创建 Namespace
---
# Namespace that holds every registry-related object below
# (PVC, CA ConfigMap, Deployment, Service, Ingress and the TLS Secret).
apiVersion: v1
kind: Namespace
metadata:
  name: registry
PVC 作为存储(可选):不用 PVC 也能运行,但下面的 Deployment 把 /var/lib/registry 挂在这个 PVC 上;如果不创建 PVC,需要把该卷改成 emptyDir,且 Pod 重建后已缓存的镜像层会丢失。
---
# PersistentVolumeClaim backing /var/lib/registry, i.e. the pull-through cache.
# ReadWriteOnce means only one node can mount it at a time, which matches the
# single-replica Deployment.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: registry-storage
  namespace: registry
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi  # size to the expected cache footprint
  storageClassName: local-path  # replace with a StorageClass present in your cluster
上级 Registry/Hub 的 CA 证书(仅当上级使用私有/自签证书时需要)。这里放的是公开的证书内容,放 ConfigMap 即可;私钥绝不能放进 ConfigMap。
---
# ConfigMap carrying the CA certificate of the upstream registry so the proxy
# can verify its TLS endpoint. Public certificate material only -- a private
# key must never be stored in a ConfigMap.
# The data key must match items[].key of the "ca-cert" volume in the Deployment.
# Equivalent imperative form:
#   kubectl -n registry create configmap registry-ca-cert --from-file=hub-yiqisoft-cert.pem
apiVersion: v1
kind: ConfigMap
metadata:
  name: registry-ca-cert
  namespace: registry
data:
  # Replace with your own certificate; the "..." line stands for elided content.
  hub-yiqisoft-cert.pem: |
    -----BEGIN CERTIFICATE-----
    MIIDNDCCAhygAwIBAgIQJ6pOclGOhjgEFTkYFs4HcTANBgkqhkiG9w0BAQsFADAU
    MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjUwMzE0MTAzOTU3WhcNMjYwMzE0MTAz
    ...
    jffMLIw4CQ+yhsg/oCRyQ5fBvWKdCoxylW5G27WyZpqkXyzhUklqx2bIMIlJ8qkc
    CzANv3vVAHcfy6wuzv2ybW7lsOzyIQ7X2ucQ+PEJqOo7K977MikRCwU2DtIVAn7L
    DdDlTn8lUtM73hH7SaM6eeVzKBEegyQ+wpEwdXkLy01DlTqp6rhuHht87PWocwA1
    AwINqhHJOzLPL7b+wB/uAoBqQ8iIWOlXb9j5OeHPYBREpwMk7gtmpbc2hWDQqo1L
    aX0vN94MciF22OqQU4rh46agcxTxTMPM3mxqS3je+Yh1HsoV/8nC2kgJV16kciWG
    rxuE9CpQ0g0=
    -----END CERTIFICATE-----
Deployment 部署 pod
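---
# Deployment running one pull-through-cache registry instance.
#
# Upstream credentials are read from a Secret instead of being inlined as
# plain-text env values in a manifest that ends up in git / kubectl output.
# Create the Secret before applying this manifest:
#   kubectl -n registry create secret generic registry-proxy-credentials \
#     --from-literal=username=<upstream-user> \
#     --from-literal=password=<upstream-password>
apiVersion: apps/v1
kind: Deployment
metadata:
  name: registry
  namespace: registry
spec:
  replicas: 1
  # The data PVC is ReadWriteOnce: a rolling update would start a surge pod
  # that cannot attach the volume while the old pod still holds it.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: registry
  template:
    metadata:
      labels:
        app: registry
    spec:
      initContainers:
        # Copies the upstream CA into the local CA directory and rebuilds the
        # system bundle into the shared "ca-cert-system" volume, which the main
        # container mounts read-only at /etc/ssl/certs.
        # NOTE(review): this assumes update-ca-certificates is present in the
        # registry image and that replacing /etc/ssl/certs with an emptyDir still
        # produces a complete bundle -- confirm on your image before relying on it.
        - name: update-ca-certificates
          image: hub.yiqisoft.cn/library/registry:2  # consider pinning by digest
          command:
            - "/bin/sh"
            - "-c"
            - "cp /etc/certs/hub-yiqisoft-cn.crt /usr/local/share/ca-certificates/ && update-ca-certificates"
          volumeMounts:
            - name: ca-cert
              mountPath: /etc/certs
            - name: ca-cert-dir
              mountPath: /usr/local/share/ca-certificates
            - name: ca-cert-system
              mountPath: /etc/ssl/certs
      containers:
        - name: registry
          image: hub.yiqisoft.cn/library/registry:2  # consider pinning by digest
          ports:
            - containerPort: 5000
          volumeMounts:
            - name: registry-data
              mountPath: /var/lib/registry
            - name: ca-cert
              mountPath: /etc/certs
              readOnly: true
            - name: ca-cert-system
              mountPath: /etc/ssl/certs
              readOnly: true
          env:
            - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
              value: /var/lib/registry
            # Upstream registry this instance mirrors.
            - name: REGISTRY_PROXY_REMOTEURL
              value: "https://hub.yiqisoft.cn"
            # Credentials come from the Secret created above; never commit them here.
            - name: REGISTRY_PROXY_USERNAME
              valueFrom:
                secretKeyRef:
                  name: registry-proxy-credentials
                  key: username
            - name: REGISTRY_PROXY_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: registry-proxy-credentials
                  key: password
      volumes:
        - name: registry-data
          persistentVolumeClaim:
            claimName: registry-storage
        # The CA ConfigMap key is projected under the file name the init
        # container copies.
        - name: ca-cert
          configMap:
            name: registry-ca-cert
            items:
              - key: hub-yiqisoft-cert.pem
                path: hub-yiqisoft-cn.crt
        - name: ca-cert-dir
          emptyDir: {}
        - name: ca-cert-system
          emptyDir: {}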
Service 部署
---
# ClusterIP Service in front of the registry pod; the Ingress below targets it.
apiVersion: v1
kind: Service
metadata:
  name: registry
  namespace: registry
spec:
  type: ClusterIP
  selector:
    app: registry
  ports:
    - protocol: TCP
      port: 5000
      targetPort: 5000
Ingress 配置
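# Self-signed server certificate for the Ingress. -nodes leaves the key
# unencrypted so the controller can load it; keep hub-yiqisoft.key off shared
# storage and remove it from the workstation once uploaded.
# The CN/SAN must equal the host served by the Ingress; a self-signed cert is
# not trusted by docker/containerd clients until its CA is installed on them,
# so prefer a certificate from a CA your nodes already trust where possible.
openssl req -x509 -newkey rsa:4096 -keyout hub-yiqisoft.key -out hub-yiqisoft.crt -days 3650 -nodes \
  -subj "/CN=hub.yiqisoft.cn" -addext "subjectAltName=DNS:hub.yiqisoft.cn"

# The TLS Secret must be created in the same namespace as the Ingress that
# references it ("registry" below), not in "default".
kubectl -n registry create secret tls hub-tls-secret --cert=hub-yiqisoft.crt --key=hub-yiqisoft.key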
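---
# Ingress (optional, for access from outside the cluster).
# The rule host, tls.hosts and the SAN of the certificate in hub-tls-secret
# must all name the same domain, and hub-tls-secret must exist in this
# namespace. Registry API paths (/v2/...) must reach the backend unmodified,
# so no rewrite-target annotation is used.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: registry-ingress
  namespace: registry
spec:
  rules:
    - host: hub.yiqisoft.cn  # replace with your domain (also update tls.hosts and the cert SAN)
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: registry
                port:
                  number: 5000
  tls:
    - hosts:
        - hub.yiqisoft.cn
      secretName: hub-tls-secret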
部署完成后,验证
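# -servername sends SNI, so the ingress controller returns the certificate for
# this host rather than its default one; check Subject/SAN and validity dates.
openssl s_client -showcerts -servername hub.yiqisoft.cn -connect hub.yiqisoft.cn:443 </dev/null 2>/dev/null | openssl x509 -text -noout

# End-to-end check against the registry API through the Ingress, verifying
# with the self-signed cert instead of disabling verification (-k).
# Expect an HTTP 200 from /v2/ if the proxy is reachable.
curl --cacert hub-yiqisoft.crt -i https://hub.yiqisoft.cn/v2/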