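---
# Single-replica Deployment of the `registry:2` image in the `infra`
# namespace. Image data lives on the PVC `docker-registry-pvc`, mounted at
# /var/lib/registry.
#
# NOTE(review): no REGISTRY_AUTH_* or REGISTRY_HTTP_TLS_* settings and no
# config mount are visible in this manifest. Unless access is restricted
# elsewhere (NetworkPolicy, an authenticating proxy/ingress), any client that
# can reach port 5000 can presumably push and pull images — confirm.
# If registry auth is enabled later, unauthenticated GET /v2/ answers 401 and
# the httpGet probes below would start failing; switch them (e.g. to a
# tcpSocket probe) in the same change.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: docker-registry
  namespace: infra
  labels:
    app: docker-registry
spec:
  replicas: 1
  # Recreate so the old pod fully terminates before the new one starts —
  # avoids NFS-lock races on the hostPath-backed PVC during rolling updates.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: docker-registry
  template:
    metadata:
      labels:
        app: docker-registry
    spec:
      # Nothing in this pod calls the Kubernetes API, so do not hand the
      # containers a service-account token.
      automountServiceAccountToken: false
      initContainers:
        # Gate start-up on the NFS sentinel file: the PVC is mounted read-only
        # at /mnt and the pod refuses to start if /mnt/.nfs-sentinel is absent.
        # The check runs once at pod start only; a later unmount is left to
        # the liveness probe on the registry container.
        - name: nfs-check-registry
          # NOTE(review): `stable` is a mutable tag; pin to a reviewed digest
          # (busybox@sha256:<digest>) so the init image cannot change silently.
          image: busybox:stable
          command:
            - sh
            - -c
            - |
              test -f /mnt/.nfs-sentinel || (
                echo "ERROR: NFS sentinel missing at /mnt/.nfs-sentinel"
                echo "refusing to start; node likely has NFS unmounted"
                echo "pod would otherwise bind-mount the local-XFS shadow"
                exit 1
              )
          securityContext:
            # The check only reads one file and writes to stdout.
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
          volumeMounts:
            - name: registry-storage
              mountPath: /mnt
              readOnly: true
      containers:
        - name: registry
          # NOTE(review): `2` is a mutable tag; pin to a reviewed digest
          # (registry@sha256:<digest>).
          image: registry:2
          # NOTE(review): no resources.requests/limits are set; add values
          # sized for this registry so it cannot starve the node.
          securityContext:
            allowPrivilegeEscalation: false
          ports:
            - containerPort: 5000
          # Startup probe: give registry time to initialize (especially if
          # NFS is slow).
          startupProbe:
            httpGet:
              path: /v2/
              port: 5000
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 3
            # 60 seconds of probing (12 * 5s), after the 5s initial delay.
            failureThreshold: 12
          # Liveness probe: restart the container if registry returns 503
          # (stale NFS) or becomes unresponsive.
          livenessProbe:
            httpGet:
              path: /v2/
              port: 5000
            periodSeconds: 30
            timeoutSeconds: 5
            # Restart after 90 seconds of failures (3 * 30s).
            failureThreshold: 3
          # Readiness probe: remove from service if not ready.
          readinessProbe:
            httpGet:
              path: /v2/
              port: 5000
            periodSeconds: 10
            timeoutSeconds: 3
            failureThreshold: 2
          volumeMounts:
            - name: registry-storage
              mountPath: /var/lib/registry
      volumes:
        - name: registry-storage
          persistentVolumeClaim:
            claimName: docker-registry-pvc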