No. 10420 In section "Sysadmin"
from December 4th, 2019,
Filed under: DigitalOcean, Docker, Kubernetes
Prepare a ConfigMap with the auth information. Use the command htpasswd -Bbn vlad 123 to create a login and password for each user. There is no need to restart the registry pods to apply changes. You may prefer to store it in a Secret resource instead; the choice is yours.
Example:
---
apiVersion: v1
kind: ConfigMap
metadata:
  creationTimestamp: null
  name: registry-auth
data:
  htpasswd: |
    vlad:$2y$05$anFCx3pAPG/BNxPsEKcau.LPKjWFN7hHkoXbvIMp7Jie97uYafuSq
Now create the bucket my-own-registry in Spaces, with an access key ID and secret key. Do not forget to set http_secret and nodeSelector. http_secret is required if you want multiple pods.
Example:
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: registry
spec:
  replicas: 2
  template:
    metadata:
      labels:
        name: registry
    spec:
      containers:
      - name: registry
        image: registry:2
        ports:
        - name: registry
          containerPort: 5000
        volumeMounts:
        - mountPath: /auth
          name: auth
        env:
        - name: REGISTRY_STORAGE_DELETE_ENABLED
          value: "true"
        - name: REGISTRY_HEALTH_STORAGEDRIVER_ENABLED
          value: "false"
        - name: REGISTRY_AUTH
          value: "htpasswd"
        - name: REGISTRY_AUTH_HTPASSWD_REALM
          value: "Registry Realm"
        - name: REGISTRY_AUTH_HTPASSWD_PATH
          value: /auth/htpasswd
        - name: REGISTRY_STORAGE
          value: "s3"
        - name: REGISTRY_STORAGE_S3_ACCESSKEY
          value: "TVV3WXZ233MEPEBXFP7X"
        - name: REGISTRY_STORAGE_S3_SECRETKEY
          value: "ERlofd+hb9Ps1oBR5jUJuPa9NIMRSLxvUyulKJnt8S0"
        - name: REGISTRY_STORAGE_S3_BUCKET
          value: "my-own-registry"
        - name: REGISTRY_STORAGE_S3_REGION
          value: "fra1"
        - name: REGISTRY_STORAGE_S3_REGIONENDPOINT
          value: "https://fra1.digitaloceanspaces.com"
        - name: REGISTRY_LOG_LEVEL
          value: "info"
        - name: REGISTRY_HTTP_ADDR
          value: "0.0.0.0:5000"
        - name: REGISTRY_HTTP_SECRET
          value: sexy_pony
        resources:
          limits:
            cpu: 100m
            memory: 200Mi
          requests:
            cpu: 50m
            memory: 50Mi
      volumes:
      - name: auth
        configMap:
          name: registry-auth
      nodeSelector:
        doks.digitalocean.com/node-pool: infra
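The Secret option mentioned for the htpasswd file, applied also to the S3 keys and http_secret that the Deployment above carries as plain env values. This is an added example, not part of the original post; the Secret name registry-credentials and its key names are assumptions, and every value is a placeholder.

```yaml
# Added example: Secret name and key names are hypothetical, values are placeholders.
---
apiVersion: v1
kind: Secret
metadata:
  name: registry-credentials
type: Opaque
stringData:
  htpasswd: |
    vlad:<bcrypt hash printed by htpasswd -Bbn>
  s3-access-key: "<SPACES_ACCESS_KEY_ID>"
  s3-secret-key: "<SPACES_SECRET_KEY>"
  http-secret: "<long random string, identical for all replicas>"
---
# Fragment of the Deployment's spec.template.spec: only the entries that
# change are shown; the remaining env entries stay as in the manifest above.
containers:
- name: registry
  image: registry:2
  volumeMounts:
  - mountPath: /auth
    name: auth
    readOnly: true
  env:
  - name: REGISTRY_AUTH_HTPASSWD_PATH
    value: /auth/htpasswd
  - name: REGISTRY_STORAGE_S3_ACCESSKEY
    valueFrom:
      secretKeyRef:
        name: registry-credentials
        key: s3-access-key
  - name: REGISTRY_STORAGE_S3_SECRETKEY
    valueFrom:
      secretKeyRef:
        name: registry-credentials
        key: s3-secret-key
  - name: REGISTRY_HTTP_SECRET
    valueFrom:
      secretKeyRef:
        name: registry-credentials
        key: http-secret
volumes:
- name: auth
  secret:
    secretName: registry-credentials   # replaces the registry-auth ConfigMap volume
    items:
    - key: htpasswd
      path: htpasswd
```

Env values taken from a Secret are read only when the container starts, so rotating the S3 keys or http secret requires restarting the pods.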
The last step is to expose the registry. Set the image size limit in proxy-body-size; the value 0 means no limit.
Example:
---
apiVersion: v1
kind: Service
metadata:
  name: registry
  labels:
    name: registry
spec:
  ports:
  - port: 80
    targetPort: registry
    protocol: TCP
    name: registry
  selector:
    name: registry
  type: ClusterIP
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
  name: registry
spec:
  rules:
  - host: registry.k8s.blindage.org
    http:
      paths:
      - backend:
          serviceName: registry
          servicePort: registry
        path: /
  tls:
  - hosts:
    - k8s.blindage.org
    - '*.k8s.blindage.org'
    secretName: k8s-blindage-tls
Problems:
time="2019-12-14T22:03:19.448702167Z" level=info msg="PurgeUploads starting: olderThan=2019-12-07 22:03:19.439373039 +0000 UTC m=-601559.638413974, actuallyDelete=true"
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xc4e6bd]
It's a bug.
No. 10401 In section "Sysadmin"
from November 19th, 2019,
Filed under: DigitalOcean, Terraform
First, create digitalocean.tf with your auth token if you do not have one.
Carefully read the documentation:
Now prepare domains.tf with the resource declarations:
resource "digitalocean_domain" "k8s_blindage_org" {
  name = "k8s.blindage.org"
}

resource "digitalocean_record" "k8s_blindage_org_ns1" {
  domain = digitalocean_domain.k8s_blindage_org.name
  type   = "NS"
  name   = "@"
  value  = "ns1.digitalocean.com."
}

resource "digitalocean_record" "k8s_blindage_org_ns2" {
  domain = digitalocean_domain.k8s_blindage_org.name
  type   = "NS"
  name   = "@"
  value  = "ns2.digitalocean.com."
}

resource "digitalocean_record" "k8s_blindage_org_ns3" {
  domain = digitalocean_domain.k8s_blindage_org.name
  type   = "NS"
  name   = "@"
  value  = "ns3.digitalocean.com."
}
Authorize and receive list of records with IDs:
export DO_TOKEN=fed82d66020b4ccfa67d53d45a519fuck6d3you0c946a9cd196f1062195a7993
curl -X GET https://api.digitalocean.com/v2/domains/k8s.blindage.org/records -H "Authorization:Bearer ${DO_TOKEN}"
Now you are ready to import current state with record IDs from previous step:
terraform import digitalocean_domain.k8s_blindage_org k8s.blindage.org
terraform import digitalocean_record.k8s_blindage_org_ns1 k8s.blindage.org,80019903
terraform import digitalocean_record.k8s_blindage_org_ns2 k8s.blindage.org,80019904
terraform import digitalocean_record.k8s_blindage_org_ns3 k8s.blindage.org,80019905