Initial commit

Author: AlexF

Diff for: README.md

@@ -1 +1,58 @@
-# k8s_registry_redis
+# Docker registry with Redis cache based on Kubernetes
+
+`image_retention.groovy` file - Jenkins pipeline.
+Setup proper value for DOMAIN variable in `image_retention.groovy`, i.e.:
+DOMAIN="your.docker-registry.com"
+
+All k8s manifests are in subfolders.
+
+## How to deploy
+
+AWS ACM and Network Load Balancer are used.
+
+Setup proper values for ACM and DOMAIN variables in deploy.sh
+
+```
+# AWS ACM: arn:aws:acm:xxxxxxxxxxx
+export ACM="arn:aws:acm:xxxxxxxxxxxxx"
+# domain name for your docker registry without schema (http/https): your.docker-registry.com
+export DOMAIN="your.docker-registry.com"
+```
+
+Run `bash deploy.sh`
+
+## How to remove deployment
+
+Run `bash undeploy.sh`
+
+## Issues
+
+Encountered issues related to using more than 1 replica and emptyDir using for Volumes (instead of PVC).
+
+1) for Deployment with 2 replicas and emptyDir in Volumes - data consistency issue:
+
+```
+        - name: image-data
+          emptyDir: {}
+```
+
+During the docker push have retries and blob upload unknown:
+```
+with 2 replicas:
+f1b5933fe4b5: Pushing [==================================================>]  5.796MB
+blob upload unknown
+The push refers to repository [MYDOMAIN.com/alpine]
+f1b5933fe4b5: Retrying in 10 second 
+```
+
+2) for Deployment with 2 replicas and PVC, PVC accessMode should be ReadWriteMany (RWX) (ReadWriteOnce - RWO can be attached to one node only) - so, NFS, GlusterFS, Ceph, etc should be used:
+
+```
+Events:
+  Type     Reason              Age   From                     Message
+  ----     ------              ----  ----                     -------
+  Normal   Scheduled           27s   default-scheduler        Successfully assigned docker-registry/docker-registry-cron-1562070600-jpgr8 to ip-172-20-33-53.us-east-2.compute.internal
+  Warning  FailedAttachVolume  27s   attachdetach-controller  Multi-Attach error for volume "pvc-70a143c3-82a6-4c82-a45c-94fe607942c7" Volume is already used by pod(s) docker-registry-579469cd77-hv4zg
+
+  Warning  FailedMount  95s    kubelet, ip-172-20-33-53.us-east-2.compute.internal  Unable to mount volumes for pod "docker-registry-cron-1562070000-l7dwz_docker-registry(2c8d33e3-9220-411a-8a6c-5afd3f7d3080)": timeout expired waiting for volumes to attach or mount for pod "docker-registry"/"docker-registry-cron-1562070000-l7dwz". list of unmounted volumes=[image-data]. list of unattached volumes=[image-data default-token-dxktg]
+```

Diff for: common/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: docker-registry

Diff for: deploy.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+# AWS ACM: arn:aws:acm:xxxxxxxxxxx
+export ACM="arn:aws:acm:xxxxxxxxxxx"
+# domain name for your docker registry without schema (http/https): your.docker-registry.com
+export DOMAIN="your.docker-registry.com"
+
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/mandatory.yaml
+envsubst < ./ingress-nginx/service-nlb.yaml.tmpl > /tmp/service-nlb.yaml
+kubectl apply -f /tmp/service-nlb.yaml
+
+kubectl apply -f ./common/namespace.yaml
+
+kubectl apply -f ./redis/deployment.yaml
+kubectl apply -f ./redis/service.yaml
+
+kubectl apply -f ./registry/pvc.yaml
+kubectl apply -f ./registry/deployment.yaml
+kubectl apply -f ./registry/service.yaml
+envsubst < ./registry/ingress.yaml.tmpl > /tmp/ingress.yaml
+kubectl apply -f /tmp/ingress.yaml
+kubectl apply -f ./registry/cronjob.yaml

Diff for: image_retention.groovy

@@ -0,0 +1,47 @@
+#!/usr/bin/env groovy
+
+def CleanUpRegistry(REPOSITORY, SAVE_FIRST_N_IMAGES) {
+    sh """#!/usr/bin/env bash
+    set -x
+    SAVE_FIRST_N_IMAGES=\$(($SAVE_FIRST_N_IMAGES + 1))
+    ACCEPT_HEADER="Accept: application/vnd.docker.distribution.manifest.v2+json"
+    DOMAIN="your.docker-registry.com"
+    
+    ARRAY=()
+    declare -A TIME_TAG_MAP
+    TAGS=\$(curl -Ls https://\$DOMAIN/v2/$REPOSITORY/tags/list | jq -r '."tags"[]')
+    if [ \${#TAGS[@]} -gt 0 ]; then
+      for TAG in \${TAGS[@]}; do
+        ID=\$(curl -Ls --header "\$ACCEPT_HEADER" GET https://\$DOMAIN/v2/$REPOSITORY/manifests/\$TAG | jq -r '.config.digest')
+        UPL_TIME=\$(curl -Ls GET https://\$DOMAIN/v2/$REPOSITORY/blobs/\$ID | jq '.created' | sort | tail -n1 | sed 's/"//g')
+        ARRAY+=(\$UPL_TIME)
+        TIME_TAG_MAP[\$UPL_TIME]=\$ID
+        echo "\$TAG | \$UPL_TIME | \$ID"
+      done
+    fi
+    
+    if [ \${#ARRAY[@]} -gt 0 ]; then
+      for i in \$(sort -rn < <(printf '%s\\n' \${ARRAY[@]}) | uniq | tail -n +\$SAVE_FIRST_N_IMAGES); do
+        echo "For deletion: \$i --- \${TIME_TAG_MAP[\$i]}"
+        echo "curl -Ls --header \"\$ACCEPT_HEADER" -X DELETE https://\$DOMAIN/v2/$REPOSITORY/manifests/\${TIME_TAG_MAP[\$i]}"
+      done
+    fi
+    """
+}
+
+
+node('ec2Slave') {
+    try{
+      parallel CleanUpRegistry1 : {
+        stage ('CleanUpRegistry1'){
+            CleanUpRegistry("alpine", 2)
+        }
+      }, CleanUpRegistry2 : {
+        stage ('CleanUpRegistry2'){
+            CleanUpRegistry("python", 1)
+        }
+      }
+    } catch(err) {
+       throw(err)
+    }finally{}
+}

Diff for: ingress-nginx/service-nlb.yaml.tmpl

@@ -0,0 +1,30 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: ingress-nginx
+  namespace: ingress-nginx
+  labels:
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+  annotations:
+    # by default the type is elb (classic load balancer).
+    service.beta.kubernetes.io/aws-load-balancer-type: nlb
+    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "${ACM}"
+    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
+    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
+    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
+spec:
+  # this setting is to make sure the source IP address is preserved.
+  externalTrafficPolicy: Local
+  type: LoadBalancer
+  selector:
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+  ports:
+    - name: http
+      port: 80
+      targetPort: http
+    - name: https
+      port: 443
+      targetPort: http
+---

Diff for: redis/deployment.yaml

@@ -0,0 +1,20 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: redis
+  namespace: docker-registry
+spec:
+  selector:
+    matchLabels:
+      app: redis
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        app: redis
+    spec:
+      containers:
+      - name: master
+        image: k8s.gcr.io/redis
+        ports:
+        - containerPort: 6379

Diff for: redis/service.yaml

@@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: redis
+  namespace: docker-registry
+spec:
+  selector:
+    app: redis
+  ports:
+  - name: http
+    protocol: TCP
+    port: 6379
+    targetPort: 6379

Diff for: registry/cronjob.yaml

@@ -0,0 +1,32 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: docker-registry-cron
+  namespace: docker-registry
+spec:
+  schedule: "*/30 * * * *"
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          name: docker-registry-cron
+        spec:
+          containers:
+          - name: docker-registry-cron
+            image: registry:latest
+            args:
+            - /bin/registry
+            - garbage-collect
+            - --dry-run
+            - /etc/docker/registry/config.yml
+            envFrom:
+            - configMapRef:
+                name: registry
+            volumeMounts:
+            - name: image-data
+              mountPath: /var/lib/registry
+          restartPolicy: OnFailure
+          volumes:
+            - name: image-data
+              persistentVolumeClaim:
+                claimName: docker-registry

Diff for: registry/deployment.yaml

@@ -0,0 +1,61 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: docker-registry
+  namespace: docker-registry
+  labels:
+    app: docker-registry
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: docker-registry
+  template:
+    metadata:
+      labels:
+        app: docker-registry
+    spec:
+      containers:
+      - image: registry:latest
+        name: docker-registry
+        envFrom:
+        - configMapRef:
+            name: registry
+        volumeMounts:
+        # - name: files
+        #   mountPath: /etc/k8s
+        - name: image-data
+          mountPath: /var/lib/registry
+        ports:
+        - name: registry
+          containerPort: 5000
+          protocol: TCP
+        imagePullPolicy: Always
+      restartPolicy: Always
+      volumes:
+        # - name: files
+        #   configMap:
+        #     name: registry
+        #     items:
+        #     - key: HTPASSWD_FILE
+        #       path: htpasswd
+        - name: image-data
+          persistentVolumeClaim:
+            claimName: docker-registry
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: registry
+  namespace: docker-registry
+data:
+  REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /var/lib/registry
+  REGISTRY_HTTP_SECRET: FPNxM9cwZDkxO5RkMDUzXjk6YjIyOWRmhjBlMWRhMjQG
+  REGISTRY_STORAGE_CACHE_BLOBDESCRIPTOR: redis
+  REGISTRY_REDIS_ADDR: redis:6379
+  REGISTRY_STORAGE_DELETE_ENABLED: "true"
+  # REGISTRY_AUTH: htpasswd
+  # REGISTRY_AUTH_HTPASSWD_PATH: /etc/k8s/htpasswd
+  # REGISTRY_AUTH_HTPASSWD_REALM: Private Registry
+  # HTPASSWD_FILE: |
+  #   admin:xxxxxxxxxxxxxxxxxxxxxxx

Diff for: registry/ingress.yaml.tmpl

@@ -0,0 +1,18 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: docker-registry
+  namespace: docker-registry
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+spec:
+  rules:
+  - host: ${DOMAIN}
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: docker-registry
+          servicePort: 5000

Diff for: registry/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: docker-registry
+  namespace: docker-registry
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi

Diff for: registry/service.yaml

@@ -0,0 +1,12 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: docker-registry
+  namespace: docker-registry
+spec:
+  selector:
+    app: docker-registry
+  ports:
+  - protocol: TCP
+    port: 5000
+    targetPort: 5000

Diff for: undeploy.sh

@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+
+kubectl delete namespaces docker-registry
+kubectl delete namespaces ingress-nginx