A private Docker registry simplifies managing your application deployments in Kubernetes. Read my tutorial to setup you own private Docker registry in a few minutes.
Kubernetes works with Docker Containers. Docker Containers need to be provided with a Docker registry. If you don’t want to use a public docker registry for publishing the images of your application, you need to setup a private registry.
This article shows you how to deploy a private Docker Registry inside your Kubernetes cluster.
This article originally appeared at my blog.
Do I really need a private Docker Registry?
Short Answer: Yes.
Assume you want to deploy the image
webpage, here is what happens:
---- ------ ---- ---- -------
Normal Scheduled <unknown> default-scheduler Successfully assigned default/webpage-5fc78c945d-sl7gx to k3s-node2
Normal Pulling 15s (x2 over 31s) kubelet, k3s-node2 Pulling image "webpage"
Warning Failed 14s (x2 over 31s) kubelet, k3s-node2 Error: ErrImagePull
Warning Failed 14s (x2 over 31s) kubelet, k3s-node2 Failed to pull image "webpage": rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/library/webpage:latest": failed to resolve reference "docker.io/library/webpage:latest": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
Warning Failed 2s (x2 over 30s) kubelet, k3s-node2 Error: ImagePullBackOff
Normal BackOff 2s (x2 over 30s) kubelet, k3s-node2 Back-off pulling image "webpage"
As you see, in the default configuration, Kubernetes looks for images in the public
Can you build the images locally, on each of your Kubernetes cluster nodes? Yes, but it does not work because Kubernetes expects to talk to a Docker Registry API.
Therefore: You need to provide the access to a docker registry. If you don’t want to publish the images of your app in a public registry, the only option is to have a private one.
Private Docker Registry
Setting up a private Docker registry requires these essential steps:
- Create a domain and DNS entry
- Install docker registry
- Add TLS certificates
Domain and DNS Entry
The first step will be done with your ISP web interface or similar means. For my domain
admantium.com, I created the subdomain
docker.adamantium.com. Then I added a DNS entry that points to my Kubernetes cluster.
Install Docker Registry
For the second step, we use the arkade helper tool. Execute the following command, then check the output that all goes well.
>> arkade install docker-registryNAME: docker-registry
LAST DEPLOYED: Sun Apr 26 19:29:33 2020
TEST SUITE: None
= docker-registry has been installed. =
=======================================================================# Find out more at:
# https://github.com/helm/charts/tree/master/stable/registryThanks for using arkade!
Registry credentials: USERNAME SECRET
At the bottom of this output, you will see the username and the password. Copy them now.
To access the registry, you need these parameters: domain name, username, password and an e-mail address. Define all of them as environment variables and put them in your
From now on, whenever you execute a docker command, these parameters will be used.
Provide TLS Certificates
The Docker registry should be accessed with a TLS encrypted connection. In my previous article, I explained how to install the cert-manager, a software package that automatically issues and renews certificates.
For the docker registry, we will build upon the cert-manager. With the following command, you will automatically define a new
letsencrypt-prod-registry, and define an
Ingress resource which forwards requests of the configured domain name to your Docker registry.
>> arkade install docker-registry-ingress --email $DOCKER_EMAIL --domain $DOCKER_REGISTRY=======================================================================
= Docker Registry Ingress and cert-manager ClusterIssuer have been installed =
If you are curious, you can take a look with the following command:
>> kubectl get ingress docker-registry --output=yamlapiVersion: extensions/v1beta1
- host: docker.admantium.com
- ip: 126.96.36.199
When the installation is finished, you should check the log files of the cert-manager to see that the TLS certificates are properly installed.
> kubectl logs -n cert-manager deploy/cert-managerI0502 15:26:54.317163 1 sync.go:379] cert-manager/controller/certificates "level"=0 "msg"="validating existing CSR data" "related_resource_kind"="CertificateRequest" "related_resource_name"="docker-admantium-com-3726166042" "related_resource_namespace"="default" "resource_kind"="Certificate" "resource_name"="docker-admantium-com" "resource_namespace"="default"I0502 15:26:54.317935 1 sync.go:479] cert-manager/controller/certificates "level"=0 "msg"="CertificateRequest is not in a final state, waiting until CertificateRequest is complete" "related_resource_kind"="CertificateRequest" "related_resource_name"="docker-admantium-com-3726166042" "related_resource_namespace"="default" "resource_kind"="Certificate" "resource_name"="docker-admantium-com" "resource_namespace"="default" "state"="Pending"I0502 15:26:54.324391 1 controller.go:135] cert-manager/controller/certificates "level"=0 "msg"="finished processing work item" "key"="default/docker-registry"
Test: Pushing Images to Private Docker Registry
If all goes well, we can now access the registry. Execute the following command.
> docker login $DOCKER_REGISTRY --username=$DOCKER_USERNAME --password=$DOCKER_PASSWORDLogin Succeeded
Then, tag your image in this manner:
<<DOCKER_REGISTRY>>/<<IMAGE-NAME>>:<<VERSION>>. In my case, I will tag the image as
docker.admantium.com/webpage:latest. Then push this image to the registry.
> docker push docker.admantium.com/webpage:latestThe push refers to repository [docker.admantium.com/webpage]
f6fbf55b4240: Pushing [=============> ] 23.42MB/83.96MB
dba921702de8: Pushing [=====> ] 8.229MB/76.92MB
883a1e8c9056: Pushing [==> ] 17.66MB/326MB
1fbb01ef7573: Pushing [==================================================>] 3.584kB
b54ada1169f0: Pushing [==============> ] 2.241MB/7.621MB
Wonderful, the image can be pushed to the registry. We can now test deploy the
webpage image inside the Kubernetes cluster
kb create deployment --image docker.adamantium.com/webpage
But something is wrong …
>> kb describe pod/webpage-86976f8869-5jgtzName: webpage-86976f8869-5jgtz
Start Time: Sun, 26 Apr 2020 19:57:53 +0200
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled <unknown> default-scheduler Successfully assigned default/test-86976f8869-5jgtz to k3s-node2
Normal Pulling 36s (x3 over 77s) kubelet, k3s-node2 Pulling image "docker.admantium.com/webpage"
Warning Failed 35s (x3 over 75s) kubelet, k3s-node2 Failed to pull image "docker.admantium.com/webpage": rpc error: code = Unknown desc = failed to pull and unpack image "docker.admantium.com/webpage:latest": failed to resolve reference "docker.admantium.com/webpage:latest": unexpected status code [manifests latest]: 401 Unauthorized
Kubernetes is unauthorized to access the registry. So, we need to provide the username and password as a
Configure a Kubernetes Secrete to Access the Registry
On your client, create the secret as follows.
kubectl create secret docker-registry registry-secret \
--docker-email=$DOCKER_EMAIL secret/registry-secret created
Then check this
Secret. The information you just entered will be rendered as a JSON file and used by Kubernetes when your registry is accessed.
> kb describe secret registry-secretName: registry-secret
Annotations: <none>Type: kubernetes.io/dockerconfigjsonData
.dockerconfigjson: 166 bytes
Now we need to provide this secret in the deployment file. Create the entry
spec.template.spec.imagePullSecrets as shown below.
- name: webpage
- name: registry-secret
Now the deployment is successful.
>> kb describe pod/webpage-7b4469547b-cpbrqName: webpage-7b4469547b-cpbrq
Start Time: Sun, 26 Apr 2020 20:43:19 +0200
Controlled By: ReplicaSet/webpage-7b4469547b
Container ID: containerd://a42ac84a8e8fca2e67c5b32a690d00f5b63bd79a71ecd25a5a62764ebb109768
Image ID: docker.admantium.com/webpage@sha256:1c15180d3d08a8d4c8f5e7f368bbf54a7a33c163cf0aacb4cb60f460aee6e441
In order to use your Kubernetes cluster, access to a private Docker registry is a must. In this article, I showed you how to setup a Docker registry inside you Kubernetes cluster, from which you can then deploy applications. Assuming you have the cert-manager installed (see previous article), you just need to install the docker-registry and docker-registry-ingress packages. You will then have a TLS-encrypted connection to your Docker registry. To push the images to this registry, you need to tag the images appropriately and configure the Docker environment variables on you client correctly. Finally, you need to provide the access credentials to the Docker registry inside your Kubernetes Cluster as a
With a private Docker registry, you are ready to go and publish your applications.