Deploying a private image registry (registry)
1. Create persistent storage (PV, PVC); using a StorageClass is recommended
# pv.yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: registry-pv
  labels:
    app: registry
spec:
  capacity:
    storage: 40Gi
  nfs: # NFS is used here
    path: /nfs/registry
    server: 10.0.0.105
  accessModes:
    - ReadWriteOnce
  nodeAffinity:
    required:
      nodeSelectorTerms: # pick the storage node: one with plenty of data-disk space, and avoid the system disk if possible
        - matchExpressions:
            - key: kubernetes.io/hostname
              operator: In
              values:
                - master-11
# pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: registry-pvc
  namespace: kube-system
spec:
  accessModes:
    - ReadWriteOnce
  # storageClassName: hostpath
  resources:
    requests:
      storage: 40Gi
  selector: # select the PV carrying the label app: registry
    matchLabels:
      app: registry
kubectl apply -f pv.yaml -n kube-system
kubectl apply -f pvc.yaml
2. Create the Deployment and Service
# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: docker-registry
  namespace: kube-system
  labels:
    app: docker-registry
spec:
  replicas: 1
  selector:
    matchLabels:
      app: docker-registry
  template:
    metadata:
      labels:
        app: docker-registry
    spec:
      nodeSelector:
        kubernetes.io/hostname: master-11 # node selection
      containers:
        - name: registry
          image: registry:2
          ports:
            - containerPort: 5000
          volumeMounts:
            - name: registry-storage
              mountPath: /var/lib/registry # persist the images stored inside the container outside of it
            - name: registry-auth # the credentials file
              mountPath: /auth
              readOnly: true
          env:
            # - name: REGISTRY_HTTP_ADDR
            #   value: ":5000"
            - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
              value: "/var/lib/registry" # storage path inside the container
            - name: REGISTRY_AUTH
              value: "htpasswd"
            - name: REGISTRY_AUTH_HTPASSWD_REALM
              value: "registry.local"
            - name: REGISTRY_AUTH_HTPASSWD_PATH
              value: "/auth/htpasswd" # path of the credentials file inside the container
            - name: REGISTRY_AUTH_HTPASSWD_NORANDOM
              value: "true"
      volumes:
        - name: registry-storage
          persistentVolumeClaim:
            claimName: registry-pvc # must match the PVC name created in step 1
        - name: registry-auth
          secret:
            secretName: registry-auth-secret
            defaultMode: 0644 # make sure the file is readable
            items:
              - key: htpasswd
                path: htpasswd
---
apiVersion: v1
kind: Service
metadata:
  name: docker-registry
  namespace: kube-system
  labels:
    app: docker-registry
spec:
  selector:
    app: docker-registry
  ports:
    - port: 5000
      targetPort: 5000
kubectl apply -f deployment.yaml -n kube-system
3. Configure external access and TLS
# Generate a self-signed certificate
openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 365 \
  -keyout registry.key -out registry.crt \
  -subj "/CN=registry.xwk.local" -addext "subjectAltName=DNS:registry.xwk.local" # use the address you want
# Create a Kubernetes Secret containing the certificate
kubectl create secret tls registry-tls-secret --namespace=kube-system \
  --key=registry.key --cert=registry.crt
# ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: registry-ingress
  namespace: kube-system
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "100G" # allow large image pushes
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP" # the registry Service is plain HTTP
spec:
  tls:
    - hosts:
        - registry.xwk.local # your domain
      secretName: registry-tls-secret # the TLS Secret created above
  rules:
    - host: registry.xwk.local # your domain
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: docker-registry
                port:
                  number: 5000
4. Generate the credentials file
apt install apache2-utils # install this if htpasswd is not available
htpasswd -Bbn youradmin yourpasswd > htpasswd # -B writes a bcrypt entry; redirect it into the file
kubectl create secret generic registry-auth-secret --namespace=kube-system \
  --from-file=htpasswd=./htpasswd
5. Check the password
[root@master-11 registry]# kubectl exec -n kube-system $(kubectl get pods -n kube-system -l app=docker-registry -o name) -- cat /auth/htpasswd
admin:$2y$05$gRcvY.XqO0mfscQaqKc2UekRl3zd9ZCV6KLyfu6cuClUmcazQqBMS
[root@master-11 registry]# kubectl get secret -n kube-system registry-auth-secret -o jsonpath='{.data.htpasswd}' | base64 -d
admin:$2y$05$gRcvY.XqO0mfscQaqKc2UekRl3zd9ZCV6KLyfu6cuClUmcazQqBMS
The two outputs must match.
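Besides checking that the file and the Secret match, it is worth checking the htpasswd file itself before turning it into registry-auth-secret (step 4): the registry's htpasswd backend only honours bcrypt entries, so a line in any other format (MD5, SHA-1 or plaintext) fails to log in without any error on the registry side. The following is an added example, not from the original post; check_htpasswd is a name chosen here and the sample entries are constructed, not real credentials.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): lint an htpasswd file before
# wrapping it in registry-auth-secret. The registry ignores every entry that is
# not bcrypt, so such a user can never log in; empty or duplicated user names
# usually mean the file was hand-edited. check_htpasswd is a name chosen here.

# check_htpasswd FILE -> exit 0 when every entry is a usable bcrypt line,
#                        1 when a problem was found, 2 when FILE is unreadable
check_htpasswd() {
    local file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    awk '
        NF == 0 { next }                                   # blank lines are fine
        {
            sep = index($0, ":")
            if (sep == 0) { bad++; printf "line %d: no user:hash separator\n", NR; next }
            user = substr($0, 1, sep - 1); hash = substr($0, sep + 1)
            if (user == "")   { bad++; printf "line %d: empty user name\n", NR; next }
            if (user in seen) { bad++; printf "line %d: duplicate user %s\n", NR, user; next }
            seen[user] = 1
            # "htpasswd -B" writes $2y$<cost>$<salt+hash>, 60 characters in total
            if (length(hash) != 60 || hash !~ /^\$2[aby]\$[0-9][0-9]\$[.\/A-Za-z0-9]+$/) {
                bad++; printf "line %d: %s is not a bcrypt entry, the registry will ignore it\n", NR, user; next
            }
            ok++
        }
        END { printf "%d usable, %d problematic\n", ok, bad; exit (bad > 0) }
    ' "$file"
}

# Demo on a constructed file (the hashes below are made up, not real credentials).
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
youradmin:$2y$05$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.
legacy:$apr1$saltsalt$abcdefghijklmnopqrstuv
youradmin:$2y$05$ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba.
EOF
if check_htpasswd "$demo_file"; then
    echo "htpasswd is clean, safe to create registry-auth-secret"
else
    echo "fix the entries above before running kubectl create secret"
fi
rm -f "$demo_file"
```

Run it against ./htpasswd from step 4; a clean run prints one usable entry per user you created and nothing else.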
6. Copy the certificate
mkdir -p /etc/containerd/certs.d/registry.xwk.local # if you use Docker, change this to Docker's certificate path; change registry.xwk.local to your own address
cp registry.crt /etc/containerd/certs.d/registry.xwk.local/ca.crt
echo "10.0.0.11 registry.xwk.local" >> /etc/hosts # use your own IP and address
nerdctl login registry.xwk.local --username youradmin --password yourpasswd
Seeing Login Succeeded at the end means it worked.
7. Try creating a private image locally
[root@master-11 ~]# nerdctl pull registry.cn-beijing.aliyuncs.com/xwk123/nginx # pull an nginx test image
registry.cn-beijing.aliyuncs.com/xwk123/nginx:latest: resolved |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:104fded227a722e64a0bc8afb5c7993ca58ce790c8259adcc84e20be8de2292f: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:4cad75abc83d5ca6ee22053d85850676eaef657ee9d723d7bef61179e1e1e485: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:e81a6b82cf648bedba69393d4a1c09839203d02587537c8c9a7703c01b37af49: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:4a679ac3b09feb9625d3378a18f861b55bd9c1a8b62ae398b99931b8c76cf5f5: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:75b6425929919354127c44985ea613fa508df8d80dbd1beafeb629400efb7541: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:553c8756fd6670dc339ab500b042fe404386f114673f9c8af8dff3c6ade96cc7: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:10fe6d2248e3ac5eab320a5c240e1aabfb0249d7b4b438b136633a8cbdc2190f: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:3b6e18ae4ce61fa7b74c27a0b077d76bd53699d7e55b9e6a438c62282c0153e7: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:3dce86e3b08256a60ab97ef86944f0c2a1e5c90a2df7806043c9969decfd82e8: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 10.4s
[root@master-11 ~]# nerdctl tag registry.cn-beijing.aliyuncs.com/xwk123/nginx:latest registry.xwk.local/wod/nginx:latest
[root@master-11 ~]# nerdctl push registry.xwk.local/wod/nginx:latest # push it to the registry
INFO[0000] pushing as a reduced-platform image (application/vnd.docker.distribution.manifest.v2+json, sha256:104fded227a722e64a0bc8afb5c7993ca58ce790c8259adcc84e20be8de2292f)
manifest-sha256:104fded227a722e64a0bc8afb5c7993ca58ce790c8259adcc84e20be8de2292f: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:4cad75abc83d5ca6ee22053d85850676eaef657ee9d723d7bef61179e1e1e485: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 1.2 s
[root@master-11 wod]# pwd # check whether the private image of the corresponding version was created locally
/data/nfs/registry/docker/registry/v2/repositories/wod
[root@master-11 wod]# ls
nginx
[root@master-11 wod]# ls nginx/_manifests/tags
latest
Delete the image and pull it again to see that the private registry works normally.
[root@master-11 wod]# nerdctl rmi registry.xwk.local/wod/nginx:latest
Untagged: registry.xwk.local/wod/nginx:latest@sha256:104fded227a722e64a0bc8afb5c7993ca58ce790c8259adcc84e20be8de2292f
Deleted: sha256:ea680fbff095473bb8a6c867938d6d851e11ef0c177fce983ccc83440172bd72
Deleted: sha256:c1a9699c65592e502a6b68876f5037b91972c4f72dac2e4e9b84f80f4b0790c2
Deleted: sha256:d8d396eadc9a4f516284b8be48b1283f025d392c19e84c1c00e1187fe70bba53
Deleted: sha256:27f473333e2f615c75d1350e314ad8641d9d13ad9f2dbb82999f2012c86a0c53
Deleted: sha256:ae2a14e88adb05e51056b3ceaba6af7dccee9a987af4f2bae6243b51ba66a018
Deleted: sha256:fd2315f0cf242aa3776d71f69fbe78d4088999ef9fc2df1de5cb513606be1215
Deleted: sha256:eda01226259d5df53a10c6b6d7d760bfc37317a8037b98f17f23835fa26fc087
[root@master-11 wod]# nerdctl pull registry.xwk.local/wod/nginx:latest
registry.xwk.local/wod/nginx:latest: resolved |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:104fded227a722e64a0bc8afb5c7993ca58ce790c8259adcc84e20be8de2292f: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:4cad75abc83d5ca6ee22053d85850676eaef657ee9d723d7bef61179e1e1e485: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 0.1 s total: 0.0 B (0.0 B/s)
This completes the private image registry deployment. Please forgive any mistakes in the write-up.