Skip to content

Use private image registry with container runtime

Suppose we have a harbor instance runs at 192.168.0.5. The url of our Harbor instance is (https://reg.casd.local) and it uses self-signed certificate or singed by a private CA.

There are many container runtimes, in this tutorial here we only shows two: - Docker - Containerd

1. Add the certificate as trusted in your system. (Optional)

If the certificate which enables the https of your harbor is a self-signed certificate, you only need to copy the certificate. If your certificate is signed by a CA, you need to copy the CA certificate.

First add the certificate as accepted root ca in your system.

# The debian distro only accepts pem or crt as valid certificate. If your certificate is in other format, you need to
# convert it to the valid format.
cp your-ca.crt /usr/local/share/ca-certificates/.

# update the certificate cache
sudo update-ca-certificates

# test it with a site which uses the certificate or signed by the certificate
curl https://target-url

# if the certificate is added correctly, you should not see error message

If you are admin of the Harbor server too, don't copy the private key in any case.

2. Docker client use private image registry

There is two ways to connect a docker engine to a private image registry: - Add the certificate of the private image registry as trusted certificate. - Add the private image registry as the allowed insecure-registries (by default only localhost is allowed)

2.1 Add the private image registry as the allowed insecure-registries

This solution is quite simple after you installed docker engine under debian, a directory /etc/docker should be created.

# create a daemon.json file in /etc/docker
sudo vim /etc/docker/daemon.json

# put the below line in it, where reg.casd.local is the url of the private image registry. If the service runs on 80 or
# 443, you don't need to specify the prot. If it runs on another port (e.g. 5000). You need to put "reg.casd.local:5000"
{
    "insecure-registries" : [ "reg.casd.local" ]
}

# update the docker daemon
sudo systemctl daemon-reload
sudo systemctl restart docker

Now let's do some test. Here we recommend you to add the docker group to current user. Because docker login will create credential files and stores on your user home directory. And sudo will change the home directory.

# add docker group to current user
sudo usermod -aG docker $USER

# 1. login to the private registry
docker login reg.casd.local

# 2. Download an image from docker hub
docker pull redis

# 3. tag it to push to private registry, here reg.casd.local is the url. casd is the project name
docker tag redis reg.casd.local/casd/redis 

# 4. push the image to the private registry
docker push reg.casd.local/casd/redis

# 5. pull image from the private registry
docker pull reg.casd.local/casd/redis

2.2 Add the certificate

As we mentioned before, the url of our Harbor instance is (https://reg.casd.local) and it uses a certificate signed by a private CA.

In your server which runs the docker runtime, you can put all trusted CA inside this folder /etc/docker/certs.d. For each registry, you need to create a sub-folder named with the url or IP of the image registry. For example, the url our image registry is reg.casd.local. So the folder should be like /etc/docker/certs.d/reg.casd.local Then you put the CA certificate in this folder. (Tested under debian)

2.3 Add the private repo as content trust(To be tested)

export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://reg.casd.local:4443

K8s integration

Even thought the containerd daemon can pull/push images from the private registry, k8s deployment does not work directly we still need to add a secret to host the login password of the registry

# general form
kubectl create secret docker-registry <secret-name> \
--docker-server=<your-registry-server-url> \
--docker-username=<your-name> \
--docker-password=<your-pword> \
--docker-email=<your-email>

# for example
kubectl create secret docker-registry harbor-auth \
--docker-server="reg.casd.local" \
--docker-email=pengfei.liu@casd.eu \
--docker-username='toto' \
--docker-password='changeMe'

In the deployment.yaml which uses images from the private registry, you need to add the imagePullSecrets: spec which specifies the credential to access the private registry.

Below is an example, as the above secret creation example, the secret name is harbor-auth

apiVersion: apps/v1
kind: Deployment
metadata:
  name: mario
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mario
  template:
    metadata:
      labels:
        app: mario
    spec:
      containers:
        - name: mario
          image: reg.casd.local/casd/docker-supermario
          ports:
            - name: http
              containerPort: 8080
      imagePullSecrets:
        - name: harbor-auth