updated for infra
30
infra/registry/config.yml
Normal file
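--- a/infra/registry/config.yml
+++ b/infra/registry/config.yml
@@ -0,0 +1,30 @@
+version: 0.1
+log:
+level: info
+
+storage:
+s3:
+accesskey: registry
+secretkey: "88m]6uu:5^B>"
+bucket: registry
+region: us-east-1
+regionendpoint: https://s3.sendico.io
+secure: true
+v4auth: true
+forcepathstyle: true # required for MinIO path-style
+delete:
+enabled: true
+http:
+addr: :5000
+
+auth:
+htpasswd:
+realm: "Registry Realm"
+path: /vault/secrets/htpasswd
+
+health:
+storagedriver:
+enabled: true
+
+monitoring:
+enabled: false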
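Review bot: The `secretkey` line under `storage.s3` commits the object-store credential in plaintext, so anyone with read access to the repository can read it, and it stays in history even if a later commit removes it. The compose file added in this same commit already runs a Vault agent whose healthcheck waits for `/vault/secrets/env`. If `registry-wait` exports that file before starting the registry (the script is not visible here), `accesskey` and `secretkey` can be dropped from this file and supplied as `REGISTRY_STORAGE_S3_ACCESSKEY` and `REGISTRY_STORAGE_S3_SECRETKEY`. The committed value should be treated as exposed and rotated on the MinIO side. A short comment above `auth.htpasswd.path` noting that the file is rendered by the Vault agent would also explain why the path is outside `/etc/registry`.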
79
infra/registry/docker-compose.yml
Normal file
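--- a/infra/registry/docker-compose.yml
+++ b/infra/registry/docker-compose.yml
@@ -0,0 +1,79 @@
+configs:
+registry_wait_sh:
+file: ./registry-wait.sh
+registry_config_yml:
+file: ./config.yml
+
+services:
+vault-agent-registry:
+image: hashicorp/vault:latest
+command: >
+sh -lc 'vault agent -config=/etc/vault/agent.hcl'
+cap_add: ["IPC_LOCK"]
+environment:
+VAULT_ADDR: "http://vault:8200"
+secrets:
+- source: registry_vault_role_id
+target: /vault/secrets/role_id
+- source: registry_vault_secret_id
+target: /vault/secrets/secret_id
+volumes:
+- ./vault:/etc/vault:ro
+- vault-secrets:/vault/secrets:rw
+networks: [cicd]
+healthcheck:
+test: ["CMD-SHELL", "test -s /vault/secrets/htpasswd -a -s /vault/secrets/env"]
+interval: 10s
+timeout: 3s
+retries: 10
+deploy:
+placement:
+constraints: [node.role == manager]
+
+registry:
+image: registry:latest
+entrypoint: ["/usr/local/bin/registry-wait"]
+command: ["serve", "/etc/registry/config.yml"]
+configs:
+- source: registry_wait_sh
+target: /usr/local/bin/registry-wait
+mode: 0755
+- source: registry_config_yml
+target: /etc/registry/config.yml
+volumes:
+- registry_data:/var/lib/registry
+- vault-secrets:/vault/secrets:ro
+environment:
+OTEL_TRACES_EXPORTER: "none"
+networks: [cicd]
+deploy:
+placement:
+constraints: [node.role == manager]
+labels:
+- "traefik.enable=true"
+- "traefik.docker.network=cicd"
+
+- "traefik.http.services.registry.loadbalancer.server.port=5000"
+- "traefik.http.routers.registry.rule=Host(`registry.sendico.io`)"
+- "traefik.http.routers.registry.entrypoints=websecure"
+- "traefik.http.routers.registry.tls=true"
+- "traefik.http.routers.registry.tls.certresolver=letsencrypt"
+
+networks:
+cicd:
+external: true
+
+volumes:
+vault-secrets:
+driver: local
+driver_opts:
+type: tmpfs
+device: tmpfs
+o: size=16m,uid=1000,gid=1000,mode=0750
+registry_data:
+
+secrets:
+registry_vault_role_id:
+external: true
+registry_vault_secret_id:
+external: true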
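Review bot: `image: hashicorp/vault:latest` and `image: registry:latest` are floating tags, so the container that holds the AppRole credentials and the one that serves every pushed image can change on any redeploy without a reviewable diff. Pin each to a version and digest, e.g. `image: hashicorp/vault:<version>@sha256:<digest>`. `VAULT_ADDR: "http://vault:8200"` also means the AppRole login and the rendered secrets cross the shared external `cicd` network unencrypted. Prefer an `https://` listener with the CA mounted into the agent, or confirm that the overlay network is encrypted. A comment above the `vault-secrets` volume would help too, since `uid=1000,gid=1000,mode=0750` only works if it matches the user that both images run as, which this file does not show.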