niedziela, 19 stycznia 2020

Traefik v2 - private docker repository

It's time to migrate from Traefik v1 to Traefik v2.

Sample project based on a docker-compose service definition: private docker registry.

Quick setup
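# Download first and read the script before running it: with no scheme in the URL,
# curl fetches it over plain HTTP, so the content is neither encrypted nor authenticated.
curl -sf automatus.cf/private-registry -o private-registry.sh
less private-registry.sh
bash private-registry.sh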

Or step by step.

  • Install docker & docker-compose
  • Create required directories
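    # Project root; auth/ will hold the htpasswd file, default/ the nginx catch-all config.
    mkdir registry
    cd registry
    # Plain arguments instead of {auth,default}: brace expansion is not POSIX sh,
    # where it would create one directory literally named "{auth,default}".
    mkdir auth default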
    
  • Create docker-compose.yml file:
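    version: '3'

    services:
      # Reverse proxy: terminates TLS, obtains Let's Encrypt certificates and
      # enforces basic auth in front of the registry.
      gateway:
        image: traefik:2.1
        restart: always
        command:
          - "--providers.docker"
          # Only containers labelled traefik.enable=true are published.
          - "--providers.docker.exposedbydefault=false"
          - "--entrypoints.http.address=:80"
          - "--entrypoints.https.address=:443"
          - "--certificatesResolvers.le.acme.httpchallenge=true"
          - "--certificatesResolvers.le.acme.httpchallenge.entryPoint=http"
          - "--certificatesResolvers.le.acme.storage=/acme/acme.json"
          # Dashboard/API without authentication on :8080; leave disabled
          # outside local debugging.
          # - "--api.insecure=true"
          # Let's Encrypt staging CA, useful while testing the setup.
          # - "--certificatesResolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory"
        ports:
          # Quoted so the values are always read as strings.
          - "80:80"
          - "443:443"
          # API/dashboard port, only needed together with --api.insecure above.
          # - "8080:8080"
        volumes:
          # Read-only bind mount. This does not restrict the Docker API itself:
          # whatever can talk to this socket effectively controls the Docker
          # daemon, so treat the gateway container as highly privileged.
          - /var/run/docker.sock:/var/run/docker.sock:ro
          # Holds acme.json, which contains the ACME account and certificate
          # private keys.
          - acme:/acme
          # Traefik only reads the htpasswd file.
          - ./auth:/auth:ro

      registry:
        restart: always
        image: registry:2
        environment:
          # Placeholder: replace with a long random value and keep the real
          # one out of version control.
          REGISTRY_HTTP_SECRET: change-me
        labels:
          - "traefik.enable=true"
          # Replace hostname-change-me with the public DNS name of the registry.
          - "traefik.http.routers.http.rule=Host(`hostname-change-me`)"
          - "traefik.http.routers.http.entrypoints=http"
          - "traefik.http.routers.https.rule=Host(`hostname-change-me`)"
          - "traefik.http.routers.https.entrypoints=https"
          - "traefik.http.routers.https.tls=true"
          - "traefik.http.routers.https.tls.certresolver=le"
          - "traefik.http.middlewares.server-header.headers.customresponseheaders.server=docker-registry"
          - "traefik.http.middlewares.redirect.redirectscheme.scheme=https"
          - "traefik.http.middlewares.auth.basicauth.usersFile=/auth/passwd"
          - "traefik.http.middlewares.auth.basicauth.realm=REGISTRY"
          # Plain HTTP is only redirected to HTTPS; basic auth is applied on
          # the HTTPS router, so credentials are not requested over clear text.
          - "traefik.http.routers.http.middlewares=redirect,server-header"
          - "traefik.http.routers.https.middlewares=server-header,auth"
        volumes:
          - registry:/var/lib/registry

      # Catch-all default vhost
      default:
        image: nginx:stable
        restart: always
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.default.rule=HostRegexp(`{default:.*}`)"
          - "traefik.http.routers.default.entrypoints=http"
          # Lowest priority, so the Host() routers above win when they match.
          - "traefik.http.routers.default.priority=1"
          - "traefik.http.routers.default.middlewares=server-header"
        volumes:
          - ./default/default.conf:/etc/nginx/conf.d/default.conf:ro

    volumes:
      acme:
      registry:

    # vim: set tabstop=2 shiftwidth=2 expandtab autoindent indentexpr= nosmartindent :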
    
  • Create default/default.conf file:
    # Catch-all vhost: every request reaching port 80 gets an empty 204 response.
    server {
        listen 80 default_server;
        return 204;
    }
    
  • Create user and password for registry access:
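    # Prompts for the password and writes a bcrypt (-B) entry to auth/passwd.
    # -c creates (or overwrites) the file itself, so no shell redirection is needed.
    htpasswd -cB auth/passwd username
    # or, without a local htpasswd binary: bind-mount auth/ so the container writes
    # the file directly (redirecting a -t session would also capture the prompt text)
    docker run --rm -it -v "$PWD/auth:/auth" httpd:alpine htpasswd -cB /auth/passwd username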
    
  • Start project
    # Create and start all services in the background.
    docker-compose up --detach
    