Docker registry
This section covers configuration of the Docker registry that may be deployed, by default, on the seed host. Docker registry configuration is typically applied in ${KAYOBE_CONFIG_PATH}/docker-registry.yml. Consult the Docker registry documentation for further details of registry usage and configuration.
The registry is deployed during the kayobe seed host configure command.
Configuring the registry
docker_registry_enabled
    Whether a Docker registry is enabled. Default is false. When set to true, the Docker registry is deployed on all hosts in the docker-registry group. By default this includes the seed host.
docker_registry_env
    Dict of environment variables to provide to the Docker registry container. This allows the registry to be configured by overriding specific configuration options, as described in the Docker registry configuration reference (https://docs.docker.com/registry/configuration/). For example, the registry can be configured as a pull-through cache for Docker Hub by setting REGISTRY_PROXY_REMOTEURL to "https://registry-1.docker.io". Note that it is not possible to push to a registry configured as a pull-through cache. Default is {}.
docker_registry_port
    The port on which the Docker registry server should listen. Default is 4000.
docker_registry_datadir_volume
    Name or path to use as the volume for the Docker registry. Default is docker_registry.
TLS
It is recommended to enable TLS for the registry.
docker_registry_enable_tls
    Whether to enable TLS for the registry. Default is false.
docker_registry_cert_path
    Path to a TLS certificate to use when TLS is enabled. Default is none.
docker_registry_key_path
    Path to a TLS key to use when TLS is enabled. Default is none.
For example, the certificate and key could be stored with the Kayobe configuration, under ${KAYOBE_CONFIG_PATH}/docker-registry/. These files may be encrypted via Ansible Vault.
docker_registry_enable_tls: true
docker_registry_cert_path: "{{ kayobe_config_path }}/docker-registry/cert.pem"
docker_registry_key_path: "{{ kayobe_config_path }}/docker-registry/key.pem"
Basic authentication
It is recommended to enable HTTP basic authentication for the registry. This needs to be done in conjunction with enabling TLS for the registry: using basic authentication over unencrypted HTTP is not supported.
docker_registry_enable_basic_auth
    Whether to enable basic authentication for the registry. Default is false.
docker_registry_basic_auth_htpasswd_path
    Path to an htpasswd formatted password store for the registry. Default is none.
The password store uses the htpasswd format. The following example shows how to generate a password and add an entry for the kolla user to the password store.
The password store may be stored with the Kayobe configuration, under ${KAYOBE_CONFIG_PATH}/docker-registry/. The file may be encrypted via Ansible Vault.
# Generate a random password and store it locally without a trailing newline.
uuidgen | tr -d '\n' > registry-password
# Add a bcrypt (-B) entry for the kolla user, reading the password from stdin (-i)
# and writing the result to stdout (-n) into the password store.
cat registry-password | docker run --rm -i --entrypoint htpasswd httpd:latest -niB kolla > $KAYOBE_CONFIG_PATH/docker-registry/htpasswd
Next we configure Kayobe to enable basic authentication for the registry, and specify the path to the password store.
docker_registry_enable_basic_auth: true
docker_registry_basic_auth_htpasswd_path: "{{ kayobe_config_path }}/docker-registry/htpasswd"
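As an added example (not part of Kayobe or this page's own code), the following preflight check validates the two settings above before running kayobe seed host configure: it cross-checks the docker_registry_* variables against the requirement that basic authentication is only used together with TLS, and verifies that every entry in the htpasswd store is bcrypt, which is the only hash type the Docker registry's htpasswd backend accepts. The sample htpasswd content and config dict are constructed for illustration; the bcrypt strings are well-formed placeholders, not real hashes.

```python
import re

# Docker registry's htpasswd backend accepts bcrypt entries only
# ($2a$/$2b$/$2y$ prefix, two-digit cost, 22-char salt + 31-char hash).
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")

def check_htpasswd(text, min_cost=10):
    """Return a list of problems in htpasswd content; an empty list means OK."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        user, sep, digest = line.partition(":")
        if not sep or not user:
            problems.append(f"line {lineno}: not in user:hash form")
            continue
        match = BCRYPT_RE.match(digest)
        if match is None:
            problems.append(f"line {lineno}: user {user!r} is not bcrypt")
        elif int(match.group(1)) < min_cost:
            problems.append(f"line {lineno}: user {user!r} bcrypt cost below {min_cost}")
    return problems

def check_registry_config(cfg):
    """Cross-check the docker_registry_* variables (cfg is the parsed YAML dict)."""
    problems = []
    tls = cfg.get("docker_registry_enable_tls", False)
    if tls:
        for key in ("docker_registry_cert_path", "docker_registry_key_path"):
            if not cfg.get(key):
                problems.append(f"{key} must be set when TLS is enabled")
    if cfg.get("docker_registry_enable_basic_auth", False):
        if not tls:
            problems.append("basic auth requires docker_registry_enable_tls: true")
        if not cfg.get("docker_registry_basic_auth_htpasswd_path"):
            problems.append("docker_registry_basic_auth_htpasswd_path must be set")
    return problems

# Constructed sample input; the bcrypt strings are well-formed placeholders, not real hashes.
_FAKE = "abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUV012345678"
SAMPLE_HTPASSWD = "\n".join([
    "kolla:$2y$10$" + _FAKE,        # acceptable entry
    "legacy:$apr1$salt$notbcrypt",  # MD5 entry, ignored by the registry
    "weak:$2y$05$" + _FAKE,         # bcrypt, but cost too low
])
SAMPLE_CONFIG = {  # basic auth enabled without TLS: not supported
    "docker_registry_enable_basic_auth": True,
    "docker_registry_basic_auth_htpasswd_path": "{{ kayobe_config_path }}/docker-registry/htpasswd",
}
```

Run check_htpasswd on the file written by the htpasswd command above and check_registry_config on the parsed docker-registry.yml; any returned string is something to fix before deploying.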
Using the registry
Enabling the registry does not automatically configure Docker engine to use it. This should be done via the docker_registry variable.
TLS
If the registry is using a privately signed TLS certificate, it is necessary to configure Docker engine with the CA certificate.
If TLS is enabled, Docker engine should be configured to use HTTPS to communicate with it:
docker_registry_insecure: false
Basic authentication
If basic authentication is enabled, Kolla Ansible needs to be configured with the username and password.
kolla_docker_registry_username: <registry username>
kolla_docker_registry_password: <registry password>