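---
# Private container registry (distribution v2) for the cluster, published
# through Traefik at registry.apps.mngoma.lab.
#
# Trust model: the registry process has no authentication of its own in this
# manifest; access control is enforced only by the Traefik basicAuth
# middleware on the ingress routes. Anything that can reach the
# `registry-server` Service from inside the cluster bypasses that check, so
# pair this with a NetworkPolicy (or registry-native auth) if in-cluster
# workloads are not all trusted to push and delete images.
apiVersion: v1
kind: Namespace
metadata:
  name: registry
---
# Node-local storage for registry blobs, pinned to the node named "lead".
# PersistentVolumes are cluster-scoped, so metadata.namespace is omitted
# (the original set it, which has no effect and misleads readers).
apiVersion: v1
kind: PersistentVolume
metadata:
  name: registry-pv
spec:
  capacity:
    storage: 20Gi
  accessModes:
    - ReadWriteOnce
  storageClassName: local-pvs
  local:
    path: /home/ansible/k3s/makhiwane/registry
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/hostname
              operator: In
              values:
                - lead
  # Retain keeps image data on disk if the claim is deleted.
  persistentVolumeReclaimPolicy: Retain
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: registry-pvc
  namespace: registry
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: local-pvs
  resources:
    requests:
      storage: 20Gi
---
# NOTE(review): base64 under `data:` is an encoding, not encryption. This
# value is readable by anyone with access to the manifest or its history.
# Treat it as disclosed: rotate it and supply the replacement out of band
# (sealed/encrypted secret or an external secret store) rather than in VCS.
apiVersion: v1
kind: Secret
metadata:
  name: registry-http-secret
  namespace: registry
type: Opaque
data:
  http-secret: ZDlmOTNjOGEyMmQ2NDMyZWE4YTMwYTBkNDc5ZjBhMWY=
---
# htpasswd-format user list consumed by the Traefik basicAuth middleware.
# NOTE(review): the committed value decodes to an apr1 entry whose hash
# field is empty, so it looks like a placeholder rather than a usable
# credential - confirm and replace it with a properly generated entry,
# delivered out of band like the secret above. Prefer bcrypt over apr1
# (MD5-based) when generating it.
apiVersion: v1
kind: Secret
metadata:
  name: registry-basic-auth
  namespace: registry
type: Opaque
data:
  users: YXBwX3VzZXI6JGFwcjEkMTIzNDUk
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: registry
  namespace: registry
spec:
  # Single replica: the backing volume is ReadWriteOnce on one node.
  replicas: 1
  selector:
    matchLabels:
      app: registry
  template:
    metadata:
      labels:
        app: registry
    spec:
      containers:
        - name: registry
          # Tag-pinned only; pin by digest as well if image provenance
          # matters for this cluster.
          image: registry:2.8.2
          securityContext:
            # The registry needs no setuid/privilege gain at runtime.
            allowPrivilegeEscalation: false
          ports:
            - containerPort: 5000
              name: http
          env:
            # Enables blob/manifest deletion through the API. Every route
            # that reaches this pod must therefore be authenticated.
            - name: REGISTRY_STORAGE_DELETE_ENABLED
              value: "true"
            - name: REGISTRY_HTTP_SECRET
              valueFrom:
                secretKeyRef:
                  name: registry-http-secret
                  key: http-secret
            # CORS for the browser UI. Origins are an explicit allow-list,
            # which is required because credentials are allowed below;
            # never widen this to a wildcard.
            - name: REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin
              value: '["https://registry-ui.apps.mngoma.lab","https://registry.apps.mngoma.lab"]'
            - name: REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods
              value: '["HEAD","GET","OPTIONS","DELETE","PUT","POST"]'
            - name: REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials
              value: '["true"]'
            - name: REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers
              value: '["Authorization","Accept","Cache-Control","Content-Type","X-Requested-With"]'
            - name: REGISTRY_HTTP_HEADERS_Access-Control-Expose-Headers
              value: '["Docker-Content-Digest"]'
          volumeMounts:
            - name: registry-data
              mountPath: /var/lib/registry
          resources:
            requests:
              memory: "256Mi"
              cpu: "250m"
            limits:
              memory: "512Mi"
              cpu: "500m"
      volumes:
        - name: registry-data
          persistentVolumeClaim:
            claimName: registry-pvc
---
# ClusterIP only: external access goes through the Traefik routes below.
apiVersion: v1
kind: Service
metadata:
  name: registry-server
  namespace: registry
spec:
  selector:
    app: registry
  ports:
    - name: http
      port: 5000
      targetPort: 5000
  type: ClusterIP
---
# HTTPS route: TLS terminated by Traefik, basic auth enforced before the
# request is forwarded to the registry.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: registry-server-ingress
  namespace: registry
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`registry.apps.mngoma.lab`)
      kind: Rule
      middlewares:
        - name: registry-basic-auth
      services:
        - name: registry-server
          port: 5000
  tls: {}
---
# Plain-HTTP route. The original forwarded straight to the registry with no
# middleware, which exposed push/pull/delete without authentication and in
# cleartext. It now only redirects to HTTPS, where basic auth applies.
# Attaching basic auth here instead would send credentials unencrypted.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: registry-server-insecure
  namespace: registry
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`registry.apps.mngoma.lab`)
      kind: Rule
      middlewares:
        - name: registry-redirect-https
      services:
        - name: registry-server
          port: 5000
---
# API group aligned with the IngressRoutes above (traefik.io); the original
# used the legacy traefik.containo.us group, which newer Traefik releases
# no longer serve.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: registry-basic-auth
  namespace: registry
spec:
  basicAuth:
    secret: registry-basic-auth
    # Strip the Authorization header after validation so the ingress
    # credential is not forwarded to the backend.
    removeHeader: true
---
# Upgrades any request arriving on the `web` entry point to HTTPS.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: registry-redirect-https
  namespace: registry
spec:
  redirectScheme:
    scheme: https
    permanent: true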