Setting up a private Docker registry, keeping it always up and running, and making sure the images inside it are safe and never lost is almost always a requirement for organizations planning to run their applications in containers. Kubernetes gives us what we need to make all of this happen. Let’s see how we can set up a private Docker registry for storing images.
- A Kubernetes cluster with an ingress controller configured.
- A custom domain name with the proper DNS routes configured. Here I have used Route 53 to route traffic to the ingress controller.
For this article all the steps have been performed on a Kubernetes cluster running on AWS, created with Kops.
Step 1: Getting the required files
Clone this repository to get the files required to configure the registry by running the command below:
git clone https://github.com/SamPriyadarshi/private-docker-registry.git
Step 2: Creating Self-Signed Certificates
Create self-signed certificates so that we can connect to the registry securely over TLS. You can also use Let’s Encrypt to generate certificates; follow this link to perform those steps if interested. But here we will go with self-signed certificates.
openssl genrsa -out devdockerCA.key 2048
openssl req -x509 -new -nodes -key devdockerCA.key -days 10000 -out devdockerCA.crt
openssl genrsa -out domain.key 2048
After you type the command below, OpenSSL will prompt you to answer a few questions. Write whatever you’d like for the first few, but when OpenSSL prompts you for the “Common Name” make sure to type in the domain or IP of your server.
openssl req -new -key domain.key -out dev-docker-registry.com.csr
openssl x509 -req -in dev-docker-registry.com.csr -CA devdockerCA.crt -CAkey devdockerCA.key -CAcreateserial -out domain.crt -days 10000
Since the certificates we just generated aren’t signed by any known certificate authority (e.g., VeriSign), we need to tell every client that is going to use this Docker registry that this certificate is legitimate. Let’s do this locally on the host machine first, so that we can use Docker against the registry from the registry server itself:
sudo mkdir /usr/local/share/ca-certificates/docker-dev-cert
sudo cp devdockerCA.crt /usr/local/share/ca-certificates/docker-dev-cert
sudo update-ca-certificates
Restart the Docker daemon so that it picks up the changes to our certificate store:
sudo service docker restart
Step 3: Creating TLS Secret for Ingress
Create a secret with the contents of the certificates above to use with the Ingress resource that we will create later.
kubectl create secret tls custom-tls-cert --key domain.key --cert domain.crt
Step 4: Creating Authentication for Registry
Create a secret holding a username and password for authenticating users. We will reference this secret from the Ingress resource later, so the ingress controller enforces authentication in front of the registry.
$ htpasswd -c auth foo
New password: <bar>
Re-type new password:
$ kubectl create secret generic basic-auth --from-file=auth
$ kubectl get secret basic-auth -o yaml
Step 5: Configuring Ingress
Edit the ingress file from the cloned repository and replace the host name with your own hostname.
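The post does not show the ingress manifest itself, so here is an added example (not the repository’s own file) of what the Ingress for this setup looks like once the hostname is filled in, written as a small shell function that renders it for a given hostname. It assumes the ingress-nginx controller (its annotations wire up the basic-auth secret), the `custom-tls-cert` secret from Step 3, the `basic-auth` secret from Step 4, and a registry Service named `docker-registry` on port 5000 in the `docker-registry` namespace; the Service name and port are constructed placeholders, so substitute the ones from the cloned repository.

```shell
#!/bin/sh
# Added example, not from the original post or its repository. Renders the
# Ingress that fronts the registry with TLS and basic auth. Assumes ingress-nginx;
# Service name/port are placeholders to be replaced with the repository's values.

set -eu

# render_registry_ingress <registry-hostname> [service-name] [service-port]
render_registry_ingress() {
  host=$1; svc=${2:-docker-registry}; port=${3:-5000}
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: docker-registry
  namespace: docker-registry
  annotations:
    # Enforce basic auth at the ingress using the htpasswd secret from Step 4.
    # Without these three annotations the registry is reachable anonymously.
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Docker registry"
    # Image layers are large; ingress-nginx's default 1m body limit rejects pushes.
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    # Never accept credentials over plain HTTP.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - $host
      secretName: custom-tls-cert   # TLS secret created in Step 3
  rules:
    - host: $host
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: $svc
                port:
                  number: $port
EOF
}

# Usage: render for your hostname and apply (or save to the file from the repo).
# render_registry_ingress registry.example.com | kubectl apply -f -
```

The two annotations worth checking before going live are `auth-secret`, which must name the secret in the same namespace as the Ingress, and `proxy-body-size`, which otherwise turns every `docker push` of a layer larger than 1 MB into an HTTP 413.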
Step 6: Deploying the files on Kubernetes
kubectl create ns docker-registry
kubectl apply -f docker-private-registry
Step 7: Logging in to Private Registry
Log in to the private Docker registry using:
docker login <DNS of Private registry>
Provide your username and password, and voila, you have your own private Docker registry.
Step 8: Pushing and Pulling to Registry
Run the commands below to push an image to the registry and pull it back from there:
docker pull redis:latest
docker tag redis:latest <your private registry DNS>/redis:1.0
docker push <your private registry DNS>/redis:1.0
Pull from another machine (one that trusts the CA certificate from Step 2 and has logged in):
docker pull <your private registry DNS>/redis:1.0