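---
# Single-Pod private image registry: the `registry` container serves the
# Docker/OCI registry API over TLS on 5000; the `nginx` sidecar fronts it on
# 443/4443 with basic-auth (.htpasswd) and the same certificate material.
apiVersion: v1
kind: Pod
metadata:
  name: registry-pod
  labels:
    app: registry
    security: hardened
spec:
  # Consider `automountServiceAccountToken: false` as well: neither container
  # talks to the Kubernetes API, so the token would only widen the blast radius.
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    # NOTE: fsGroup is not applied to hostPath volumes, so every host directory
    # below must already be readable (and, for data/logs, writable) by 1000:1000.
    fsGroup: 1000
    # Applies to every container unless a container overrides it.
    seccompProfile:
      type: RuntimeDefault
    # allowPrivilegeEscalation, capabilities and readOnlyRootFilesystem are
    # container-level fields and are rejected/pruned in PodSecurityContext;
    # they are set on each container below instead.
    sysctls:
      # nginx runs as UID 1000 with every capability dropped, so without this
      # it cannot bind 443 (no CAP_NET_BIND_SERVICE). This is a kubelet "safe"
      # sysctl (Kubernetes >= 1.22); 4443 is already unprivileged.
      - name: net.ipv4.ip_unprivileged_port_start
        value: "443"
      # The three forwarding sysctls are NOT in the kubelet's safe set: the
      # kubelet rejects the Pod (SysctlForbidden) unless they are listed in
      # --allowed-unsafe-sysctls, and Pod Security baseline/restricted forbid
      # them. Keep them only if that allowlist is in place.
      - name: net.ipv4.ip_forward
        value: "0"
      - name: net.ipv4.conf.all.forwarding
        value: "0"
      - name: net.ipv4.conf.default.forwarding
        value: "0"
  containers:
    - name: registry
      image: registry:2
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
        readOnlyRootFilesystem: true
      env:
        - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
          value: "/var/lib/registry"
        # Deletion disabled: pushed blobs/manifests cannot be removed via the API.
        - name: REGISTRY_STORAGE_DELETE_ENABLED
          value: "false"
        - name: REGISTRY_HTTP_ADDR
          value: "0.0.0.0:5000"
        # Setting these makes the registry listener TLS-only; probes below must
        # therefore use scheme HTTPS.
        - name: REGISTRY_HTTP_TLS_CERTIFICATE
          value: "/etc/registry/certs/registry.crt"
        - name: REGISTRY_HTTP_TLS_KEY
          value: "/etc/registry/certs/private/registry.key"
      resources:
        requests:
          cpu: "500m"
          memory: "512Mi"
        limits:
          cpu: "1000m"
          memory: "1Gi"
      volumeMounts:
        # Only writable path besides /tmp; must be owned by 1000:1000 on the host.
        - name: registry-data
          mountPath: /var/lib/registry
          readOnly: false
        - name: registry-certs
          mountPath: /etc/registry/certs
          readOnly: true
        # Shared in-memory tmpfs (same volume is mounted into nginx).
        - name: tmp-volume
          mountPath: /tmp
          readOnly: false
      ports:
        - containerPort: 5000
          protocol: TCP
      livenessProbe:
        httpGet:
          path: /v2/
          port: 5000
          # Listener is TLS (REGISTRY_HTTP_TLS_*); a plaintext probe gets a 400
          # and the container would be restarted in a loop.
          scheme: HTTPS
        initialDelaySeconds: 30
        periodSeconds: 10
      readinessProbe:
        httpGet:
          path: /v2/
          port: 5000
          scheme: HTTPS
        initialDelaySeconds: 5
        periodSeconds: 5
    - name: nginx
      image: nginx:alpine
      # NOTE(review): the stock image writes its pid file and temp/cache
      # directories under / (not writable here) and runs as root by default.
      # This assumes the mounted nginx.conf relocates pid and *_temp_path to a
      # writable mount (/tmp or /var/log/nginx) and defines /health — confirm
      # against the host file.
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
        readOnlyRootFilesystem: true
        # procMount: Default is the API default; kept explicit for readability.
        procMount: Default
        seccompProfile:
          type: RuntimeDefault
      ports:
        # 443 is privileged; see net.ipv4.ip_unprivileged_port_start above.
        - containerPort: 443
          protocol: TCP
        - containerPort: 4443
          protocol: TCP
      resources:
        requests:
          cpu: "250m"
          memory: "256Mi"
        limits:
          cpu: "500m"
          memory: "512Mi"
      volumeMounts:
        - name: nginx-config
          mountPath: /etc/nginx/nginx.conf
          subPath: nginx.conf
          readOnly: true
        # TLS cert and private key; read-only, same material as the registry.
        - name: registry-certs
          mountPath: /etc/registry/certs
          readOnly: true
        - name: registry-auth
          mountPath: /etc/nginx/.htpasswd
          subPath: .htpasswd
          readOnly: true
        # Writable hostPath; host directory must be writable by 1000:1000.
        - name: nginx-logs
          mountPath: /var/log/nginx
          readOnly: false
        - name: tmp-volume
          mountPath: /tmp
          readOnly: false
      livenessProbe:
        httpGet:
          path: /health
          port: 443
          scheme: HTTPS
        initialDelaySeconds: 30
        periodSeconds: 10
      readinessProbe:
        httpGet:
          path: /health
          port: 443
          scheme: HTTPS
        initialDelaySeconds: 5
        periodSeconds: 5
  # NOTE: hostPath volumes are forbidden by the Pod Security "baseline" level
  # and tie the Pod to one node; `type:` is set so a missing path fails fast
  # instead of being created.
  volumes:
    - name: registry-data
      hostPath:
        path: /var/lib/registry/data
        type: Directory
    - name: nginx-config
      hostPath:
        # APP_NAME is a placeholder substituted at deploy time.
        path: /opt/APP_NAME/registry/nginx.conf
        type: File
    - name: registry-certs
      hostPath:
        path: /etc/registry/certs
        type: Directory
    - name: registry-auth
      hostPath:
        path: /etc/registry/auth
        type: Directory
    - name: nginx-logs
      hostPath:
        path: /var/log/nginx
        type: Directory
    # RAM-backed; the 100Mi limit counts against each container's memory limit.
    - name: tmp-volume
      emptyDir:
        medium: Memory
        sizeLimit: "100Mi"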