{"id":18299803,"url":"https://github.com/containersolutions/registry-tooling","last_synced_at":"2025-04-05T13:35:19.166Z","repository":{"id":87118070,"uuid":"65923258","full_name":"ContainerSolutions/registry-tooling","owner":"ContainerSolutions","description":"Install a secure Docker registry on any Kubernetes cluster with a single command","archived":false,"fork":false,"pushed_at":"2019-04-05T09:10:15.000Z","size":11675,"stargazers_count":71,"open_issues_count":8,"forks_count":18,"subscribers_count":8,"default_branch":"master","last_synced_at":"2025-03-21T05:11:50.075Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ContainerSolutions.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-08-17T16:20:36.000Z","updated_at":"2025-02-11T21:32:46.000Z","dependencies_parsed_at":null,"dependency_job_id":"272d2173-601a-4b1e-bca8-a17857b7bc41","html_url":"https://github.com/ContainerSolutions/registry-tooling","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ContainerSolutions%2Fregistry-tooling","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ContainerSolutions%2Fregistry-tooling/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ContainerSolutions%2Fregistry-tooling/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ContainerSolutions%2Fre
gistry-tooling/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ContainerSolutions","download_url":"https://codeload.github.com/ContainerSolutions/registry-tooling/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247342641,"owners_count":20923633,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-05T15:10:24.552Z","updated_at":"2025-04-05T13:35:19.140Z","avatar_url":"https://github.com/ContainerSolutions.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Registry Tooling\n\nTools for working with Docker registries, especially those using self-signed\ncertificates.\n\nCurrently there are two features:\n\n - [configuring local clients](https://github.com/ContainerSolutions/registry-tooling#configuring-a-client-to-access-a-registry-with-a-self-signed-certificate) to access a registry secured with a self-signed\n   cert\n - easy [installation of a secure Docker registry](https://github.com/ContainerSolutions/registry-tooling#installing-a-secure-reigstry-on-kubernetes)  onto a Kubernetes cluster\n   using a self-signed certificate\n\n## Installation\n\n```\n$ git clone https://github.com/ContainerSolutions/registry-tooling.git\n```\n\nAt the moment there is no install script, just run the `reg-tool.sh` script from\nthe directory you downloaded it into. 
\n\n## Configuring a Client to Access a Registry with a Self-signed Certificate\n\nIf you have a registry running with a self-signed certificate, it can be a pain\nto provide access to external Docker clients, such as Docker for Mac running on\na dev's laptop.  The registry tool can quickly take care of installing the\nregistry certificate and also (optionally) configuring /etc/hosts to make the registry\naddress resolvable. For example, if there is a registry called `test-docker-reg`\navailable at 192.168.1.103:\n\n```\n$ sudo ./reg-tool.sh install-cert \\\n         --cert-file ca.crt \\\n         --reg-name test-docker-reg:5000 \\\n         --add-host 192.168.1.103 test-docker-reg\nInstalling certificate\nAssuming running Docker for Mac - adding certificate to Docker keychain\n\nCertificate added - restart Docker for Mac to take effect\n\nExposing registry via /etc/hosts\n497\n442\n\nSuccessfully configured localhost\n```\n\nAnd now the following should work:\n\n```\n$ docker tag alpine:latest test-docker-reg:5000/test-image\n$ docker push test-docker-reg:5000/test-image\nThe push refers to a repository [test-docker-reg:5000/test-image]\n011b303988d2: Pushed\nlatest: digest: sha256:1354db23ff5478120c980eca1611a51c9f2b88b61f24283ee8200bf9a54f2e5c size: 528\n```\n\nThis works on both Linux and Mac hosts. When using Docker for Mac, the\ncertificate will be added to the system keychain.\n\nCertificates can also be retrieved from URLs or a Kubernetes secret.\n\nIf the registry address is already resolvable, omit the `--add-host` flag to\nprevent `/etc/hosts` being edited.\n\n## Installing a Secure Registry on Kubernetes\n\nWhilst there is an existing [cluster addon to start a\nregistry](https://github.com/kubernetes/kubernetes/tree/master/cluster/addons/registry),\nit suffers from several flaws:\n\n - It does not use TLS. 
This means all transfers are unencrypted.\n - Each cluster node runs an instance of haproxy (the kube-registry-proxy image).\n - Another proxy has to be set up to enable access from developers' machines.\n\nUsing this tool will:\n\n - Install a registry on the current cluster with a self-signed certificate.\n - Configure all nodes to access the registry via TLS.\n - Use NodePorts to avoid the need to run haproxy.\n - Support easy installation of the certificate on local clients (e.g.\n   developers' laptops).\n\nIt will not currently configure a storage backend; please take a look at the\nconfig files to see how to do this.\n\nThe script has been tested with\n[minikube](https://github.com/kubernetes/minikube) and GCE clusters. \n\nWARNING: This will do funky stuff like edit /etc/hosts. It will warn before\ndoing this, but please be aware that it could break things. If you want to get a\nsecure registry running on an existing cluster already handling load, I suggest you\nlook at what the scripts do and run the steps manually.\n\n### Usage\n\nThe script will target whichever cluster `kubectl` currently points at.\nAssuming your cluster is up-and-running, try:\n\n```\n$ ./reg-tool.sh install-k8s-reg\n```\n\nOnce that completes, you should have a running registry with certificates copied\nto all nodes and networking configured. You can then configure the local Docker\ndaemon to access the registry with:\n\n```\n$ sudo ./reg-tool.sh install-cert --add-host\n```\n\nor, if using minikube:\n\n```\n$ sudo ./reg-tool.sh install-cert --add-host $(minikube ip)\n```\n\n\nThis command should work on any Linux or Docker for Mac host whose kubectl is\npointing at a cluster running a configured registry. 
We can then test with:\n\n\n```\n$ docker pull redis\n...\n$ docker tag redis kube-registry.kube-system.svc.cluster.local:31000/redis\n$ docker push kube-registry.kube-system.svc.cluster.local:31000/redis\n...\n$ kubectl run r1 --image kube-registry.kube-system.svc.cluster.local:31000/redis\n```\n\nPlease note that it can sometimes take a few minutes for DNS to update.\n\n## Minikube\n\nIf you're using minikube, note that you can also use the Docker daemon in the VM\nto access the registry. Rather than using the script to install a certificate\nyou can just do:\n\n```\n$ eval $(minikube docker-env)\n```\n\nIf you do a `minikube stop` followed by a `minikube start`, you'll need to rerun\n`./reg-tool.sh` as `minikube start` will overwrite `/etc/hosts` and create new\ncerts.\n\n## Further Development\n\nWas this useful to you? Or would you like to see different features? \n\nContainer Solutions are currently looking at developing tooling for working with\nimages and registries on clusters. Please get in touch if you'd like to hear\nmore or discuss ideas.\n\n - adrian.mouat@container-solutions.com\n - [@adrianmouat](https://twitter.com/adrianmouat)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontainersolutions%2Fregistry-tooling","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcontainersolutions%2Fregistry-tooling","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontainersolutions%2Fregistry-tooling/lists"}