Set up a private docker registry in Kubernetes

Create certificates

  • Modify the OpenSSL config if you don't have a domain name.
# This is the system-wide OpenSSL config; its location differs by distro.
# Editing a copy and passing it with "openssl req -config <copy>" avoids
# changing defaults for every other tool on the host.
$ vim /etc/ssl/openssl.cnf

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]

# add your ip address on this section
# Docker's Go TLS stack matches the server against subjectAltName (the
# Common Name fallback has been dropped), so this IP must be the address
# clients dial, without the port. Use DNS:<hostname> instead if you have a
# domain name. With the stock config, "openssl req -x509" takes its
# extensions from v3_ca, which is why the SAN lives here and not in v3_req.
subjectAltName=IP:192.168.10.1
  • Generate your own certificate
$ mkdir -p certs

# -nodes writes the private key unencrypted: keep certs/domain.key readable
# only by its owner (chmod 600) and never commit it.
# -days 365: the registry and every client stop working when this expires;
# schedule the rotation. Without -subj you are prompted for the CN (see below).
$ openssl req \
  -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
  -x509 -days 365 -out certs/domain.crt

The common name (CN) is your Docker registry IP address: 192.168.10.1:35000 (35000 is the Kubernetes node port).

  • Copy your domain.crt to every Docker client.
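# Docker looks up the CA under the address *as dialed*: the NodePort 35000,
# not the container port 5000. The directory does not exist by default.
# Run this on every Docker client (node).
$ mkdir -p /etc/docker/certs.d/192.168.10.1:35000
$ cp certs/domain.crt /etc/docker/certs.d/192.168.10.1:35000/ca.crt

# You could use scp command to download from other node.
# USER@CERT_NODE is a placeholder for the host where the certificate was generated.
$ scp -r USER@CERT_NODE:/xxx/certs/domain.crt /etc/docker/certs.d/192.168.10.1:35000/ca.crt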

Create a private registry in Kubernetes

  • Create a secret
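# The key pair was written to certs/ by the openssl step above, so reference it
# there. A Secret is only base64-encoded: anyone with read access to Secrets in
# kube-system can recover domain.key, so keep that namespace's RBAC tight.
$ kubectl --namespace=kube-system create secret generic registry-tls-secret \
    --from-file=domain.crt=certs/domain.crt \
    --from-file=domain.key=certs/domain.key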
  • Create a PV/PVC
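apiVersion: v1
kind: PersistentVolume
metadata:
  name: kube-registry-pv
  # PersistentVolumes are cluster-scoped; a namespace here is ignored, so it is omitted.
spec:
  capacity:
    storage: 1024Gi
  accessModes:
    - ReadWriteOnce
  # Explicit so that deleting the claim never wipes the pushed images from the export.
  persistentVolumeReclaimPolicy: Retain
  nfs:
    # assumes the NFS server is the same host that carries the registry IP — confirm
    server: 192.168.10.1
    path: "/data/docker/registry"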
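---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: registry-pv-claim
  namespace: kube-system
spec:
  # An empty class pins this claim to the statically created kube-registry-pv;
  # without it a cluster with a default StorageClass may dynamically provision
  # an unrelated volume and the NFS export is never used.
  storageClassName: ""
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1024Gi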
  • Create a Replication Controller
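apiVersion: v1
kind: ReplicationController
metadata:
  name: kube-registry-v0
  namespace: kube-system
  labels:
    k8s-app: kube-registry
    version: v0
spec:
  replicas: 1
  selector:
    k8s-app: kube-registry
    version: v0
  template:
    metadata:
      labels:
        k8s-app: kube-registry
        version: v0
    spec:
      containers:
      - name: registry
        image: registry:2
        resources:
          # keep request = limit to keep this container in guaranteed class
          # NOTE(review): 100Mi may be tight for large pushes — watch for OOMKilled and raise both.
          limits:
            cpu: 100m
            memory: 100Mi
          requests:
            cpu: 100m
            memory: 100Mi
        # TLS only authenticates the server: this registry accepts push and pull
        # from anyone who can reach the NodePort. Enable REGISTRY_AUTH (htpasswd
        # or token) or restrict network access before exposing it beyond a
        # trusted network.
        env:
        - name: REGISTRY_HTTP_ADDR
          # quoted: a plain scalar starting with ":" is rejected by some YAML parsers
          value: ":5000"
        - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
          value: /var/lib/registry
        - name: REGISTRY_HTTP_TLS_CERTIFICATE
          value: /certs/domain.crt
        - name: REGISTRY_HTTP_TLS_KEY
          value: /certs/domain.key
        volumeMounts:
        - name: image-store
          mountPath: /var/lib/registry
        - name: cert-dir
          mountPath: /certs
          readOnly: true  # the registry only reads the key pair
        ports:
        - containerPort: 5000
          name: registry
          protocol: TCP
      volumes:
      - name: image-store
        persistentVolumeClaim:
          claimName: registry-pv-claim
      - name: cert-dir
        secret:
          secretName: registry-tls-secret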
  • Create a service
apiVersion: v1
kind: Service
metadata:
  name: kube-registry
  namespace: kube-system
  labels:
    k8s-app: kube-registry
    kubernetes.io/name: "KubeRegistry"
spec:
  # NodePort publishes the registry on every node's IP; the certificate SAN must
  # cover whichever address clients dial (192.168.10.1 in this guide).
  type: NodePort
  selector:
    k8s-app: kube-registry
  ports:
  - name: registry
    port: 5000
    # 35000 lies outside the default --service-node-port-range (30000-32767);
    # the apiserver must be configured with a range that includes it or this
    # Service is rejected. Docker clients use this port, not 5000.
    nodePort: 35000
    protocol: TCP

Reference
