How do you set up a private secure docker-registry?
I have installed via helm
Now how can I make it secure (TLS certs), so I can push and pull to the registry from docker and from a kubernetes deployment?
I can see that there is a Helm configuration:
tlsSecretName: Name of secret for TLS certs
Update - current status: I was able to get cert-manager working and install with TLS:
helm install stable/docker-registry --set tlsSecretName=example-com-tls
I am not strong in certificates, but I am unclear about the following:
1. Can I now create an Ingress (with a secret to cert) that will only accept incoming requests with that certificate? I will look at the suggested link from @xzesstence tomorrow.
2. I guess I need to tell docker push where to find the certificate? Maybe this (I will try this tomorrow): https://docs.docker.com/engine/security/certificates/
Check out the official Docker tutorial https://docs.docker.com/registry/deploying/ and especially the section "Get a certificate".
So overall, in short: you need to get a certificate and place it in /certs (or change the folder mount of the following docker run command, -v /cert). Also check the certificate name: either rename it to domain.crt or change the filename in the docker run command,
then run:
docker run -d \
--restart=always \
--name registry \
-v "$(pwd)"/certs:/certs \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
-p 443:443 \
registry:2
If you don't have a certificate, you can use letsencrypt https://letsencrypt.org/
Maybe you want to check out this start script with letsencrypt certs (untested from my side). The advantage of this is that you have the letsencrypt service integrated, which can renew the license automatically: https://gist.github.com/PieterScheffers/63e4c2fd5553af8a35101b5e868a811e
Edit: Since you are using Docker on a Kubernetes cluster, check out this great tutorial https://medium.com/@jmarhee/in-cluster-docker-registry-with-tls-on-kubernetes-758eecfe8254
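An added example, not part of the original answer or of the Docker docs: a small POSIX shell script that checks the /certs material before starting registry:2 with the docker run command above (both files present, really PEM, and the private key actually belongs to the certificate, which is the usual reason the registry refuses to start), and that performs the client-side trust step from the linked Docker certificates page for a private CA. The registry reference registry.example.com:443, the DOCKER_CERTS_ROOT variable and the function names are assumptions made here; the file names domain.crt and domain.key are the ones from the answer.

```shell
#!/bin/sh
# Added example, not from the original answer or the Docker docs: pre-flight
# checks for the TLS material before starting registry:2 as shown above, and
# the client-side trust step from the linked Docker certificates page
# ($DOCKER_CERTS_ROOT/<registry-ref>/ca.crt). Assumed names: the certs dir
# holds domain.crt + domain.key exactly as in the docker run command above;
# REGISTRY_REF is the registry exactly as you type it in "docker push".

REGISTRY_REF="${REGISTRY_REF:-registry.example.com:443}"   # placeholder
DOCKER_CERTS_ROOT="${DOCKER_CERTS_ROOT:-/etc/docker/certs.d}"

# Return 0 if the file is readable and carries a PEM header of the given kind
# (a CSR, "CERTIFICATE REQUEST", does not match "CERTIFICATE-----").
is_pem() {
    [ -r "$1" ] && grep -q -e "-----BEGIN.*$2-----" "$1"
}

# Structural check: both files present, cert is a PEM certificate, key is a
# PEM private key (PKCS#8, RSA and EC headers all end in "PRIVATE KEY").
check_tls_material() {
    is_pem "$1/domain.crt" "CERTIFICATE" \
        || { echo "missing or non-PEM cert: $1/domain.crt" >&2; return 1; }
    is_pem "$1/domain.key" "PRIVATE KEY" \
        || { echo "missing or non-PEM key: $1/domain.key" >&2; return 1; }
}

# Semantic check (needs openssl): the private key must belong to the cert.
# Compares the SubjectPublicKeyInfo derived from each side.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run all checks for a certs dir; refuse to start the registry otherwise.
preflight() {
    check_tls_material "$1" || return 1
    if command -v openssl >/dev/null 2>&1; then
        key_matches_cert "$1/domain.crt" "$1/domain.key" \
            || { echo "domain.key does not match domain.crt" >&2; return 1; }
    else
        echo "openssl not found, skipping key/cert match check" >&2
    fi
}

# The docker run command from the answer, with the certs dir substituted.
registry_run_cmd() {
    printf 'docker run -d --restart=always --name registry -v "%s":/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key -p 443:443 registry:2\n' "$1"
}

# Client side: only needed for a private CA. Docker trusts
# $DOCKER_CERTS_ROOT/<registry-ref>/ca.crt for that registry; a Let's Encrypt
# cert is already in the system trust store and needs nothing here.
install_client_ca() {
    dest="$DOCKER_CERTS_ROOT/$REGISTRY_REF"
    mkdir -p "$dest" && cp "$1" "$dest/ca.crt" && echo "$dest/ca.crt"
}

# Usage: sh registry-tls.sh start /path/to/certs
#        sh registry-tls.sh trust /path/to/ca.crt
case "${1:-}" in
    start) preflight "$2" && sh -c "$(registry_run_cmd "$2")" ;;
    trust) install_client_ca "$2" ;;
esac
```

The same preflight applies when the registry runs in Kubernetes through the Helm chart: the tlsSecretName secret is a kubernetes.io/tls secret holding the same cert and key, so run preflight on the files before `kubectl create secret tls ... --cert=domain.crt --key=domain.key`. The script does not check that the certificate's SAN covers the registry hostname; a hostname mismatch shows up on the client as a TLS verification error at push time rather than at registry start.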