
From this tutorial you can set up a private registry using Helm.

It is stated in the documentation:
Note: Insecure registries can be used for development, POCs or lab trials. You should not use this in production. There are plenty of documents online that guide you through secure registry setup.

Ok, I have searched (and tried) for two days now, and nothing actually works with openssl and docker-for-mac.

Do you know?

Update:
Steps:
1. Installed cert-manager
2. Follow this, to create a certificate
3. Create an Ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: registry-tls
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
    ingress.kubernetes.io/rewrite-target: /
spec:
  tls:
  - hosts:
      - mydomain.dev
  - secretName: ca-key-pair
  rules:
  - host: mydomain.dev
    http:
      paths:
      - backend:
          serviceName: mottled-hydra-docker-registry
          servicePort: 5000
        path: /reg
4. Added ca.cert to Keychain on Mac
5. docker push mydomain.dev/mycontainer

Then I get:

The push refers to repository [mydomain.dev/reg/mycontainer]
Get https://mydomain.dev/v2/: x509: certificate is valid for ingress.local, not mydomain.dev

Note:
1. https://mydomain.dev/v2/
2. ingress.local

kubectl get svc
NAME                            TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
kubernetes                      ClusterIP   10.245.0.1       <none>        443/TCP    4d
mottled-hydra-docker-registry   ClusterIP   10.245.190.70    <none>        5000/TCP   5h

svc for the registry, generated by the Helm chart (cert-manager):

apiVersion: v1
kind: Service
metadata:
  creationTimestamp: "2019-03-28T12:46:06Z"
  labels:
    app: docker-registry
    chart: docker-registry-1.7.0
    heritage: Tiller
    release: mottled-hydra
  name: mottled-hydra-docker-registry
  namespace: default
  resourceVersion: "692261"
  selfLink: /api/v1/namespaces/default/services/mottled-hydra-docker-registry
  uid: 742fe252-5157-11e9-851d-ba21af21c59c
spec:
  clusterIP: 10.245.190.70
  ports:
  - name: registry
    port: 5000
    protocol: TCP
    targetPort: 5000
  selector:
    app: docker-registry
    release: mottled-hydra
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}

Chris G.
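An added check, not part of the question or of any linked tutorial, that runs over the JSON form of the Ingress above (the copy embedded here is constructed from the YAML in the post, in the shape `kubectl get ingress registry-tls -o json` returns). It flags the two wiring problems behind exactly this symptom: the `tls` block is split into two list items, so the entry for mydomain.dev carries no `secretName` and ingress-nginx falls back to its built-in default certificate (SAN ingress.local), and the only rule path is /reg while the Docker client begins every push with GET /v2/.

```python
import json

# Constructed JSON copy of the Ingress from the question, as kubectl would print it.
INGRESS_JSON = """{
  "apiVersion": "extensions/v1beta1", "kind": "Ingress",
  "metadata": {"name": "registry-tls", "namespace": "default"},
  "spec": {
    "tls": [{"hosts": ["mydomain.dev"]}, {"secretName": "ca-key-pair"}],
    "rules": [{"host": "mydomain.dev", "http": {"paths": [{"path": "/reg",
      "backend": {"serviceName": "mottled-hydra-docker-registry", "servicePort": 5000}}]}}]
  }
}"""


def _covered(host, tls_hosts):
    """True if a tls entry names host exactly or via a same-depth wildcard (*.example.dev)."""
    return any(h == host or (h.startswith("*.") and host.endswith(h[1:])
                             and host.count(".") == h.count(".")) for h in tls_hosts)


def check_registry_ingress(ingress):
    """Return findings (an empty list means the TLS and path wiring look right)."""
    findings = []
    spec = ingress.get("spec", {})
    tls_hosts = []
    for i, entry in enumerate(spec.get("tls", [])):
        hosts = entry.get("hosts", [])
        tls_hosts += hosts
        # A tls item without secretName makes ingress-nginx serve its
        # self-signed default certificate, whose SAN is ingress.local.
        if not entry.get("secretName"):
            findings.append(f"tls[{i}] lists hosts {hosts} but no secretName")
        if not hosts:
            findings.append(f"tls[{i}] names secret {entry.get('secretName')!r} but no hosts")
    for rule in spec.get("rules", []):
        host = rule.get("host")
        if not _covered(host, tls_hosts):
            findings.append(f"rule host {host!r} is not covered by any tls entry")
        paths = [p.get("path", "/") for p in rule.get("http", {}).get("paths", [])]
        # The Docker client starts every push with GET https://<host>/v2/,
        # so some path under this rule must be a prefix of /v2/.
        if not any("/v2/".startswith(p) for p in paths):
            findings.append(f"rule for {host!r} routes only {paths}, not /v2/")
    return findings


def check_json(text):
    """Convenience wrapper for `kubectl get ingress <name> -o json` output."""
    return check_registry_ingress(json.loads(text))
```

Pipe the live object in with `kubectl get ingress registry-tls -o json` and call `check_json` on it; the fix for the post's manifest is a single tls item holding both `hosts` and `secretName`, plus a rule path that covers /v2/.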
  • How are you exposing your registry? – cookiedough Mar 28 '19 at 16:20
  • Thanks, I will be back in 30 min. with a more in-depth description. But in short; 1. openssl generate a certificate on Mac, 2. Register the certificate on Mac by double click for Keychains. 3. Add secret and cert-manager. – Chris G. Mar 28 '19 at 16:25
  • You simply want to TLS secure your registry? Do you have a public domain for it? Once you're back pls post your service and ingress yaml files. – cookiedough Mar 28 '19 at 16:35
  • Yes I have a public domain, and it is working following: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-with-cert-manager-on-digitalocean-kubernetes – Chris G. Mar 28 '19 at 16:38
  • But using openssl and all with docker is giving a certificate error, I can't remember - will post as soon as I am at a computer – Chris G. Mar 28 '19 at 16:40
  • Any luck with the yaml files? My guess is that you'll need to use a tls line in your ingress to secure it – cookiedough Mar 28 '19 at 20:30
  • Thanks, I just updated and added the yaml for the registry service. I now suspect it to be a namespace issue - looking into that at the moment – Chris G. Mar 28 '19 at 20:50
  • But also something with the certificate ingress.local – Chris G. Mar 28 '19 at 20:53
  • Did you create the Certificate yaml for the `*.mydomain.dev` domain? Can you add `kubernetes.io/tls-acme: "true"` to your ingress annotations? – cookiedough Mar 28 '19 at 21:04
  • From my "new" understanding, using kubernetes.io/tls-acme is when you want to automate all the Let's Encrypt issuing. But I want to just use my own certificates/key pairs. So I guess, in theory I could skip all the CA stuff, and just use a key pair between docker <--> registry to force the registry to only support docker users that come in with this key pair. Hope I am not totally off here :-) – Chris G. Mar 29 '19 at 08:38
  • And it looks like using the cert-manager, it enables me to just distribute the public key to a k8s docker registry. – Chris G. Mar 29 '19 at 08:42
  • You're right about the annotation, if you don't want to automate it, keep it out. The error that says the cert is not valid for your domain is the main issue here, did you make the certificate for your wildcard domain? – cookiedough Mar 29 '19 at 14:44
  • I am getting convinced that it is a Google service account. I created this: https://stackoverflow.com/questions/55416886/authentication-methods-using-a-json-key-file-unauthorized-gcr-login-failed – Chris G. Mar 29 '19 at 16:23

0 Answers