Docker in practice: building a private image registry for Kubernetes

Source: Internet
Author: User
Tags docker hub docker run k8s

1. Purpose

Build an enterprise-private image registry that supports pushing and pulling images from the development environment. When we use k8s to orchestrate and schedule containers, the basic unit of operation is the image, so each working node needs to pull images from a registry. The public Docker Hub suits this need and is very convenient, but uploaded images can be accessed by anyone, and Docker Hub charges for private repositories, so the enterprise must build its own private image registry for both security and commercial reasons.

2. Build a private registry

2.1. Generate a certificate

To secure images in transit, HTTPS is generally used when pushing and pulling images between the development environment and the private registry (note: for plain HTTP, refer to the official documentation, https://docs.docker.com/registry/insecure/#deploy-a-plain-http-registry, and try it out yourself). We therefore need a trusted SSL/TLS certificate. It can be purchased from a reputable third-party certificate authority, obtained for free from Let's Encrypt, or produced yourself as a self-signed certificate.
Because no real domain name was purchased and a third-party certificate authority's interactive validation could not be completed, the decision was made to produce a self-signed certificate, add it to the private registry, and then have the Docker client trust the certificate.
Create a directory, certs, to store the certificate and private key:

mkdir -p certs

Generate the certificate and private key:

openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt

Note that the domain name must be prepared in advance and entered as the CN (Common Name) when prompted.

To view the generated certificate:
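The generation and inspection steps above as one scriptable check; this is an added example, not part of the original article. Docker clients built with Go 1.15 or later reject certificates that carry the host name only in the CN, so the example also sets subjectAltName. The host name passed in is a placeholder, and `-addext` assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the article. The host name passed in is a
# placeholder; -addext needs OpenSSL 1.1.1 or newer.

# make_registry_cert HOST DIR [BITS]: non-interactive form of the openssl
# command above, with the host in both the CN and subjectAltName.
make_registry_cert() {
    host=$1; dir=$2; bits=${3:-4096}
    mkdir -p "$dir" || return 1
    openssl req -newkey "rsa:$bits" -nodes -sha256 \
        -keyout "$dir/domain.key" -x509 -days 365 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -out "$dir/domain.crt" 2>/dev/null || return 1
    chmod 600 "$dir/domain.key"   # the key is stored unencrypted (-nodes)
}

# check_registry_cert HOST DIR: fail if the SAN does not list HOST, the key
# does not belong to the certificate, or it expires within 30 days.
check_registry_cert() {
    host=$1; dir=$2
    # Split the SAN list into one entry per line and require an exact match.
    openssl x509 -in "$dir/domain.crt" -noout -text \
        | tr ',' '\n' | sed 's/^ *//; s/ *$//' \
        | grep -qxF "DNS:$host" || { echo "no SAN for $host" >&2; return 1; }
    # Same public key on both sides means the key belongs to the certificate.
    cert_pub=$(openssl x509 -in "$dir/domain.crt" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$dir/domain.key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "key/cert mismatch" >&2; return 1; }
    # 2592000 seconds = 30 days.
    openssl x509 -in "$dir/domain.crt" -noout -checkend 2592000 >/dev/null \
        || { echo "expires within 30 days" >&2; return 1; }
}

# Usage: make_registry_cert registry.example.internal certs &&
#        check_registry_cert registry.example.internal certs
```

Running `check_registry_cert` again before each registry restart catches a swapped key file or a certificate about to lapse, both of which otherwise surface only as failed pulls on the nodes.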

2.2. Run the container to start the registry

Use Docker's open-source registry:2 image.

Execute the following command:

$ docker run -d --restart=always --name <registry-host> -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key -p 443:443 registry:2
Parameter descriptions:
-d Runs the container silently in the background.
--restart Sets the container restart policy.
--name Names the container.
-v Mounts the host's certs/ directory to the container's /certs/ directory.
-e REGISTRY_HTTP_ADDR Sets the registry's listen address, in host:port format.
-e REGISTRY_HTTP_TLS_CERTIFICATE Sets the environment variable that tells the container where the certificate is.
-e REGISTRY_HTTP_TLS_KEY Sets the environment variable that tells the container where the private key is.
-p Maps port 443 of the container to port 443 of the host.


2.3. Retag the image

The full naming format for images is [registry-host]:[port]/[username]/[imagename]. When we use docker push, Docker automatically treats the [registry-host] part as the address of the registry to push to.
To retag an image, use docker tag:

docker tag justmine/healthchecksapi:v1.0 [registry-host]/justmine/healthchecksapi:v1.0

2.4. Push the image to the private registry
docker push [registry-host]/justmine/healthchecksapi:v1.0
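A guard for the tag and push steps above, as an added example that is not part of the original article: it works out which registry a reference resolves to under Docker's naming rule and refuses to push when that is not the private registry, so a reference missing the host prefix does not end up on the public Docker Hub. `PRIVATE_REGISTRY` and its default value are placeholders.

```shell
#!/bin/sh
# Added example. PRIVATE_REGISTRY is a placeholder host, not one from the article.
PRIVATE_REGISTRY=${PRIVATE_REGISTRY:-registry.example.internal}

# Print the registry a reference resolves to, following Docker's rule:
# the part before the first "/" is a registry host only if it contains
# "." or ":", is "localhost", or has an uppercase letter; otherwise the
# whole name is a Docker Hub repository.
registry_of() {
    ref=$1
    case $ref in
        */*) first=${ref%%/*} ;;
        *)   echo docker.io; return 0 ;;   # e.g. "ubuntu:22.04"
    esac
    lower=$(printf '%s' "$first" | tr '[:upper:]' '[:lower:]')
    case $first in
        *.*|*:*|localhost) echo "$first" ;;
        *) if [ "$first" = "$lower" ]; then echo docker.io; else echo "$first"; fi ;;
    esac
}

# safe_push SRC DST: tag and push only when DST resolves to the private
# registry (with or without a port). Set DOCKER="echo docker" for a dry run.
safe_push() {
    src=$1; dst=$2
    target=$(registry_of "$dst")
    case $target in
        "$PRIVATE_REGISTRY"|"$PRIVATE_REGISTRY":*) ;;
        *) echo "refusing: $dst would be pushed to $target" >&2; return 1 ;;
    esac
    ${DOCKER:-docker} tag "$src" "$dst" && ${DOCKER:-docker} push "$dst"
}
```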


Note: For Docker running on the current Windows host to trust this certificate, we need to install the certificate on the Windows host: right-click the certificate, choose "Install Certificate", select "Local Machine", select "Trusted Root Certification Authorities", and add the certificate. The mapping from the domain name to the private registry host's IP must also be written to the hosts file of the Windows host.

The image is pushed successfully from the development environment to the private registry. Done!
So far, a private registry that can meet the needs of the enterprise has been formally built.

Next, we will have k8s pull images from our private registry.
Source Code Reference: https://github.com/justmine66/k8s.ecoysystem.apps
