add htpasswd auth to private docker registry + expose at registry.viktorbarzin.me

- Add auth.htpasswd section to config-private.yml - Mount htpasswd file in registry-private container, fix healthcheck for 401 - Rename registry UI from registry.viktorbarzin.me → docker.viktorbarzin.me - Add Docker CLI ingress at registry.viktorbarzin.me (HTTPS backend, no rate-limit, unlimited body) - Add docker to cloudflare_proxied_names (registry stays non-proxied) - Add Kyverno ClusterPolicy to sync registry-credentials secret to all namespaces - Update infra provisioning to install apache2-utils and generate htpasswd from Vault
2026-03-22 22:10:10 +02:00 · 2026-03-22 22:10:10 +02:00 · 36171bcda4
commit 36171bcda4
parent e4f478b490
6 changed files with 123 additions and 5 deletions
--- a/stacks/kyverno/modules/kyverno/registry-credentials.tf
+++ b/stacks/kyverno/modules/kyverno/registry-credentials.tf
@ -0,0 +1,83 @@
+
+# =============================================================================
+# Private Docker Registry Credentials — Auto-sync to all namespaces
+# =============================================================================
+# Source secret in kyverno namespace, cloned by ClusterPolicy into every NS.
+# Pods use imagePullSecrets: [{name: registry-credentials}] to pull from
+# registry.viktorbarzin.me (or 10.0.20.10:5050 internally).
+
+data "vault_kv_secret_v2" "viktor" {
+  mount = "secret"
+  name  = "viktor"
+}
+
+resource "kubernetes_secret" "registry_credentials" {
+  metadata {
+    name      = "registry-credentials"
+    namespace = kubernetes_namespace.kyverno.metadata[0].name
+  }
+  type = "kubernetes.io/dockerconfigjson"
+  data = {
+    ".dockerconfigjson" = jsonencode({
+      auths = {
+        "registry.viktorbarzin.me" = {
+          auth = base64encode("${data.vault_kv_secret_v2.viktor.data["registry_user"]}:${data.vault_kv_secret_v2.viktor.data["registry_password"]}")
+        }
+        "10.0.20.10:5050" = {
+          auth = base64encode("${data.vault_kv_secret_v2.viktor.data["registry_user"]}:${data.vault_kv_secret_v2.viktor.data["registry_password"]}")
+        }
+      }
+    })
+  }
+}
+
+resource "kubernetes_manifest" "sync_registry_credentials" {
+  manifest = {
+    apiVersion = "kyverno.io/v1"
+    kind       = "ClusterPolicy"
+    metadata = {
+      name = "sync-registry-credentials"
+    }
+    spec = {
+      rules = [
+        {
+          name = "sync-registry-secret"
+          match = {
+            any = [
+              {
+                resources = {
+                  kinds = ["Namespace"]
+                }
+              }
+            ]
+          }
+          exclude = {
+            any = [
+              {
+                resources = {
+                  namespaces = ["kube-system", "kube-public", "kube-node-lease"]
+                }
+              }
+            ]
+          }
+          generate = {
+            apiVersion  = "v1"
+            kind        = "Secret"
+            name        = "registry-credentials"
+            namespace   = "{{request.object.metadata.name}}"
+            synchronize = true
+            clone = {
+              namespace = "kyverno"
+              name      = "registry-credentials"
+            }
+          }
+        }
+      ]
+    }
+  }
+
+  depends_on = [
+    helm_release.kyverno,
+    kubernetes_secret.registry_credentials,
+  ]
+}