Setting up private Docker registries, keeping them up and running, and making sure the images inside them are safe and do not get lost is almost always a requirement for organizations planning to use containers for their applications. Kubernetes gives us everything needed to make this happen. Let’s see how we can set up a private Docker registry for storing images.

Prerequisites:

  • A Kubernetes cluster with an ingress controller configured.
  • A custom domain name with proper routes configured. Here I have used Route 53 to route traffic to the ingress controller.

For this article all the steps have been performed on a Kubernetes cluster running on AWS, created with Kops.

Step 1: Getting the required files

Clone this repository to get the files required to configure the registry:

git clone https://github.com/SamPriyadarshi/private-docker-registry.git

Step 2: Creating Self-Signed Certificates

Create self-signed certificates so that we can connect to the registry securely over TLS. You can also use Let’s Encrypt to generate certificates; follow this link to perform those steps if interested. Here we will go with self-signed certificates.

openssl genrsa -out devdockerCA.key 2048
openssl req -x509 -new -nodes -key devdockerCA.key -days 10000 -out devdockerCA.crt
openssl genrsa -out domain.key 2048

After you type the command below, OpenSSL will prompt you to answer a few questions. Write whatever you’d like for the first few, but when OpenSSL prompts you for the “Common Name” make sure to type in the domain or IP of your server.

openssl req -new -key domain.key -out dev-docker-registry.com.csr
openssl x509 -req -in dev-docker-registry.com.csr -CA devdockerCA.crt -CAkey devdockerCA.key -CAcreateserial -out domain.crt -days 10000

Since the certificates we just generated aren’t signed by any known certificate authority (e.g., VeriSign), we need to tell every client that will use this Docker registry that this certificate is legitimate. Let’s do this locally on the host machine first so that we can use Docker from the registry server itself:

sudo mkdir /usr/local/share/ca-certificates/docker-dev-cert
sudo cp devdockerCA.crt /usr/local/share/ca-certificates/docker-dev-cert
sudo update-ca-certificates

Restart the Docker daemon so that it picks up the changes to our certificate store:

sudo service docker restart
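The commands above are interactive and produce a certificate whose only identity is its Common Name; modern Docker clients (Go's TLS stack) ignore the CN and require a subjectAltName, so a CN-only certificate is rejected at `docker login` even after the CA is trusted. The script below is an added example, not the article's or the repository's own code: it runs the same Step 2 non-interactively, adds the SAN, and verifies chain and hostname the way a client would. The directory and host name are parameters; the validity periods and file names are my choices.

```shell
#!/bin/sh
# Added example (not from the article): Step 2 done non-interactively, with
# a subjectAltName on the registry certificate and a verification step.
set -e

# make_registry_ca_and_cert DIR HOST
# Writes devdockerCA.key/.crt and domain.key/.crt into DIR for host HOST.
make_registry_ca_and_cert() {
    dir=$1
    host=$2
    mkdir -p "$dir"

    # 1. Private CA key and self-signed CA certificate. -subj avoids the prompts.
    openssl genrsa -out "$dir/devdockerCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -sha256 -days 3650 \
        -key "$dir/devdockerCA.key" \
        -subj "/CN=devdockerCA" \
        -out "$dir/devdockerCA.crt"

    # 2. Registry key and CSR. The CN is the registry host, as in the article,
    #    but clients match on the SAN added in step 3, not on the CN.
    openssl genrsa -out "$dir/domain.key" 2048 2>/dev/null
    openssl req -new -key "$dir/domain.key" \
        -subj "/CN=$host" \
        -out "$dir/domain.csr"

    # 3. Sign the CSR with the CA, injecting subjectAltName from an ext file.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -sha256 -days 825 \
        -in "$dir/domain.csr" \
        -CA "$dir/devdockerCA.crt" -CAkey "$dir/devdockerCA.key" -CAcreateserial \
        -extfile "$dir/san.ext" \
        -out "$dir/domain.crt" 2>/dev/null
}

# verify_registry_cert DIR HOST
# Returns 0 only if domain.crt chains to devdockerCA.crt AND its SAN matches
# HOST, which is what a Docker client checks once the CA is in its trust store.
verify_registry_cert() {
    dir=$1
    host=$2
    openssl verify -CAfile "$dir/devdockerCA.crt" \
        -verify_hostname "$host" "$dir/domain.crt" >/dev/null
}

# Usage: REGISTRY_HOST=registry.example.internal sh make-registry-certs.sh
if [ -n "${REGISTRY_HOST:-}" ]; then
    make_registry_ca_and_cert ./certs "$REGISTRY_HOST"
    verify_registry_cert ./certs "$REGISTRY_HOST" && echo "certs/domain.crt OK for $REGISTRY_HOST"
    # Next, on every Docker host, trust the CA exactly as the article does:
    #   sudo mkdir -p /usr/local/share/ca-certificates/docker-dev-cert
    #   sudo cp certs/devdockerCA.crt /usr/local/share/ca-certificates/docker-dev-cert/
    #   sudo update-ca-certificates && sudo service docker restart
fi
```

Run `verify_registry_cert` again after any reissue: a certificate that passes `openssl verify` but fails `-verify_hostname` is exactly the CN-only case that shows up as an "x509: certificate relies on legacy Common Name field" error on the client.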

Step 3: Creating TLS Secret for Ingress

Create a secret with the contents of the above certificates to use with the Ingress resource that we will create later.

kubectl create secret tls custom-tls-cert --key domain.key --cert domain.crt

Step 4: Creating Authentication for Registry

Create a secret holding a username and password hash for authenticating users. We will reference this secret from the Ingress resource later.

$ htpasswd -c auth foo
New password: <bar>
New password:
Re-type new password:
$ kubectl create secret generic basic-auth --from-file=auth
secret "basic-auth" created
$ kubectl get secret basic-auth -o yaml
apiVersion: v1
data:
  auth: Zm9vOiRhcHIxJE9GRzNYeWJwJGNrTDBGSERBa29YWUlsSDkuY3lzVDAK
kind: Secret
metadata:
  name: basic-auth
  namespace: default
type: Opaque

Step 5: Configuring Ingress

Edit the ingress file from the cloned repository and replace the host name with your own hostname.
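Steps 3 to 5 together define what the Ingress enforces: TLS from the `custom-tls-cert` secret and basic authentication from the `basic-auth` secret. The script below is an added example, not the article's or the repository's ingress file, and it assumes the ingress controller is ingress-nginx (the annotations are its real ones), that the registry Service is called `docker-registry` on port 5000, and that the secrets, the Service and the Ingress all live in one namespace, which Kubernetes requires. It builds the same apr1 `auth` entry `htpasswd -c` produces, but with `openssl passwd` reading the password from stdin so it never appears in the process list, and it can check an existing entry against a password before the Ingress goes live.

```shell
#!/bin/sh
# Added example (not from the article or its repository): Steps 3-5 as one
# reviewable script that emits the basic-auth Secret and the Ingress manifest.
set -e

# htpasswd_entry USER PASSWORD
# Produces "USER:$apr1$salt$hash", the same format as `htpasswd -c auth USER`.
# The password goes through stdin, not argv, so `ps` cannot see it.
htpasswd_entry() {
    hash=$(printf '%s\n' "$2" | openssl passwd -apr1 -stdin)
    printf '%s:%s\n' "$1" "$hash"
}

# check_htpasswd_entry ENTRY PASSWORD
# Recomputes the hash with the salt embedded in ENTRY; returns 0 on a match.
# Use it on the decoded `auth` data of an existing Secret before trusting it.
check_htpasswd_entry() {
    stored=${1#*:}                                    # "$apr1$salt$hash"
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)     # 8-character apr1 salt
    recomputed=$(printf '%s\n' "$2" | openssl passwd -apr1 -salt "$salt" -stdin)
    [ "$recomputed" = "$stored" ]
}

# render_basic_auth_secret NAMESPACE ENTRY
# Equivalent of `kubectl create secret generic basic-auth --from-file=auth`,
# but as a manifest, so the namespace is explicit and the file can be reviewed.
render_basic_auth_secret() {
    b64=$(printf '%s\n' "$2" | base64 | tr -d '\n')
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: basic-auth
  namespace: $1
type: Opaque
data:
  auth: $b64
EOF
}

# render_registry_ingress NAMESPACE HOST
# TLS comes from the Step 3 secret, auth from the secret above.
# proxy-body-size "0" lifts the 1 MiB default body limit that breaks `docker push`.
render_registry_ingress() {
    cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: docker-registry
  namespace: $1
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Private Docker Registry"
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [$2]
      secretName: custom-tls-cert
  rules:
    - host: $2
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: docker-registry   # assumed Service name from the repo manifests
                port:
                  number: 5000
EOF
}

# Usage:
#   REGISTRY_HOST=registry.example.internal REGISTRY_USER=foo REGISTRY_PASS=bar \
#     sh registry-ingress.sh | kubectl apply -f -
if [ -n "${REGISTRY_HOST:-}" ]; then
    entry=$(htpasswd_entry "${REGISTRY_USER:-foo}" "${REGISTRY_PASS:?set REGISTRY_PASS}")
    render_basic_auth_secret docker-registry "$entry"
    echo '---'
    render_registry_ingress docker-registry "$REGISTRY_HOST"
fi
```

Because the Ingress in Step 6 is applied into the `docker-registry` namespace, create `custom-tls-cert` and `basic-auth` there too (the article's `kubectl create secret` commands default to `default`); an Ingress cannot reference secrets or Services in another namespace, and ingress-nginx then serves its fallback certificate and no auth challenge.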

Step 6: Deploying the files on Kubernetes

kubectl create ns docker-registry
kubectl apply -f docker-private-registry

Step 7: Logging in to Private Registry

Log in to the private Docker registry using:

docker login <DNS of private registry>

Provide the username and password, and voila, you have your own private Docker registry.

Step 8: Pushing and Pulling to Registry

Run the commands below to push an image to the registry and pull it back:

docker pull redis:latest
docker tag redis:latest <your private registry DNS>/redis:1.0
docker push <your private registry DNS>/redis:1.0

Pull from another machine:

docker pull <your private registry DNS>/redis:1.0
