
Registry Tooling

Tools for working with Docker registries, especially those using self-signed certificates.

Currently there are two features:

  • Configuring a client to access a registry with a self-signed certificate
  • Installing a secure registry on Kubernetes

Installation

$ git clone https://github.com/ContainerSolutions/registry-tooling.git

At the moment there is no install script; just run the reg-tool.sh script from the directory you cloned it into.

Configuring a Client to Access a Registry with a Self-signed Certificate

If you have a registry running with a self-signed certificate, it can be a pain to provide access to external Docker clients, such as Docker for Mac running on a dev's laptop. The registry tool can quickly take care of installing the registry certificate and also (optionally) configuring /etc/hosts to make the registry address resolvable. For example, if there is a registry called test-docker-reg available at 192.168.1.103:

$ sudo ./reg-tool.sh install-cert \
         --cert-file ca.crt \
         --reg-name test-docker-reg:5000 \
         --add-host 192.168.1.103 test-docker-reg
Installing certificate
Assuming running Docker for Mac - adding certificate to Docker keychain

Certificate added - restart Docker for Mac to take effect

Exposing registry via /etc/hosts
497
442

Successfully configured localhost

And now the following should work:

$ docker tag alpine:latest test-docker-reg:5000/test-image
$ docker push test-docker-reg:5000/test-image
The push refers to a repository [test-docker-reg:5000/test-image]
011b303988d2: Pushed
latest: digest: sha256:1354db23ff5478120c980eca1611a51c9f2b88b61f24283ee8200bf9a54f2e5c size: 528

This works on both Linux and Mac hosts. When using Docker for Mac, the certificate will be added to the system keychain.

Certificates can also be retrieved from URLs or a Kubernetes secret.

If the registry address is already resolvable, omit the --add-host flag to prevent /etc/hosts being edited.
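The two things install-cert does on a Linux client, done by hand so the effect is visible, as an added example (this is not code from registry-tooling; function names, the optional scratch-directory parameters and the sample host entries are this example's own). The per-registry CA location /etc/docker/certs.d/<host:port>/ca.crt is where dockerd looks for a trust anchor for exactly that registry, which is the point of the approach: TLS verification stays on, whereas listing the registry under "insecure-registries" in daemon.json switches verification off. The same functions apply to the Kubernetes registry name used later on this page (kube-registry.kube-system.svc.cluster.local:31000).

```shell
#!/bin/sh
# Added example, not part of registry-tooling: what `reg-tool.sh install-cert`
# does on a Linux client, written as idempotent functions. The directory and
# hosts-file parameters default to the real locations but can point at a
# scratch directory for testing.
set -u

# install_registry_ca CERT_FILE REG_NAME [CERTS_D_ROOT]
#   Copies CERT_FILE to <root>/<REG_NAME>/ca.crt, the per-registry CA file
#   dockerd consults (default root: /etc/docker/certs.d). Trust is scoped to
#   this one registry name; no other TLS verification is relaxed.
install_registry_ca() {
    cert_file=$1
    reg_name=$2
    root=${3:-/etc/docker/certs.d}
    [ -r "$cert_file" ] || { echo "cannot read $cert_file" >&2; return 1; }
    # Only a PEM certificate belongs here; refuse a key handed over by mistake,
    # since ca.crt is world-readable.
    grep -q 'BEGIN CERTIFICATE' "$cert_file" || { echo "$cert_file is not a PEM certificate" >&2; return 1; }
    if grep -q 'PRIVATE KEY' "$cert_file"; then
        echo "$cert_file contains a private key; refusing to install it as ca.crt" >&2
        return 1
    fi
    mkdir -p "$root/$reg_name"
    cp "$cert_file" "$root/$reg_name/ca.crt"
    chmod 0644 "$root/$reg_name/ca.crt"
    echo "$root/$reg_name/ca.crt"
}

# add_host_entry IP NAME [HOSTS_FILE]
#   Makes NAME resolve to IP via HOSTS_FILE (default /etc/hosts). Any line
#   that already lists NAME (as the host or as an alias) is dropped rather
#   than duplicated, and the file is rewritten through a temp copy and mv so
#   a failure mid-way cannot leave it truncated.
add_host_entry() {
    ip=$1
    name=$2
    hosts=${3:-/etc/hosts}
    tmp="$hosts.tmp.$$"
    if [ -f "$hosts" ]; then
        # Exact field comparison: "reg" must not match "reg-backup".
        awk -v n="$name" '{ keep = 1; for (i = 2; i <= NF; i++) if ($i == n) keep = 0 } keep' "$hosts" > "$tmp"
    else
        : > "$tmp"
    fi
    printf '%s\t%s\n' "$ip" "$name" >> "$tmp"
    mv "$tmp" "$hosts"
}

# check_registry_tls REG_NAME CA_FILE
#   Pings the registry's /v2/ endpoint, verifying the server certificate
#   against CA_FILE only. 200 or 401 means TLS is fine (401 just means the
#   registry wants credentials); a curl verification error means the CA or
#   the hostname does not match what the registry presents.
check_registry_tls() {
    curl -sS -o /dev/null -w '%{http_code}\n' --cacert "$2" "https://$1/v2/"
}

# Minimal CLI so the file is usable directly, e.g.:
#   sudo ./client-cert.sh install-ca ca.crt test-docker-reg:5000
#   sudo ./client-cert.sh add-host 192.168.1.103 test-docker-reg
#   ./client-cert.sh check test-docker-reg:5000 ca.crt
case "${1:-}" in
    install-ca) install_registry_ca "$2" "$3" ;;
    add-host)   add_host_entry "$2" "$3" ;;
    check)      check_registry_tls "$2" "$3" ;;
esac
```

On Docker for Mac the script instead imports the certificate into the keychain, as the output above shows; the certs.d layout is the Linux daemon's mechanism. The check step is worth running after a restart of Docker or of minikube: if the registry was re-created with a fresh certificate, the pinned ca.crt no longer matches and the pull or push fails with a verification error rather than silently trusting the new one.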

Installing a Secure Registry on Kubernetes

Whilst there is an existing cluster addon to start a registry, it suffers from several flaws:

  • It does not use TLS. This means all transfers are unencrypted.
  • Each cluster node runs an instance of haproxy (the kube-registry-proxy image).
  • Another proxy has to be set up to enable access from developers' machines.

Using this tool will:

  • Install a registry on the current cluster with a self-signed certificate.
  • Configure all nodes to access the registry via TLS.
  • Use NodePorts to avoid the need to run haproxy.
  • Support easy installation of the certificate on local clients (e.g. developers' laptops).

It will not currently configure a storage backend; please take a look at the config files to see how to do this.

The script has been tested with minikube and GCE clusters.

WARNING: This will do funky stuff like edit /etc/hosts. It will warn before doing this, but please be aware that it could break things. If you want to get a secure registry running on an existing cluster already handling load, I suggest you look at what the scripts do and run the steps manually.

Usage

The script will target whichever cluster kubectl currently points at. Assuming your cluster is up-and-running, try:

$ ./reg-tool.sh install-k8s-reg

Once that completes, you should have a running registry with certificates copied to all nodes and networking configured. You can then configure the local Docker daemon to access the registry with:

$ sudo ./reg-tool.sh install-cert --add-host

or, if using minikube:

$ sudo ./reg-tool.sh install-cert --add-host $(minikube ip)

This command should work on any Linux or Docker for Mac host whose kubectl is pointing at a cluster running a configured registry. We can then test with:

$ docker pull redis
...
$ docker tag redis kube-registry.kube-system.svc.cluster.local:31000/redis
$ docker push kube-registry.kube-system.svc.cluster.local:31000/redis
...
$ kubectl run r1 --image kube-registry.kube-system.svc.cluster.local:31000/redis

Please note that it can sometimes take a few minutes for DNS to update.

Minikube

If you're using minikube, note that you can also use the Docker daemon in the VM to access the registry. Rather than using the script to install a certificate you can just do:

$ eval $(minikube docker-env)

If you do a minikube stop followed by a minikube start, you'll need to rerun ./reg-tool.sh as minikube start will overwrite /etc/hosts and create new certs.

Further Development

Was this useful to you? Or would you like to see different features?

Container Solutions are currently looking at developing tooling for working with images and registries on clusters. Please get in touch if you'd like to hear more or discuss ideas.

Contributors

amouat, lizrice

registry-tooling's Issues

Use shorter name

kube-registry.kube-system.svc.cluster.local:31000 is a bit much to type.

Static kubectl version

The images include a statically linked version of kubectl. This won't work for some people who have different versions of k8s. A better, cleaner, solution would be to use the API.

The Job "copy-certs-172.17.4.99" is invalid on kubectl v1.5.1

$ cat /etc/*-release file.
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS"
[..]

$ kubectl version

Client Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.1", GitCommit:"82450d03cb057bab0950214ef122b67c83fb11df", GitTreeState:"clean", BuildDate:"2016-12-14T00:57:05Z", GoVersion:"go1.7.4", Compiler:"gc", Platform:"linux/amd64"}

Server Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.1+coreos.0", GitCommit:"cc65f5321f9230bf9a3fa171155c1213d6e3480e", GitTreeState:"clean", BuildDate:"2016-12-14T04:08:28Z", GoVersion:"go1.7.4", Compiler:"gc", Platform:"linux/amd64"}

$ ./reg-tool.sh install-k8s-reg

Installs a Docker registry in your Kubernetes cluster and configures it
[...]
Do you want to continue? (y/n) Y

Tidying up any old registry jobs

Creating new registry certificate
job "create-certs" created

Waiting for job to complete.............................
Copying certs to nodes
The Job "copy-certs-172.17.4.99" is invalid: spec.template.spec.containers[0].name: Invalid value: "copy-certs-172.17.4.99": must match the regex [a-z0-9]([-a-z0-9]*[a-z0-9])? (e.g. 'my-name' or '123-abc')

reg-tool.sh doesn't seem to handle RBAC

I'm getting these errors in the create-certs pod:

$ kubectl logs create-certs-f24ng
Error from server (Forbidden): secrets "registry-cert" is forbidden: User "system:serviceaccount:default:default" cannot delete resource "secrets" in API group "" in the namespace "default"
Error from server (Forbidden): secrets "registry-cert" is forbidden: User "system:serviceaccount:default:default" cannot delete resource "secrets" in API group "" in the namespace "kube-system"
Error from server (Forbidden): secrets "registry-key" is forbidden: User "system:serviceaccount:default:default" cannot delete resource "secrets" in API group "" in the namespace "kube-system"
Generating a 4096 bit RSA private key
.................................................................................++
..............................................................................................................................................++
writing new private key to 'certs/domain.key'
-----
Error from server (Forbidden): secrets is forbidden: User "system:serviceaccount:default:default" cannot create resource "secrets" in API group "" in the namespace "default"

I don't see any mention of "rbac" in the script, so I'm guessing it was written before RBAC was a thing.

get taints and add them to the template

My k8s master had a taint applied that prevented your script from running on this node.

I added to the temporary file you create:

tolerations:
        - key: "node-role.kubernetes.io/master"
          operator: "Exists"
          effect: "NoSchedule"

This allows the pod to be scheduled on the master, as well.

create-certs and copy-certs are unable to connect to k8s

When starting

./reg-tool.sh install-k8s-reg

The script stays in the 'Waiting for job to complete' phase indefinitely.

The logs of the create-certs-20cm2 pod show:

Error from server (Forbidden): User "system:serviceaccount:default:default" cannot delete secrets in the namespace "default". (delete secrets registry-cert)
Error from server (Forbidden): User "system:serviceaccount:default:default" cannot delete secrets in the namespace "kube-system". (delete secrets registry-cert)
Error from server (Forbidden): User "system:serviceaccount:default:default" cannot delete secrets in the namespace "kube-system". (delete secrets registry-key)
Generating a 4096 bit RSA private key
...................................++
.................++
writing new private key to 'certs/domain.key'
-----
Error from server (Forbidden): User "system:serviceaccount:default:default" cannot create secrets in the namespace "default". (post secrets)

If I could pass my ~/.kube/config file with authentication and certificates to the create_certs and copy_certs containers, the operation would succeed.
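The two RBAC reports above ("reg-tool.sh doesn't seem to handle RBAC" and "create-certs and copy-certs are unable to connect to k8s") show the same thing: the create-certs job runs as system:serviceaccount:default:default and is refused delete and create on the secrets registry-cert and registry-key in the default and kube-system namespaces. The added example below is not part of registry-tooling; it is one way to grant exactly those permissions and no more. The namespaces, secret names, verbs and service account are taken from the error lines in the reports; the Role name registry-cert-manager and the function names are this example's own. The copy-certs job is not covered, because its permission failures are not shown on this page.

```shell
#!/bin/sh
# Added example, not part of registry-tooling: least-privilege RBAC for the
# create-certs job. Assumed from the issue logs: the job runs as the default
# service account of namespace "default" and must delete/create the secrets
# "registry-cert" and "registry-key" in "default" and "kube-system".
# Override SA_NS / SA_NAME if the job gets its own service account (preferable
# to widening what the namespace's default account can do).
set -u

SA_NS=${SA_NS:-default}
SA_NAME=${SA_NAME:-default}

# registry_job_role NAMESPACE
#   Emits a Role plus RoleBinding for one namespace. "get" and "delete" are
#   pinned to the two secret names. "create" cannot be pinned with
#   resourceNames (RBAC does not know the object's name at authorization time
#   for create), so it is limited to secrets in this namespace only. "get" is
#   included so a delete that waits for the object to disappear can read it.
registry_job_role() {
cat <<EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: registry-cert-manager
  namespace: $1
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["registry-cert", "registry-key"]
  verbs: ["get", "delete"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: registry-cert-manager
  namespace: $1
subjects:
- kind: ServiceAccount
  name: $SA_NAME
  namespace: $SA_NS
roleRef:
  kind: Role
  name: registry-cert-manager
  apiGroup: rbac.authorization.k8s.io
EOF
}

# registry_job_rbac_manifest
#   Both namespaces the job touches, as one multi-document manifest.
#   Roles (namespaced), not a ClusterRole: nothing cluster-wide is granted.
registry_job_rbac_manifest() {
    registry_job_role default
    registry_job_role kube-system
}

# count_kind KIND
#   Counts documents of KIND in a manifest read from stdin (exact match, so
#   "Role" does not count "RoleBinding").
count_kind() {
    grep -c "^kind: $1\$"
}

# verify_registry_job_rbac
#   After applying, confirm via impersonation that the account can do what
#   the job needs and cannot delete an unrelated secret. Needs cluster access.
verify_registry_job_rbac() {
    sa="system:serviceaccount:$SA_NS:$SA_NAME"
    for ns in default kube-system; do
        kubectl auth can-i -q delete secrets/registry-cert -n "$ns" --as="$sa" || return 1
        kubectl auth can-i -q delete secrets/registry-key -n "$ns" --as="$sa" || return 1
        kubectl auth can-i -q create secrets -n "$ns" --as="$sa" || return 1
        # Must be "no": the binding should not reach other secrets.
        if kubectl auth can-i -q delete secrets/some-other-secret -n "$ns" --as="$sa"; then
            echo "too broad: $sa can delete unrelated secrets in $ns" >&2
            return 1
        fi
    done
    return 0
}

# Usage:  ./registry-rbac.sh manifest | less
#         ./registry-rbac.sh apply && ./registry-rbac.sh verify
case "${1:-}" in
    manifest) registry_job_rbac_manifest ;;
    apply)    registry_job_rbac_manifest | kubectl apply -f - ;;
    verify)   verify_registry_job_rbac ;;
esac
```

The verify step is the part worth keeping around: a cluster that answers "yes" to deleting some-other-secret has been given a ClusterRole or a wildcard rule somewhere, which is the usual quick fix for this error and the one to avoid.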

Change registry port to match nodeport

The registry listens on port 5000 by default. If we changed this to match the nodeport, it would allow pods to talk to the registry on the same address.

Error "group map is already registered" in Kubernetes 1.6.0

To reproduce the error

$ minikube start --kubernetes-version 1.6.0
...

$ ./reg-tool.sh install-k8s-reg
...

$ kubectl get pods --show-all
NAME                                                    READY     STATUS             RESTARTS   AGE
copy-certs-497761da-1a50-11e7-a9d0-080027dc1105-1wlgn   0/1       CrashLoopBackOff   3          1m
create-certs-3s3m3                                      0/1       Completed          0          1m

$ kubectl logs copy-certs-497761da-1a50-11e7-a9d0-080027dc1105-1wlgn
copying certs
error: group map[apps:0xc82038eb60 autoscaling:0xc82038ec40 batch:0xc82038ecb0 extensions:0xc82038ed90 policy:0xc82038ee00 rbac.authorization.k8s.io:0xc82038ee70 :0xc82038eaf0 authorization.k8s.io:0xc82038ebd0 componentconfig:0xc82038ed20 authentication.k8s.io:0xc82038ef50 federation:0xc82038ea80] is already registered

Versions

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"6", GitVersion:"v1.6.1", GitCommit:"b0b7a323cc5a4a2019b2e9520c21c7830b7f708e", GitTreeState:"clean", BuildDate:"2017-04-03T23:37:53Z", GoVersion:"go1.8", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"6", GitVersion:"v1.6.0", GitCommit:"fff5156092b56e6bd60fff75aad4dc9de6b6ef37", GitTreeState:"dirty", BuildDate:"1970-01-01T00:00:00Z", GoVersion:"go1.7", Compiler:"gc", Platform:"linux/amd64"}

Make portable

The script should be easily installable.

Probably the simplest solution is to make the script standalone by moving the k8s yaml files into here docs in the script.
