viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

use registry.viktorbarzin.me hostname for private images + protect ingress

Browse source 
- Switch priority-pass images from 10.0.20.10:5050 to registry.viktorbarzin.me
- Add containerd hosts.toml for registry.viktorbarzin.me on all nodes + template
  (redirects to 10.0.20.10:5050 LAN direct, avoids Traefik round-trip)
- Enable Authentik protection on priority-pass ingress
This commit is contained in:
Viktor Barzin 2026-03-23 01:02:27 +02:00
parent e9919d8fc9
commit 1f4e8cb278
2 changed files with 8 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

6
stacks/infra/main.tf
View file

@ -75,9 +75,13 @@ module "k8s-node-template" {
mkdir -p /etc/containerd/certs.d/ghcr.io mkdir -p /etc/containerd/certs.d/ghcr.io
printf 'server = "https://ghcr.io"\n\n[host."http://10.0.20.10:5010"]\n capabilities = ["pull", "resolve"]\n' > /etc/containerd/certs.d/ghcr.io/hosts.toml printf 'server = "https://ghcr.io"\n\n[host."http://10.0.20.10:5010"]\n capabilities = ["pull", "resolve"]\n' > /etc/containerd/certs.d/ghcr.io/hosts.toml
# Create hosts.toml for private registry (10.0.20.10:5050) skip TLS verify (IP-based, wildcard cert) # Create hosts.toml for private registry both IP and hostname entries
# IP-based (10.0.20.10:5050): direct access, skip TLS verify (wildcard cert, no IP SAN)
mkdir -p /etc/containerd/certs.d/10.0.20.10:5050 mkdir -p /etc/containerd/certs.d/10.0.20.10:5050
printf 'server = "https://10.0.20.10:5050"\n\n[host."https://10.0.20.10:5050"]\n capabilities = ["pull", "resolve", "push"]\n skip_verify = true\n' > /etc/containerd/certs.d/10.0.20.10:5050/hosts.toml printf 'server = "https://10.0.20.10:5050"\n\n[host."https://10.0.20.10:5050"]\n capabilities = ["pull", "resolve", "push"]\n skip_verify = true\n' > /etc/containerd/certs.d/10.0.20.10:5050/hosts.toml
# Hostname-based (registry.viktorbarzin.me): redirects to LAN IP to avoid Traefik round-trip
mkdir -p /etc/containerd/certs.d/registry.viktorbarzin.me
printf 'server = "https://registry.viktorbarzin.me"\n\n[host."https://10.0.20.10:5050"]\n capabilities = ["pull", "resolve", "push"]\n skip_verify = true\n' > /etc/containerd/certs.d/registry.viktorbarzin.me/hosts.toml
# Low-traffic registries (registry.k8s.io, quay.io, reg.kyverno.io) pull directly. # Low-traffic registries (registry.k8s.io, quay.io, reg.kyverno.io) pull directly.
# Pull-through cache removed: caused corrupted images (truncated downloads) # Pull-through cache removed: caused corrupted images (truncated downloads)

6
stacks/priority-pass/main.tf
View file

@ -47,7 +47,7 @@ resource "kubernetes_deployment" "priority-pass" {
} }
container { container {
name = "frontend" name = "frontend"
image = "10.0.20.10:5050/priority-pass-frontend:v4" image = "registry.viktorbarzin.me/priority-pass-frontend:v4"
port { port {
container_port = 3000 container_port = 3000
} }
@ -71,7 +71,7 @@ resource "kubernetes_deployment" "priority-pass" {
} }
container { container {
name = "backend" name = "backend"
image = "10.0.20.10:5050/priority-pass-backend:v1" image = "registry.viktorbarzin.me/priority-pass-backend:v1"
port { port {
container_port = 8000 container_port = 8000
} }
@ -118,6 +118,6 @@ module "ingress" {
namespace = "priority-pass" namespace = "priority-pass"
name = "priority-pass" name = "priority-pass"
tls_secret_name = var.tls_secret_name tls_secret_name = var.tls_secret_name
protected = false protected = true
max_body_size = "10m" max_body_size = "10m"
} }