kube/alrest: add docker registry

Signed-off-by: Xe Iaso <[email protected]>
Xe · Oct 8, 2024 · 695237e · 695237e
1 parent 92d4a67
commit 695237e
Show file tree

Hide file tree

Showing 10 changed files with 263 additions and 0 deletions.
diff --git a/Earthfile b/Earthfile
@@ -110,6 +110,16 @@ mimi:
 
     SAVE IMAGE --push ghcr.io/xe/x/mimi:latest
 
+relayd:
+    FROM +runtime
+
+    COPY +everything/bin/relayd /app/bin/relayd
+    CMD ["/app/bin/relayd"]
+
+    LABEL org.opencontainers.image.source="https://github.com/Xe/x"
+
+    SAVE IMAGE --push ghcr.io/xe/x/relayd:latest
+
 sanguisuga:
     FROM +runtime
 
@@ -216,6 +226,7 @@ all:
     BUILD --platform=linux/amd64 +hlang
     BUILD --platform=linux/amd64 +mi
     BUILD --platform=linux/amd64 +mimi
+    BUILD --platform=linux/amd64 +relayd
     BUILD --platform=linux/amd64 +sanguisuga
     BUILD --platform=linux/amd64 +sapientwindex
     BUILD --platform=linux/amd64 +todayinmarch2020

diff --git a/cmd/relayd/main.go b/cmd/relayd/main.go
@@ -0,0 +1,79 @@
+package main
+
+import (
+	"flag"
+	"log"
+	"log/slog"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"os"
+	"path/filepath"
+	"time"
+
+	"within.website/x/internal"
+)
+
+var (
+	bind      = flag.String("bind", ":3004", "port to listen on")
+	certDir   = flag.String("cert-dir", "/xe/pki", "where to read mounted certificates from")
+	certFname = flag.String("cert-fname", "tls.crt", "certificate filename")
+	keyFname  = flag.String("key-fname", "tls.key", "key filename")
+	proxyTo   = flag.String("proxy-to", "http://localhost:5000", "where to reverse proxy to")
+)
+
+func main() {
+	internal.HandleStartup()
+
+	slog.Info("starting",
+		"bind", *bind,
+		"cert-dir", *certDir,
+		"cert-fname", *certFname,
+		"key-fname", *keyFname,
+		"proxy-to", *proxyTo,
+	)
+
+	cert := filepath.Join(*certDir, *certFname)
+	key := filepath.Join(*certDir, *keyFname)
+
+	st, err := os.Stat(cert)
+
+	if err != nil {
+		slog.Error("can't stat cert file", "certFname", cert)
+		os.Exit(1)
+	}
+
+	lastModified := st.ModTime()
+
+	go func(lm time.Time) {
+		t := time.NewTicker(time.Hour)
+		defer t.Stop()
+
+		for range t.C {
+			st, err := os.Stat(cert)
+			if err != nil {
+				slog.Error("can't stat file", "fname", cert, "err", err)
+				continue
+			}
+
+			if st.ModTime().After(lm) {
+				slog.Info("new cert detected", "oldTime", lm.Format(time.RFC3339), "newTime", st.ModTime().Format(time.RFC3339))
+				os.Exit(0)
+			}
+		}
+	}(lastModified)
+
+	u, err := url.Parse(*proxyTo)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	log.Fatal(
+		http.ListenAndServeTLS(
+			*bind,
+			cert,
+			key,
+			httputil.NewSingleHostReverseProxy(u),
+		),
+	)
+}
diff --git a/kube/alrest/kustomization.yaml b/kube/alrest/kustomization.yaml
@@ -3,6 +3,7 @@ resources:
   - gitea
   - ollama
   - pvfm
+  - registry
   - staticsites
   - vms
   - x
diff --git a/kube/alrest/registry/1password.yaml b/kube/alrest/registry/1password.yaml
@@ -0,0 +1,8 @@
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: registry
+  labels:
+    app.kubernetes.io/name: registry
+spec:
+  itemPath: "vaults/Kubernetes/items/Docker Registry"
diff --git a/kube/alrest/registry/certificate.yaml b/kube/alrest/registry/certificate.yaml
@@ -0,0 +1,20 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: registry-internal
+  namespace: default
+spec:
+  secretName: registry-internal-tls
+
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+
+  usages:
+    - digital signature
+    - key encipherment
+  dnsNames:
+    - registry.default.svc.alrest.xeserv.us
+  issuerRef:
+    name: "letsencrypt-prod"
+    kind: ClusterIssuer
+    group: cert-manager.io
diff --git a/kube/alrest/registry/deployment.yaml b/kube/alrest/registry/deployment.yaml
@@ -0,0 +1,82 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: registry
+  annotations:
+    operator.1password.io/auto-restart: "true"
+    keel.sh/policy: all
+    keel.sh/trigger: poll
+    keel.sh/pollSchedule: "@hourly"
+  labels:
+    app.kubernetes.io/name: registry
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: registry
+  replicas: 1
+  template:      
+    metadata:
+      labels:
+        app.kubernetes.io/name: registry
+    spec:
+      securityContext:
+        fsGroup: 1000
+      imagePullSecrets:
+        - name: regcred
+      volumes:
+        - name: internal-certs
+          secret:
+            secretName: registry-internal-tls
+      containers:
+        - name: registry
+          image: registrxe.fly.dev/registry:2
+          imagePullPolicy: "Always"
+          resources:
+            limits:
+              cpu: "500m"
+              memory: "512Mi"
+            requests:
+              cpu: "100m"
+              memory: "256Mi"
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 1000
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
+          envFrom:
+            - secretRef:
+                name: registry
+        - name: relayd
+          image: ghcr.io/xe/x/relayd:latest
+          imagePullPolicy: "Always"
+          resources:
+            limits:
+              cpu: "500m"
+              memory: "512Mi"
+            requests:
+              cpu: "100m"
+              memory: "256Mi"
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 1000
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
+          env:
+            - name: BIND
+              value: ":8443"
+            - name: PROXY_TO
+              value: "http://localhost:5000"
+          volumeMounts:
+            - name: "internal-certs"
+              mountPath: "/xe/pki"
+              readOnly: true
diff --git a/kube/alrest/registry/external-dns.yaml b/kube/alrest/registry/external-dns.yaml
@@ -0,0 +1,12 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  name: registry-internal
+  namespace: default
+spec:
+  endpoints:
+  - dnsName: registry.default.svc.alrest.xeserv.us
+    recordTTL: 3600
+    recordType: A
+    targets:
+    - 10.223.208.190
diff --git a/kube/alrest/registry/ingress.yaml b/kube/alrest/registry/ingress.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: registry
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      more_set_headers "Request-Id: $req_id";
+spec:
+  ingressClassName: nginx
+  tls:
+    - hosts:
+      - reg.xeiaso.net
+      secretName: reg-xeiaso-net-public-tls
+  rules:
+  - host: reg.xeiaso.net
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: registry
+            port: 
+              name: http
diff --git a/kube/alrest/registry/kustomization.yaml b/kube/alrest/registry/kustomization.yaml
@@ -0,0 +1,8 @@
+namespace: default
+resources:
+  - 1password.yaml
+  - certificate.yaml
+  - deployment.yaml
+  - external-dns.yaml
+  - ingress.yaml
+  - service.yaml
diff --git a/kube/alrest/registry/service.yaml b/kube/alrest/registry/service.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: registry
+spec:
+  type: ClusterIP
+  ports:
+    - name: http
+      port: 80
+      targetPort: 5000
+      protocol: TCP
+    - name: https
+      port: 443
+      targetPort: 8443
+      protocol: TCP
+  selector:
+    app.kubernetes.io/name: registry
-Original file line number
+Diff line change
@@ Expand Up / @@ -3,6 +3,7 @@ resources: @@
       - gitea
       - ollama
       - pvfm
+      - registry
       - staticsites
       - vms
       - x