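#!/usr/bin/env bash
# Create a Docker registry on Kubernetes, backed by a replicated GlusterFS
# volume, plus a web management UI (hyper/docker-registry-web).
#
# This is a run-book rather than a single script: each section states whether
# it runs on ALL nodes or on ONE node only. The hostnames node223/node224/node225,
# the address 192.168.3.207 and the names k.xxxx.com / hub.xxxx.com are the
# example values used throughout; adjust them for your environment.
#
# Security posture of this setup as written (review before exposing it beyond
# a lab network):
#   - The registry has no `auth:` section and image deletion is enabled, and it
#     is reachable as a NodePort (30050) on every node.
#   - The web UI (NodePort 30180 and the Ingress at the end) has authentication
#     disabled and is not read-only, so anyone who can reach it can delete images.
#   - The registry-web container skips TLS verification towards the registry
#     (REGISTRY_TRUST_ANY_SSL=true).

#################################################################################
# 1. GlusterFS server — run on ALL nodes
#################################################################################
yum install -y centos-release-gluster
yum install -y glusterfs-server

# Start the GlusterFS management daemon and enable it at boot.
systemctl restart glusterd.service
systemctl enable glusterd.service

# Brick directory that will back the volume.
mkdir -p /gfs1

#################################################################################
# 2. Form the trusted storage pool — run on ONE node only
#################################################################################
# `gluster peer probe <hostname>` adds a node to the pool; probe every other
# node from the node you run this on.
gluster peer probe node224
gluster peer probe node225

# Check that every probed node is connected.
gluster peer status

#################################################################################
# 3. Create and start the replicated volume — run on ONE node only
#    (creating a volume is pool-wide; repeating it elsewhere fails because the
#    volume already exists)
#################################################################################
# replica 3 across three bricks: every file is stored on all three nodes.
# `force` overrides Gluster's safety checks (for example a brick on the root
# filesystem); drop it once the bricks live on a dedicated filesystem.
gluster volume create gv1 replica 3 transport tcp \
  node223:/gfs1 node224:/gfs1 node225:/gfs1 force
gluster volume start gv1

# Verify the volume definition.
gluster volume info gv1

#################################################################################
# 4. Mount the volume as a client — run on ALL nodes
#################################################################################
yum install -y centos-release-gluster
yum install -y glusterfs glusterfs-fuse
mkdir -p /gv1
mount -t glusterfs localhost:gv1 /gv1

# Persist the mount. The guard keeps re-runs from appending duplicate entries.
grep -q '^localhost:/gv1 ' /etc/fstab ||
  echo 'localhost:/gv1 /gv1 glusterfs _netdev,rw,acl 0 0' >>/etc/fstab

#################################################################################
# 5. Registry files on the shared volume — run on ONE node
#    (/gv1 is the GlusterFS mount, so every node sees the same files)
#################################################################################
mkdir -p /gv1/registry/{certs,registry}
yum install -y openssl

# Self-signed TLS certificate for the registry, valid for 10 years.
# -subj supplies the subject non-interactively; it replaces the previous
# `expect` wrapper that typed the same answers (cn/sc/cd/k8s/sys/k.xxxx.com)
# into the interactive prompts.
# NOTE: recent Docker/Go clients reject certificates that carry only a CN and no
# subjectAltName; with OpenSSL >= 1.1.1 add
#   -addext "subjectAltName=DNS:k.xxxx.com"
openssl req -newkey rsa:4096 -nodes -sha256 \
  -keyout /gv1/registry/certs/domain.key \
  -x509 -days 3650 \
  -subj "/C=cn/ST=sc/L=cd/O=k8s/OU=sys/CN=k.xxxx.com" \
  -out /gv1/registry/certs/domain.crt

# The private key lives on a volume mounted on every node; keep it root-only.
# The registry container must still be able to read it — revisit this if the
# container is run as a non-root user.
chmod 600 /gv1/registry/certs/domain.key

# Registry server configuration (mounted over /etc/docker/registry/config.yml).
# There is no `auth:` section, so push, pull and delete are unauthenticated;
# add e.g. `auth.htpasswd` and restrict network access before real use.
cat >/gv1/registry/config.yml <<'EOF'
version: 0.1
log:
  fields:
    service: registry
storage:
  # Allows DELETE of manifests/blobs (required by the web UI's delete feature).
  delete:
    enabled: true
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
EOF

# Web UI configuration (mounted at /conf/config.yml in the registry-web pod).
# `readonly: false` together with `auth.enabled: false` means any visitor of the
# UI can delete images; set `readonly: true` or enable auth outside a lab.
mkdir -p /gv1/registry/registry-web
cat >/gv1/registry/registry-web/config.yml <<'EOF'
registry:
  # Docker registry url
  url: https://192.168.3.207:30050/v2
  # Docker registry fqdn
  name: k.xxxx.com:30050
  # To allow image delete, should be false
  readonly: false
  auth:
    # Disable authentication
    enabled: false
EOF

#################################################################################
# 6. Deploy the registry and web UI — run on ONE node with kubectl access
#################################################################################
# Both containers run in one pod on master nodes (nodeSelector + toleration) and
# read their files from the shared /gv1 mount via hostPath, which is why section
# 4 must have been completed on every master first.
# ReplicationController is a legacy controller; a Deployment is the modern
# equivalent if you rewrite this manifest.
cat >registry.yaml <<'EOF'
apiVersion: v1
kind: ReplicationController
metadata:
  name: registry-rc
  namespace: kube-system
spec:
  replicas: 2
  selector:
    app: registry-rc
  template:
    metadata:
      labels:
        app: registry-rc
    spec:
      nodeSelector:
        node-role.kubernetes.io/master: ""
      containers:
        - name: registry
          image: registry:2
          ports:
            - containerPort: 5000
          env:
            # TLS material comes from the shared certs directory mounted below.
            - name: REGISTRY_HTTP_TLS_CERTIFICATE
              value: "/certs/domain.crt"
            - name: REGISTRY_HTTP_TLS_KEY
              value: "/certs/domain.key"
          volumeMounts:
            - name: registry
              mountPath: /var/lib/registry
            - name: certs
              mountPath: /certs
            - name: conf
              mountPath: /etc/docker/registry/config.yml
        - name: registry-web
          # Untagged image resolves to "latest"; pin a tag or digest for
          # reproducible deployments.
          image: hyper/docker-registry-web
          ports:
            - containerPort: 8080
          env:
            # Disables certificate verification towards the registry because
            # the registry uses a self-signed certificate. Trusting the CA
            # certificate instead is the safer option.
            - name: REGISTRY_TRUST_ANY_SSL
              value: "true"
            - name: REGISTRY_URL
              value: "https://192.168.3.207:30050/v2"
            - name: REGISTRY_NAME
              value: "k.xxxx.com:30050"
          volumeMounts:
            - name: webconf
              mountPath: /conf/config.yml
      volumes:
        - name: webconf
          hostPath:
            path: /gv1/registry/registry-web/config.yml
        - name: registry
          hostPath:
            path: /gv1/registry/registry
        - name: certs
          hostPath:
            path: /gv1/registry/certs
        - name: conf
          hostPath:
            path: /gv1/registry/config.yml
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
---
apiVersion: v1
kind: Service
metadata:
  name: registry-svc
  namespace: kube-system
spec:
  selector:
    app: registry-rc
  type: NodePort
  ports:
    # Exposed on every node; there is no authentication in front of either port.
    - name: registry
      protocol: TCP
      port: 5000
      targetPort: 5000
      nodePort: 30050
    - name: registry-web
      protocol: TCP
      port: 8080
      targetPort: 8080
      nodePort: 30180
EOF

kubectl apply -f registry.yaml
kubectl get pod,svc,rc -n kube-system -o wide | grep registry
# Tear-down:
#kubectl delete -f registry.yaml

# Smoke test against the registry API; k.xxxx.com must resolve to a node IP
# (e.g. via /etc/hosts). --cacert pins the self-signed certificate instead of
# disabling verification.
curl --cacert /gv1/registry/certs/domain.crt https://k.xxxx.com:30050/v2/_catalog

#################################################################################
# 7. Ingress for the web UI — run on ONE node with kubectl access
#################################################################################
# Routes hub.xxxx.com to the web UI (service port 8080). The Ingress adds no
# authentication of its own, so the UI's delete feature is reachable by anyone
# who can resolve and reach this host.
# extensions/v1beta1 Ingress was removed in Kubernetes 1.22; newer clusters
# need the networking.k8s.io/v1 form of this manifest.
cat >registry-ingress.yaml <<'EOF'
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-registry
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
    - host: hub.xxxx.com
      http:
        paths:
          - path: /
            backend:
              serviceName: registry-svc
              servicePort: 8080
EOF

kubectl apply -f registry-ingress.yaml
kubectl get Ingress -n kube-system -o wide
# Tear-down:
#kubectl delete -f registry-ingress.yaml

# Verify the registry API and the Ingress route (Host header selects the rule).
curl --cacert /gv1/registry/certs/domain.crt https://k.xxxx.com:30050/v2/_catalog
curl http://k.xxxx.com/ -H "host:hub.xxxx.com" -I

#################################################################################
# Web management UI: http://k.xxxx.com:30180
# Registry address:  k.xxxx.com:30050
#################################################################################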