# k8s: create a private Docker registry backed by GlusterFS, plus a web management UI.
# Each section is headed with the node set it is meant to run on.
####################################################
#################################################### run on ALL nodes
### run on all nodes
## install GlusterFS on every node (the release package adds the gluster repo first)
yum -y install centos-release-gluster
yum -y install glusterfs-server
# configure the GlusterFS cluster:
# glusterd: enabled at boot, (re)started now
systemctl enable glusterd.service
systemctl restart glusterd.service
# create the brick directory (used as this node's brick for volume gv1 below)
mkdir -p /gfs1
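#### on the swarm-manager node: add the other nodes to the trusted storage pool.
## gluster peer probe hostname
####################################################
#################################################### manager node ONLY
gluster peer probe node224
gluster peer probe node225
### check pool status:
gluster peer status
### create the GlusterFS volume: replicated mode.
### Run this ONCE, on the manager node (not on every node — a second
### `volume create` for an already existing volume name fails).
## `force` is presumably required because /gfs1 is a plain directory on the
## root filesystem rather than a dedicated mount — confirm before relying on it.
gluster volume create gv1 replica 3 transport tcp node223:/gfs1 node224:/gfs1 node225:/gfs1 force
# start gv1
gluster volume start gv1
### check the volume status again:
gluster volume info gv1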
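####################################################
#################################################### mount the volume on clients — run on ALL nodes
yum -y install centos-release-gluster
yum -y install glusterfs glusterfs-fuse
mkdir -p /gv1
# mount through the local glusterd (every node is also a server); skip if already mounted
mountpoint -q /gv1 || mount -t glusterfs localhost:gv1 /gv1
# persist the mount; guard the append so re-running this section does not
# add a duplicate fstab entry
grep -qF 'localhost:/gv1 /gv1 glusterfs' /etc/fstab \
  || echo 'localhost:/gv1 /gv1 glusterfs _netdev,rw,acl 0 0' >>/etc/fstab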
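####################################################
####################################################
mkdir -p /gv1/registry/{certs,registry}
yum -y install openssl
#### create a self-signed TLS certificate for the registry (valid 10 years).
# `-subj` supplies the subject non-interactively, so `expect` is no longer needed;
# the fields are the same answers the previous expect script sent (email left empty).
# NOTE(review): recent clients (Go >= 1.15, current Docker) ignore the CN and require a
# subjectAltName; on OpenSSL >= 1.1.1 add `-addext "subjectAltName=DNS:k.xxxx.com"`.
openssl req -newkey rsa:4096 -nodes -sha256 \
  -subj "/C=cn/ST=sc/L=cd/O=k8s/OU=sys/CN=k.xxxx.com" \
  -keyout /gv1/registry/certs/domain.key \
  -x509 -days 3650 \
  -out /gv1/registry/certs/domain.crt
# The key is unencrypted (-nodes) and sits on the shared GlusterFS volume that every
# node mounts: keep it readable by root only. The registry container presumably reads
# it as root (image default) — verify if a non-root securityContext is added later.
chmod 600 /gv1/registry/certs/domain.key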
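####################################################
#################################################### registry daemon config (mounted at /etc/docker/registry/config.yml)
# Quoted heredoc: written verbatim, with the YAML nesting intact and no leading blank line.
# NOTE(review): there is no `auth` section and storage.delete.enabled is true, so anyone
# who can reach the registry port can push, pull and delete images. Restrict network
# access to it or add htpasswd/token auth before exposing it beyond the cluster.
cat >/gv1/registry/config.yml <<'EOF'
version: 0.1
log:
  fields:
    service: registry
storage:
  delete:
    enabled: true
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
EOF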
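###################################################
# docker-registry-web config (mounted at /conf/config.yml in the registry-web container).
# Quoted heredoc keeps the YAML nesting and prevents shell expansion.
mkdir -p /gv1/registry/registry-web
# NOTE(review): auth.enabled false together with readonly false means the web UI
# lets anonymous users delete images from the registry.
cat >/gv1/registry/registry-web/config.yml <<'EOF'
registry:
  # Docker registry url
  url: https://192.168.3.207:30050/v2
  # Docker registry fqdn
  name: k.xxxx.com:30050
  # To allow image delete, should be false
  readonly: false
  auth:
    # Disable authentication
    enabled: false
EOF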
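###################################################
# registry + registry-web pods (ReplicationController) and a NodePort Service.
# Quoted heredoc: the manifest is written with its YAML nesting intact.
# Config, certs and image data come from hostPath on /gv1, which every node mounts
# from GlusterFS (see the client-mount section), so any master can run a replica.
# NOTE(review): the registry has no auth and NodePort 30050 is reachable from
# outside the cluster; REGISTRY_TRUST_ANY_SSL disables TLS verification between the
# web UI and the registry (mounting domain.crt as the trusted CA would avoid that).
# The registry address 192.168.3.207:30050 is hard-coded here and in the web config.
cat >registry.yaml <<'EOF'
apiVersion: v1
kind: ReplicationController
metadata:
  name: registry-rc
  namespace: kube-system
spec:
  replicas: 2
  selector:
    app: registry-rc
  template:
    metadata:
      labels:
        app: registry-rc
    spec:
      # pin to master nodes; the matching toleration is at the bottom of the pod spec
      nodeSelector:
        node-role.kubernetes.io/master: ""
      containers:
      - name: registry
        image: registry:2
        ports:
        - containerPort: 5000
        env:
        - name: REGISTRY_HTTP_TLS_CERTIFICATE
          value: "/certs/domain.crt"
        - name: REGISTRY_HTTP_TLS_KEY
          value: "/certs/domain.key"
        volumeMounts:
        - name: registry
          mountPath: /var/lib/registry
        - name: certs
          mountPath: /certs
        - name: conf
          mountPath: /etc/docker/registry/config.yml
      - name: registry-web
        image: hyper/docker-registry-web
        ports:
        - containerPort: 8080
        env:
        # accepts the self-signed registry certificate without verification
        - name: REGISTRY_TRUST_ANY_SSL
          value: "true"
        - name: REGISTRY_URL
          value: "https://192.168.3.207:30050/v2"
        - name: REGISTRY_NAME
          value: "k.xxxx.com:30050"
        volumeMounts:
        - name: webconf
          mountPath: /conf/config.yml
      volumes:
      - name: webconf
        hostPath:
          path: /gv1/registry/registry-web/config.yml
      - name: registry
        hostPath:
          path: /gv1/registry/registry
      - name: certs
        hostPath:
          path: /gv1/registry/certs
      - name: conf
        hostPath:
          path: /gv1/registry/config.yml
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
---
apiVersion: v1
kind: Service
metadata:
  name: registry-svc
  namespace: kube-system
spec:
  selector:
    app: registry-rc
  type: NodePort
  ports:
  - name: registry
    protocol: TCP
    port: 5000
    targetPort: 5000
    nodePort: 30050
  - name: registry-web
    protocol: TCP
    port: 8080
    targetPort: 8080
    nodePort: 30180
EOF
kubectl apply -f registry.yaml
kubectl get pod,svc,rc -n kube-system -o wide | grep registry
#kubectl delete -f registry.yaml
# smoke test against the registry API, trusting only our own certificate
curl --cacert /gv1/registry/certs/domain.crt https://k.xxxx.com:30050/v2/_catalog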
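######################################################
###################################################### Ingress for the web UI (hub.xxxx.com -> registry-svc:8080)
# Quoted heredoc: the manifest is written with its YAML nesting intact.
# NOTE(review): extensions/v1beta1 Ingress is deprecated (removed in Kubernetes 1.22);
# newer clusters need networking.k8s.io/v1 with the pathType/backend.service form.
# The rule has no TLS and no auth, so the web UI (which permits deletes) is served
# in plaintext to anyone who can resolve hub.xxxx.com to the ingress controller.
cat >registry-ingress.yaml <<'EOF'
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-registry
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: hub.xxxx.com
    http:
      paths:
      - path: /
        backend:
          serviceName: registry-svc
          servicePort: 8080
EOF
kubectl apply -f registry-ingress.yaml
kubectl get Ingress -n kube-system -o wide
#kubectl delete -f registry-ingress.yaml
# smoke tests: registry API via NodePort, web UI via the ingress host header
curl --cacert /gv1/registry/certs/domain.crt https://k.xxxx.com:30050/v2/_catalog
curl http://k.xxxx.com/ -H "host:hub.xxxx.com" -I
######################################### web UI address: http://k.xxxx.com:30180 ; registry address: k.xxxx.com:30050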