2022-11-22
Kubernetes

Contents

Starting from the official docker registry documentation
Writing the helm chart starting from docker-compose
Changing the docker configuration and trying to push an image

What you will have after reading this article

  1. A docker registry deployed inside the cluster
  2. docker build & push inside the cluster, as the basis for CI/CD
  3. A helm chart written from scratch

Starting from the official docker registry documentation

https://docs.docker.com/registry/

Skim it; all we need is the core docker-compose file -> https://docs.docker.com/registry/deploying/#deploy-your-registry-using-a-compose-file

```yml
registry:
  restart: always
  image: registry:2
  ports:
    - 5000:5000
  environment:
    REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
    REGISTRY_HTTP_TLS_KEY: /certs/domain.key
    REGISTRY_AUTH: htpasswd
    REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
    REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
  volumes:
    - /path/data:/var/lib/registry
    - /path/certs:/certs
    - /path/auth:/auth
```

Based on that configuration, I made the following changes:

```yml
version: "3"
services:
  registry:
    restart: always
    image: registry:2
    ports:
      - 5000:5000
    volumes:
      - /mnt/data:/var/lib/registry
```

The reasoning behind the changes:

  1. I do not want the registry itself to do basic-auth access control and certificate validation. The Kubernetes cluster has an ingress controller, and the ingress controller is a perfectly capable reverse proxy, so authorization should be handed to it. Keep in mind what that means for the manifest below: its Ingress carries no auth annotations yet, so until they are added anything that can reach the ingress can push to and pull from this registry.
  2. Because this is an in-cluster registry, I intend to stay on the insecure-registries route throughout, so that CI/CD does not have to pull images over external network traffic every time, which is a real and significant cost; see https://docs.docker.com/registry/insecure/ . Even if the registry is exposed to the public internet some day, TLS termination and validation should again be the ingress controller's job.

Writing the helm chart starting from docker-compose

First, let's translate the docker-compose file into plain kubectl yaml.

```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-registry
  labels:
    k8s-app: docker-registry
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
  storageClassName: nfs-client
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: docker-registry
  labels:
    k8s-app: docker-registry
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: docker-registry
  template:
    metadata:
      labels:
        k8s-app: docker-registry
    spec:
      containers:
        - name: docker-registry
          image: docker.io/registry:latest
          ports:
            - name: http
              containerPort: 5000
          volumeMounts:
            - name: vol-registry
              mountPath: "/var/lib/registry"
          resources:
            limits:
              cpu: 400m
              memory: 512Mi
            requests:
              cpu: 100m
              memory: 128Mi
      volumes:
        - name: vol-registry
          persistentVolumeClaim:
            claimName: pvc-registry
---
apiVersion: v1
kind: Service
metadata:
  name: docker-registry
  labels:
    k8s-app: docker-registry
spec:
  ports:
    - name: http
      port: 5000
      targetPort: 5000
  selector:
    k8s-app: docker-registry
  type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
  name: docker-registry
spec:
  ingressClassName: nginx
  rules:
    - host: registry.my-k8s-cluster.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: docker-registry
                port:
                  number: 5000
```

Note that this requires your cluster to already have the nfs storage plugin installed as described in the earlier article -> Kubernetes dynamic volumes - self-hosted NFS (Network File System) server. Also note that the Deployment pulls `docker.io/registry:latest`, whereas the compose file pinned `registry:2`; pin the tag (or better, a digest) so that a redeploy does not silently pick up a different registry version.
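Point 1 of the reasoning above hands authentication to the ingress controller, but the Ingress in the manifest does not do it yet. ingress-nginx can enforce HTTP basic auth purely through annotations that point at a Secret holding an htpasswd file, so the registry Deployment stays untouched. The following is an added example, not part of the original article: it is the same Ingress as above with those annotations added, plus the Secret it references. The Secret name `registry-htpasswd`, the user `ci` and the realm string are assumptions; the `auth` value is a placeholder that must be replaced with a real line from `htpasswd -nb ci <password>` (or create the Secret with `kubectl create secret generic registry-htpasswd --from-file=auth` instead).

```yaml
# Added example (not from the original article): basic auth enforced by ingress-nginx.
# The registry container is unchanged; only the Ingress and a new Secret are involved.
apiVersion: v1
kind: Secret
metadata:
  name: registry-htpasswd   # assumed name; must live in the same namespace as the Ingress
type: Opaque
stringData:
  # Placeholder: replace with the output of `htpasswd -nb ci <password>` (user "ci" is assumed).
  # The key must be "auth" because the default auth-secret-type is auth-file.
  auth: "ci:REPLACE_WITH_HTPASSWD_HASH"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: docker-registry
  annotations:
    # same proxy settings as the manifest above: layers are large and uploads are slow
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
    # basic auth is checked by the ingress controller; requests that fail never reach the registry
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: registry-htpasswd
    nginx.ingress.kubernetes.io/auth-realm: "Docker Registry"   # realm text is an assumption
spec:
  ingressClassName: nginx
  rules:
    - host: registry.my-k8s-cluster.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: docker-registry
                port:
                  number: 5000
```

Once this is applied, `docker push` and `docker pull` are rejected with a 401 until the client runs `docker login registry.my-k8s-cluster.com` with a user from the htpasswd file; the docker client answers the `WWW-Authenticate: Basic` challenge with the stored credentials on every request. Two caveats follow directly from the choices made above: because clients reach this registry over plain HTTP via `insecure-registries`, those credentials cross the network in cleartext, so this is only acceptable on a network you already trust, and the moment the registry is exposed outside the cluster the Ingress also needs `spec.tls`, which is exactly where the author planned to terminate TLS.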

Changing the docker configuration and trying to push an image

Edit your local hosts file:

```config
# 192.168.137.200 is the IP exposed by my local Kubernetes cluster's Ingress controller; replace it with yours
192.168.137.200 registry.my-k8s-cluster.com
```

Edit the docker daemon configuration

```shell
$ sudo vi /etc/docker/daemon.json
# add this configuration
{
  "insecure-registries" : ["registry.my-k8s-cluster.com"]
}
# then restart the service (daemon-reload only reloads systemd unit files; the docker restart is what picks up daemon.json)
$ sudo systemctl daemon-reload
$ sudo systemctl restart docker
$ sudo systemctl status docker
```

Pull a simple image and push it to the private registry

```shell
$ docker pull hashicorp/http-echo
$ docker image tag hashicorp/http-echo registry.my-k8s-cluster.com/my-http-echo
$ docker push registry.my-k8s-cluster.com/my-http-echo
```

Switch to another machine in the cluster (it needs the same hosts entry and the same insecure-registries setting) and try pulling the private image

```shell
$ docker pull registry.my-k8s-cluster.com/my-http-echo
Using default tag: latest
latest: Pulling from my-http-echo
Digest: sha256:61d5cb94d7e546518a7bbd5bee06bfad0ecea8f56a75b084522a43dccbbcd845
Status: Downloaded newer image for registry.my-k8s-cluster.com/my-http-echo:latest
registry.my-k8s-cluster.com/my-http-echo:latest
```