docker registry/ui

services/docker-registry-ui/deploy.sh

@@ -0,0 +1,4 @@
+set -ex
+
+vault policy write service-docker-registry-ui policy.vault
+nomad run -var-file=../../nomad_job.vars docker-registry-ui.nomad

services/docker-registry-ui/docker-registry-ui.nomad

@@ -0,0 +1,108 @@
+variable "docker_registry" {
+  type        = string
+  description = "The docker registry"
+  default     = ""
+}
+
+variable "domain" {
+  type        = string
+  description = "Name of this instance of Neon Compute Postgres"
+}
+
+variable "image_id" {
+  type        = string
+  description = "The docker image used for task."
+  default     = "joxit/docker-registry-ui:2.5.3-debian"
+}
+
+variable "count" {
+  type        = number
+  description = "Number of instances"
+  default     = 1
+}
+
+job "docker-registry-ui" {
+  datacenters = ["dc1"]
+  type        = "service"
+
+  group "app" {
+
+    count = var.count
+
+    update {
+      max_parallel     = 1
+      min_healthy_time = "30s"
+      healthy_deadline = "5m"
+
+      auto_promote     = true
+      canary           = 1
+    }
+
+    restart {
+      attempts = 2
+      interval = "1m"
+      delay    = "10s"
+      mode     = "delay"
+    }
+
+    service {
+      name = "docker-registry-ui"
+      port = "http"
+
+      tags = [
+        "traefik.enable=true",
+	      "traefik.http.routers.docker-registry-ui.tls=true",
+	      "traefik.http.routers.docker-registry-ui.tls.certresolver=home",
+      ]
+
+      check {
+        name     = "alive"
+        type     = "http"
+        port     = "http"
+        path     = "/"
+        interval = "10s"
+        timeout  = "2s"
+      }
+    }
+
+
+    network {
+      port "http" {
+  	    to = 80
+      }
+    }
+
+    task "app" {
+      driver = "docker"
+
+      vault {
+        policies = ["service-docker-registry-ui"]
+      }
+
+      config {
+        image = "${var.docker_registry}${var.image_id}"
+        ports = ["http"]
+      }
+
+      resources {
+        cpu    = 100
+        memory = 512
+        memory_max = 2048
+      }
+
+      template {
+          destination = "local/subscriptions.yaml"
+          env=true
+          data = <<EOF
+REGISTRY_TITLE=My Private Docker Registry
+REGISTRY_URL=https://docker-registry.{{ key "site/domain"}}
+SINGLE_REGISTRY=true
+
+EOF
+      }
+    }
+  }
+}
+
+
+

services/docker-registry-ui/policy.vault

@@ -0,0 +1,3 @@
+path "pki_int/issue/docker-registry-ui" {
+  capabilities = ["update"]
+}

services/docker-registry/README.md

@@ -0,0 +1,2 @@
+
+

services/docker-registry/deploy.sh

@@ -0,0 +1,7 @@
+set -ex
+
+vault policy write service-docker-registry policy.vault
+
+# nomad volume create minio.volume
+
+nomad run -var-file=../../nomad_job.vars docker-registry.nomad

services/docker-registry/docker-registry.nomad

@@ -0,0 +1,133 @@
+
+variable "docker_registry" {
+  type        = string
+  description = "The docker registry"
+  default     = ""
+}
+
+variable "domain" {
+  type        = string
+  description = "Name of this instance of Neon Compute Postgres"
+}
+
+variable "count" {
+  type        = number
+  description = "The number of compute containers to run."
+  default     = "2"
+}
+
+variable "image_id" {
+  type        = string
+  description = "The docker image used for compute task."
+  default     = "registry:2"
+}
+
+job "docker-registry" {
+  datacenters = ["dc1"]
+  type        = "service"
+
+  group "app" {
+
+    count = var.count
+
+    restart {
+      attempts = 2
+      interval = "1m"
+      delay    = "10s"
+      mode     = "delay"
+    }
+
+    update {
+      max_parallel     = 1
+      min_healthy_time = "60s"
+      healthy_deadline = "5m"
+    }
+
+    service {
+      name = "docker-registry"
+      port = "http"
+
+      tags = [
+        "traefik.enable=true",
+	      "traefik.http.routers.docker-registry.tls=true",
+	      "traefik.http.routers.docker-registry.tls.certresolver=home",
+      ]
+
+      check {
+        name     = "alive"
+        type     = "http"
+        port     = "http"
+        path     = "/"
+        interval = "10s"
+        timeout  = "2s"
+      }
+    }
+
+    network {
+      port "http" {
+        to = 5000
+      }
+
+    }
+
+    task "app" {
+      driver = "docker"
+
+      vault {
+        policies = ["service-docker-registry"]
+      }
+
+      config {
+        image = "${var.docker_registry}${var.image_id}"
+        ports = ["http"]
+
+        args = [
+          "registry",
+          "serve",
+          "/secrets/config.yml"
+        ]
+
+      }
+
+      resources {
+        cpu    = 20
+        memory = 64
+        memory_max = 512
+      }
+
+      template {
+        destination = "secrets/config.yml"
+        data = <<EOF
+
+version: 0.1
+http:
+  addr: 0.0.0.0:5000
+  headers:
+    Access-Control-Allow-Origin: ['https://docker-registry-ui.{{ key "site/domain" }}']
+{{ with secret "kv/data/docker-registry" }}
+http:
+  secret: {{ .Data.data.http_secret }}
+
+storage:
+  s3:
+    accesskey: {{.Data.data.AWS_ACCESS_KEY_ID}}
+    secretkey: {{.Data.data.AWS_SECRET_ACCESS_KEY}}
+    region: us-west-1
+    regionendpoint: https://s3.{{ key "site/domain" }}
+    bucket: {{.Data.data.bucket}}
+    encrypt: false
+    secure: true
+    chunksize: 5242880
+    multipartcopychunksize: 33554432
+    multipartcopymaxconcurrency: 100
+    multipartcopythresholdsize: 33554432
+    rootdirectory: "/"
+
+{{ end }}
+
+EOF
+      }
+
+    }
+  }
+}

services/docker-registry/policy.vault

@@ -0,0 +1,3 @@
+path "kv/data/docker-registry" {
+  capabilities = ["read"]
+}