Docker Private Registry

To set up Microk8s, see the previous post.

Enable required microk8s add-ons:

microk8s.enable ingress registry

In order to push images from your development machine to a Microk8s docker private registry, you may want to expose it outside of the host.

Note: these instructions can easily be adapted to expose a docker private registry container running on any kubernetes cluster – not just microk8s

Create User Credentials

Create the credentials to be used when accessing the registry.

Create password

The easiest way is to use htpasswd on a docker container (please note that docker is no longer part of microk8s but you can install it using snap)

docker run --entrypoint htpasswd registry:2 -bn <user> <password> >> auth

Important:

  • the file MUST be called auth or you will get a 503 error when trying to access the repo
  • If you generate the password using bcrypt (-B) you may get a 500 error when trying to access the repo. Inspecting the logs for the nginx pod you may see something like:
stderr F 2019/05/12 17:34:15 [crit] 1306#1306: *18049 crypt_r() failed (22: Invalid argument), ...
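
The two points above can be checked before the secret is created. The following is an added example, not part of the original post: a shell pre-flight check that confirms the file is named auth and flags bcrypt entries (those generated with -B). The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check of the htpasswd file before it is loaded
# into the basic-auth secret. Function names are illustrative assumptions.

# Classify an htpasswd hash by its scheme prefix.
hash_scheme() {
  case "$1" in
    '$apr1$'*)               echo apr1 ;;    # htpasswd default (MD5-based)
    '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;  # produced by htpasswd -B
    '')                      echo empty ;;
    *)                       echo other ;;
  esac
}

# check_auth_file PATH
# Prints "user scheme" per entry; returns 1 if the file is not named "auth",
# a line has no user:hash separator, or a hash is bcrypt or empty.
check_auth_file() {
  file=$1; rc=0
  [ "$(basename "$file")" = auth ] || { echo "name: file must be called auth"; rc=1; }
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue   # htpasswd -n emits a blank line after each entry
    case "$line" in
      *:*) ;;
      *) echo "malformed line (no ':' separator)"; rc=1; continue ;;
    esac
    scheme=$(hash_scheme "${line#*:}")
    echo "${line%%:*} $scheme"
    case "$scheme" in bcrypt|empty) rc=1 ;; esac
  done < "$file"
  return "$rc"
}

# Constructed sample input (hash values are placeholders, not real hashes).
demo_dir=$(mktemp -d)
cat > "$demo_dir/auth" <<'EOF'
alice:$apr1$constructed$placeholderhashvalue00

bob:$2y$05$constructedplaceholderbcrypthashvalue
EOF
check_auth_file "$demo_dir/auth" || echo "fix the entries above before creating the secret"
```
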

Create Secret

kubectl create secret generic basic-auth --namespace=container-registry --from-file=auth

HTTPS

Create Let’s Encrypt certificate

See this post: how to generate certificates using a docker container

Create tls secret

Find the fullchain.pem and privkey.pem files generated by letsencrypt and then create the secret:

kubectl create secret tls tlssecret --cert=fullchain.pem --key=privkey.pem --namespace=container-registry 

Create ingress for registry

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: registry
  namespace: container-registry
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required b2-4ac.com'
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
spec:
  rules:
  - host: registry.b2-4ac.com
    http:
      paths:
      - backend:
          serviceName: registry
          servicePort: 5000
  tls:
  - hosts:
    - registry.b2-4ac.com
    secretName: tlssecret

Replace registry.b2-4ac.com with your public hostname

You can use kubectl to apply or the kubernetes dashboard.

Test

Make sure that you have adjusted the DNS to point to your Microk8s host and that port 80 is accessible to you.

On your browser navigate to:

https://<host>/v2

You should be prompted to enter your credentials, and after that you should get a boring “{}” response 🙂

Configure kubernetes

kubectl create secret docker-registry docker-registry.b2-4ac.com --docker-server=registry.b2-4ac.com --docker-username=<user> --docker-password=<password>

Login from your development machine

docker login registry.b2-4ac.com
