The module lifecycle stage: Preview
The module has requirements for installation
PVC configuration example
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: payload-registry
spec:
  version: 1
  enabled: true
  settings:
    users: {}
    persistence:
      storageClass: network-ssd # Immutable parameter
      size: 10Gi

Example Role for Kubernetes token authorization
For more details, see the section Authentication with Kubernetes tokens.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: payload-registry-full
rules:
  - apiGroups: ["payload-registry.deckhouse.io"]
    resources: ["payloadrepositoryaccesses"]
    resourceNames:
      - "dist/*"
      - "app/**"
    verbs:
      - "get" # Pull image and get tag info via Kubernetes API Extension.
      - "list" # Get list of tags in namespace repositories via Kubernetes API Extension.
      - "create" # Push images.
      - "delete" # Delete tags, including via Kubernetes API Extension.

Example static user configuration (deprecated)
This authentication method is deprecated. Use Kubernetes tokens instead.
Static configuration may be removed in future versions.
For more details, see the section Static user configuration (deprecated).
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: payload-registry
spec:
  version: 1
  enabled: true
  settings:
    users:
      # User: user-catalog
      # Access Level: catalog
      user-catalog:
        # bcrypt hash: `echo -n 'password123' | htpasswd -BinC 10 "" | cut -d: -f2 | tr -d '\n'; echo`
        passwordHash: "$2y$10$gQvak.0k9BBUeH/je7n.y.cyNFc3YKyDti3L6DuZpy75drzb2wWK2"
        projects: []
      # User: user-frontend-push
      # Access Level: push and pull
      # Access to registries:
      # - payload-registry.${PUBLIC_DOMAIN}/project-1/frontend/*:tag
      # - payload-registry.${PUBLIC_DOMAIN}/project-1/frontend/*/*:tag
      # Examples:
      # - payload-registry.${PUBLIC_DOMAIN}/project-1/frontend/image:latest
      # - payload-registry.${PUBLIC_DOMAIN}/project-1/frontend/firstapp/image:latest
      user-frontend-push:
        # bcrypt hash: `echo -n 'password123' | htpasswd -BinC 10 "" | cut -d: -f2 | tr -d '\n'; echo`
        passwordHash: "$2y$10$gQvak.0k9BBUeH/je7n.y.cyNFc3YKyDti3L6DuZpy75drzb2wWK2"
        projects:
          - name: "project-1"
            subPath: "frontend/*"
            access: FULL
          - name: "project-1"
            subPath: "frontend/*/*"
            access: FULL
      # User: user-frontend-pull
      # Access Level: pull
      # Access to registries:
      # - payload-registry.${PUBLIC_DOMAIN}/project-1/frontend/*:tag
      # - payload-registry.${PUBLIC_DOMAIN}/project-1/frontend/*/*:tag
      # Examples:
      # - payload-registry.${PUBLIC_DOMAIN}/project-1/frontend/image:latest
      # - payload-registry.${PUBLIC_DOMAIN}/project-1/frontend/firstapp/image:latest
      user-frontend-pull:
        # bcrypt hash: `echo -n 'password123' | htpasswd -BinC 10 "" | cut -d: -f2 | tr -d '\n'; echo`
        passwordHash: "$2y$10$gQvak.0k9BBUeH/je7n.y.cyNFc3YKyDti3L6DuZpy75drzb2wWK2"
        projects:
          - name: "project-1"
            subPath: "frontend/*"
            access: READ
          - name: "project-1"
            subPath: "frontend/*/*"
            access: READ
      # User: user-backend-push
      # Access Level: push and pull
      # Access to registries:
      # - payload-registry.${PUBLIC_DOMAIN}/project-2/backend/*:tag
      # - payload-registry.${PUBLIC_DOMAIN}/project-2/backend/*/*:tag
      # Examples:
      # - payload-registry.${PUBLIC_DOMAIN}/project-2/backend/image:latest
      # - payload-registry.${PUBLIC_DOMAIN}/project-2/backend/firstapp/image:latest
      user-backend-push:
        # bcrypt hash: `echo -n 'password123' | htpasswd -BinC 10 "" | cut -d: -f2 | tr -d '\n'; echo`
        passwordHash: "$2y$10$gQvak.0k9BBUeH/je7n.y.cyNFc3YKyDti3L6DuZpy75drzb2wWK2"
        projects:
          - name: "project-2"
            subPath: "backend/*"
            access: FULL
          - name: "project-2"
            subPath: "backend/*/*"
            access: FULL
      # User: user-backend-pull
      # Access Level: pull
      # Access to registries:
      # - payload-registry.${PUBLIC_DOMAIN}/project-2/backend/*:tag
      # - payload-registry.${PUBLIC_DOMAIN}/project-2/backend/*/*:tag
      # Examples:
      # - payload-registry.${PUBLIC_DOMAIN}/project-2/backend/image:latest
      # - payload-registry.${PUBLIC_DOMAIN}/project-2/backend/firstapp/image:latest
      user-backend-pull:
        # bcrypt hash: `echo -n 'password123' | htpasswd -BinC 10 "" | cut -d: -f2 | tr -d '\n'; echo`
        passwordHash: "$2y$10$gQvak.0k9BBUeH/je7n.y.cyNFc3YKyDti3L6DuZpy75drzb2wWK2"
        projects:
          - name: "project-2"
            subPath: "backend/*"
            access: READ
          - name: "project-2"
            subPath: "backend/*/*"
            access: READ
      # User: user-admin
      # Access Level: push and pull
      # Access to registries:
      # - payload-registry.${PUBLIC_DOMAIN}/project-1/*:tag
      # - payload-registry.${PUBLIC_DOMAIN}/project-1/*/*:tag
      # - payload-registry.${PUBLIC_DOMAIN}/project-2/*:tag
      # - payload-registry.${PUBLIC_DOMAIN}/project-2/*/*:tag
      # Examples:
      # - payload-registry.${PUBLIC_DOMAIN}/project-1/frontend/image:latest
      # - payload-registry.${PUBLIC_DOMAIN}/project-1/frontend/firstapp/image:latest
      # - payload-registry.${PUBLIC_DOMAIN}/project-2/backend/image:latest
      # - payload-registry.${PUBLIC_DOMAIN}/project-2/backend/firstapp/image:latest
      user-admin:
        # bcrypt hash: `echo -n 'password123' | htpasswd -BinC 10 "" | cut -d: -f2 | tr -d '\n'; echo`
        passwordHash: "$2y$10$gQvak.0k9BBUeH/je7n.y.cyNFc3YKyDti3L6DuZpy75drzb2wWK2"
        projects:
          - name: "project-1"
            subPath: "*"
            access: FULL
          - name: "project-1"
            subPath: "*/*"
            access: FULL
          - name: "project-2"
            subPath: "*"
            access: FULL
          - name: "project-2"
            subPath: "*/*"
            access: FULL
      # User: user-ro-admin
      # Access Level: pull
      # Access to registries:
      # - payload-registry.${PUBLIC_DOMAIN}/project-1/*:tag
      # - payload-registry.${PUBLIC_DOMAIN}/project-1/*/*:tag
      # - payload-registry.${PUBLIC_DOMAIN}/project-2/*:tag
      # - payload-registry.${PUBLIC_DOMAIN}/project-2/*/*:tag
      # Examples:
      # - payload-registry.${PUBLIC_DOMAIN}/project-1/frontend/image:latest
      # - payload-registry.${PUBLIC_DOMAIN}/project-1/frontend/firstapp/image:latest
      # - payload-registry.${PUBLIC_DOMAIN}/project-2/backend/image:latest
      # - payload-registry.${PUBLIC_DOMAIN}/project-2/backend/firstapp/image:latest
      user-ro-admin:
        # bcrypt hash: `echo -n 'password123' | htpasswd -BinC 10 "" | cut -d: -f2 | tr -d '\n'; echo`
        passwordHash: "$2y$10$gQvak.0k9BBUeH/je7n.y.cyNFc3YKyDti3L6DuZpy75drzb2wWK2"
        projects:
          - name: "project-1"
            subPath: "*"
            access: READ
          - name: "project-1"
            subPath: "*/*"
            access: READ
          - name: "project-2"
            subPath: "*"
            access: READ
          - name: "project-2"
            subPath: "*/*"
            access: READ

GC configuration example
During the GC operation, the registry transitions to “read-only” mode. In this state, push operations are unavailable, while pull operations continue to work.
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: payload-registry
spec:
  version: 1
  enabled: true
  settings:
    users: {}
    gc:
      enabled: true
      # Every Monday at 20:00
      # https://crontab.guru/#0_20_*_*_1
      schedule: "0 20 * * 1"

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: payload-registry
spec:
  version: 1
  enabled: true
  settings:
    users: {}
    gc:
      enabled: true
      # Every day at 03:05
      # https://crontab.guru/#5_3_*_*_*
      schedule: "5 3 * * *"
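
A pre-apply check for the static user configuration shown earlier on this page, where every user carries the same sample `passwordHash`. This is an added example, not Deckhouse code; `lint_users`, `MIN_COST` and the `ci-push` and `legacy` entries are assumptions made for illustration.

```python
# Added example (not Deckhouse code): lint the `users` map of a payload-registry
# ModuleConfig before applying it. MIN_COST is an assumed local policy value.
import re
from collections import defaultdict

# Sample hash published in the static user configuration on this page.
DOC_SAMPLE_HASH = "$2y$10$gQvak.0k9BBUeH/je7n.y.cyNFc3YKyDti3L6DuZpy75drzb2wWK2"
MIN_COST = 10  # assumption: lowest bcrypt cost accepted by local policy
BCRYPT_RE = re.compile(r"\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}")


def lint_users(users):
    """Return sorted (user, finding) pairs for a dict shaped like settings.users."""
    findings = []
    by_hash = defaultdict(list)
    for user, cfg in users.items():
        pw_hash = cfg.get("passwordHash", "")
        match = BCRYPT_RE.fullmatch(pw_hash)
        if match is None:
            findings.append((user, "not a bcrypt hash"))
            continue
        if int(match.group(1)) < MIN_COST:
            findings.append((user, "bcrypt cost below policy"))
        if pw_hash == DOC_SAMPLE_HASH:
            findings.append((user, "documentation sample hash"))
        by_hash[pw_hash].append(user)
    # Identical hashes mean identical salt and password, i.e. a copied credential.
    for shared in by_hash.values():
        if len(shared) > 1:
            findings.extend((user, "hash shared with another user") for user in shared)
    return sorted(findings)


# Constructed input: two users copied from the page, two with placeholder hashes.
SAMPLE_USERS = {
    "user-catalog": {"passwordHash": DOC_SAMPLE_HASH, "projects": []},
    "user-admin": {"passwordHash": DOC_SAMPLE_HASH, "projects": []},
    "ci-push": {"passwordHash": "$2y$12$" + "A" * 53, "projects": []},
    "legacy": {"passwordHash": "$2y$04$" + "B" * 53, "projects": []},
}

if __name__ == "__main__":
    for user, finding in lint_users(SAMPLE_USERS):
        print(f"{user}: {finding}")
```

Feed it the parsed `spec.settings.users` mapping from the manifest; an empty result means no user still carries the sample hash, a shared hash, or a cost below the chosen threshold.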