I needed to set up a private registry recently to demonstrate some Kubernetes features. The docker-registry Helm chart on the lightweight Kubernetes distribution, K3s, serves my purposes nicely.

1. Create a Certificate

Create a self-signed cert with the cfssl tool.

Prepare the following myca.json file,

{
    "CN": "k3s",
    "hosts": [ "k3s" ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "SG",
            "ST": "SG",
            "L": "Singapore"
        }
    ]
}

Generate the self-signed root CA cert,

cfssl gencert -initca myca.json | cfssljson -bare myca

Create the following serverRequest.json file,

{
    "CN": "registry",
    "hosts": [ "ubuntu" ],
    "key": {
        "algo": "rsa",
        "size": 2048
    }
}

Generate the server certificate with the command below,

cfssl gencert -ca=myca.pem -ca-key=myca-key.pem -config=ca-config.json -profile=server -hostname=ubuntu serverRequest.json | cfssljson -bare registry

Now we have the certificate, registry.pem, and the key file, registry-key.pem. Create the Kubernetes TLS secret in the K3s cluster,

kubectl -n kube-system create secret tls registry-ingress-tls --cert=registry.pem --key=registry-key.pem

2. Deploy the Helm Chart

Create the following HelmChart CRD, registry.yaml

apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: docker-registry
  namespace: kube-system
spec:
  chart: stable/docker-registry
  targetNamespace: kube-system
  valuesContent: |-
    service:
      name: registry
      type: LoadBalancer
    persistence:
      enabled: true
    tlsSecretName: registry-ingress-tls

I am using the latest K3s (V0.6.1), in which the CRD apiVersion for HelmChart has changed slightly. (Thanks to the K3s team: they fixed the helm chart issue immediately after I reported it for V0.6.0, and released V0.6.1.)

Apply it, and docker-registry is running. Validate that the docker registry is working with the following command,

curl -ks https://ubuntu:5000/v2/_catalog

As I am using the K3s LoadBalancer, port 5000 is available on the host.

3. Push images with Docker

Before we can push an image to the private registry, we need to make the CA trusted by the Docker engine. Update the settings using the CA's certificate, myca.pem,

sudo mkdir -p /etc/docker/certs.d/ubuntu:5000

sudo cp myca.pem /etc/docker/certs.d/ubuntu:5000/ca.crt

Now we can build an image and push it to the private registry we set up.

4. Use the image in K3s cluster

Similarly, to use images from the private Docker registry in K3s, the CA's certificate needs to be trusted first. It seems that, currently, the containerd engine cannot be given a trusted CA through its configuration.

However, it can be fixed by putting the CA into the host system's trusted CA chain. Run the following commands,

sudo mkdir -p /usr/local/share/ca-certificates/myregistry

sudo cp registry/myca.pem /usr/local/share/ca-certificates/myregistry/myca.crt

sudo update-ca-certificates

Note that the cert in this directory has to be named with a .crt extension. Restart the K3s service for the change to take effect.

Now that the registry is set up, the images inside it can be referenced in the K3s cluster and run.
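As an added example (not the post's own commands), here is a shell check a practitioner would run on the certificate from step 1 before trusting the CA in Docker and containerd: it confirms that registry.pem chains to myca.pem, that the registry host name "ubuntu" is in the subjectAltName list (the "hosts" field of serverRequest.json), and that the cert is not about to expire. It assumes openssl is installed; the throwaway CA it builds with openssl is a stand-in for the cfssl commands above so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks that the server
# certificate issued in step 1 will be accepted for the registry host before
# it is trusted by Docker (step 3) and containerd (step 4).
# Assumes: openssl is installed; file names follow the post (myca.pem,
# registry.pem) and the registry host is "ubuntu".

# check_registry_cert CA_PEM CERT_PEM HOST
# Exit status: 0 = usable, 1 = does not chain to CA_PEM,
# 2 = HOST missing from the subjectAltName list, 3 = expires within a day.
check_registry_cert() {
  ca="$1"; cert="$2"; host="$3"
  # Chain check: the trust decision Docker makes with certs.d/<host:port>/ca.crt.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  # SAN check: the "hosts" list in serverRequest.json becomes the SAN list; a
  # certificate without the registry host name fails TLS verification even
  # when the chain is fine (the CN alone is not enough for modern clients).
  openssl x509 -in "$cert" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | tr -d ' ' | grep -qxF "DNS:$host" || return 2
  # Expiry check: 86400 s = 1 day.
  openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null || return 3
  return 0
}

# make_demo_certs DIR HOST
# Builds a throwaway CA and server certificate with openssl, standing in for
# the cfssl commands of the post so the check can be exercised offline.
# Writes DIR/myca.pem, DIR/myca-key.pem, DIR/registry.pem, DIR/registry-key.pem.
make_demo_certs() {
  dir="$1"; host="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=k3s" \
    -keyout "$dir/myca-key.pem" -out "$dir/myca.pem" >/dev/null 2>&1 || return 1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=registry" \
    -keyout "$dir/registry-key.pem" -out "$dir/registry.csr" >/dev/null 2>&1 || return 1
  # The SAN comes from an extension file, as cfssl derives it from "hosts".
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
  openssl x509 -req -days 2 -in "$dir/registry.csr" -CA "$dir/myca.pem" \
    -CAkey "$dir/myca-key.pem" -CAcreateserial -extfile "$dir/san.ext" \
    -out "$dir/registry.pem" >/dev/null 2>&1
}

# Stand-alone usage: sh check_registry_tls.sh [ca.pem] [cert.pem] [host]
# Runs only when the CA file exists, so sourcing this file is harmless.
if [ -f "${1:-myca.pem}" ]; then
  check_registry_cert "${1:-myca.pem}" "${2:-registry.pem}" "${3:-ubuntu}"
  echo "check_registry_cert exit status: $?"
fi
```

A non-zero status tells you which of the three checks to fix before creating the registry-ingress-tls secret; a status of 2 means the "hosts" entry in serverRequest.json does not match the name Docker and containerd will use to reach the registry.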