A private Docker Registry simplifies managing your application deployments in Kubernetes. Read my tutorial to set up your own private Docker Registry in a few minutes.

Kubernetes works with Docker containers. Docker containers need to be provided by a Docker Registry. If you do not want to use a public Docker Registry to publish your application images, you need to set up a private one.

Suppose you want to deploy the image webpage. This is what happens:

  Type     Reason     Age                From                Message
  ----     ------     ----               ----                -------
  Normal   Scheduled  <unknown>          default-scheduler   Successfully assigned default/webpage-5fc78c945d-sl7gx to k3s-node2
  Normal   Pulling    15s (x2 over 31s)  kubelet, k3s-node2  Pulling image "webpage"
  Warning  Failed     14s (x2 over 31s)  kubelet, k3s-node2  Error: ErrImagePull
  Warning  Failed     14s (x2 over 31s)  kubelet, k3s-node2  Failed to pull image "webpage": rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/library/webpage:latest": failed to resolve reference "docker.io/library/webpage:latest": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
  Warning  Failed     2s (x2 over 30s)   kubelet, k3s-node2  Error: ImagePullBackOff
  Normal   BackOff    2s (x2 over 30s)   kubelet, k3s-node2  Back-off pulling image "webpage"

In the default configuration, Kubernetes looks up images in the public docker.io Registry.

Could you build the image locally on each Kubernetes cluster node instead? Yes, but it does not work, because Kubernetes pulls images through the Docker Registry API.

Therefore: you need to provide access to a Docker Registry. If you do not want to publish your application images in a public registry, the only option is to run a private one.

Private Docker Registry

Setting up a private Docker Registry takes these basic steps:

  • Create the domain and DNS entry
  • Install the Docker Registry
  • Add a TLS certificate

Domain and DNS

The first step is done through your ISP's web interface or similar. For my domain admantium.com, I created the subdomain docker.admantium.com and then added a DNS entry pointing to my Kubernetes cluster.

Installing the Docker Registry

Use the arkade helper tool. Run the following command, then check in the output that everything went fine.

>> arkade install docker-registry

NAME: docker-registry
LAST DEPLOYED: Sun Apr 26 19:29:33 2020
NAMESPACE: default
STATUS: deployed
REVISION: 2
TEST SUITE: None
NOTES:

...

=======================================================================
= docker-registry has been installed.                                 =
=======================================================================

The output shows a username and a password; copy them.

To access the Registry you need the following parameters: domain name, username, password and e-mail address. Define them all as environment variables and put them into your .bashrc file.

export DOCKER_REGISTRY=<<domain>>
export DOCKER_USERNAME=<<admin>>
export DOCKER_PASSWORD=<<password>>
export DOCKER_EMAIL=<<email>>

From now on, these parameters are available whenever you run a docker command.

Configuring TLS Certificates

The Docker Registry should be accessed over a TLS-encrypted connection. In my previous article I explained how to install cert-manager, a package that automatically issues and renews certificates.

For the Docker Registry we build on top of cert-manager. With the following command you automatically define a new ClusterIssuer called letsencrypt-prod-registry and an Ingress resource that forwards requests for the domain name to your Docker Registry.

>> arkade install docker-registry-ingress --email $DOCKER_EMAIL --domain $DOCKER_REGISTRY

=======================================================================
= Docker Registry Ingress and cert-manager ClusterIssuer have been installed =
=======================================================================

If you are curious, you can take a look with the following command:

>> kubectl get ingress docker-registry --output=yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod-registry
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-body-size: 200m
spec:
  rules:
  - host: docker.admantium.com
    http:
      paths:
      - backend:
          serviceName: docker-registry
          servicePort: 5000
        path: /
  tls:
  - hosts:
    - docker.admantium.com
    secretName: docker-registry
status:
  loadBalancer:
    ingress:
    - ip: 49.12.45.26

After the installation, check the cert-manager log to see whether the TLS certificate was installed correctly.

> kubectl logs -n cert-manager deploy/cert-manager

I0502 15:26:54.317163       1 sync.go:379] cert-manager/controller/certificates "level"=0 "msg"="validating existing CSR data" "related_resource_kind"="CertificateRequest" "related_resource_name"="docker-admantium-com-3726166042" "related_resource_namespace"="default" "resource_kind"="Certificate" "resource_name"="docker-admantium-com" "resource_namespace"="default"

I0502 15:26:54.317935       1 sync.go:479] cert-manager/controller/certificates "level"=0 "msg"="CertificateRequest is not in a final state, waiting until CertificateRequest is complete" "related_resource_kind"="CertificateRequest" "related_resource_name"="docker-admantium-com-3726166042" "related_resource_namespace"="default" "resource_kind"="Certificate" "resource_name"="docker-admantium-com" "resource_namespace"="default" "state"="Pending"

I0502 15:26:54.324391       1 controller.go:135] cert-manager/controller/certificates "level"=0 "msg"="finished processing work item" "key"="default/docker-registry"
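The cert-manager log above only tells you that the CertificateRequest is still Pending. A complementary check, added here as an example and not part of the original article, looks at the certificate the Ingress actually serves for the registry host: until cert-manager has issued one, ingress-nginx answers with its self-signed default certificate (subject "Kubernetes Ingress Controller Fake Certificate"), and docker login fails with an x509 error. The host names and certificate subjects in the script and its test are constructed; classify_cert works on lines already extracted with openssl so it can run offline, check_served_cert performs the live handshake.

```shell
#!/bin/sh
# Added example (not from the article): verify which certificate the Ingress
# actually serves for the registry host name.

# classify_cert HOST SUBJECT_LINE ISSUER_LINE
# Pure check on lines as printed by `openssl x509 -noout -subject -issuer`.
# Return codes: 0 certificate for HOST, 1 ingress-nginx fallback certificate,
# 2 certificate for some other name.
classify_cert() {
  host=$1; subject=$2; issuer=$3
  case $issuer in
    *"Kubernetes Ingress Controller Fake Certificate"*)
      echo "fallback certificate from ingress-nginx; cert-manager has not issued one for $host yet"
      return 1 ;;
  esac
  # Accept both OpenSSL output styles: "CN = host" (1.1+) and "/CN=host" (older).
  case $subject in
    *"CN = $host"|*"CN = $host,"*|*"CN=$host"|*"CN=$host/"*)
      echo "ok: certificate for $host, ${issuer#issuer=}"
      return 0 ;;
  esac
  echo "certificate subject does not match $host: ${subject#subject=}"
  return 2
}

# check_served_cert HOST
# Live version: TLS handshake with SNI set to HOST, then classify the leaf cert.
check_served_cert() {
  host=$1
  out=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer 2>/dev/null) || {
    echo "no TLS handshake with $host"; return 3; }
  classify_cert "$host" \
    "$(printf '%s\n' "$out" | grep '^subject=')" \
    "$(printf '%s\n' "$out" | grep '^issuer=')"
}

# Usage on a real cluster: check_served_cert "$DOCKER_REGISTRY"
```

The check keys on the certificate's CN; a certificate that carries the host only in its subjectAltName would be reported as a mismatch, so treat return code 2 as "look at the SANs", not as a definitive failure.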

Test: Pushing an Image to the Private Docker Registry

If everything went well, we can now access the Registry. Run the following command:

> docker login $DOCKER_REGISTRY --username=$DOCKER_USERNAME --password=$DOCKER_PASSWORD

Login Succeeded

Then tag your image as <<DOCKER_REGISTRY>>/<<IMAGE-NAME>>:<<VERSION>>. In my case, I tag the image as docker.admantium.com/webpage:latest. Then push this image to the Registry.
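Why the registry must be part of the tag becomes clear when you apply the normalization rules Docker and containerd use before pulling: a first path component counts as a registry only if it contains a dot or a colon (or is localhost); everything else is sent to docker.io, and a single-component name is placed under library/. That is exactly how "webpage" turned into "docker.io/library/webpage:latest" in the first error message of this article. The following function, added here as an example and not taken from the article or from Docker's source, implements those rules; normalize_ref and tag_for_registry are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the article): normalize an image reference the way
# Docker/containerd do, to see where an unqualified name is really looked up.

# normalize_ref REF -> fully qualified reference on stdout
normalize_ref() {
  ref=$1
  # Split off a digest (@sha256:...) first, since it also contains ':'.
  digest=
  case $ref in
    *@*) digest="@${ref#*@}"; ref=${ref%%@*} ;;
  esac
  # The first path component is a registry only if it looks like a host.
  case $ref in
    */*)
      first=${ref%%/*}
      case $first in
        *.*|*:*|localhost) registry=$first; path=${ref#*/} ;;
        *)                 registry=docker.io; path=$ref ;;
      esac ;;
    *) registry=docker.io; path=$ref ;;
  esac
  # Single-component names on docker.io live under "library/".
  if [ "$registry" = docker.io ]; then
    case $path in
      */*) ;;
      *)   path="library/$path" ;;
    esac
  fi
  # Neither tag nor digest given -> ":latest".
  last=${path##*/}
  if [ -z "$digest" ]; then
    case $last in
      *:*) ;;
      *)   path="$path:latest" ;;
    esac
  fi
  printf '%s/%s%s\n' "$registry" "$path" "$digest"
}

# tag_for_registry REGISTRY NAME VERSION -> the tag form the article recommends
tag_for_registry() {
  printf '%s/%s:%s\n' "$1" "$2" "$3"
}

# Example: normalize_ref webpage   -> docker.io/library/webpage:latest
#          normalize_ref "$(tag_for_registry docker.admantium.com webpage latest)"
```

Run normalize_ref on the image field of a Deployment before applying it; if the result starts with docker.io/ while you meant your private registry, the tag is missing the registry host.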

> docker push docker.admantium.com/webpage:latest

The push refers to repository [docker.admantium.com/webpage]
599b6638e2aa: Pushed
81210be95b2f: Pushed
f3629d9fa534: Pushed
403ab6c36d93: Pushed
313be5a92861: Pushed
f6fbf55b4240: Pushing [=============>                                     ]  23.42MB/83.96MB
2fc9f319e2c4: Pushed
de7d7e8f96e8: Pushed
55c928cc6db5: Pushed
e90cdc933987: Pushed
dba921702de8: Pushing [=====>                                             ]  8.229MB/76.92MB
883a1e8c9056: Pushing [==>                                                ]  17.66MB/326MB
1fbb01ef7573: Pushing [==================================================>]  3.584kB
b54ada1169f0: Pushing [==============>                                    ]  2.241MB/7.621MB
0586a03753aa: Waiting
531743b7098c: Waiting

The image is now in the Registry. Next we test deploying the webpage image in the Kubernetes cluster.

kb create deployment webpage --image docker.admantium.com/webpage

But something is wrong...

>> kb describe pod/webpage-86976f8869-5jgtz

Name:         webpage-86976f8869-5jgtz
Namespace:    default
Priority:     0
Node:         k3s-node2/49.12.64.126
Start Time:   Sun, 26 Apr 2020 19:57:53 +0200
Labels:       app=webpage
              pod-template-hash=86976f8869
Annotations:  <none>
Status:       Pending

...

Events:
  Type     Reason     Age                From                Message
  ----     ------     ----               ----                -------
  Normal   Scheduled  <unknown>          default-scheduler   Successfully assigned default/test-86976f8869-5jgtz to k3s-node2
  Normal   Pulling    36s (x3 over 77s)  kubelet, k3s-node2  Pulling image "docker.admantium.com/webpage"
  Warning  Failed     35s (x3 over 75s)  kubelet, k3s-node2  Failed to pull image "docker.admantium.com/webpage": rpc error: code = Unknown desc = failed to pull and unpack image "docker.admantium.com/webpage:latest": failed to resolve reference "docker.admantium.com/webpage:latest": unexpected status code [manifests latest]: 401 Unauthorized

Kubernetes has no access to the Registry. So we need to provide the username and password as a Secret resource.

Configuring a Kubernetes Secret for Registry Access

On your client, create the secret as follows:

kubectl create secret docker-registry registry-secret \
  --docker-server=$DOCKER_REGISTRY \
  --docker-username=$DOCKER_USERNAME \
  --docker-password=$DOCKER_PASSWORD \
  --docker-email=$DOCKER_EMAIL

secret/registry-secret created

Then inspect this Secret. The information you just entered is rendered as a JSON file that Kubernetes uses when accessing your Registry.

> kb describe secret registry-secret

Name:         registry-secret
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/dockerconfigjson

Data
====
.dockerconfigjson:  166 bytes

Now we need to provide this secret in the deployment file. Create the entry spec.template.spec.imagePullSecrets as shown below:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: webpage
spec:
  selector:
    matchLabels:
      app: webpage
  template:
    metadata:
      labels:
        app: webpage
    spec:
      containers:
        - name: webpage
          image: docker.admantium.com/webpage:latest
      imagePullSecrets:
        - name: registry-secret
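The 166 bytes that kubectl describe reports are the JSON document referred to above, which kubelet hands to the container runtime when it pulls from docker.admantium.com. The script below, added here as an example and not part of the article or of kubectl, rebuilds that document from the four parameters and reads the credentials back out of the stored value. The point a practitioner should take from it: the Secret holds the password base64-encoded, not encrypted, so anyone who may read Secrets in the namespace holds the same credentials you use to push. The registry host, user and password in the test are constructed; the function names are chosen for this example.

```shell
#!/bin/sh
# Added example (not from the article): the payload behind a
# kubernetes.io/dockerconfigjson Secret, built and decoded by hand.

# make_dockerconfigjson SERVER USER PASSWORD EMAIL -> JSON document on stdout
make_dockerconfigjson() {
  server=$1; user=$2; pass=$3; email=$4
  # "auth" is base64("user:password"), the same value `docker login` writes
  # into ~/.docker/config.json.
  auth=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
    "$server" "$user" "$pass" "$email" "$auth"
}

# encode_secret_data JSON -> the value kubectl stores under data[".dockerconfigjson"]
encode_secret_data() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# decode_secret_credentials B64 -> "user:password" recovered from that value
decode_secret_credentials() {
  json=$(printf '%s' "$1" | base64 -d)
  auth=$(printf '%s' "$json" | sed -n 's/.*"auth":"\([^"]*\)".*/\1/p')
  printf '%s' "$auth" | base64 -d
}

# On a real cluster the stored value is obtained with
#   kubectl get secret registry-secret -o jsonpath='{.data.\.dockerconfigjson}'
# and can be piped into:  decode_secret_credentials "$(kubectl get secret ...)"
```

Because the pull credentials are readable to anyone with get access to Secrets in the namespace, restrict that RBAC permission and, where your registry offers separate accounts, give the Secret a pull-only user rather than the one you push with.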

Now the deployment succeeds:

>>  kb describe pod/webpage-7b4469547b-cpbrq

Name:         webpage-7b4469547b-cpbrq
Namespace:    default
Priority:     0
Node:         k3s-node2/49.12.64.126
Start Time:   Sun, 26 Apr 2020 20:43:19 +0200
Labels:       app=webpage
              pod-template-hash=7b4469547b
Annotations:  <none>
Status:       Running
IP:           10.42.2.151
IPs:
  IP:           10.42.2.151
Controlled By:  ReplicaSet/webpage-7b4469547b
Containers:
  webpage:
    Container ID:   containerd://a42ac84a8e8fca2e67c5b32a690d00f5b63bd79a71ecd25a5a62764ebb109768
    Image:          docker.admantium.com/webpage:0.1.0
    Image ID:       docker.admantium.com/webpage@sha256:1c15180d3d08a8d4c8f5e7f368bbf54a7a33c163cf0aacb4cb60f460aee6e441

Conclusion

To use your Kubernetes cluster, you need access to a private Docker Registry. In this article I showed you how to set up a Docker Registry inside your Kubernetes cluster, from which you can then deploy your applications. Assuming you already have cert-manager installed (see the previous article), you only need to install the docker-registry and docker-registry-ingress packages. You then have a TLS-encrypted connection to your Docker Registry. To push images to this Registry you need to tag them properly and configure the Docker environment variables correctly on your client. Finally, you need to provide the access credentials as a Secret.

With a private Docker Registry, you can start publishing your applications.
