The steps to set up a secure Docker registry service in K8s differ from plain Docker; a few adjustments and changes are needed.
Tools we need to reach that goal:
- openssl
- htpasswd
- skopeo
Create SSL/TLS Certificate and Key
Use the openssl command to generate the certificate and private key used for the secure connection:
```bash
## create certs
```
Then copy the .crt file to every host under the /etc/docker/certs.d/<${DOCKER_REGISTRY_URL}>:5000 folder so the self-signed certificate is trusted.
Note that if the Docker daemon json file has the insecure registry enabled, the daemon will not verify the SSL/TLS certificate at all: anyone with a Docker user account and password can log in without the certificate!
Create Docker User Info
```bash
## create auth file
```
Generate Secret
```bash
## create secrets
```
Bind Image Pull Secret to Service Account
See the K8s documentation.
```bash
## patch creds to default service account in test-1
```
Or you can specify imagePullSecrets explicitly in the yaml, for example:
```yaml
apiVersion: v1
```
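As an added example (not code from the original post), this builds the dockerconfigjson pull secret that the Generate Secret step stores and checks a daemon.json for the insecure-registries entry that makes the daemon skip certificate verification, as warned above. The registry host registry.example.com:5000, namespace test-1, user alice and the sample daemon.json contents are constructed values.

```python
"""Added example, not code from the original post: build the imagePullSecret
payload for a private registry and check a daemon.json for the
insecure-registries setting that skips TLS verification. The registry host,
namespace, user and password values used below are constructed."""
import base64
import json


def docker_config_json(registry: str, username: str, password: str) -> dict:
    """The .dockerconfigjson document that `kubectl create secret docker-registry`
    stores; the key must match the registry exactly, port included."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"auths": {registry: {"username": username,
                                 "password": password,
                                 "auth": auth}}}


def pull_secret_manifest(name: str, namespace: str, registry: str,
                         username: str, password: str) -> dict:
    """Secret of type kubernetes.io/dockerconfigjson; data is base64 of the JSON."""
    cfg = json.dumps(docker_config_json(registry, username, password),
                     separators=(",", ":"))
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(cfg.encode()).decode()},
    }


def decode_pull_secret(manifest: dict) -> dict:
    """Reverse of pull_secret_manifest: return the auths mapping for inspection."""
    raw = base64.b64decode(manifest["data"][".dockerconfigjson"])
    return json.loads(raw)["auths"]


def tls_enforced_for(daemon_json: str, registry: str) -> bool:
    """False if daemon.json lists the registry under insecure-registries, which
    makes dockerd skip certificate verification for that host, so the cert in
    /etc/docker/certs.d is never checked. Assumes host:port literals; CIDR
    entries are not expanded here."""
    entries = json.loads(daemon_json).get("insecure-registries", [])
    return registry not in entries


# Constructed sample daemon.json files: the weak setting and the corrected one.
WEAK_DAEMON_JSON = '{"insecure-registries": ["registry.example.com:5000"]}'
FIXED_DAEMON_JSON = '{"insecure-registries": []}'
```

Apply the manifest with `kubectl apply -f` after writing it out as JSON, and run tls_enforced_for against each node's /etc/docker/daemon.json before trusting that the certs.d copy is doing anything.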
Create Secure Docker Registry
```bash
## notice the
```
So far the secure Docker registry in K8s is up and running in the default namespace; hostNetwork is true, so it can be accessed remotely. Later it can be exposed through an ingress.
Update Docker User Info
See this post.
```bash
## create new htpasswd file
```
Skopeo Operation
Please refer to my skopeo blog for more details.
```bash
skopeo copy \
```