feat(registry-cache): add Docker Hub pull-through cache + dind mirror config

Deploy registry:2 as Docker Hub pull-through cache on chemavx-k8 (hostPort 5000,
ClusterIP 10.43.163.56:5000). Configures dind runner to use local mirror via
daemon.json to eliminate Docker Hub rate limit failures in CI/CD.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

argocd/application-registry-cache.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: registry-cache
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: http://gitea.gitea.svc.cluster.local:3000/chemavx/k8s-manifests.git
+    targetRevision: main
+    path: registry-cache
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: registry-cache
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

gitea/configmap-daemon-json.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: docker-daemon-config
+  namespace: gitea
+data:
+  daemon.json: |
+    {
+      "registry-mirrors": ["http://registry-cache.registry-cache.svc.cluster.local:5000"],
+      "insecure-registries": ["registry-cache.registry-cache.svc.cluster.local:5000"]
+    }

gitea/deployment-gitea-runner.yaml

@@ -0,0 +1,92 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gitea-runner
+  namespace: gitea
+  labels:
+    app: gitea-runner
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: gitea-runner
+  template:
+    metadata:
+      labels:
+        app: gitea-runner
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: chemavx-k8
+      restartPolicy: Always
+      volumes:
+      - name: runner-data
+        emptyDir: {}
+      - name: runner-config
+        configMap:
+          name: gitea-runner-config
+      - name: dind-storage
+        emptyDir: {}
+      - name: docker-daemon-config
+        configMap:
+          name: docker-daemon-config
+      containers:
+      - name: dind
+        image: docker:24-dind
+        imagePullPolicy: IfNotPresent
+        args:
+        - --host=tcp://0.0.0.0:2375
+        - --tls=false
+        env:
+        - name: DOCKER_TLS_CERTDIR
+          value: ""
+        securityContext:
+          privileged: true
+        resources:
+          requests:
+            cpu: 100m
+            memory: 256Mi
+          limits:
+            cpu: "2"
+            memory: 2Gi
+        volumeMounts:
+        - mountPath: /var/lib/docker
+          name: dind-storage
+        - mountPath: /etc/docker/daemon.json
+          name: docker-daemon-config
+          subPath: daemon.json
+      - name: runner
+        image: gitea/act_runner:latest
+        imagePullPolicy: Always
+        command:
+        - /bin/sh
+        - -c
+        args:
+        - |
+          until nc -z localhost 2375 2>/dev/null; do sleep 1; done
+          exec /usr/local/bin/run.sh
+        env:
+        - name: GITEA_INSTANCE_URL
+          value: http://gitea.gitea.svc.cluster.local:3000
+        - name: GITEA_RUNNER_NAME
+          value: k8s-runner
+        - name: CONFIG_FILE
+          value: /etc/act_runner/config.yaml
+        - name: GITEA_RUNNER_REGISTRATION_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: gitea-runner-secret
+              key: GITEA_RUNNER_REGISTRATION_TOKEN
+        - name: DOCKER_HOST
+          value: tcp://localhost:2375
+        resources:
+          requests:
+            cpu: 100m
+            memory: 128Mi
+          limits:
+            cpu: "1"
+            memory: 512Mi
+        volumeMounts:
+        - mountPath: /data
+          name: runner-data
+        - mountPath: /etc/act_runner
+          name: runner-config

registry-cache/deployment-registry-cache.yaml

@@ -0,0 +1,54 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: registry-cache
+  namespace: registry-cache
+  labels:
+    app: registry-cache
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: registry-cache
+  template:
+    metadata:
+      labels:
+        app: registry-cache
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: chemavx-k8
+      containers:
+      - name: registry
+        image: registry:2
+        ports:
+        - containerPort: 5000
+          hostPort: 5000
+        env:
+        - name: REGISTRY_PROXY_REMOTEURL
+          value: https://registry-1.docker.io
+        - name: REGISTRY_PROXY_USERNAME
+          value: ""
+        - name: REGISTRY_PROXY_PASSWORD
+          value: ""
+        - name: REGISTRY_STORAGE_DELETE_ENABLED
+          value: "true"
+        volumeMounts:
+        - name: registry-storage
+          mountPath: /var/lib/registry
+        resources:
+          requests:
+            cpu: 100m
+            memory: 128Mi
+          limits:
+            cpu: "1"
+            memory: 1Gi
+        readinessProbe:
+          httpGet:
+            path: /v2/
+            port: 5000
+          initialDelaySeconds: 5
+          periodSeconds: 10
+      volumes:
+      - name: registry-storage
+        persistentVolumeClaim:
+          claimName: registry-cache-pvc

registry-cache/namespace-registry-cache.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: registry-cache
+  labels:
+    kubernetes.io/metadata.name: registry-cache
+spec:
+  finalizers:
+  - kubernetes

registry-cache/pvc-registry-cache.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: registry-cache-pvc
+  namespace: registry-cache
+spec:
+  accessModes:
+  - ReadWriteOnce
+  storageClassName: local-path
+  resources:
+    requests:
+      storage: 20Gi

registry-cache/service-registry-cache.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: registry-cache
+  namespace: registry-cache
+spec:
+  selector:
+    app: registry-cache
+  ports:
+  - port: 5000
+    targetPort: 5000
+    protocol: TCP
+  type: ClusterIP