K8s:搭建镜像加速

来自WHY42

生成证书

建一个空的网站，指向 registry.riguz.com，然后更新证书：

# Obtain the Let's Encrypt certificate for the Apache vhost created above. The
# resulting files under /etc/letsencrypt are later mounted into the registry
# container, so the vhost name must be the registry hostname (registry.riguz.com).
sudo certbot --apache

安装Docker

# Install Docker CE from Docker's apt repository (Ubuntu). The repo key is
# dearmored into its own keyring and the source entry is pinned to it with
# signed-by=, so this key cannot be used to authenticate any other apt source.
sudo apt-get install     ca-certificates     curl     gnupg     lsb-release
# curl -f fails on HTTP errors so an error page is never written out as a keyring.
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
# Architecture and release codename are read from the host so the entry matches it.
 echo   "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io

启动 Registry 容器

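# Create the credentials file the registry reads via REGISTRY_AUTH_HTPASSWD_PATH.
#   -B  bcrypt, the hash format the registry's htpasswd auth backend requires
#   -n  print the entry to stdout instead of updating a file in place
# The password is deliberately NOT passed on the command line (-b): an argv
# password ends up in the shell history and is visible to every local user via
# ps. Without -b, htpasswd prompts for it on the terminal. The auth/ directory is
# created first so the redirection cannot fail; the file holds only a hash but
# still names the account, so keep it out of world-readable locations.
mkdir -p auth
htpasswd -Bn user > auth/htpasswd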
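# Registry configuration, mounted into the container as
# /etc/docker/registry/config.yml. This instance is a pull-through cache:
# images it does not hold locally are fetched from proxy.remoteurl and kept
# under storage.filesystem.rootdirectory.
version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    # Mount a volume here if the cache should survive re-creating the container.
    rootdirectory: /var/lib/registry
http:
  # Overridden at runtime by REGISTRY_HTTP_ADDR=0.0.0.0:443 in the docker run
  # command; TLS and htpasswd settings are likewise supplied as REGISTRY_* env.
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
proxy:
  # Upstream registry being mirrored. A proxy registry is read-only; pushes to
  # this instance are rejected. (Key spacing normalised: "remoteurl :" -> "remoteurl:".)
  remoteurl: https://gcr.io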
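# Run the registry with TLS terminated inside the container.
# Changes from the original command:
#   * the host port is bound to loopback only. Apache on this host proxies to
#     https://127.0.0.1:5000 (see the vhost below), so nothing else needs to
#     reach the container directly and the htpasswd-protected endpoint is no
#     longer exposed on every interface;
#   * all three bind mounts are read-only; the certs mount in particular
#     contains the Let's Encrypt private keys.
# NOTE: fullchain3.pem / privkey3.pem are numbered archive files. certbot
# renewals write the next number (fullchain4.pem, ...), so these two paths must
# be updated and the container restarted after each renewal.
# registry:latest is an unpinned tag; pin a specific tag or digest so that
# upgrades of the registry happen deliberately.
docker run -d -p 127.0.0.1:5000:443 \
    --restart always \
    --name registry  \
    -v /etc/letsencrypt/archive/riguz.com:/certs:ro \
    -v "$(pwd)"/auth:/auth:ro \
    -v "$(pwd)"/config.yml:/etc/docker/registry/config.yml:ro \
    -e "REGISTRY_AUTH=htpasswd" \
    -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
    -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
    -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/fullchain3.pem \
    -e REGISTRY_HTTP_TLS_KEY=/certs/privkey3.pem \
    registry:latest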

apache 代理

# Enable mod_proxy and its HTTP backend. The vhost below also uses
# SSLProxyEngine, so mod_ssl must be enabled too (certbot --apache normally
# takes care of that; check with `apachectl -M` if the vhost fails to load).
sudo a2enmod proxy
sudo a2enmod proxy_http
<IfModule mod_ssl.c>
# TLS front end for the registry. SSLEngine / SSLCertificateFile directives are
# not shown here; certbot --apache adds them to this vhost — confirm they point
# at the registry.riguz.com certificate.
<VirtualHost *:443>
        ServerName registry.riguz.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/registry

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # Pass the client's Host header through so the registry sees registry.riguz.com.
        ProxyPreserveHost On

        # The backend is itself HTTPS (the registry container terminates TLS on
        # 127.0.0.1:5000). No SSLProxyVerify / SSLProxyCACertificateFile is set,
        # so Apache does not verify the backend certificate; that is tolerable
        # only because this hop never leaves loopback. Do not reuse this vhost
        # for a backend on another host without adding verification.
        SSLProxyEngine on
        ProxyPass / https://127.0.0.1:5000/
        ProxyPassReverse / https://127.0.0.1:5000/
</VirtualHost>
</IfModule>

k3s 使用代理

/etc/rancher/k3s/registries.yaml(没有的话自行创建)

# containerd registry mirror configuration read by k3s. Pulls for gcr.io are
# redirected to the mirror endpoint; the credentials under configs are sent to
# the mirror host. This file contains a plaintext password: keep it root-owned
# with mode 0600 and out of version control. Replace the placeholder
# username/password with the htpasswd user created for the registry.
mirrors:
  gcr.io:
    endpoint:
      - "https://registry.riguz.com/v2"
configs:
  "registry.riguz.com":
    auth:
      username: xxx
      password: xxxxx
# registries.yaml is read at startup, so the service must be restarted:
# k3s.service on server nodes, k3s-agent.service on agent nodes. The file has to
# be present on every node that pulls images.
sudo systemctl restart k3s.service
sudo systemctl restart k3s-agent.service

使用自签名证书

# Self-signed certificate for the mirror, driven entirely by server_cert.cnf
# (prompt = no). Because that config sets basicConstraints=CA:TRUE, key.pem is
# both the TLS private key served by the registry and the signing key of a
# trust anchor that clients import: keep it mode 600 on the mirror host and
# never copy it to clients — only cert.pem is distributed.
# -nodes leaves key.pem unencrypted so the container can load it without a
# passphrase; -days 36500 makes the anchor valid for roughly 100 years, so
# expiry will never force a rotation — plan one anyway.
openssl \
  req \
  -newkey rsa:2048 -nodes \
  -keyout key.pem \
  -x509 -days 36500 \
  -out cert.pem \
  -config server_cert.cnf
# OpenSSL request configuration for the mirror's self-signed certificate.
[req]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
# prompt = no: every subject field is taken from [req_distinguished_name].
prompt = no
# With -x509 the extensions from req_ext are written into the certificate itself.
x509_extensions = req_ext

[req_distinguished_name]
C   = CN
ST  = Hubei
L   = Wuhan
O   = KingSoft
OU  = HPC
CN  = gcr-mirror.com

[req_ext]
# CA:TRUE makes this self-signed server certificate a CA. Once it is in a
# client's trust store, whoever holds key.pem can issue certificates for ANY
# name those clients will accept, not just the SANs below. A safer layout is a
# separate, offline CA key that signs a CA:FALSE server certificate, with only
# the CA certificate distributed. This document appears to rely on CA:TRUE (see
# the check at the end), so confirm clients accept a CA:FALSE anchor before
# changing it.
basicConstraints=CA:TRUE
# Modern clients match the host against subjectAltName rather than CN, so every
# name or IP used to reach the mirror must be listed in [alt_names].
subjectAltName = @alt_names

[alt_names]
IP.1 = 10.226.27.53
DNS.1 = gcr-mirror.com
DNS.2 = www.gcr-mirror.com
DNS.3 = gcr.ksord.com
DNS.4 = mirror.ksord.com
DNS.5 = registry.ksord.com
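REM Windows (cmd.exe) variant of the registry container; ^ continues the line.
REM Fixes from the original:
REM   * the config file is mounted at /etc/docker/registry/config.yml, the path
REM     the registry image reads by default and the one used by the Linux command
REM     earlier in this document. Mounted as config.yaml it is ignored unless
REM     the image's command is overridden, so the proxy/remoteurl setting
REM     would never take effect;
REM   * all bind mounts are read-only; certs/ holds key.pem, which is also the
REM     signing key of the trust anchor clients import.
REM Port 5000 stays bound on all interfaces because clients reach this mirror
REM directly by the IP/DNS names in the certificate's SAN list.
REM registry:latest is an unpinned tag; pin a tag or digest so upgrades are deliberate.
docker run -d -p 5000:443 ^
    --restart always ^
    --name gcr-mirror ^
    -v /c/gcr-mirror/certs/:/certs:ro ^
    -v /c/gcr-mirror/auth:/auth:ro ^
    -v /c/gcr-mirror/config.yaml:/etc/docker/registry/config.yml:ro ^
    -e "REGISTRY_AUTH=htpasswd" ^
    -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" ^
    -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd ^
    -e REGISTRY_HTTP_ADDR=0.0.0.0:443 ^
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/cert.pem ^
    -e REGISTRY_HTTP_TLS_KEY=/certs/key.pem ^
    registry:latest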
# Install the mirror certificate as a system trust anchor (RHEL/CentOS/Fedora
# layout; Debian/Ubuntu instead copy a .crt into /usr/local/share/ca-certificates
# and run update-ca-certificates). Only cert.pem is copied — key.pem stays on
# the mirror host. Because this anchor is CA:TRUE, every host that runs these
# two commands will trust anything signed with key.pem, so limit it to the
# nodes that actually pull through the mirror. Docker/containerd load the
# trust store when they start; restart them if the mirror is still rejected.
cp cert.pem /etc/pki/ca-trust/source/anchors
update-ca-trust
# Confirm the installed certificate carries CA:TRUE (the document appears to
# rely on it for the anchor to be accepted). <cert_file> is a placeholder:
# substitute the real path — typed literally, the shell would parse it as a
# redirection.
openssl x509 -noout -text -in <cert_file> | grep --after-context=2 "X509v3 Basic Constraints" | grep "CA:TRUE"