Is it possible to start Self-Signed Docker Registry in Kubernetes and have other service use that as the registry to get its image?
I followed some instructions from these links (do not know whether it was a right thing to do)
Create a server.key
Create a csr.info
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = US
ST = oh
L = cincinnati
O = engg
OU = prod
CN = prateek.svc.cluster.local
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = registry.prateek.svc.cluster.local
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names
Created the server.csr (openssl req -new -key server.key -out server.csr -config csr.conf)
Create the CertificateSigningRequest in K8s
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: registry.prateek
spec:
  groups:
  - system:authenticated
  request: $(cat server.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF
kubectl describe csr registry.prateek
Name: registry.prateek
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"certificates.k8s.io/v1beta1","kind":"CertificateSigningRequest","metadata":{"annotations":{},"name":"registry.prateek","namespace":""},"spec":{"groups":["system:authenticated"],"request":"LS0sdfsfsdsfd=","usages":["digital signature","key encipherment","server auth"]}}
CreationTimestamp: Thu, 11 Apr 2019 11:15:42 -0400
Requesting User: docker-for-desktop
Status: Pending
Subject:
Common Name: prateek.svc.cluster.local
Serial Number:
Organization: engg
Organizational Unit: prod
Country: US
Locality: cincinnati
Province: oh
Subject Alternative Names:
DNS Names: registry.prateek.svc.cluster.local
Events: <none>
apiVersion: apps/v1
kind: Deployment
metadata:
  name: registry
  namespace: prateek
  labels:
    app: registry
spec:
  replicas: 1
  selector:
    matchLabels:
      app: registry
  template:
    metadata:
      labels:
        app: registry
    spec:
      containers:
      - name: registry
        image: prateek/registry
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 443
        env:
        - name: REGISTRY_HTTP_ADDR
          value: "0.0.0.0:443"
        - name: REGISTRY_HTTP_TLS_CERTIFICATE
          value: "/certs/certificate"
        - name: REGISTRY_HTTP_TLS_KEY
          value: "/certs/key"
        volumeMounts:
        - name: cert-files
          mountPath: /certs
      volumes:
      - name: cert-files
        secret:
          secretName: registry-credentials
apiVersion: v1
kind: Service
metadata:
  name: registry
  namespace: prateek
spec:
  selector:
    app: registry
  ports:
  - protocol: TCP
    port: 443
    targetPort: 443
  type: LoadBalancer
curl https://registry.prateek.svc.cluster.local/v2/_catalog -k
{"repositories":["prateek/echo"]}
Normal Pulling 10s (x2 over 25s) kubelet, docker-for-desktop pulling image "registry.prateek/prateek/echo:latest"
Warning Failed 10s (x2 over 25s) kubelet, docker-for-desktop Failed to pull image "registry.prateek/prateek/echo:latest": rpc error: code = Unknown desc = Error response from daemon: Get https://registry.prateek/v2/: Service Unavailable
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello
  namespace: cequence
  labels:
    app: hello
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello
  template:
    metadata:
      labels:
        app: hello
    spec:
      containers:
      - name: hello
        image: registry.prateek.svc.cluster.local/prateek/echo:latest
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 5678
        args: ["-text=hello"]
Warning Failed 1s kubelet, docker-for-desktop Failed to pull image "registry.prateek.svc.cluster.local/prateek/echo:latest": rpc error: code = Unknown desc = Error response from daemon: Get https://registry.prateek.svc.cluster.local/v2/: Service Unavailable
I do not that this is even possible. Run a docker registry as a service and point other service in the namespace to use that registry deployment in the cluster. Any suggestion is welcome
The container daemon is running outside of kubernetes.
Therefore, if you want to pull the image, you need to make sure that the registry is reachable from the node directly, without using kubernetes mechanisms like a service. (Not like you tested it in step 9 through a pod, you must be able to work directly on the node!)
The usual options are to create a DNS entry or hosts.txt entry to point to a node where either through a hostPort (container) or nodePort (service) the registry is accessible or you use an appropriate ingress.
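The nodePort option from the answer, applied to the manifests in the question, as an added example that is not part of the original posts. The node port 30443, the `<NODE_IP>` placeholder and the `ca.crt` file name are assumptions; the host name is the one from the certificate's subjectAltName in the question.

```yaml
# Added example, not from the original posts. Assumed values: node port 30443,
# <NODE_IP>, and the file name ca.crt for the CA that signed the registry cert.
apiVersion: v1
kind: Service
metadata:
  name: registry
  namespace: prateek
spec:
  type: NodePort            # reachable on each node's own IP address
  selector:
    app: registry
  ports:
  - protocol: TCP
    port: 443
    targetPort: 443
    nodePort: 30443         # assumed; default allowed range is 30000-32767
---
# On each node that pulls images (the daemon resolves names as the node does):
#
#   1. Resolve the name that is in the certificate's subjectAltName, for
#      example with a hosts-file entry:
#        <NODE_IP>  registry.prateek.svc.cluster.local
#
#   2. Install the signing CA for exactly this host:port so Docker verifies
#      the TLS certificate instead of the registry being marked insecure:
#        /etc/docker/certs.d/registry.prateek.svc.cluster.local:30443/ca.crt
#
# The image reference then carries the node port:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello
  namespace: cequence
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello
  template:
    metadata:
      labels:
        app: hello
    spec:
      containers:
      - name: hello
        image: registry.prateek.svc.cluster.local:30443/prateek/echo:latest
        imagePullPolicy: IfNotPresent
        args: ["-text=hello"]
```

The name in the image reference has to stay one of the certificate's DNS names; pulling by node IP or by a different host name fails verification unless the certificate is reissued with that name.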