This repository has been archived by the owner on Sep 16, 2024. It is now read-only.

BKM: Setup Private Docker Registry with Self Signed Certificates

xwu2 edited this page May 19, 2020 · 9 revisions

This article describes the steps to set up a private Docker registry with self-signed certificates for development purposes. Please refer to Deploy a Registry Server for a production setup.

Prerequisite:

  • Assume your private Docker registry machine is properly configured with a fully qualified domain name, that is, hostname -d shows your valid domain name and hostname -f shows your DNS-resolvable hostname.

  • If you use any proxy settings, do this on all cluster nodes: append <hostname> to your no_proxy setting in /etc/environment and in /etc/systemd/system/docker.service.d/proxy.conf, and then reload and restart Docker:

sudo systemctl daemon-reload
sudo systemctl restart docker
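The no_proxy edit above is easy to get wrong when it is repeated on every node (duplicated entries, or a second no_proxy line that shadows the first). The following is an added example, not part of the original page: a small POSIX sh function that appends a hostname to the no_proxy value of an /etc/environment-style file exactly once, demonstrated on a constructed copy rather than the real file. It only handles the KEY="value" format of /etc/environment; the systemd proxy.conf uses Environment="NO_PROXY=..." lines and needs a different edit.

```shell
#!/bin/sh
# Added example (not from the original page): idempotently add a hostname to
# the no_proxy entry of an /etc/environment-style file.
# Usage: append_no_proxy <file> <hostname>

append_no_proxy() {
  file="$1"
  host="$2"
  if ! grep -q '^no_proxy=' "$file"; then
    # No no_proxy line yet: create one.
    printf 'no_proxy="%s"\n' "$host" >> "$file"
    return 0
  fi
  # Current value with the quotes stripped.
  current=$(sed -n 's/^no_proxy=//p' "$file" | head -n1 | tr -d '"')
  # Already listed as a comma-separated member? Nothing to do.
  case ",$current," in
    *",$host,"*) return 0 ;;
  esac
  if [ -n "$current" ]; then
    new="$current,$host"
  else
    new="$host"
  fi
  # Rewrite only the no_proxy line; every other setting is left untouched.
  tmp=$(mktemp)
  sed "s|^no_proxy=.*|no_proxy=\"$new\"|" "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_no_proxy <file>: print the effective no_proxy value (for checks).
get_no_proxy() {
  sed -n 's/^no_proxy=//p' "$1" | head -n1 | tr -d '"'
}

# Demo on a constructed copy instead of the real /etc/environment.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
http_proxy="http://proxy.example.com:3128"
no_proxy="localhost,127.0.0.1"
EOF
append_no_proxy "$demo_file" "registry.example.com"
append_no_proxy "$demo_file" "registry.example.com"   # second call is a no-op
echo "no_proxy is now: $(get_no_proxy "$demo_file")"
```

After running it on the real file, the `sudo systemctl daemon-reload` and `sudo systemctl restart docker` steps above still apply, since the Docker daemon reads its proxy settings only at start.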

Self-signed Certificates:

mkdir registry
cd registry
setup-cert.sh

The script setup-cert.sh generates a root CA, an intermediate CA (named after your domain), and a server certificate. It produces the following files:

  • ca-<domain>.cert.crt, <domain>.cert.crt: These certificate files are to be installed to any Ubuntu nodes.
  • <domain>-chain.cert.pem: This certificate is to be installed to any CentOS nodes.
  • copy-cert.sh: This is a (generated) script to install the certificates.
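To make the roles of these files concrete, here is an added example (not the page's setup-cert.sh, whose contents are not shown) that builds the same three-tier chain with openssl: a self-signed root CA, an intermediate CA for the domain, and a server certificate for the registry host, followed by a verification that the leaf chains to the root and carries the hostname as a subject alternative name. The ca-<domain>.cert.crt, <domain>.cert.crt and <domain>-chain.cert.pem names follow the list above; treating the chain file as intermediate-plus-root, and the <hostname>.cert.crt / <hostname>.key names for the server pair, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the page's setup-cert.sh): build a root -> intermediate ->
# server certificate chain with openssl and verify it the way a client would.
# Assumed names: <hostname>.cert.crt / <hostname>.key for the server pair,
# <domain>-chain.cert.pem = intermediate followed by root.
set -u

# write_ext <file> <line>...: write an x509 extension profile, one entry per line.
write_ext() { f="$1"; shift; printf '%s\n' "$@" > "$f"; }

# make_chain <outdir> <domain> <hostname>
make_chain() {
  out="$1"; domain="$2"; host="$3"
  mkdir -p "$out"

  # CAs must carry CA:TRUE and keyCertSign; the leaf must not be a CA.
  # pathlen:0 stops the intermediate from issuing further CAs.
  write_ext "$out/root.ext" "basicConstraints=critical,CA:TRUE" \
    "keyUsage=critical,keyCertSign,cRLSign" "subjectKeyIdentifier=hash"
  write_ext "$out/int.ext" "basicConstraints=critical,CA:TRUE,pathlen:0" \
    "keyUsage=critical,keyCertSign,cRLSign" "subjectKeyIdentifier=hash" \
    "authorityKeyIdentifier=keyid"
  # Docker and curl match the URL hostname against the SAN, not the CN.
  write_ext "$out/server.ext" "basicConstraints=CA:FALSE" \
    "keyUsage=critical,digitalSignature,keyEncipherment" \
    "extendedKeyUsage=serverAuth" "subjectAltName=DNS:$host"

  # 1. Root CA, self-signed. A minimal config supplies the extensions so the
  #    result does not depend on the system openssl.cnf defaults.
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\nprompt=no\n[dn]\nCN=placeholder\n[v3_ca]\n' > "$out/root.cnf"
  cat "$out/root.ext" >> "$out/root.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$out/root.cnf" -subj "/CN=Root CA for $domain" \
    -keyout "$out/root.key" -out "$out/ca-$domain.cert.crt" 2>/dev/null

  # 2. Intermediate CA for the domain, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$domain" \
    -keyout "$out/$domain.key" -out "$out/$domain.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1825 -in "$out/$domain.csr" \
    -CA "$out/ca-$domain.cert.crt" -CAkey "$out/root.key" -CAcreateserial \
    -extfile "$out/int.ext" -out "$out/$domain.cert.crt" 2>/dev/null

  # 3. Server certificate for the registry host, signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$out/$host.key" -out "$out/$host.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 825 -in "$out/$host.csr" \
    -CA "$out/$domain.cert.crt" -CAkey "$out/$domain.key" -CAcreateserial \
    -extfile "$out/server.ext" -out "$out/$host.cert.crt" 2>/dev/null

  # 4. CA chain file (intermediate, then root) for trust stores that take one file.
  cat "$out/$domain.cert.crt" "$out/ca-$domain.cert.crt" > "$out/$domain-chain.cert.pem"
}

# verify_chain <outdir> <domain> <hostname>: succeeds only if the leaf chains to
# the root through the intermediate AND names the host in its SAN.
verify_chain() {
  out="$1"; domain="$2"; host="$3"
  openssl verify -CAfile "$out/ca-$domain.cert.crt" -untrusted "$out/$domain.cert.crt" \
    "$out/$host.cert.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$out/$host.cert.crt" -noout -text | grep -q "DNS:$host"
}

# Demo with constructed names; real values come from hostname -d and hostname -f.
demo=$(mktemp -d)
make_chain "$demo" "example.internal" "registry.example.internal"
verify_chain "$demo" "example.internal" "registry.example.internal" && echo "chain OK in $demo"
```

The verify step is the same check a Docker client performs when it connects: without the intermediate the leaf does not validate against the root alone, which is why the page installs both ca-<domain>.cert.crt and <domain>.cert.crt (or the combined chain file) on every node rather than only the root.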

Install Certificate:

Copy the certificates and the script to each cluster node, and run copy-cert.sh to install the certificates into the local trusted certificate store. Then restart Docker:

sudo systemctl restart docker

Setup Docker Registry:

Run the following commands to launch the Docker registry:

cd registry
setup-registry.sh

The setup-registry.sh script prepares your Docker registry certificates and then launches the private registry at https://<hostname>:10443.

Pass a port number to setup-registry.sh to listen on a different port.

Verify that you can reach your Docker registry over TLS:

curl -vvv https://<hostname>:10443/v2

If the TLS handshake completes without error (the certificate chain is trusted and the hostname matches), you are ready to use docker push.