Introduction

The container registry (DOCR) is a private Docker image registry with tooling that integrates with both your Docker environment and your Kubernetes clusters. Keeping images in a private registry gives you control over who can push and pull them.

In this tutorial, you will learn to set up a container registry to securely store and distribute your Docker application images.

Table of Contents

  • [Prerequisites](#prerequisites)
  • [Step 1 – Creating a DOCR Repository](#step-1-creating-a-docr-repository)
  • [Step 2 – Configuring DOKS for Private Registries](#step-2-configuring-doks-for-private-registries)
  • [Conclusion](#conclusion)

Prerequisites

Step 1 - Creating a DOCR Repository

In this step, you will create a basic DOCR repository for your DOKS cluster using the doctl utility.

First, explore the available options for working with DOCR repositories via doctl:

				
    doctl registry -h

The output looks similar to:

				
    The subcommands of `doctl registry` create, manage, and allow access to your private container registry.

    Usage:
      doctl registry [command]

    Aliases:
      registry, reg, r

    Available Commands:
      create              Create a private container registry
      delete              Delete a container registry
      docker-config       Generate a docker auth configuration for a registry
      garbage-collection  Display commands for garbage collection for a container registry
      get                 Retrieve details about a container registry
      kubernetes-manifest Generate a Kubernetes secret manifest for a registry.
      login               Log in Docker to a container registry
      logout              Log out Docker from a container registry
      options             List available container registry options
      repository          Display commands for working with repositories in a container registry
      ...

To complete this step of the tutorial, you will focus on the create sub-command to create a basic private container registry:

				
    doctl registry create starterkit-reg-1 --subscription-tier basic

The output looks similar to:

				
    Name                Endpoint
    starterkit-reg-1    www.progressiverobot.com/starterkit-reg-1

You can have only 1 registry endpoint per account in DOCR. A repository in a registry refers to a collection of container images using different versions (tags).

Step 2 - Configuring DOKS for Private Registries

Given that the DOCR is a private endpoint, you need to configure the DOKS cluster to fetch images from the registry:

				
    doctl registry kubernetes-manifest | kubectl apply -f -

The above command creates a Kubernetes secret in the default namespace.

Next, verify that the secret was created:

				
    kubectl get secrets registry-starterkit-reg-1

The output looks similar to:

				
    NAME                        TYPE                             DATA   AGE
    registry-starterkit-reg-1   kubernetes.io/dockerconfigjson   1      13s

Then, your application Pods can reference it using imagePullSecrets:

				
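    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: starterkit-app
    spec:
      replicas: 3
      # apps/v1 Deployments require a selector that matches the Pod template labels
      selector:
        matchLabels:
          app: starterkit-app
      template:
        metadata:
          labels:
            app: starterkit-app
        spec:
          containers:
            - name: starterkit-app
              image: www.progressiverobot.com/myregistry/myimage
          # Pull credentials: the secret created from the registry manifest
          imagePullSecrets:
            - name: registry-starterkit-reg-1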

You can modify the default service account to always use the secret as an imagePullSecret when creating Pods or Deployments.

				
    kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "registry-starterkit-reg-1"}]}'

Finally, verify the default service account configuration:

				
    kubectl get serviceaccount default -o yaml

The output looks similar to the following snippet. Verify that imagePullSecrets lists registry-starterkit-reg-1.

				
    apiVersion: v1
    imagePullSecrets:
      - name: registry-starterkit-reg-1
    kind: ServiceAccount
    metadata:
      creationTimestamp: '2021-09-17T12:05:46Z'
      name: default
      namespace: default
      resourceVersion: '2017370'
      uid: 677b1ef4-3cb5-418f-b798-9029a5641561
    secrets:
      - name: default-token-zbvww

From now on, any new Pod created in the default namespace with the default service account will have this automatically added to its spec:

				
    ...
    spec:
      imagePullSecrets:
        - name: registry-starterkit-reg-1
    ...

For more information on patching the default service account to use imagePullSecrets, consult the Kubernetes documentation.
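
A read-only check of what Step 2 produced, as an added example that is not part of the original tutorial: it takes the JSON returned by `kubectl get secret registry-starterkit-reg-1 -o json` and `kubectl get serviceaccount default -o json` and reports a pull secret that carries credentials for an unexpected registry, is not referenced by the service account, or lives in another namespace. The function names, the `registry.example.com` host and the sample objects are assumptions constructed for illustration.

```python
import base64
import json

PULL_SECRET_TYPE = "kubernetes.io/dockerconfigjson"

def registry_hosts(secret):
    """Return the registry hosts a pull Secret holds credentials for (never the credentials)."""
    if secret.get("type") != PULL_SECRET_TYPE:
        raise ValueError(f"unexpected secret type: {secret.get('type')!r}")
    blob = secret.get("data", {}).get(".dockerconfigjson")
    if not blob:
        raise ValueError("secret has no .dockerconfigjson entry")
    return sorted(json.loads(base64.b64decode(blob)).get("auths", {}))

def audit(secret, service_account, expected_host):
    """Return findings; an empty list means the secret and service account line up."""
    name = secret["metadata"]["name"]
    sa_meta = service_account["metadata"]
    findings = []
    hosts = registry_hosts(secret)
    if expected_host not in hosts:
        findings.append(f"{name}: no credentials for {expected_host}")
    findings += [f"{name}: unexpected credentials for {h}" for h in hosts if h != expected_host]
    referenced = [ref.get("name") for ref in service_account.get("imagePullSecrets", [])]
    if name not in referenced:
        findings.append(f"serviceaccount/{sa_meta['name']}: {name} is not an imagePullSecret")
    # A pull secret is only usable by Pods in its own namespace.
    if secret["metadata"].get("namespace") != sa_meta.get("namespace"):
        findings.append(f"{name} and serviceaccount/{sa_meta['name']} are in different namespaces")
    return findings

def sample_secret(hosts, namespace="default"):
    """Build a constructed Secret shaped like `kubectl get secret ... -o json` output."""
    auths = {h: {"auth": base64.b64encode(b"user:constructed-token").decode()} for h in hosts}
    blob = base64.b64encode(json.dumps({"auths": auths}).encode()).decode()
    return {"kind": "Secret", "type": PULL_SECRET_TYPE,
            "metadata": {"name": "registry-starterkit-reg-1", "namespace": namespace},
            "data": {".dockerconfigjson": blob}}

# Constructed sample: the default service account after the patch shown above.
SAMPLE_SA = {"kind": "ServiceAccount",
             "metadata": {"name": "default", "namespace": "default"},
             "imagePullSecrets": [{"name": "registry-starterkit-reg-1"}]}

if __name__ == "__main__":
    host = "registry.example.com"  # placeholder registry host, not from the tutorial
    for finding in audit(sample_secret([host]), SAMPLE_SA, host) or ["OK"]:
        print(finding)
```

To run it against a live cluster, load the two `kubectl ... -o json` outputs with `json.load` and pass them to `audit` together with your registry's host name.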

Conclusion

In this tutorial, you learned how to create a private DOCR registry for your DOKS cluster. Then, you learned how to create the registry pull secret and patch the default service account so that DOKS can securely authenticate and pull Docker images for your applications running in the cluster.

Learn More

Next, you will learn how to set up the Ambassador Edge Stack to act as an Ingress controller with some example backend applications to test the setup.