From 695237e6b216b7d36a0377a6accba8610eda6321 Mon Sep 17 00:00:00 2001
From: Xe Iaso
Date: Tue, 8 Oct 2024 14:06:23 -0400
Subject: [PATCH] kube/alrest: add docker registry
Signed-off-by: Xe Iaso
---
 Earthfile | 11 ++++
 cmd/relayd/main.go | 79 ++++++++++++++++++++++++
 kube/alrest/kustomization.yaml | 1 +
 kube/alrest/registry/1password.yaml | 8 +++
 kube/alrest/registry/certificate.yaml | 20 ++++++
 kube/alrest/registry/deployment.yaml | 82 +++++++++++++++++++++++++
 kube/alrest/registry/external-dns.yaml | 12 ++++
 kube/alrest/registry/ingress.yaml | 25 ++++++++
 kube/alrest/registry/kustomization.yaml | 8 +++
 kube/alrest/registry/service.yaml | 17 +++++
 10 files changed, 263 insertions(+)
 create mode 100644 cmd/relayd/main.go
 create mode 100644 kube/alrest/registry/1password.yaml
 create mode 100644 kube/alrest/registry/certificate.yaml
 create mode 100644 kube/alrest/registry/deployment.yaml
 create mode 100644 kube/alrest/registry/external-dns.yaml
 create mode 100644 kube/alrest/registry/ingress.yaml
 create mode 100644 kube/alrest/registry/kustomization.yaml
 create mode 100644 kube/alrest/registry/service.yaml
diff --git a/Earthfile b/Earthfile
index 6f23bd78..193cd758 100644
--- a/Earthfile
+++ b/Earthfile
@@ -110,6 +110,16 @@ mimi:
 SAVE IMAGE --push ghcr.io/xe/x/mimi:latest
+relayd:
+ FROM +runtime
+
+ COPY +everything/bin/relayd /app/bin/relayd
+ CMD ["/app/bin/relayd"]
+
+ LABEL org.opencontainers.image.source="https://github.com/Xe/x"
+
+ SAVE IMAGE --push ghcr.io/xe/x/relayd:latest
+
 sanguisuga:
 FROM +runtime
@@ -216,6 +226,7 @@ all:
 BUILD --platform=linux/amd64 +hlang
 BUILD --platform=linux/amd64 +mi
 BUILD --platform=linux/amd64 +mimi
+ BUILD --platform=linux/amd64 +relayd
 BUILD --platform=linux/amd64 +sanguisuga
 BUILD --platform=linux/amd64 +sapientwindex
 BUILD --platform=linux/amd64 +todayinmarch2020
diff --git a/cmd/relayd/main.go b/cmd/relayd/main.go
new file mode 100644
index 00000000..18d94cc9
--- /dev/null
+++ b/cmd/relayd/main.go
@@ -0,0 +1,79 @@
+package main
+import (
+ "flag"
+ "log"
+ "log/slog"
+ "net/http"
+ "net/http/httputil"
+ "net/url"
+ "os"
+ "path/filepath"
+ "time"
+
+ "within.website/x/internal"
+)
+
+var (
+ bind = flag.String("bind", ":3004", "port to listen on")
+ certDir = flag.String("cert-dir", "/xe/pki", "where to read mounted certificates from")
+ certFname = flag.String("cert-fname", "tls.crt", "certificate filename")
+ keyFname = flag.String("key-fname", "tls.key", "key filename")
+ proxyTo = flag.String("proxy-to", "http://localhost:5000", "where to reverse proxy to")
+)
+
+func main() {
+ internal.HandleStartup()
+
+ slog.Info("starting",
+ "bind", *bind,
+ "cert-dir", *certDir,
+ "cert-fname", *certFname,
+ "key-fname", *keyFname,
+ "proxy-to", *proxyTo,
+ )
+
+ cert := filepath.Join(*certDir, *certFname)
+ key := filepath.Join(*certDir, *keyFname)
+
+ st, err := os.Stat(cert)
+
+ if err != nil {
+ slog.Error("can't stat cert file", "certFname", cert)
+ os.Exit(1)
+ }
+
+ lastModified := st.ModTime()
+
+ go func(lm time.Time) {
+ t := time.NewTicker(time.Hour)
+ defer t.Stop()
+
+ for range t.C {
+ st, err := os.Stat(cert)
+ if err != nil {
+ slog.Error("can't stat file", "fname", cert, "err", err)
+ continue
+ }
+
+ if st.ModTime().After(lm) {
+ slog.Info("new cert detected", "oldTime", lm.Format(time.RFC3339), "newTime", st.ModTime().Format(time.RFC3339))
+ os.Exit(0)
+ }
+ }
+ }(lastModified)
+
+ u, err := url.Parse(*proxyTo)
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ log.Fatal(
+ http.ListenAndServeTLS(
+ *bind,
+ cert,
+ key,
+ httputil.NewSingleHostReverseProxy(u),
+ ),
+ )
+}
diff --git a/kube/alrest/kustomization.yaml b/kube/alrest/kustomization.yaml
index bab7299e..70ad775d 100644
--- a/kube/alrest/kustomization.yaml
+++ b/kube/alrest/kustomization.yaml
@@ -3,6 +3,7 @@ resources:
 - gitea
 - ollama
 - pvfm
+ - registry
 - staticsites
 - vms
 - x
\ No newline at end of file
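Review bot: The `http.ListenAndServeTLS` call at the end of `main` runs a default `http.Server` with no `ReadHeaderTimeout` or `IdleTimeout`, so a client that opens a TLS connection and never finishes its request headers holds the connection (and its goroutine) indefinitely; building the server explicitly fixes that while leaving `ReadTimeout`/`WriteTimeout` unset, since registry blob uploads through the proxy can legitimately be slow. The startup `os.Stat` failure logs `"certFname"` but drops the error itself, so the only diagnostic on a bad mount is the path: `slog.Error("can't stat cert file", "certFname", cert, "err", err)`. The hourly watcher exits with status 0 when the certificate's mtime moves forward, which presumably relies on the pod's restart policy to reload the renewed cert; a one-line comment above `os.Exit(0)` stating that contract, e.g. `// exit so the container is restarted with the renewed certificate`, would keep the next reader from treating it as a bug. Error handling also mixes `slog.Error`+`os.Exit(1)` with `log.Fatal`; one style for the whole file would be cleaner.
```go
// … unchanged: flag parsing, startup logging, cert watcher, url.Parse …
srv := &http.Server{
	Addr:              *bind,
	Handler:           httputil.NewSingleHostReverseProxy(u),
	ReadHeaderTimeout: 10 * time.Second, // bound header-less idle connections
	IdleTimeout:       2 * time.Minute,
}
log.Fatal(srv.ListenAndServeTLS(cert, key))
```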
diff --git a/kube/alrest/registry/1password.yaml b/kube/alrest/registry/1password.yaml
new file mode 100644
index 00000000..524f8077
--- /dev/null
+++ b/kube/alrest/registry/1password.yaml
@@ -0,0 +1,8 @@
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+ name: registry
+ labels:
+ app.kubernetes.io/name: registry
+spec:
+ itemPath: "vaults/Kubernetes/items/Docker Registry"
\ No newline at end of file
diff --git a/kube/alrest/registry/certificate.yaml b/kube/alrest/registry/certificate.yaml
new file mode 100644
index 00000000..f2b6d37a
--- /dev/null
+++ b/kube/alrest/registry/certificate.yaml
@@ -0,0 +1,20 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: registry-internal
+ namespace: default
+spec:
+ secretName: registry-internal-tls
+
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+
+ usages:
+ - digital signature
+ - key encipherment
+ dnsNames:
+ - registry.default.svc.alrest.xeserv.us
+ issuerRef:
+ name: "letsencrypt-prod"
+ kind: ClusterIssuer
+ group: cert-manager.io
\ No newline at end of file
diff --git a/kube/alrest/registry/deployment.yaml b/kube/alrest/registry/deployment.yaml
new file mode 100644
index 00000000..1660f60c
--- /dev/null
+++ b/kube/alrest/registry/deployment.yaml
@@ -0,0 +1,82 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: registry
+ annotations:
+ operator.1password.io/auto-restart: "true"
+ keel.sh/policy: all
+ keel.sh/trigger: poll
+ keel.sh/pollSchedule: "@hourly"
+ labels:
+ app.kubernetes.io/name: registry
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: registry
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: registry
+ spec:
+ securityContext:
+ fsGroup: 1000
+ imagePullSecrets:
+ - name: regcred
+ volumes:
+ - name: internal-certs
+ secret:
+ secretName: registry-internal-tls
+ containers:
+ - name: registry
+ image: registrxe.fly.dev/registry:2
+ imagePullPolicy: "Always"
+ resources:
+ limits:
+ cpu: "500m"
+ memory: "512Mi"
+ requests:
+ cpu: "100m"
+ memory: "256Mi"
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ envFrom:
+ - secretRef:
+ name: registry
+ - name: relayd
+ image: ghcr.io/xe/x/relayd:latest
+ imagePullPolicy: "Always"
+ resources:
+ limits:
+ cpu: "500m"
+ memory: "512Mi"
+ requests:
+ cpu: "100m"
+ memory: "256Mi"
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ env:
+ - name: BIND
+ value: ":8443"
+ - name: PROXY_TO
+ value: "http://localhost:5000"
+ volumeMounts:
+ - name: "internal-certs"
+ mountPath: "/xe/pki"
+ readOnly: true
\ No newline at end of file
diff --git a/kube/alrest/registry/external-dns.yaml b/kube/alrest/registry/external-dns.yaml
new file mode 100644
index 00000000..3f39a8cd
--- /dev/null
+++ b/kube/alrest/registry/external-dns.yaml
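Review bot: The `relayd` container is configured through `BIND` and `PROXY_TO` environment variables, but the new `cmd/relayd/main.go` only declares `-bind` and `-proxy-to` flags, and whether `internal.HandleStartup()` maps environment names onto flags is not visible in this patch; if it does not, relayd listens on its default `:3004` while the Service's `https` port targets 8443, and the in-cluster TLS path never connects — worth confirming, or passing the values explicitly with `args: ["-bind=:8443", "-proxy-to=http://localhost:5000"]`. Both images are pulled by mutable tag (`registry:2` from a third-party mirror host and `relayd:latest`) with `imagePullPolicy: "Always"` and `keel.sh/policy: all`, so whatever those tags resolve to at the next hourly poll becomes the registry serving every other workload's images; pinning at least the registry image by digest, `image: registrxe.fly.dev/registry@sha256:<digest-placeholder>`, would fix that trust root. The registry container has no storage volume, so unless the `registry` secret configures a remote storage backend, pushed layers live in the container's writable layer and are lost on the restart that relayd's cert watcher triggers. Neither container declares a readiness or liveness probe, so a wedged registry keeps receiving traffic.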
@@ -0,0 +1,12 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+ name: registry-internal
+ namespace: default
+spec:
+ endpoints:
+ - dnsName: registry.default.svc.alrest.xeserv.us
+ recordTTL: 3600
+ recordType: A
+ targets:
+ - 10.223.208.190
\ No newline at end of file
diff --git a/kube/alrest/registry/ingress.yaml b/kube/alrest/registry/ingress.yaml
new file mode 100644
index 00000000..db50f708
--- /dev/null
+++ b/kube/alrest/registry/ingress.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: registry
+ annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ more_set_headers "Request-Id: $req_id";
+spec:
+ ingressClassName: nginx
+ tls:
+ - hosts:
+ - reg.xeiaso.net
+ secretName: reg-xeiaso-net-public-tls
+ rules:
+ - host: reg.xeiaso.net
+ http:
+ paths:
+ - pathType: Prefix
+ path: "/"
+ backend:
+ service:
+ name: registry
+ port:
+ name: http
diff --git a/kube/alrest/registry/kustomization.yaml b/kube/alrest/registry/kustomization.yaml
new file mode 100644
index 00000000..6a768f93
--- /dev/null
+++ b/kube/alrest/registry/kustomization.yaml
@@ -0,0 +1,8 @@
+namespace: default
+resources:
+ - 1password.yaml
+ - certificate.yaml
+ - deployment.yaml
+ - external-dns.yaml
+ - ingress.yaml
+ - service.yaml
\ No newline at end of file
diff --git a/kube/alrest/registry/service.yaml b/kube/alrest/registry/service.yaml
new file mode 100644
index 00000000..d928de34
--- /dev/null
+++ b/kube/alrest/registry/service.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: registry
+spec:
+ type: ClusterIP
+ ports:
+ - name: http
+ port: 80
+ targetPort: 5000
+ protocol: TCP
+ - name: https
+ port: 443
+ targetPort: 8443
+ protocol: TCP
+ selector:
+ app.kubernetes.io/name: registry
\ No newline at end of file
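Review bot: The A record for `registry.default.svc.alrest.xeserv.us` hard-codes `10.223.208.190`, but the Service added in `kube/alrest/registry/service.yaml` in this same patch is a `ClusterIP` Service with no `spec.clusterIP`, so that address is whatever the API server happened to allocate; if the Service is ever deleted and recreated, the allocation changes and both this record and the Let's Encrypt certificate issued for the name point at a stale address. Pinning it on the Service side with `clusterIP: 10.223.208.190` under `spec` keeps the two resources from drifting, and a comment next to the target here, `# ClusterIP of the registry Service; must match service.yaml`, tells the next reader where the literal comes from. Publishing a cluster-internal address in public DNS looks intentional, since the name exists only to get a publicly trusted certificate onto the in-cluster TLS endpoint.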
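Review bot: The Ingress forwards `reg.xeiaso.net` to the registry with ingress-nginx's default `proxy-body-size` (1m), so any layer upload larger than that is rejected with a 413 before it reaches the registry; a registry behind ingress-nginx needs `nginx.ingress.kubernetes.io/proxy-body-size: "0"` (or a large explicit limit) alongside the existing annotations. Nothing in the Ingress restricts who may push or pull, so access control rests entirely on the registry's own auth configuration supplied through the `registry` secret, which this patch does not show — worth confirming that secret sets it before the host goes live. The backend uses the `http` service port (plain HTTP to 5000) rather than the relayd TLS port, which is fine for in-cluster traffic but means the `relayd` sidecar only serves the internal DNS name, so a short comment on the backend port stating that split would help.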