On the other hand, the registry itself supports reading the HTTP secret directly from an environment variable as a plain string. It can also take the file paths of the TLS certificate, its private key and the HTTP basic authentication (htpasswd) file from environment variables:
| Environment variable name | Description | Sample value |
|---|---|---|
| REGISTRY_HTTP_SECRET | HTTP secret string (a random value the registry uses to sign state handed to clients) | valueFrom: secretKeyRef: name: registry-secrets key: http.secret |
| REGISTRY_HTTP_TLS_CERTIFICATE | File path of the TLS certificate (domain.crt) | /mnt/domain.crt |
| REGISTRY_HTTP_TLS_KEY | File path of the TLS private key (domain.key) | /mnt/domain.key |
| REGISTRY_AUTH_HTPASSWD_REALM | Realm name the registry sends in its HTTP Basic authentication challenge | basic-realm |
| REGISTRY_AUTH_HTPASSWD_PATH | File path of the htpasswd file (registry_passwd) | /mnt/registry_passwd |
| REGISTRY_HTTP_HOST | Externally reachable address of the registry; here the IP of one Kubernetes node plus the Service nodePort | 10.138.0.3:30500 |
We'll write a Kubernetes Deployment manifest for the registry and set the preceding variables in it, so the registry Pods pick them up. The Deployment uses the PersistentVolumeClaim pvc-1 as the container image store, mounts the TLS certificate files (domain.crt and domain.key) and the HTTP basic authentication file (registry_passwd) from the Secret registry-secrets, and reads the HTTP secret string from the same Secret as an environment variable. The entire YAML configuration is as follows:
$ cat private_registry.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-private-registry
spec:
  replicas: 1
  selector:
    matchLabels:
      run: my-registry
  template:
    metadata:
      labels:
        run: my-registry
    spec:
      containers:
      - name: my-registry
        image: registry
        env:
        - name: REGISTRY_HTTP_HOST
          value: 10.138.0.3:30500
        - name: REGISTRY_HTTP_SECRET
          valueFrom:
            secretKeyRef:
              name: registry-secrets
              key: http.secret
        - name: REGISTRY_HTTP_TLS_CERTIFICATE
          value: /mnt/domain.crt
        - name: REGISTRY_HTTP_TLS_KEY
          value: /mnt/domain.key
        - name: REGISTRY_AUTH_HTPASSWD_REALM
          value: basic-realm
        - name: REGISTRY_AUTH_HTPASSWD_PATH
          value: /mnt/registry_passwd
        ports:
        - containerPort: 5000
        volumeMounts:
        - mountPath: /var/lib/registry
          name: registry-storage
        - mountPath: /mnt
          name: certs
      volumes:
      - name: registry-storage
        persistentVolumeClaim:
          claimName: "pvc-1"
      - name: certs
        secret:
          secretName: registry-secrets
          items:
          - key: domain.key
            path: domain.key
          - key: domain.crt
            path: domain.crt
          - key: registry_passwd
            path: registry_passwd
---
apiVersion: v1
kind: Service
metadata:
  name: private-registry-svc
spec:
  ports:
  - protocol: TCP
    port: 5000
    nodePort: 30500
  type: NodePort
  selector:
    run: my-registry
$ kubectl create -f private_registry.yaml
deployment.apps "my-private-registry" created
service "private-registry-svc" created
// You can scale out to several Pods if the PersistentVolume behind pvc-1 supports ReadWriteMany (RWX) access.
// Every replica reads the same REGISTRY_HTTP_SECRET from the Secret, which the registry requires when several instances sit behind one load-balanced address such as this NodePort.
$ kubectl scale deploy my-private-registry --replicas=3
deployment "my-private-registry" scaled
$ kubectl get deploy
NAME                  DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
my-private-registry   3         3         3            3           2m
Now your own private registry is ready to use!
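Before applying the manifest, and again once the Pods are up, it is worth checking the wiring between the Deployment and the Secret. The following shell script is an added example, not code from the book or from the registry project. check_secret_keys compares the Secret keys the Deployment references (the secretKeyRef behind REGISTRY_HTTP_SECRET and the secret volume items) against the keys present in a Secret manifest, so a missing key is caught before the Pod fails to start; verify_registry_auth probes the deployed registry over TLS and expects an anonymous GET /v2/ to be refused with 401 while htpasswd credentials get 200. The manifests it writes to a temporary directory are constructed excerpts with placeholder base64 values; the function names, file names and the demo argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the book or the registry project): pre-flight and
# post-deploy checks for the private registry wiring shown above.
# Assumes POSIX sh with awk, sort and grep; verify_registry_auth also needs
# curl and network access to the NodePort.

# Print, one per line, every Secret key the Deployment references:
# the secretKeyRef behind REGISTRY_HTTP_SECRET and the secret volume items
# (domain.key, domain.crt, registry_passwd).
referenced_secret_keys() {
  awk '
    /secretKeyRef:/              { in_ref = 1; next }
    in_ref && /[[:space:]]key:/  { print $2; in_ref = 0; next }
    /items:/                     { in_items = 1; next }
    in_items && /- key:/         { print $3; next }
    in_items && /^[^[:space:]]/  { in_items = 0 }   # next YAML document
  ' "$1" | sort -u
}

# Print, one per line, the keys present under data: or stringData: of a
# Secret manifest.
secret_data_keys() {
  awk '
    /^(data|stringData):/                     { in_data = 1; next }
    in_data && /^[^[:space:]]/                { in_data = 0 }
    in_data && /^[[:space:]]+[^[:space:]]+:/  { sub(/:.*/, "", $1); print $1 }
  ' "$1" | sort -u
}

# Exit 0 when every referenced key exists in the Secret; otherwise list the
# missing keys on stderr and exit 1.  A key missing from a secretKeyRef
# leaves the Pod in CreateContainerConfigError and a missing volume item
# fails the volume mount, so either way the registry never starts.
check_secret_keys() {
  present=$(secret_data_keys "$2")
  missing=$(referenced_secret_keys "$1" | while read -r k; do
    printf '%s\n' "$present" | grep -qxF "$k" || echo "$k"
  done)
  if [ -n "$missing" ]; then
    echo "keys referenced by $1 but absent from $2: $missing" >&2
    return 1
  fi
}

# Post-deploy check: over TLS, an anonymous GET /v2/ must be refused with
# 401 (the registry answers WWW-Authenticate: Basic realm="basic-realm")
# and the same request with htpasswd credentials must succeed with 200.
# Args: node-ip:nodePort, certificate/CA file, user:password.
# domain.crt must carry the node IP as a SubjectAltName or curl rejects it.
verify_registry_auth() {
  host=$1; cacert=$2; creds=$3
  anon=$(curl -sS -o /dev/null -w '%{http_code}' --cacert "$cacert" "https://$host/v2/")
  auth=$(curl -sS -o /dev/null -w '%{http_code}' --cacert "$cacert" -u "$creds" "https://$host/v2/")
  [ "$anon" = 401 ] && [ "$auth" = 200 ]
}

# Write constructed sample manifests to a temp dir and print its path.
demo_setup() {
  dir=$(mktemp -d)
  # Constructed excerpt of the Deployment: only the parts that reference the Secret.
  cat >"$dir/deploy.yaml" <<'EOF'
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: my-registry
        env:
        - name: REGISTRY_HTTP_SECRET
          valueFrom:
            secretKeyRef:
              name: registry-secrets
              key: http.secret
      volumes:
      - name: certs
        secret:
          secretName: registry-secrets
          items:
          - key: domain.key
            path: domain.key
          - key: domain.crt
            path: domain.crt
          - key: registry_passwd
            path: registry_passwd
EOF
  # Constructed Secret with placeholder base64 values (not real key material).
  cat >"$dir/secret-ok.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: registry-secrets
type: Opaque
data:
  http.secret: Y2hhbmdlbWU=
  domain.crt: Y2VydA==
  domain.key: a2V5
  registry_passwd: dXNlcjokMmEk
EOF
  # The same Secret with registry_passwd left out.
  grep -v '^  registry_passwd:' "$dir/secret-ok.yaml" >"$dir/secret-missing.yaml"
  echo "$dir"
}

# Stand-alone run against the constructed manifests:  sh registry_checks.sh demo
# With the real files:  check_secret_keys private_registry.yaml registry-secrets.yaml
if [ "${1:-}" = "demo" ]; then
  dir=$(demo_setup)
  check_secret_keys "$dir/deploy.yaml" "$dir/secret-ok.yaml" && echo "secret-ok.yaml: all keys present"
  check_secret_keys "$dir/deploy.yaml" "$dir/secret-missing.yaml" || echo "secret-missing.yaml: rejected as expected"
fi
```

The parsing is deliberately limited to the shape of this manifest (secretKeyRef blocks and secret volume items); for arbitrary manifests, run the same comparison on the JSON output of kubectl get instead of on the YAML text.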