Skip to content
Snippets Groups Projects
Normal view Permalink
docker-registry.rst 4.66 KiB
Newer Older
  • Learn to ignore specific revisions
    • Mark Goddard's avatar
    Docker registry TLS
    Mark Goddard committed
    1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 
    .. _configuration-docker-registry:

===============
Docker registry
===============

This section covers configuration of the Docker registry that may be deployed,
by default on the seed host. Docker registry configuration is typically applied
in ``${KAYOBE_CONFIG_PATH}/docker-registry.yml``. Consult the `Docker registry
documentation <https://docs.docker.com/registry/>`__ for further details of
registry usage and configuration.

The registry is deployed during the ``kayobe seed host configure`` command.

Configuring the registry
========================

``docker_registry_enabled``
    Whether a docker registry is enabled. Default is ``false``. When set to
    ``true``, the Docker registry is deployed on all hosts in the
    ``docker-registry`` group. By default this includes the seed host.
``docker_registry_env``
    Dict of environment variables to provide to the docker registry container.
    This allows to configure the registry by overriding specific configuration
    options, as described at https://docs.docker.com/registry/configuration/
    For example, the registry can be configured as a pull through cache to
    Docker Hub by setting REGISTRY_PROXY_REMOTEURL to
    "https://registry-1.docker.io".  Note that it is not possible to push to a
    registry configured as a pull through cache. Default is ``{}``.
``docker_registry_port``
    The port on which the docker registry server should listen. Default is
    4000.
``docker_registry_datadir_volume``
    Name or path to use as the volume for the docker registry. Default is
    ``docker_registry``.

TLS
---

It is recommended to enable TLS for the registry.

``docker_registry_enable_tls``
    Whether to enable TLS for the registry. Default is ``false``.

``docker_registry_cert_path``
    Path to a TLS certificate to use when TLS is enabled. Default is none.

``docker_registry_key_path``
    Path to a TLS key to use when TLS is enabled. Default is none.

For example, the certificate and key could be stored with the Kayobe
configuration, under ``${KAYOBE_CONFIG_PATH}/docker-registry/``. These files
may be encrypted via Ansible Vault.

.. code-block:: yaml
   :caption: ``docker-registry.yml``

   docker_registry_enable_tls: true
   docker_registry_cert_path: "{{ kayobe_config_path }}/docker-registry/cert.pem
   docker_registry_key_path: "{{ kayobe_config_path }}/docker-registry/key.pem
    Mark Goddard's avatar
    Docker registry basic auth  
    Mark Goddard committed
    62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 
    Basic authentication
--------------------

It is recommended to enable HTTP basic authentication for the registry. This
needs to be done in conjunction with enabling TLS for the registry: `using
basic authentication over unencrypted HTTP is not supported
<https://docs.docker.com/registry/deploying/#native-basic-auth>`__.

``docker_registry_enable_basic_auth``
    Whether to enable basic authentication for the registry. Default is
    ``false``.

``docker_registry_basic_auth_htpasswd_path``
    Path to a `htpasswd
    <https://httpd.apache.org/docs/2.4/programs/htpasswd.html>`__ formatted
    password store for the registry.  Default is none.

The password store uses a ``htpasswd`` format. The following example shows how
to generate a password and add it to the ``kolla`` user in the password store.
The password store may be stored with the Kayobe configuration, under
``${KAYOBE_CONFIG_PATH}/docker-registry/``. The file may be encrypted via
Ansible Vault.

.. code-block:: console

   uuidgen | tr -d '\n' > registry-password
   cat registry-password | docker run --rm -i --entrypoint htpasswd httpd:latest -niB kolla > $KAYOBE_CONFIG_PATH/docker-registry/htpasswd

Next we configure Kayobe to enable basic authentication for the registry, and
specify the path to the password store.

.. code-block:: yaml
   :caption: ``docker-registry.yml``

   docker_registry_enable_basic_auth: true
   docker_registry_basic_auth_htpasswd_path: "{{ kayobe_config_path }}/docker-registry/htpasswd"
    Mark Goddard's avatar
    Docker registry TLS
    Mark Goddard committed
    99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 
    Using the registry
==================

Enabling the registry does not automatically set the configuration for Docker
engine to use it. This should be done via the :ref:`docker_registry variable
<configuration-hosts-docker>`.

TLS
---

If the registry is using a privately signed TLS certificate, it is necessary to
:ref:`configure Docker engine with the CA certificate
<configuration-hosts-docker>`.

If TLS is enabled, Docker engine should be configured to use HTTPS to
communicate with it:

.. code-block:: yaml
   :caption: ``kolla/globals.yml``

   docker_registry_insecure: false
    Mark Goddard's avatar
    Docker registry basic auth  
    Mark Goddard committed
    120 121 122 123 124 125 126 127 128 129 130 131 
    
Basic authentication
--------------------

If basic authentication is enabled, Kolla Ansible needs to be configured with
the username and password.

.. code-block:: yaml
   :caption: ``kolla.yml``

   kolla_docker_registry_username: <registry username>
   kolla_docker_registry_password: <registry password>