| author | Xe Iaso <me@xeiaso.net> | 2024-10-18 14:50:07 -0400 |
|---|---|---|
| committer | Xe Iaso <me@xeiaso.net> | 2024-10-18 14:50:14 -0400 |
| commit | 797eec6d94e193ae684db977179ea4a422b2499f (patch) | |
| tree | 9cb6190061f9e6cf7d53ff88cdc063034f6ac2a5 | |
| parent | b04916b62a633e83dd9a7036c82837be7ca1bf39 (diff) | |
kube/alrest: add pull-through dockerhub cache
Signed-off-by: Xe Iaso <me@xeiaso.net>
8 files changed, 152 insertions, 3 deletions
diff --git a/kube/alrest/gitea/runner.yaml b/kube/alrest/gitea/runner.yaml
index c8a54d3..98f6976 100644
--- a/kube/alrest/gitea/runner.yaml
+++ b/kube/alrest/gitea/runner.yaml
@@ -6,6 +6,16 @@ stringData:
   token: "CY2fOnh2aP4scVZc9w4dEDkyxBGnsezNZqRWcKyi"
 type: Opaque
 ---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: docker-daemon-config
+data:
+  daemon.json: |
+    {
+      "registry-mirrors": ["https://pt-dh.default.svc.alrest.xeserv.us"]
+    }
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -33,6 +43,9 @@ spec:
           emptyDir: {}
         - name: runner-data
           emptyDir: {}
+        - name: docker-daemon-config
+          configMap:
+            name: docker-daemon-config
       containers:
         - name: runner
           image: gitea/act_runner:nightly-dind-rootless
@@ -51,4 +64,6 @@ spec:
           volumeMounts:
             - name: runner-data
               mountPath: /data
-              subPath: "actions"
\ No newline at end of file
+              subPath: "actions"
+            - name: docker-daemon-config
+              mountPath: "/etc/docker"
\ No newline at end of file
diff --git a/kube/alrest/registry/deployment.yaml b/kube/alrest/registry/deployment.yaml
index 1660f60..34dd3a8 100644
--- a/kube/alrest/registry/deployment.yaml
+++ b/kube/alrest/registry/deployment.yaml
@@ -29,7 +29,7 @@ spec:
             secretName: registry-internal-tls
       containers:
         - name: registry
-          image: registrxe.fly.dev/registry:2
+          image: registry:2
           imagePullPolicy: "Always"
           resources:
             limits:
diff --git a/kube/alrest/registry/kustomization.yaml b/kube/alrest/registry/kustomization.yaml
index 6a768f9..d827155 100644
--- a/kube/alrest/registry/kustomization.yaml
+++ b/kube/alrest/registry/kustomization.yaml
@@ -5,4 +5,5 @@ resources:
   - deployment.yaml
   - external-dns.yaml
   - ingress.yaml
-  - service.yaml
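Review bot: The third hunk mounts the whole `docker-daemon-config` ConfigMap over `/etc/docker`, which hides anything else the image ships in that directory and, for a rootless daemon, may not even be the path that is read — as far as I recall rootless dockerd looks for `~/.config/docker/daemon.json` by default, so confirm with `docker info` inside the runner that the mirror actually shows up. A narrower mount avoids the first problem regardless: `- name: docker-daemon-config`, `  mountPath: "/etc/docker/daemon.json"`, `  subPath: daemon.json`. The first hunk's context also shows the runner registration token committed in plaintext under `stringData`; since this commit already introduces a OnePasswordItem for the registry credentials, the same mechanism would keep that token out of the repository. The enclosing Secret and Deployment documents start and end outside these hunks.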
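Review bot: `image: registry:2` combined with the existing `imagePullPolicy: "Always"` means every pod restart re-resolves a mutable Docker Hub tag, so what runs is whatever `2` points at on that day rather than a reviewed artifact. Pinning by digest keeps the tag for readability while fixing the content, e.g. `image: registry:2@sha256:<digest of the reviewed image>`; the same applies to `registry:2` and `ghcr.io/xe/x/relayd:latest` in the new pull-through Deployment, unless Keel-driven auto-updates are the deliberate trade-off there. The enclosing Deployment document starts and ends outside this hunk.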
\ No newline at end of file
+  - service.yaml
+  - pull-through/dockerhub
\ No newline at end of file
diff --git a/kube/alrest/registry/pull-through/dockerhub/1password.yaml b/kube/alrest/registry/pull-through/dockerhub/1password.yaml
new file mode 100644
index 0000000..0adb4f0
--- /dev/null
+++ b/kube/alrest/registry/pull-through/dockerhub/1password.yaml
@@ -0,0 +1,8 @@
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: pullthru-docker-hub
+  labels:
+    app.kubernetes.io/name: pullthru-docker-hub
+spec:
+  itemPath: "vaults/Kubernetes/items/Docker Registry Pull-through"
\ No newline at end of file
diff --git a/kube/alrest/registry/pull-through/dockerhub/certificate.yaml b/kube/alrest/registry/pull-through/dockerhub/certificate.yaml
new file mode 100644
index 0000000..bce9b22
--- /dev/null
+++ b/kube/alrest/registry/pull-through/dockerhub/certificate.yaml
@@ -0,0 +1,20 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: pt-dh-internal
+  namespace: default
+spec:
+  secretName: pt-dh-internal-tls
+
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+
+  usages:
+    - digital signature
+    - key encipherment
+  dnsNames:
+    - pt-dh.default.svc.alrest.xeserv.us
+  issuerRef:
+    name: "letsencrypt-prod"
+    kind: ClusterIssuer
+    group: cert-manager.io
\ No newline at end of file
diff --git a/kube/alrest/registry/pull-through/dockerhub/deployment.yaml b/kube/alrest/registry/pull-through/dockerhub/deployment.yaml
new file mode 100644
index 0000000..4b475d3
--- /dev/null
+++ b/kube/alrest/registry/pull-through/dockerhub/deployment.yaml
@@ -0,0 +1,82 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pullthru-docker-hub
+  annotations:
+    operator.1password.io/auto-restart: "true"
+    keel.sh/policy: all
+    keel.sh/trigger: poll
+    keel.sh/pollSchedule: "@hourly"
+  labels:
+    app.kubernetes.io/name: pullthru-docker-hub
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: pullthru-docker-hub
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: pullthru-docker-hub
+    spec:
+      securityContext:
+        fsGroup: 1000
+      imagePullSecrets:
+        - name: regcred
+      volumes:
+        - name: internal-certs
+          secret:
+            secretName: pt-dh-internal-tls
+      containers:
+        - name: registry
+          image: registry:2
+          imagePullPolicy: "Always"
+          resources:
+            limits:
+              cpu: "500m"
+              memory: "512Mi"
+            requests:
+              cpu: "100m"
+              memory: "256Mi"
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 1000
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
+          envFrom:
+            - secretRef:
+                name: pullthru-docker-hub
+        - name: relayd
+          image: ghcr.io/xe/x/relayd:latest
+          imagePullPolicy: "Always"
+          resources:
+            limits:
+              cpu: "500m"
+              memory: "512Mi"
+            requests:
+              cpu: "100m"
+              memory: "256Mi"
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 1000
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
+          env:
+            - name: BIND
+              value: ":8443"
+            - name: PROXY_TO
+              value: "http://localhost:5000"
+          volumeMounts:
+            - name: "internal-certs"
+              mountPath: "/xe/pki"
+              readOnly: true
\ No newline at end of file
diff --git a/kube/alrest/registry/pull-through/dockerhub/kustomization.yaml b/kube/alrest/registry/pull-through/dockerhub/kustomization.yaml
new file mode 100644
index 0000000..62d1d9c
--- /dev/null
+++ b/kube/alrest/registry/pull-through/dockerhub/kustomization.yaml
@@ -0,0 +1,6 @@
+namespace: default
+resources:
+  - 1password.yaml
+  - certificate.yaml
+  - deployment.yaml
+  - service.yaml
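Review bot: The `registry` container gets its whole configuration from the `pullthru-docker-hub` secret via `envFrom`, and nothing in the Deployment or the new Service restricts who can talk to it; if that secret carries Docker Hub credentials for the proxy (which the separate 1Password item suggests), the registry documentation warns that any private repository the account can read becomes pullable through the mirror by anyone who can reach it, so either confirm the item holds no private-capable credentials, or add registry auth / a NetworkPolicy scoped to the runner pods. Separately, no volume is mounted at `/var/lib/registry`, where registry:2 writes its blob store by default, so the cache lands in the container's writable layer, is lost on every restart, and blocks `readOnlyRootFilesystem: true`; an emptyDir (or a PVC if the cache should persist) plus the read-only root flag closes both gaps, as sketched below. A `readinessProbe` against `/v2/` on port 5000 would also keep the Service from routing to a pod whose upstream login has not completed.

```yaml
      volumes:
        - name: internal-certs
          secret:
            secretName: pt-dh-internal-tls
        - name: registry-cache
          emptyDir: {}  # swap for a PVC if the cache should survive restarts
      containers:
        - name: registry
          # … unchanged: image, imagePullPolicy, resources …
          securityContext:
            readOnlyRootFilesystem: true
            # … unchanged: runAsUser, runAsGroup, runAsNonRoot, allowPrivilegeEscalation, capabilities, seccompProfile …
          volumeMounts:
            - name: registry-cache
              mountPath: /var/lib/registry
          # … unchanged: envFrom …
```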
\ No newline at end of file
diff --git a/kube/alrest/registry/pull-through/dockerhub/service.yaml b/kube/alrest/registry/pull-through/dockerhub/service.yaml
new file mode 100644
index 0000000..f142540
--- /dev/null
+++ b/kube/alrest/registry/pull-through/dockerhub/service.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: pt-dh
+spec:
+  type: ClusterIP
+  ports:
+    - name: http
+      port: 80
+      targetPort: 5000
+      protocol: TCP
+    - name: https
+      port: 443
+      targetPort: 8443
+      protocol: TCP
+  selector:
+    app.kubernetes.io/name: pullthru-docker-hub
\ No newline at end of file |
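Review bot: The `http` port entry forwards 80 straight to the registry's plaintext listener on 5000, bypassing the relayd TLS front end that the `https` entry and the `registry-mirrors` URL in runner.yaml both go through. If no consumer needs the unencrypted path, drop the `- name: http` block so the only way into the cache is the TLS endpoint on 443; if it is kept on purpose (for a probe or a debugging client), a comment above it saying so would save the next reader from removing it.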
