How to generate a passwordHash?

To generate a bcrypt hash, use the htpasswd command:

$ htpasswd -Bnb "${USER_NAME}" "${PASSWORD}" | cut -d: -f2

The generated hash should be specified in the users.${USER_NAME}.passwordHash field. Example:

$ htpasswd -Bnb "user-1" "password123" | cut -d: -f2
$2y$05$KbQy.oSLGCS.mm0SIkLtIOYu.G1Lcp8iyPMLfK/Id9AO7nJYmdLXa

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: payload-registry
spec:
  version: 1
  enabled: true
  settings:
    users:
      user-1:
        passwordHash: "$2y$05$KbQy.oSLGCS.mm0SIkLtIOYu.G1Lcp8iyPMLfK/Id9AO7nJYmdLXa"
        projects: []
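
A pre-flight check for the value that goes into passwordHash, as an added example that is not part of the module's documentation: it validates the bcrypt string format and reports the cost factor (05 in the hash above, the htpasswd default). MIN_COST and the function names are assumptions for illustration; this page does not state which cost values the module accepts.

```shell
#!/bin/sh
# Added example: validate a bcrypt string before it is written to passwordHash.
MIN_COST=10   # assumed policy threshold for illustration, not a module setting

# Print the cost factor of a bcrypt hash; return 1 if the string is malformed.
bcrypt_cost() {
    hash=$1
    [ "${#hash}" -eq 60 ] || return 1           # 7-char header + 53-char body
    case $hash in
        '$2'[aby]'$'[0-9][0-9]'$'*) ;;          # "$2a$", "$2b$" or "$2y$" + cost
        *) return 1 ;;
    esac
    body=${hash#???????}                        # 22 salt chars + 31 digest chars
    case $body in *[!./A-Za-z0-9]*) return 1 ;; esac
    cost=${hash#\$2?\$}   # strip the version prefix
    cost=${cost%%\$*}     # keep only the digits before the next "$"
    cost=${cost#0}        # "05" -> "5", so it is never parsed as octal
    [ "$cost" -ge 4 ] && [ "$cost" -le 31 ] || return 1
    printf '%s\n' "$cost"
}

# Classify a hash: "ok", "weak" (well-formed but below MIN_COST) or "invalid".
check_password_hash() {
    if ! cost=$(bcrypt_cost "$1"); then
        echo "invalid"
    elif [ "$cost" -lt "$MIN_COST" ]; then
        echo "weak cost=$cost"
    else
        echo "ok cost=$cost"
    fi
}

# Generate a hash without the password appearing in argv or shell history:
# htpasswd -i reads it from stdin, -C sets the bcrypt cost (valid: 4 to 17).
# Usage: generate_password_hash USER [COST] < file-containing-the-password
generate_password_hash() {
    htpasswd -niB -C "${2:-$MIN_COST}" "$1" | cut -d: -f2 | head -n 1
}

# The hash from the example above (single-quoted so "$2y" is not expanded).
check_password_hash '$2y$05$KbQy.oSLGCS.mm0SIkLtIOYu.G1Lcp8iyPMLfK/Id9AO7nJYmdLXa'
```
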

How to add an image to a project?

  1. To add an image to a project, you need to configure a user with FULL access rights to the project. Example configuration:

    apiVersion: deckhouse.io/v1alpha1
    kind: ModuleConfig
    metadata:
      name: payload-registry
    spec:
      version: 1
      enabled: true
      settings:
        users:
          user-1:
            # bcrypt hash of the password `password123`
            passwordHash: "$2y$05$KbQy.oSLGCS.mm0SIkLtIOYu.G1Lcp8iyPMLfK/Id9AO7nJYmdLXa"
            projects:
            - name: "project-1"
              subPath: "*"
              access: FULL
    
  2. To push images to the project, a namespace with the project's name must exist in the cluster:

    $ kubectl create namespace project-1
    
  3. Log in to the payload registry from your machine:

    $ docker login payload-registry.${PUBLIC_DOMAIN} -u user-1 -p password123
    
  4. Create and push the image to the payload registry:

    $ docker tag ubuntu:latest payload-registry.${PUBLIC_DOMAIN}/project-1/ubuntu:latest
    $ docker push payload-registry.${PUBLIC_DOMAIN}/project-1/ubuntu:latest
    
  5. Verify the presence of the image in the payload registry. Example check using the crane command:

    $ crane auth login payload-registry.${PUBLIC_DOMAIN} -u user-1 -p password123
    $ crane catalog payload-registry.${PUBLIC_DOMAIN}
    

How to set up imagePullSecrets to access a project?

  1. To create imagePullSecrets, configure a user with READ or FULL access rights to the project. Example:

    apiVersion: deckhouse.io/v1alpha1
    kind: ModuleConfig
    metadata:
      name: payload-registry
    spec:
      version: 1
      enabled: true
      settings:
        users:
          user-1:
            # bcrypt hash of the password `password123`
            passwordHash: "$2y$05$KbQy.oSLGCS.mm0SIkLtIOYu.G1Lcp8iyPMLfK/Id9AO7nJYmdLXa"
            projects:
            - name: "project-1"
              subPath: "*"
              access: READ
    
  2. Create imagePullSecrets in the project-1 namespace using the following command:

    $ kubectl create secret docker-registry my-img-pull-secret \
    --docker-server="https://payload-registry.${PUBLIC_DOMAIN}" \
    --docker-username=user-1 \
    --docker-password=password123 \
    --namespace=project-1
    
  3. Add imagePullSecrets to a cluster component and specify the image:

    apiVersion: v1
    kind: Pod
    metadata:
      name: ubuntu
    spec:
      containers:
      - name: ubuntu
        image: payload-registry.${PUBLIC_DOMAIN}/project-1/ubuntu:latest
      imagePullSecrets:
      - name: my-img-pull-secret
    

How to create a new PVC?

  • This procedure describes the creation of a new PVC (PersistentVolumeClaim), which may be necessary for changing immutable parameters such as storageClass and accessModes.
  • During the procedure, a new PVC will be created without transferring data from the old one.

Changing parameters like size can be done without this procedure if supported by the storageClass provider. To increase size, simply specify the new value.

  1. Disable garbage collection (GC). Change the settings.gc.enabled parameter value to false:

    apiVersion: deckhouse.io/v1alpha1
    kind: ModuleConfig
    metadata:
      name: payload-registry
    spec:
      version: 1
      enabled: true
      settings:
        gc:
          enabled: false
        ...
    
  2. Wait for GC to be disabled. Ensure that all completed jobs are deleted:

    Before disabling:

    $ kubectl -n d8-payload-registry get jobs
    NAME                          STATUS     COMPLETIONS   DURATION   AGE
    registry-gc-20251008-111705   Complete   1/1           12s        2m48s
    registry-gc-20251008-111805   Complete   1/1           3s         107s
    registry-gc-20251008-111905   Complete   1/1           3s         47s
    
    $ kubectl -n d8-payload-registry get pods -l "component=gc"
    NAME                                READY   STATUS              RESTARTS   AGE
    registry-gc-20251008-111905-zv7hh   0/1     Completed           0          2m2s
    registry-gc-20251008-112006-zs69r   0/1     Completed           0          62s
    registry-gc-20251008-112105-bblpx   0/1     ContainerCreating   0          3s
    

    After disabling:

    $ kubectl -n d8-payload-registry get jobs
    No resources found in d8-payload-registry namespace.
    
    $ kubectl -n d8-payload-registry get pods -l "component=gc"
    No resources found in d8-payload-registry namespace.
    
  3. Specify the new PVC parameters in the settings.persistence section. Provide a new name in the name field to create a new PVC:

    apiVersion: deckhouse.io/v1alpha1
    kind: ModuleConfig
    metadata:
      name: payload-registry
    spec:
      version: 1
      enabled: true
      settings:
        gc:
          enabled: false
        ...
    
        # Old PVC settings
        # The name field defaults to `registry`
        # persistence:
        #  size: 10Gi
    
        # New PVC settings with the name `registry-2`
        # The new PVC is initialized with a new storageClass
        persistence:
          name: registry-2
          storageClass: network-ssd
          size: 10Gi
      ...
    
  4. Apply the changes. Wait for the new PVC to be created and connected to the registry.

    Check the creation of the PVC:

    $ kubectl -n d8-payload-registry get pvc
    NAME         STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   VOLUMEATTRIBUTESCLASS   AGE
    registry     Bound    pvc-09cb5d2e-6529-4759-adca-56aa20aead80   10Gi       RWO            network-hdd    <unset>                 92m
    registry-2   Bound    pvc-b3f037d2-d3fa-4b2c-8ae1-e9af75ff14d5   10Gi       RWO            network-ssd    <unset>                 60s
    

    Check the connection of the PVC to the registry:

    $ kubectl -n d8-payload-registry get deployment/registry -o yaml | grep 'registry-2'
    claimName: registry-2
    
  5. Enable garbage collection (GC) by setting the settings.gc.enabled parameter to true:

    apiVersion: deckhouse.io/v1alpha1
    kind: ModuleConfig
    metadata:
      name: payload-registry
    spec:
      version: 1
      enabled: true
      settings:
        gc:
          enabled: true
        ...
    
        persistence:
          name: registry-2
          storageClass: network-ssd
          size: 10Gi
    
  6. If necessary, delete the old PVC. The old PVC can be reattached by performing a similar connection procedure.

    Deleting the PVC:

    This step will result in the loss of data stored in the old PVC.

    $ kubectl -n d8-payload-registry delete pvc/registry
    persistentvolumeclaim "registry" deleted