2022-11-22 Kubernetes

Contents

Starting from the official docker registry documentation
Writing the helm chart based on docker-compose
Modifying the docker configuration and pushing an image

What you will get from this article

  1. A docker registry deployed inside the cluster
  2. docker build & push inside the cluster for CI/CD
  3. A helm chart written from scratch

Starting from the official docker registry documentation

https://docs.docker.com/registry/

A quick read-through is enough; all we need is the core docker-compose file -> https://docs.docker.com/registry/deploying/#deploy-your-registry-using-a-compose-file

```yml
registry:
  restart: always
  image: registry:2
  ports:
    - 5000:5000
  environment:
    REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
    REGISTRY_HTTP_TLS_KEY: /certs/domain.key
    REGISTRY_AUTH: htpasswd
    REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
    REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
  volumes:
    - /path/data:/var/lib/registry
    - /path/certs:/certs
    - /path/auth:/auth
```

Based on the configuration above, I made the following changes:

```yml
version: "3"
services:
  registry:
    restart: always
    image: registry:2
    ports:
      - 5000:5000
    volumes:
      - /mnt/data:/var/lib/registry
```

The reasoning behind the changes:

  1. I do not intend to let the registry itself handle basic auth or certificate validation. A Kubernetes cluster has an ingress controller, and the ingress controller is a competent reverse proxy, so access control belongs there.
  2. Since this is an in-cluster registry, I plan to stay on the insecure-registries route, so that CI/CD does not have to pull images over the public internet every time; that traffic is a real cost in money. See the docs -> https://docs.docker.com/registry/insecure/ . Even if the registry is exposed to the public internet some day, TLS should still be handled by the ingress controller.

Writing the helm chart based on docker-compose

First, starting from the docker-compose file, let's write the plain kubectl yaml and try it out

```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-registry
  labels:
    k8s-app: docker-registry
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
  storageClassName: nfs-client
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: docker-registry
  labels:
    k8s-app: docker-registry
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: docker-registry
  template:
    metadata:
      labels:
        k8s-app: docker-registry
    spec:
      containers:
      - name: docker-registry
        image: docker.io/registry:latest
        ports:
          - name: http
            containerPort: 5000
        volumeMounts:
          - name: vol-registry
            mountPath: "/var/lib/registry"
        resources:
          limits:
            cpu: 400m
            memory: 512Mi
          requests:
            cpu: 100m
            memory: 128Mi
      volumes:
        - name: vol-registry
          persistentVolumeClaim:
            claimName: pvc-registry
---
apiVersion: v1
kind: Service
metadata:
  name: docker-registry
  labels:
    k8s-app: docker-registry
spec:
  ports:
  - name: http
    port: 5000
    targetPort: 5000
  selector:
    k8s-app: docker-registry
  type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
  name: docker-registry
spec:
  ingressClassName: nginx
  rules:
  - host: registry.my-k8s-cluster.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: docker-registry
            port:
              number: 5000
```

Note: this assumes your cluster already has the NFS storage plugin installed as described in the earlier article -> Kubernetes dynamic volumes - self-hosted NFS (Network File System) server
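Point 1 of the reasoning above hands authentication to the ingress controller, but the Ingress manifest above does not configure any yet, so anyone who can reach the ingress can push and pull. The following is an added example, not from the original post: the same Ingress with ingress-nginx basic auth turned on, plus the commands that create the htpasswd Secret it references. The Secret name `registry-auth`, the user `ci` and the TLS Secret `registry-tls` are assumed names.

```yaml
# Added example (not the original post's manifest): ingress-nginx basic auth
# in front of the in-cluster registry. Create the htpasswd Secret first; the
# file inside it must be named "auth", and the user name "ci" is assumed:
#   htpasswd -c auth ci
#   kubectl create secret generic registry-auth --from-file=auth
# Optional TLS termination at the ingress (Secret name assumed):
#   kubectl create secret tls registry-tls --cert=domain.crt --key=domain.key
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: docker-registry
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
    # nginx checks the credentials before a request reaches the registry, so an
    # anonymous client gets 401 on /v2/ and can neither pull nor push.
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: registry-auth
    nginx.ingress.kubernetes.io/auth-realm: "Docker Registry"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - registry.my-k8s-cluster.com
      secretName: registry-tls
  rules:
    - host: registry.my-k8s-cluster.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: docker-registry
                port:
                  number: 5000
```

Clients then run `docker login registry.my-k8s-cluster.com` once before pushing or pulling, and with TLS terminated at the ingress the `insecure-registries` entry in daemon.json is no longer needed.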

Modifying the docker configuration and pushing an image

Edit your local hosts file:

```config
192.168.137.200 registry.my-k8s-cluster.com # 192.168.137.200 is the IP exposed by the Ingress controller of my local Kubernetes cluster; replace it with yours
```

Edit the docker configuration

```shell
$ sudo vi /etc/docker/daemon.json
# add this setting
{
  "insecure-registries" : ["registry.my-k8s-cluster.com"]
}

# then restart the service

$ sudo systemctl daemon-reload
$ sudo systemctl restart docker
$ sudo systemctl status docker
```

Pull a simple image and push it to the private registry

```shell
$ docker pull hashicorp/http-echo
$ docker image tag hashicorp/http-echo registry.my-k8s-cluster.com/my-http-echo
$ docker push registry.my-k8s-cluster.com/my-http-echo
```

Switch to another machine in the other cluster and try to pull the private image

```shell
$ docker pull registry.my-k8s-cluster.com/my-http-echo
Using default tag: latest
latest: Pulling from my-http-echo
Digest: sha256:61d5cb94d7e546518a7bbd5bee06bfad0ecea8f56a75b084522a43dccbbcd845
Status: Downloaded newer image for registry.my-k8s-cluster.com/my-http-echo:latest
registry.my-k8s-cluster.com/my-http-echo:latest
```