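---
# Private container registry (registry:2) with htpasswd authentication,
# persistent storage and an HTTPS ingress. Each document must stay separated
# by `---`; if the file is collapsed onto one line, the leading `#` turns the
# whole manifest into a comment and nothing is applied.

# 1. Create a dedicated namespace for the registry.
apiVersion: v1
kind: Namespace
metadata:
  name: registry-system
---
# 2. Create a Kubernetes Secret from the htpasswd file generated earlier.
#    This step is done outside this manifest, so the document is left empty
#    and no credential hashes are stored in the file. The Deployment below
#    expects a Secret named `registry-auth-secret` in `registry-system` with
#    a key `htpasswd` (mounted at /auth, read from /auth/htpasswd). The pod
#    cannot start until that Secret exists.
#    NOTE(review): the registry's htpasswd backend accepts bcrypt entries
#    only - confirm the file was generated with bcrypt.
---
# 3. Request disk space (stores the image layers).
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: registry-pvc
  namespace: registry-system
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
      # 20Gi for the registry; can be grown later if it runs short
      # (assumes the storage class allows volume expansion - confirm).
      storage: 20Gi
---
# 4. Deploy the registry application.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: registry
  namespace: registry-system
spec:
  replicas: 1
  # Recreate stops the old pod before starting the new one; presumably chosen
  # because the ReadWriteOnce volume cannot be shared during a rolling update.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: registry
  template:
    metadata:
      labels:
        app: registry
    spec:
      # The registry does not call the Kubernetes API, so do not hand it a
      # service-account token.
      automountServiceAccountToken: false
      containers:
        - name: registry
          # `registry:2` is a floating tag. For reproducible, tamper-evident
          # deployments pin it to a digest, e.g.
          # registry:2@sha256:<DIGEST-PLACEHOLDER>.
          image: registry:2
          ports:
            - containerPort: 5000
          securityContext:
            allowPrivilegeEscalation: false
          env:
            # --- Enable authentication ---
            - name: REGISTRY_AUTH
              value: "htpasswd"
            - name: REGISTRY_AUTH_HTPASSWD_REALM
              value: "Registry Realm"
            - name: REGISTRY_AUTH_HTPASSWD_PATH
              value: "/auth/htpasswd"
            # --- Storage path ---
            - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
              value: "/var/lib/registry"
          volumeMounts:
            - name: data-volume
              mountPath: /var/lib/registry
            - name: auth-volume
              mountPath: /auth
              # The credential file is only ever read by the registry.
              readOnly: true
      volumes:
        - name: data-volume
          persistentVolumeClaim:
            claimName: registry-pvc
        - name: auth-volume
          secret:
            secretName: registry-auth-secret
---
# 5. Internal service.
#    Traffic between the ingress controller and the pod is plain HTTP
#    (port 80 -> 5000); TLS is terminated at the ingress. htpasswd
#    credentials travel as HTTP Basic auth, so this Service should only be
#    reached by clients through the HTTPS ingress below.
apiVersion: v1
kind: Service
metadata:
  name: registry-service
  namespace: registry-system
spec:
  selector:
    app: registry
  ports:
    - protocol: TCP
      port: 80
      targetPort: 5000
---
# 6. Expose the registry on an HTTPS hostname.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: registry-ingress
  namespace: registry-system
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # Raise the upload size limit (Docker image layers can be very large).
    # "0" removes the request-body limit entirely, so any authenticated
    # client can push arbitrarily large blobs; the 20Gi PVC is the only cap.
    ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
spec:
  rules:
    - host: registry.u9.net3w.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: registry-service
                port:
                  number: 80
  tls:
    - hosts:
        - registry.u9.net3w.com
      # Presumably populated by cert-manager through the cluster-issuer
      # annotation above - confirm the issuer exists in the cluster.
      secretName: registry-tls-secret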