Add registry-convoy template to build registry using Convoy pools (#143)

templates/registry-convoy/0/docker-compose.yml

@@ -0,0 +1,111 @@
+db:
+  image: mysql:5.7.10
+  environment:
+    MYSQL_DATABASE: portus
+    MYSQL_ROOT_PASSWORD: ${ROOTPASSWORD}
+    MYSQL_USER: portus
+    MYSQL_PASSWORD: ${DBPASSWORD}
+  tty: true
+  stdin_open: true
+  volume_driver: ${DRIVER}
+  volumes:
+  - ${PFX}-db:/var/lib/mysql
+  labels:
+    registry.portus.db: 1
+sslproxy:
+  image: nginx:1.9.9
+  tty: true
+  stdin_open: true
+  links:
+  - portus:portus
+  volume_driver: ${DRIVER}
+  volumes:
+  - ${PFX}-certs:/etc/nginx/certs:ro
+  - ${PFX}-proxy:/etc/nginx/conf.d:ro
+  labels:
+    io.rancher.scheduler.affinity:container_label_soft: registry.portus.db=1
+registry:
+  image: registry:2.3.1
+  environment:
+    REGISTRY_LOG_LEVEL: warn
+    REGISTRY_STORAGE_DELETE_ENABLED: true
+    REGISTRY_AUTH: token
+    REGISTRY_AUTH_TOKEN_REALM: https://${DOMAIN}:${PPORT}/v2/token
+    REGISTRY_AUTH_TOKEN_SERVICE: ${DOMAIN}:${RPORT}
+    REGISTRY_AUTH_TOKEN_ISSUER: ${DOMAIN}
+    REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: /certs/registry.crt
+    REGISTRY_HTTP_TLS_CERTIFICATE: /certs/registry.crt
+    REGISTRY_HTTP_TLS_KEY: /certs/registry.key
+    REGISTRY_HTTP_SECRET: httpsecret
+    REGISTRY_NOTIFICATIONS_ENDPOINTS: >
+      - name: portus
+        url: http://portus:3000/v2/webhooks/events
+        timeout: 500
+        threshold: 5
+        backoff: 1
+  tty: true
+  stdin_open: true
+  links:
+  - portus:portus
+  volume_driver: ${DRIVER}
+  volumes:
+  - ${PFX}-certs:/certs
+  - ${PFX}-data:/var/lib/registry
+lb:
+  image: rancher/load-balancer-service
+  tty: true
+  stdin_open: true
+  ports:
+  - ${RPORT}:5000/tcp
+  - ${PPORT}:443/tcp
+  labels:
+    io.rancher.loadbalancer.target.sslproxy: ${PPORT}=443
+    io.rancher.loadbalancer.target.registry: ${RPORT}=5000
+    io.rancher.scheduler.global: 'true'
+    io.rancher.scheduler.affinity:not_host_label: lb=0
+    io.rancher.scheduler.affinity:not_host_label: registry.enabled=false
+  links:
+  - registry:registry
+  - sslproxy:sslproxy
+portus:
+  image: sshipway/portus:2.0.5
+  environment: 
+    PORTUS_MACHINE_FQDN: ${DOMAIN}
+    PORTUS_PRODUCTION_HOST: db
+    PORTUS_PRODUCTION_DATABASE: portus
+    PORTUS_PRODUCTION_USERNAME: portus
+    PORTUS_PRODUCTION_PASSWORD: ${DBPASSWORD}
+    PORTUS_GRAVATAR_ENABLED: true
+    PORTUS_KEY_PATH: /certs/registry.key
+    PORTUS_PASSWORD: ${DBPASSWORD}
+    PORTUS_SECRET_KEY_BASE: ${ROOTPASSWORD}
+    PORTUS_CHECK_SSL_USAGE_ENABLED: true
+    PORTUS_SMTP_ENABLED: false
+    PORTUS_LDAP_ENABLED: ${LDAP}
+    PORTUS_LDAP_HOSTNAME: ${LDAPHOST}
+    PORTUS_LDAP_PORT: ${LDAPPORT}
+    PORTUS_LDAP_METHOD: ${LDAPTLS}
+    PORTUS_LDAP_BASE: ${LDAPBASE}
+    PORTUS_LDAP_UID: cn
+    PORTUS_LDAP_AUTHENTICATION_ENABLED: ${LDAPBIND}
+    PORTUS_LDAP_AUTHENTICATION_BIND_DN: ${LDAPBINDDN}
+    PORTUS_LDAP_AUTHENTICATION_PASSWORD: ${LDAPBINDPASS}
+    PORTUS_LDAP_GUESS_EMAIL_ENABLED: true
+    PORTUS_LDAP_GUESS_EMAIL_ATTR: mail
+    PORTUS_PORT: ${PPORT}
+    REGISTRY_SSL_ENABLED: true
+    REGISTRY_HOSTNAME: ${DOMAIN}
+    REGISTRY_PORT: ${RPORT}
+    REGISTRY_NAME: Registry
+  tty: true
+  stdin_open: true
+  volume_driver: ${DRIVER}
+  volumes:
+  - ${PFX}-certs:/certs
+  - ${PFX}-proxy:/etc/nginx/conf.d
+  links:
+  - db:db
+  labels:
+    io.rancher.container.pull_image: always
+    io.rancher.scheduler.affinity:container_label_soft: registry.portus.db=1
+    registry.portus.app: 1

templates/registry-convoy/0/rancher-compose.yml

@@ -0,0 +1,116 @@
+.catalog:
+  name: "Registry"
+  version: "v2.3.1-3.1"
+  description: "Docker Registry"
+  uuid: registry-3
+  questions: 
+    - variable: "RPORT"
+      label: "Registry Port"
+      description: "Port on which to run the registry service"
+      default: 5000
+      required: true
+      type: "int"
+    - variable: "PPORT"
+      label: "Admin Port"
+      description: "Port on which to run the SSL Portus administration service and API"
+      default: 443
+      required: true
+      type: "int"
+    - variable: "DBPASSWORD"
+      label: "DB Password"
+      description: "Password for Portus database access, must be 8 characters or longer"
+      required: true
+      default: password
+      type: "password"
+    - variable: "ROOTPASSWORD"
+      label: "DB Root Password"
+      description: "Root Password for MySQL database, must be 8 characters or longer.  This is not normally used."
+      required: true
+      default: password
+      type: "password"
+    - variable: "DRIVER"
+      label: "Storage Pool"
+      description: "Convoy storage pool name"
+      required: true
+      type: "string"
+      default: "convoy"
+    - variable: "PFX"
+      label: "Convoy volume prefix"
+      description: "Prefix to use for all Convoy storage pool volumes"
+      required: true
+      type: "string"
+      default: "registry"
+    - variable: "DOMAIN"
+      label: "FQDN"
+      description: "FQDN of server.  This should be the CN in the certificates and will be the URL to contact the Registry and Web interface"
+      required: true
+      type: "string"
+    - variable: "LDAP"
+      label: "LDAP Enabled"
+      description: "Enable LDAP authentication"
+      required: true
+      default: false
+      type: "boolean"
+    - variable: "LDAPHOST"
+      label: "LDAP Server"
+      description: "The FQDN of the LDAP server (if LDAP authentication is being used)"
+      required: false
+      default: "ldap.company.com"
+      type: "string"
+    - variable: "LDAPPORT"
+      label: "LDAP Server port"
+      description: "The port number on the LDAP server (if LDAP authentication is being used)"
+      required: false
+      default: 389
+      type: "int"
+    - variable: "LDAPTLS"
+      label: "LDAP TLS"
+      description: "The TLS option for the LDAP server (if LDAP authentication is being used)"
+      required: false
+      default: "starttls"
+      type: "enum"
+      options:
+        - starttls
+        - simple_tls
+        - plain
+    - variable: "LDAPBASE"
+      label: "LDAP Base DN"
+      description: "The Base DN for User lookups on the LDAP server (if LDAP authentication is being used)"
+      required: false
+      default: "ou=People,dc=company,dc=com"
+      type: "string"
+    - variable: "LDAPBIND"
+      label: "LDAP Bind enabled"
+      description: "Should an authenticated Bind be used to access LDAP (if LDAP authentication is being used)"
+      required: false
+      default: false
+      type: "boolean"
+    - variable: "LDAPBINDDN"
+      label: "LDAP Bind DN"
+      description: "The DN to use for binding to the LDAP server (if LDAP authentication is being used with Bind enabled)"
+      required: false
+      default: "ou=portus,dc=company,dc=com"
+      type: "string"
+    - variable: "LDAPBINDPASS"
+      label: "LDAP Bind Password"
+      description: "The password to use for binding to the LDAP server (if LDAP authentication is being used with Bind enabled)"
+      required: false
+      default: "password"
+      type: "password"
+db:
+  scale: 1
+sslproxy:
+  scale: 1
+lb:
+  load_balancer_config:
+    haproxy_config: {}
+  health_check:
+    port: 42
+    interval: 2000
+    unhealthy_threshold: 3
+    healthy_threshold: 2
+    response_timeout: 2000
+registry:
+  scale: 1
+portus:
+  scale: 1

templates/registry-convoy/README.md

@@ -0,0 +1,77 @@
+# Registry
+
+This catalogue item consists of a Registry, and the Portus web UI for 
+authentication.  There is also a MySQL database for storage, and a nginx
+proxy to provide SSL for the web frontend.
+
+This version mounts volumes from Convoy rather than using shared mounts.
+A common prefix is expected for the volumes to be created.
+
+If no certificates are provided in the /certs directory, then the system 
+will generate self-signed SSL certificates to use.
+
+Note that the containers will take a significant amount of time to initialse after 
+they are started.  You may need to wait 15 minutes for the Portus instance
+to finally spot the registry instance and perform its first synchronisation,
+after which the web interface will come online.
+
+## Backing Store
+
+A set of Convoy volues are used to host the Registry, and also the 
+MySQL database, as well as the certificates under certs/server.crt
+and certs/server.key; if no certificate is present, then a self-signed
+certificate will be created (valid for one year only) that can later be 
+replaced.
+
+## LDAP Authentication
+
+If you enable LDAP authentication, then this will be used for both the
+Web interface and for Registry authentication.  The LDAP configuration
+may optionally have authenticated Bind credentials, and TLS options.
+
+## Security
+
+All connections are protected by SSL.  A self-signed certificate is
+automatically generated as certs/server.crt and certs/server.key in 
+the persistent shared storage; this can be replaced if necessary.
+
+The certificate is used for registry access, for web admin access,
+and for signing API access keys.
+
+Registry access is controlled by the same user access as the web interface;
+so if you link to LDAP then this will also lock the Registry access.
+
+If not using LDAP, then the 'portus' use password is the Database Password
+as defined in the template options.
+
+## Access
+
+The template will create a Load Balancer for access to the Registry and
+to the Web Admin interface.  This will run on all Hosts without the label 
+LB=0, listening on the defined ports.
+
+To access the web UI, use https on the hostname and port you configured.
+
+To upload to the repository, use an SSL connection to the hostname and
+registry port you configured.
+
+## Administration
+
+The first user to log in to the web interface will be granted Admin
+privileges.
+
+## Synchronisation with Registry
+
+The Web interface will be initially configured to use the incorporated 
+registry.  A periodic synchronisation task and the upload webhook will
+ensure they are in synch.  If, for some reason, your registry already 
+has items (for example, if you are recreating the stack on preexisting
+shared storage) then it may take up to 5min for the Portus Web UI to 
+synchronise the registry content to its database.
+
+## Feedback
+
+This is a complex setup, and uses a custom build of the Portus container,
+which is not yet available as an official release.  You may need to
+customise this heavily for your own site.  Any feedback can
+be logged against https://github.com/sshipway/Portus

templates/registry-convoy/config.yml

@@ -0,0 +1,7 @@
+name: Registry-Convoy
+description: |
+  Secure Docker registry using Convoy.  Web based administration.  Optional LDAP authentication.
+version: v2.3.1-3.1
+category: Applications
+maintainer: Steve Shipway <s.shipway@auckland.ac.nz>
+