Secured Private Docker Registry on Kubernetes

December 28, 2020

This assumes that you are using Traefik as a load balancer that handles your SSL traffic automatically. I'll be following up with a post on how to set up Traefik and will link to it here.

add prerequisite files

First, create a folder ./generate. Inside it create a file generate-registry-config.sh:

#!/bin/bash
set -euo pipefail

# Random password and username: hex SHA-1 of 16 random bytes each.
# Both land in registry-creds.txt, so keep that file out of git.
export SHA=$(head -c 16 /dev/urandom | shasum | cut -d " " -f 1)
export USERNAME=user$(head -c 16 /dev/urandom | shasum | cut -d " " -f 1)

umask 077   # creds and htpasswd files are readable by you only
echo "$USERNAME" > registry-creds.txt
echo "$SHA" >> registry-creds.txt

# registry:2.7.0 still ships htpasswd: -B bcrypt, -b password from the
# command line, -n print the entry to stdout instead of writing a file
docker run --rm --entrypoint htpasswd registry:2.7.0 -Bbn "$USERNAME" "$SHA" > ./htpasswd

# https://github.com/helm/charts/tree/master/stable/docker-registry
# (the stable repo has to be added first, see below)
# namespace must match the one the ingress and regcred secret live in (webinc)

helm template webinc-reg stable/docker-registry \
  --namespace webinc \
  --set persistence.enabled=true \
  --set persistence.accessMode=ReadWriteOnce \
  --set persistence.storageClass=standard \
  --set persistence.size=24Gi \
  --set service.type=NodePort \
  --set secrets.htpasswd="$(cat ./htpasswd)" \
  > registry-source-from-helm.yaml

Add stable to your helm repos before running the script, since helm template pulls the chart from it:

helm repo add stable https://charts.helm.sh/stable
helm repo update

setup registry

Inside of ./generate:

  1. Run ./generate-registry-config.sh; this generates registry-source-from-helm.yaml.

  2. I prefer to split the generated file out into its separate pieces: PVC, service, deployment, config...

  3. Make sure you have storage configured. Read up on that here.

  4. Now deploy the individual files via kubectl.

ingress

Add an ingress for Traefik (Traefik terminates TLS, so the registry itself only speaks plain HTTP behind it):

# extensions/v1beta1 Ingress was removed in Kubernetes 1.22; on newer
# clusters use networking.k8s.io/v1, which has a different backend schema
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: docker-yourdomain-com-ingress
  namespace: webinc
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
    - host: docker.yourdomain.com
      http:
        paths:
          - path: /
            backend:
              serviceName: webinc-reg-docker-registry
              servicePort: registry

authentication, etc.

Store registry-creds.txt somewhere safe and delete it from the working directory ASAP, it's a secret. But get the registry secured and working first.

Test it out: https://docker.yourdomain.com/v2/_catalog (it should prompt for the username and password from registry-creds.txt; an unauthenticated request must get a 401, not the catalog).

cool, works.

Now, how to get this going...

creating secrets

Caveat: you may have to do this for multiple namespaces, since a pull secret is only visible in the namespace it is created in...

# REGISTRY_DOMAIN, REGISTRY_USER and REGISTRY_PASSWORD are assumed to be set
# from registry-creds.txt (e.g. docker.yourdomain.com and the two lines in it)
kubectl delete secret -n webinc regcred
kubectl create secret -n webinc \
  docker-registry regcred \
  --docker-server="$REGISTRY_DOMAIN" \
  --docker-username="$REGISTRY_USER" \
  --docker-password="$REGISTRY_PASSWORD"
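What that kubectl command actually stores, as an added example rather than the post's own code: a stdlib-only Python script that builds the same kubernetes.io/dockerconfigjson Secret for each namespace from the caveat above, and decodes one back. The decode shows that the password is only base64-encoded inside the Secret, so RBAC on Secrets in that namespace is what protects it. The server name and credentials used below are constructed sample values.

```python
import base64
import json


def docker_config_json(server: str, username: str, password: str) -> dict:
    """Build the config.json structure that `docker login` writes and that
    kubectl packs into a kubernetes.io/dockerconfigjson Secret."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"auths": {server: {"username": username, "password": password, "auth": auth}}}


def registry_secret_manifest(name: str, namespace: str, server: str,
                             username: str, password: str) -> dict:
    """Equivalent of `kubectl create secret docker-registry <name> -n <namespace> ...`
    as a manifest you can `kubectl apply -f` (JSON is valid YAML)."""
    config = json.dumps(docker_config_json(server, username, password), separators=(",", ":"))
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(config.encode()).decode()},
    }


def registry_secret_credentials(manifest: dict) -> dict:
    """Decode a pull secret (e.g. the output of `kubectl get secret regcred -o json`)
    back to {server: (username, password)}: base64 is encoding, not encryption."""
    if manifest.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a docker-registry secret")
    raw = base64.b64decode(manifest["data"][".dockerconfigjson"])
    auths = json.loads(raw)["auths"]
    return {server: (entry["username"], entry["password"]) for server, entry in auths.items()}


if __name__ == "__main__":
    # Constructed sample values; real ones come from registry-creds.txt.
    for ns in ("webinc", "default"):
        manifest = registry_secret_manifest("regcred", ns, "docker.yourdomain.com", "userabc", "s3cret")
        print(json.dumps(manifest))
        print(registry_secret_credentials(manifest))
```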

logging in

docker login docker.yourdomain.com

pushing an image up

You may need to tag the image with the registry host first, but once you do:

docker push docker.yourdomain.com/username/yourimage:latest

kubernetes configs

Add this to the pod spec of any deployment that pulls from the registry. Note that imagePullSecrets sits next to containers in the pod spec, not inside a container:

  containers:
    - name: new-private-container
      ...
  imagePullSecrets:
    - name: regcred

Sources

https://github.com/alexellis/k8s-tls-registry

Written by Dan Lynch, an inventor and entrepreneur who loves the web.