This document describes how to enable TLS for kube-registry. Before you start, please check that you have all the prerequisites:

- A domain for kube-registry. Assuming it is myregistrydomain.com.
- A domain certificate and key. Assuming they are domain.crt and domain.key.
Pack domain.crt and domain.key into a Secret

```shell
$ kubectl --namespace=kube-system create secret generic registry-tls-secret --from-file=domain.crt=domain.crt --from-file=domain.key=domain.key
```
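A pre-flight check worth running before the kubectl command above, as an added example that is not part of the original document: it confirms that domain.key actually belongs to domain.crt, that the certificate is valid for myregistrydomain.com, and that it has not expired. A mismatched pair stops the registry from serving TLS at all, and a certificate issued for a different name makes every client reject the connection, so catching either before the Secret is created saves a debugging round trip. The function names check_tls_pair and make_test_cert are chosen here and are not part of the page; the script assumes the openssl CLI is installed (1.1.1 or newer for the -addext flag used to build the throw-away test certificate).

```shell
#!/bin/sh
# Pre-flight check for the certificate/key pair before it is packed into the
# registry-tls-secret Secret.  Added example, not code from the original page.
# Assumes the openssl CLI (1.1.1+ for the -addext flag in make_test_cert).

# check_tls_pair CRT KEY DOMAIN
# Returns 0 only when the key matches the certificate, the certificate is
# valid for DOMAIN, and it has not expired.  Reports the first failing check.
check_tls_pair() {
    crt=$1
    key=$2
    domain=$3

    # Both files must parse; a missing or garbled file must not slip through.
    if ! openssl x509 -in "$crt" -noout 2>/dev/null; then
        echo "FAIL: cannot read certificate $crt" >&2
        return 1
    fi
    if ! openssl pkey -in "$key" -noout 2>/dev/null; then
        echo "FAIL: cannot read private key $key" >&2
        return 1
    fi

    # 1. Key and certificate must carry the same public key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl dgst -sha256)
    if [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not belong to $crt" >&2
        return 1
    fi

    # 2. The certificate must be valid for the registry domain (SAN, or CN
    #    when no SAN is present); clients verify exactly this name.
    if ! openssl x509 -in "$crt" -noout -checkhost "$domain" | grep -q 'does match'; then
        echo "FAIL: $crt is not valid for host $domain" >&2
        return 1
    fi

    # 3. It must not already be expired (-checkend 0 exits 1 if it is).
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null; then
        echo "FAIL: $crt has expired" >&2
        return 1
    fi

    echo "OK: $crt and $key form a valid pair for $domain"
    return 0
}

# make_test_cert DIR DOMAIN
# Writes a constructed, self-signed domain.crt/domain.key pair into DIR so the
# check can be exercised without a real certificate.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/domain.key" -out "$1/domain.crt" 2>/dev/null
}

# Usage: sh check-tls-pair.sh demo          (throw-away pair, prints "OK ...")
#        or source the file and call:
#        check_tls_pair domain.crt domain.key myregistrydomain.com
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_test_cert "$dir" myregistrydomain.com
    check_tls_pair "$dir/domain.crt" "$dir/domain.key" myregistrydomain.com
    rm -rf "$dir"
fi
```

The public-key comparison is done on the SubjectPublicKeyInfo rather than on an RSA modulus so the same check works for ECDSA keys; the host check relies on the "does match" / "does NOT match" wording that openssl x509 -checkhost prints rather than on its exit status.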
Run Registry

Please note that this sample ReplicationController uses emptyDir as its storage backend for simplicity; pushed images live only as long as the pod does.

```yaml
apiVersion: v1
kind: ReplicationController
metadata:
  name: kube-registry-v0
  namespace: kube-system
  labels:
    k8s-app: kube-registry
    version: v0
#    kubernetes.io/cluster-service: "true"
spec:
  replicas: 1
  selector:
    k8s-app: kube-registry
    version: v0
  template:
    metadata:
      labels:
        k8s-app: kube-registry
        version: v0
#        kubernetes.io/cluster-service: "true"
    spec:
      containers:
      - name: registry
        image: registry:2
        resources:
          # keep request = limit to keep this container in guaranteed class
          limits:
            cpu: 100m
            memory: 100Mi
          requests:
            cpu: 100m
            memory: 100Mi
        env:
        - name: REGISTRY_HTTP_ADDR
          value: :5000
        - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
          value: /var/lib/registry
        - name: REGISTRY_HTTP_TLS_CERTIFICATE
          value: /certs/domain.crt
        - name: REGISTRY_HTTP_TLS_KEY
          value: /certs/domain.key
        volumeMounts:
        - name: image-store
          mountPath: /var/lib/registry
        - name: cert-dir
          mountPath: /certs
        ports:
        - containerPort: 5000
          name: registry
          protocol: TCP
      volumes:
      - name: image-store
        emptyDir: {}
      - name: cert-dir
        secret:
          secretName: registry-tls-secret
```
Expose External IP for Kube-Registry

Modify the default kube-registry service to the LoadBalancer type and point the DNS record of myregistrydomain.com to the service's external IP. Note that this sample configures TLS only: the registry itself has no authentication configured, so anything that can reach the external IP can pull and push images.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: kube-registry
  namespace: kube-system
  labels:
    k8s-app: kube-registry
#    kubernetes.io/cluster-service: "true"
    kubernetes.io/name: "KubeRegistry"
spec:
  selector:
    k8s-app: kube-registry
  type: LoadBalancer
  ports:
  - name: registry
    port: 5000
    protocol: TCP
```
To Verify

Now you should be able to access your kube-registry from another Docker host at myregistrydomain.com:5000.