Set up a private docker registry in Kubernetes
Create certificates
- Modify the OpenSSL config if you don't have a domain name. Docker validates the address it connects to against the certificate, so an IP-only registry needs that IP present as a subjectAltName.
$ vim /etc/ssl/openssl.cnf
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# add the registry's IP address as a subjectAltName here (the IP only, never the port);
# `openssl req -x509` uses this section through x509_extensions in the default config
subjectAltName=IP:192.168.10.1
- Generate a self-signed certificate and key. `-nodes` writes the private key unencrypted, so keep `certs/domain.key` on the registry host only; clients ever need just `domain.crt`.
$ mkdir -p certs
$ openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
-x509 -days 365 -out certs/domain.crt
For the Common Name (CN), enter the registry IP address `192.168.10.1` without a port: a port is never part of a certificate name, and clients match the IP against the subjectAltName added above. 35000 is the Kubernetes NodePort that clients will connect to.
- Copy your domain.crt to every node (and any other Docker client) that will pull from the registry. The directory name must be exactly the `host:port` used in image references — `192.168.10.1:35000`, not `:5000`, which is only the port inside the pod.
$ mkdir -p /etc/docker/certs.d/192.168.10.1:35000 && cp certs/domain.crt /etc/docker/certs.d/192.168.10.1:35000/ca.crt
# Or fetch it over scp from the host where it was generated (only the .crt; never copy the .key to clients).
$ scp <user>@<host>:/path/to/certs/domain.crt /etc/docker/certs.d/192.168.10.1:35000/ca.crt
Create the private registry in Kubernetes
- Create a Secret holding the certificate and private key. A Secret is only base64-encoded, so restrict who can read Secrets in kube-system via RBAC, enable encryption at rest where the cluster supports it, and do not commit domain.key next to these manifests.
$ kubectl --namespace=kube-system create secret generic registry-tls-secret --from-file=domain.crt=domain.crt --from-file=domain.key=domain.key
- Create a PV/PVC (the NFS export must be reachable from every node the registry pod can be scheduled on)
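---
# Backing store for the registry: a statically provisioned NFS export.
# PersistentVolume is cluster-scoped, so it carries no namespace (the
# original `namespace: kube-system` on the PV was ignored by the API server).
apiVersion: v1
kind: PersistentVolume
metadata:
  name: kube-registry-pv
spec:
  capacity:
    storage: 1024Gi
  accessModes:
    - ReadWriteOnce
  # Keep the image data when the claim is deleted; Retain is the default for
  # manually created PVs, stated explicitly so it is not changed by accident.
  persistentVolumeReclaimPolicy: Retain
  nfs:
    server: 192.168.10.1
    path: "/data/docker/registry"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: registry-pv-claim
  namespace: kube-system
spec:
  accessModes:
    - ReadWriteOnce
  # An empty storageClassName disables dynamic provisioning, so this claim
  # binds to the static NFS PV above instead of a default StorageClass volume;
  # volumeName pins the binding to that exact PV.
  storageClassName: ""
  volumeName: kube-registry-pv
  resources:
    requests:
      storage: 1024Gi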
- Create a Replication Controller
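---
# Registry pod. ReplicationController is kept to match the rest of this
# tutorial; a Deployment is the current equivalent with the same pod template.
apiVersion: v1
kind: ReplicationController
metadata:
  name: kube-registry-v0
  namespace: kube-system
  labels:
    k8s-app: kube-registry
    version: v0
spec:
  replicas: 1
  selector:
    k8s-app: kube-registry
    version: v0
  template:
    metadata:
      labels:
        k8s-app: kube-registry
        version: v0
    spec:
      # The registry never talks to the Kubernetes API; do not hand it the
      # kube-system default service-account token.
      automountServiceAccountToken: false
      containers:
        - name: registry
          # NOTE(review): floating tag. Pin to a digest (registry@sha256:...)
          # once you have verified the image so pulls are reproducible.
          image: registry:2
          resources:
            # keep request = limit to keep this container in guaranteed class
            limits:
              cpu: 100m
              memory: 100Mi
            requests:
              cpu: 100m
              memory: 100Mi
          env:
            - name: REGISTRY_HTTP_ADDR
              # quoted: a plain scalar starting with ':' is parser-dependent
              value: ":5000"
            - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
              value: /var/lib/registry
            # TLS terminates in the registry itself using the mounted Secret.
            - name: REGISTRY_HTTP_TLS_CERTIFICATE
              value: /certs/domain.crt
            - name: REGISTRY_HTTP_TLS_KEY
              value: /certs/domain.key
            # NOTE(review): no authentication is configured, so anyone who can
            # reach the NodePort can push and pull. Add REGISTRY_AUTH=htpasswd
            # with REGISTRY_AUTH_HTPASSWD_REALM / REGISTRY_AUTH_HTPASSWD_PATH
            # backed by a second Secret, or restrict the port with a network
            # policy / host firewall, before putting real images here.
          securityContext:
            # The registry only binds a non-privileged port and writes to its
            # volume; never let it gain privileges through setuid binaries.
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: image-store
              mountPath: /var/lib/registry
            # Certificate and key are read-only inside the container.
            - name: cert-dir
              mountPath: /certs
              readOnly: true
          ports:
            - containerPort: 5000
              name: registry
              protocol: TCP
          # Probes must use HTTPS: the listener above is TLS-only, and the
          # kubelet does not verify the (self-signed) certificate for probes.
          # `/` is answered 200 by registry:2 independently of auth — verify
          # on the registry version you deploy.
          readinessProbe:
            httpGet:
              path: /
              port: registry
              scheme: HTTPS
            initialDelaySeconds: 3
            timeoutSeconds: 5
          livenessProbe:
            httpGet:
              path: /
              port: registry
              scheme: HTTPS
            initialDelaySeconds: 10
            timeoutSeconds: 5
      volumes:
        - name: image-store
          persistentVolumeClaim:
            claimName: registry-pv-claim
        - name: cert-dir
          secret:
            secretName: registry-tls-secret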
- Create a service
---
# Exposes the registry on every node at <node-ip>:35000. A NodePort is
# reachable from outside the cluster on all nodes, so the TLS certificate's
# subjectAltName must cover whichever node IP clients actually use, and the
# port should be firewalled to the hosts that need it.
kind: Service
apiVersion: v1
metadata:
  name: kube-registry
  namespace: kube-system
  labels:
    k8s-app: kube-registry
    kubernetes.io/name: "KubeRegistry"
spec:
  type: NodePort
  selector:
    k8s-app: kube-registry
  ports:
    - name: registry
      protocol: TCP
      port: 5000
      # same as `port` (the default); named so the container port and
      # service port stay in step if one is changed
      targetPort: registry
      nodePort: 35000