---
# Swarm stack: a Vault Agent sidecar renders registry credentials into an
# in-memory volume that the registry container consumes read-only.
configs:
  registry_wait_sh:
    file: ./registry-wait.sh
  registry_config_yml:
    file: ./config.yml

services:
  # Sidecar that authenticates to Vault and writes rendered files under
  # /vault/secrets for the registry service.
  vault-agent-registry:
    # NOTE(review): floating tag; pinning to a release tag or digest makes the
    # deployed image reproducible and auditable — TODO pick a version.
    image: hashicorp/vault:latest
    command: >
      sh -lc 'vault agent -config=/etc/vault/agent.hcl'
    # IPC_LOCK is the only added capability (Vault uses it to mlock memory).
    cap_add:
      - IPC_LOCK
    environment:
      # NOTE(review): plaintext HTTP to Vault over the cicd network — confirm
      # that network is trusted, or switch to https with a CA bundle.
      VAULT_ADDR: 'http://vault:8200'
    # Swarm secrets mounted as files; presumably the AppRole credentials that
    # agent.hcl reads — confirm against ./vault/agent.hcl.
    secrets:
      - source: registry_vault_role_id
        target: /vault/secrets/role_id
      - source: registry_vault_secret_id
        target: /vault/secrets/secret_id
    volumes:
      - ./vault:/etc/vault:ro
      # Writable only here; the registry mounts the same volume read-only.
      - vault-secrets:/vault/secrets:rw
    networks:
      - cicd
    # Healthy once both rendered files exist and are non-empty.
    healthcheck:
      test:
        - CMD-SHELL
        - 'test -s /vault/secrets/htpasswd -a -s /vault/secrets/env'
      interval: 10s
      timeout: 3s
      retries: 10
    deploy:
      placement:
        constraints:
          - node.role == manager

  registry:
    # NOTE(review): floating tag as well — TODO pin to a release tag or digest.
    image: registry:latest
    # The wait script replaces the image entrypoint; presumably it blocks until
    # the agent has rendered /vault/secrets and then runs the command below —
    # confirm in ./registry-wait.sh.
    entrypoint:
      - /usr/local/bin/registry-wait
    command:
      - serve
      - /etc/registry/config.yml
    configs:
      - source: registry_wait_sh
        target: /usr/local/bin/registry-wait
        # Octal integer as Compose expects for config file modes (executable).
        mode: 0755
      - source: registry_config_yml
        target: /etc/registry/config.yml
    volumes:
      - registry_data:/var/lib/registry
      # Rendered credentials; read-only on this side.
      - vault-secrets:/vault/secrets:ro
    environment:
      OTEL_TRACES_EXPORTER: 'none'
    networks:
      - cicd
    deploy:
      placement:
        constraints:
          - node.role == manager
      # Traefik exposes the registry on the websecure entrypoint with TLS.
      labels:
        - 'traefik.enable=true'
        - 'traefik.docker.network=cicd'
        - 'traefik.http.services.registry.loadbalancer.server.port=5000'
        - 'traefik.http.routers.registry.rule=Host(`registry.sendico.io`)'
        - 'traefik.http.routers.registry.entrypoints=websecure'
        - 'traefik.http.routers.registry.tls=true'
        - 'traefik.http.routers.registry.tls.certresolver=letsencrypt'

networks:
  cicd:
    external: true

volumes:
  # tmpfs-backed scratch space for the rendered secrets, capped at 16m.
  # NOTE(review): `local` volumes are per node, so both services must be
  # scheduled on the same node for the hand-off to work; with more than one
  # manager the node.role constraint alone does not guarantee that — confirm.
  # NOTE(review): mode=0750 with uid/gid 1000 means both container processes
  # must run as uid 1000, gid 1000 or root to read it — confirm against the
  # users the two images run as.
  vault-secrets:
    driver: local
    driver_opts:
      type: tmpfs
      device: tmpfs
      o: size=16m,uid=1000,gid=1000,mode=0750
  registry_data:

secrets:
  # Provisioned out of band (not defined in this file).
  registry_vault_role_id:
    external: true
  registry_vault_secret_id:
    external: true