Private Registry for K8s Cluster

August 7, 2020 - 2 mins read

raspberrypi4_modelb

With your own Private Registry for Kubernetes Cluster, you can have full control over the docker registry and improve overall performance

Private Registry on Kubernetes Cluster

(Total Setup Time: 10 mins)

Docker Registry is the official implementation for storing and distributing Docker images.

Preparing Private Registry

(5mins)

First, create the self-signed certificate:

mkdir -p certs
openssl req \
  -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
  -x509 -days 365 -out certs/domain.crt

Second, install the certificate in the master node and all of your leaf nodes:

sudo mkdir -p /etc/docker/certs.d/myregistrydomain.com:5000
sudo cp certs/domain.crt /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt
sudo cp certs/domain.crt /usr/local/share/ca-certificates/myregistrydomain.com.crt
sudo update-ca-certificates
sudo systemctl restart docker

Third, start and deploy registry:

docker run -d \
  --restart=always \
  --name registry \
  -v "$(pwd)"/certs:/certs \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  -p 443:443 \
  registry:2

Using Private Registry

(5 mins)

First, following up with my previous Jenkins Maven Agents, I pushed them to the private registry:

docker tag seehiong/jenkins-agent:1.0 myregistrydomain.com/my-jenkins-agent
docker push myregistrydomain.com/my-jenkins-agent
docker pull myregistrydomain.com/my-jenkins-agent

Second, navigate to Jenkins > Configure Clouds, and change the docker image to the private registry:

Docker image: myregistrydomain.com/my-jenkins-agent

And that’s it, the Private Registry on Kubernetes Cluster is setup properly for subsequent usage

Troubleshooting

Get https://myregistrydomain.com/v2/: read: connection reset by peer

For the leaf nodes to connect to myregistrydomain.com, you need to setup Hosts file:

sudo vi /etc/hosts

192.168.100.100 myregistrydomain.com

Get https://myregistrydomain.com/v2/: x509: certificate signed by unknown authority

For the docker version I am using, I need to trust the cert at the OS level:

sudo cp certs/domain.crt /usr/local/share/ca-certificates/myregistrydomain.com.crt
sudo update-ca-certificates
sudo systemctl restart docker