Your Web News in One Place

An Interest In:

Web News this Week

Search Archive

Some of Our Sources

View All Sources

Help Webnuz

Referal links:

Sign up for GreenGeeks web hosting
August 10, 2020 03:35 pm GMT

Kubernetes: Private Docker Registry in 5 Minutes

A private Docker registry simplifies managing your application deployments in Kubernetes. Read my tutorial to setup you own private Docker registry in a few minutes.

Kubernetes works with Docker Containers. Docker Containers need to be provided with a Docker registry. If you dont want to use a public docker registry for publishing the images of your application, you need to setup a private registry.

This article shows you how to deploy a private Docker Registry inside your Kubernetes cluster.

This article originally appeared at my blog.

Do I really need a private Docker Registry?

Short Answer: Yes.

Assume you want to deploy the image webpage, here is what happens:

  ----     ------     ----               ----                -------  Normal   Scheduled  <unknown>          default-scheduler   Successfully assigned default/webpage-5fc78c945d-sl7gx to k3s-node2  Normal   Pulling    15s (x2 over 31s)  kubelet, k3s-node2  Pulling image "webpage"  Warning  Failed     14s (x2 over 31s)  kubelet, k3s-node2  Error: ErrImagePull  Warning  Failed     14s (x2 over 31s)  kubelet, k3s-node2  Failed to pull image "webpage": rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/library/webpage:latest": failed to resolve reference "docker.io/library/webpage:latest": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed  Warning  Failed     2s (x2 over 30s)   kubelet, k3s-node2  Error: ImagePullBackOff  Normal   BackOff    2s (x2 over 30s)   kubelet, k3s-node2  Back-off pulling image "webpage"

As you see, in the default configuration, Kubernetes looks for images in the public docker.io registry.

Can you build the images locally, on each of your Kubernetes cluster nodes? Yes, but it does not work because Kubernetes expects to talk to a Docker Registry API.

Therefore: You need to provide the access to a docker registry. If you dont want to publish the images of your app in a public registry, the only option is to have a private one.

Private Docker Registry

Setting up a private Docker registry requires these essential steps:

  • Create a domain and DNS entry
  • Install docker registry
  • Add TLS certificates

Domain and DNS Entry

The first step will be done with your ISP web interface or similar means. For my domain admantium.com, I created the subdomain docker.adamantium.com. Then I added a DNS entry that points to my Kubernetes cluster.

Install Docker Registry

For the second step, we use the arkade helper tool. Execute the following command, then check the output that all goes well.

>> arkade install docker-registryNAME: docker-registryLAST DEPLOYED: Sun Apr 26 19:29:33 2020NAMESPACE: defaultSTATUS: deployedREVISION: 2TEST SUITE: NoneNOTES:...======================================================================== docker-registry has been installed.                                 ========================================================================# Find out more at:# https://github.com/helm/charts/tree/master/stable/registryThanks for using arkade!Registry credentials: USERNAME SECRET

At the bottom of this output, you will see the username and the password. Copy them now.

To access the registry, you need these parameters: domain name, username, password and an e-mail address. Define all of them as environment variables and put them in your .bashrc file.

export DOCKER_REGISTRY=<<domain>>export DOCKER_USERNAME=<<admin>>export DOCKER_PASSWORD=<<password>>export DOCKER_EMAIL=<<email>>

From now on, whenever you execute a docker command, these parameters will be used.

Provide TLS Certificates

The Docker registry should be accessed with a TLS encrypted connection. In my previous article, I explained how to install the cert-manager, a software package that automatically issues and renews certificates.

For the docker registry, we will build upon the cert-manager. With the following command, you will automatically define a new ClusterIssuer, called letsencrypt-prod-registry, and define an Ingress resource which forwards requests of the configured domain name to your Docker registry.

>> arkade install docker-registry-ingress --email $DOCKER_EMAIL --domain $DOCKER_REGISTRY======================================================================== Docker Registry Ingress and cert-manager ClusterIssuer have been installed ========================================================================

If you are curious, you can take a look with the following command:

>> kubectl get ingress docker-registry --output=yamlapiVersion: extensions/v1beta1kind: Ingressmetadata:  annotations:    cert-manager.io/cluster-issuer: letsencrypt-prod-registry    kubernetes.io/ingress.class: nginx    nginx.ingress.kubernetes.io/proxy-body-size: 200mspec:  rules:  - host: docker.admantium.com    http:      paths:      - backend:          serviceName: docker-registry          servicePort: 5000        path: /  tls:  - hosts:    - docker.admantium.com    secretName: docker-registrystatus:  loadBalancer:    ingress:    - ip: 49.12.45.26

When the installation is finished, you should check the log files of the cert-manager to see that the TLS certificates are properly installed.

> kubectl logs -n cert-manager deploy/cert-managerI0502 15:26:54.317163       1 sync.go:379] cert-manager/controller/certificates "level"=0 "msg"="validating existing CSR data" "related_resource_kind"="CertificateRequest" "related_resource_name"="docker-admantium-com-3726166042" "related_resource_namespace"="default" "resource_kind"="Certificate" "resource_name"="docker-admantium-com" "resource_namespace"="default"I0502 15:26:54.317935       1 sync.go:479] cert-manager/controller/certificates "level"=0 "msg"="CertificateRequest is not in a final state, waiting until CertificateRequest is complete" "related_resource_kind"="CertificateRequest" "related_resource_name"="docker-admantium-com-3726166042" "related_resource_namespace"="default" "resource_kind"="Certificate" "resource_name"="docker-admantium-com" "resource_namespace"="default" "state"="Pending"I0502 15:26:54.324391       1 controller.go:135] cert-manager/controller/certificates "level"=0 "msg"="finished processing work item" "key"="default/docker-registry"

Test: Pushing Images to Private Docker Registry

If all goes well, we can now access the registry. Execute the following command.

> docker login $DOCKER_REGISTRY --username=$DOCKER_USERNAME --password=$DOCKER_PASSWORDLogin Succeeded

Then, tag your image in this manner: <<DOCKER_REGISTRY>>/<<IMAGE-NAME>>:<<VERSION>>. In my case, I will tag the image as
docker.admantium.com/webpage:latest. Then push this image to the registry.

> docker push docker.admantium.com/webpage:latestThe push refers to repository [docker.admantium.com/webpage]599b6638e2aa: Pushed81210be95b2f: Pushedf3629d9fa534: Pushed403ab6c36d93: Pushed313be5a92861: Pushedf6fbf55b4240: Pushing [=============>                                     ]  23.42MB/83.96MB2fc9f319e2c4: Pushedde7d7e8f96e8: Pushed55c928cc6db5: Pushede90cdc933987: Pusheddba921702de8: Pushing [=====>                                             ]  8.229MB/76.92MB883a1e8c9056: Pushing [==>                                                ]  17.66MB/326MB1fbb01ef7573: Pushing [==================================================>]  3.584kBb54ada1169f0: Pushing [==============>                                    ]  2.241MB/7.621MB0586a03753aa: Waiting531743b7098c: Waiting

Wonderful, the image can be pushed to the registry. We can now test deploy the webpage image inside the Kubernetes cluster

kb create deployment --image docker.adamantium.com/webpage

But something is wrong ...

>> kb describe pod/webpage-86976f8869-5jgtzName:         webpage-86976f8869-5jgtzNamespace:    defaultPriority:     0Node:         k3s-node2/49.12.64.126Start Time:   Sun, 26 Apr 2020 19:57:53 +0200Labels:       app=webpage              pod-template-hash=86976f8869Annotations:  <none>Status:       Pending...Events:  Type     Reason     Age                From                Message  ----     ------     ----               ----                -------  Normal   Scheduled  <unknown>          default-scheduler   Successfully assigned default/test-86976f8869-5jgtz to k3s-node2  Normal   Pulling    36s (x3 over 77s)  kubelet, k3s-node2  Pulling image "docker.admantium.com/webpage"  Warning  Failed     35s (x3 over 75s)  kubelet, k3s-node2  Failed to pull image "docker.admantium.com/webpage": rpc error: code = Unknown desc = failed to pull and unpack image "docker.admantium.com/webpage:latest": failed to resolve reference "docker.admantium.com/webpage:latest": unexpected status code [manifests latest]: 401 Unauthorized

Kubernetes is unauthorized to access the registry. So, we need to provide the username and password as a Secrets resource.

Configure a Kubernetes Secrete to Access the Registry

On your client, create the secret as follows.

kubectl create secret docker-registry registry-secret \--docker-server=$DOCKER_REGISTRY \--docker-username=$DOCKER_USERNAME \--docker-password=$DOCKER_PASSWORD \--docker-email=$DOCKER_EMAIL secret/registry-secret created

Then check this Secret. The information you just entered will be rendered as a JSON file and used by Kubernetes when your registry is accessed.

> kb describe secret registry-secretName:         registry-secretNamespace:    defaultLabels:       <none>Annotations:  <none>Type:  kubernetes.io/dockerconfigjsonData====.dockerconfigjson:  166 bytes

Now we need to provide this secret in the deployment file. Create the entry spec.template.spec.imagePullSecrets as shown below.

apiVersion: apps/v1kind: Deploymentmetadata:  name: webpagespec:  selector:    matchLabels:      app: webpage  template:    metadata:      labels:        app: webpage    spec:      containers:        - name: webpage          image: docker.admantium.com/webpage:latest      imagePullSecrets:        - name: registry-secret

Now the deployment is successful.

>>  kb describe pod/webpage-7b4469547b-cpbrqName:         webpage-7b4469547b-cpbrqNamespace:    defaultPriority:     0Node:         k3s-node2/49.12.64.126Start Time:   Sun, 26 Apr 2020 20:43:19 +0200Labels:       app=webpage              pod-template-hash=7b4469547bAnnotations:  <none>Status:       RunningIP:           10.42.2.151IPs:  IP:           10.42.2.151Controlled By:  ReplicaSet/webpage-7b4469547bContainers:  webpage:    Container ID:   containerd://a42ac84a8e8fca2e67c5b32a690d00f5b63bd79a71ecd25a5a62764ebb109768    Image:          docker.admantium.com/webpage:0.1.0    Image ID:       docker.admantium.com/webpage@sha256:1c15180d3d08a8d4c8f5e7f368bbf54a7a33c163cf0aacb4cb60f460aee6e441

Conclusion

In order to use your Kubernetes cluster, access to a private Docker registry is a must. In this article, I showed you how to setup a Docker registry inside you Kubernetes cluster, from which you can then deploy applications. Assuming you have the cert-manager installed (see previous article), you just need to install the docker-registry and docker-registry-ingress packages. You will then have a TLS-encrypted connection to your Docker registry. To push the images to this registry, you need to tag the images appropriately and configure the Docker environment variables on you client correctly. Finally, you need to provide the access credentials to the Docker registry inside your Kubernetes Cluster as a Secret.

With a private Docker registry, you are ready to go and publish your applications.


Original Link: https://dev.to/admantium/kubernetes-private-docker-registry-in-5-minutes-5a0f

Share this article:    Share on Facebook
View Full Article

Dev To

An online community for sharing and discovering great ideas, having debates, and making friends

More About this Source Visit Dev To