +1,110 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: registry-config
+  labels:
+    app: registry
+data:
+  config.yml: |-
+    health:
+      storagedriver:
+        enabled: true
+        interval: 10s
+        threshold: 3
+    auth:
+      htpasswd:
+        realm: basic-realm
+        path: /auth/htpasswd
+    http:
+      addr: :443
+      headers:
+        X-Content-Type-Options:
+        - nosniff
+      tls:
+        certificate: /etc/pki/registry.crt
+        key: /etc/pki/registry.key
+    log:
+      fields:
+        service: registry
+      accesslog:
+        disabled: true
+    storage:
+      delete:
+        enabled: true
+      filesystem:
+        rootdirectory: /var/lib/registry
+      cache:
+        blobdescriptor: inmemory
+      maintenance:
+        uploadpurging:
+          enabled: false
+    version: 0.1
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: registry
+spec:
+  selector:
+    matchLabels:
+      app: registry
+  replicas: 1
+  strategy:
+    type:
+      Recreate
+  template:
+    metadata:
+      labels:
+        app: registry
+    spec:
+      terminationGracePeriodSeconds: 30
+      containers:
+      - name: registry
+        image: registry:3.0.0
+        imagePullPolicy: IfNotPresent
+        command:
+        - /bin/registry
+        - serve
+        - /etc/docker/registry/config.yml
+        ports:
+        - containerPort: 443
+          protocol: TCP
+        volumeMounts:
+        - name: registry-data
+          mountPath: /var/lib/registry
+        - name: registry-config
+          mountPath: /etc/docker/registry
+        - name: registry-pki
+          mountPath: /etc/pki
+        - name: registry-htpasswd
+          mountPath: /auth
+        env:
+        - name: REGISTRY_HTTP_SECRET
+          valueFrom:
+            secretKeyRef:
+              key: haSharedSecret
+              name: registry-session-secret
+        readinessProbe:
+          failureThreshold: 3
+          initialDelaySeconds: 10
+          periodSeconds: 1
+          successThreshold: 2
+          timeoutSeconds: 1
+          httpGet:
+            path: /
+            port: 443
+            scheme: HTTPS
+      volumes:
+      - name: registry-data
+        persistentVolumeClaim:
+          claimName: registry-pvc
+      - name: registry-config
+        configMap:
+          name: registry-config
+      - name: registry-pki
+        secret:
+          secretName: registry-pki
+      - name: registry-htpasswd
+        secret:
+          secretName: registry-htpasswd