Hosting Private Local Image Registry

One of the first problems I encountered when setting up my kubernetes cluster is where should I store my container images. Surely I don’t want to host it on a remote public / private registry because:

Most of it will just be my personal fun project but it may still contain sensitive information
The idea that I have to download from the internet an image that was built locally from inside my homelab environment is just stupid
Bandwidth consideration, pulling image from internet would take some of my bandwidth and if it happens often it would destroy my precious doom-scrolling time

I’ve heard about harbor and jfrog but upon looking it up again I found that those are too complicated for my use case. Instead I settled on using distribution (or is it called registry?) and running it on a VM using docker.

Seems simple enough right? Not so much apparently. See, the thing about running a registry is somehow all the client (docker, containerd in kubernetes cluster) connecting to the registry needs to use TLS. Even for the ones running completely locally. This means I need to do some additional steps:

Generate SSL certificate for the registry
Make sure the clients are connecting to the registry via domain name with a valid TLS certificate
Configure all clients to trust the certificate

Running The Registry

As mentioned before, I am running the registry locally and don’t want to expose it via public domain. In this case I am using registry.box domain, so I can’t use trusted certificate like Let's Encrypt here. So I just generated my self-signed certificate using openssl. To generate the certificate for that domain, I use the following command

openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -addext "subjectAltName = DNS:registry.box" -x509 -days 365 -out certs/domain.crt

For actually running the registry, I use docker. BUT!!! the one responsible for running the docker command is my ansible script (lol). I really don’t know whether this is a good idea, but at the time I don’t have any simpler solution. Below is the script that I use

1
---
2
- name: Create registry configuration from template
3
  ansible.builtin.template:
4
    src: htpasswd.j2
5
    dest: /opt/htpasswd
6
    mode: '0644'
7

8
- name: Creates cert dir
9
  ansible.builtin.file:
10
    path: /opt/certs
11
    state: directory
12

13
- name: Copy SSL crt for registry.box
14
  ansible.builtin.copy:
15
    content: "{{ domain_crt }}"
16
    dest: "/opt/certs/domain.crt"
17

18
- name: Copy SSL key for registry.box
19
  ansible.builtin.copy:
20
    content: "{{ domain_key }}"
21
    dest: "/opt/certs/domain.key"
22

23
- name: Run registry
24
  ansible.builtin.docker_container:
25
    name: registry
26
    image: registry:2
27
    state: started
28
    restart_policy: always
29
    ports:
30
      - "443:443"
31
    volumes:
32
      - "/opt/htpasswd:/opt/htpasswd"
33
      - "/opt/certs:/certs"
34
      - "/mnt/registry:/var/lib/registry"
35
    env:
36
      REGISTRY_AUTH: "htpasswd"
37
      REGISTRY_AUTH_HTPASSWD_REALM: "Registry Realm"
38
      REGISTRY_AUTH_HTPASSWD_PATH: "/opt/htpasswd"
39
      REGISTRY_HTTP_ADDR: 0.0.0.0:443
40
      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
41
      REGISTRY_HTTP_TLS_KEY: /certs/domain.key

After that I only need to setup DNS A Record from my DNS server (in this case pihole instances) to point the domain registry.box to the IP of that VM.

Trust Isn’t Earned, It’s Enforced

The thing about self signed certificate is, of course no one trust it out of the box. In general, we can mark that a certificate is trusted in a Debian based OS by putting the crt file inside /usr/local/share/ca-certificates directory. In my use case there are two system which directly communicate with image registry: Kubernetes cluster to pull pods images and Github action runner pod to push image of my built applications (which ironically is inside the kubernetes cluster, so I guess only saying only Kubernetes cluster is enough).

For the Kubernetes use case, as far as I’m aware, I have two options:

Manually (?) puts the certificate file in each nodes
Use DaemonSet to do just that as pointed in this docs

I chose the first option to manually add the certificate into each and every nodes. Of course I don’t actually do it manually, I utilized my existing ansible script for installing and/or upgrading k3s cluster as follow:

1
...
2
- name: Copy SSL crt for registry.box
3
  ansible.builtin.copy:
4
    content: "{{ domain_crt }}"
5
    dest: "/usr/local/share/ca-certificates/registry.box.crt"
6

7
- name: Update system's certificate store
8
  ansible.builtin.shell: update-ca-certificates
9
...

The reasoning behind this decision are:

Using DaemonSet means it will unavoidably uses some amount of resources from the node to run the DaemonSet pods
I’m not aware of this option until after I finished setting up my kubernetes cluster

UI / Dashboard

Upon writing this post, I was reminded that my registry is missing one key component and that is UI / dashboard. Up to this point I haven’t had the need to manage and monitor my registry but that will likely change over time. I will eventually need to do garbage collection and see what’s available and not in my registry easily. In order to do so, I googled and found some options:

I settled on using the second option due to its simplicity and straightforwardness. So I modified my ansible script as follow:

1
...
2
- name: Create Docker network
3
  ansible.builtin.docker_network:
4
    name: registry_network
5
    state: present
6

7
- name: Run registry
8
  ansible.builtin.docker_container:
9
    name: registry
10
    image: registry:2
11
    state: started
12
    restart_policy: always
13
    networks:
14
      - name: registry_network
15
    ports:
16
      - "443:443"
17
    volumes:
18
      - "/opt/htpasswd:/opt/htpasswd"
19
      - "/opt/certs:/certs"
20
      - "/mnt/registry:/var/lib/registry"
21
    env:
22
      REGISTRY_AUTH: "htpasswd"
23
      REGISTRY_AUTH_HTPASSWD_REALM: "Registry Realm"
24
      REGISTRY_AUTH_HTPASSWD_PATH: "/opt/htpasswd"
25
      REGISTRY_HTTP_ADDR: 0.0.0.0:443
26
      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
27
      REGISTRY_HTTP_TLS_KEY: /certs/domain.key
28
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin: "[http://registry-ui.box]"
29
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods: "[HEAD,GET,OPTIONS,DELETE]"
30
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials: "[true]"
31
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers: "[Authorization,Accept,Cache-Control]"
32
      REGISTRY_HTTP_HEADERS_Access-Control-Expose-Headers: "[Docker-Content-Digest]"
33

34
- name: Run registry UI
35
  ansible.builtin.docker_container:
36
    name: registry-ui
37
    image: joxit/docker-registry-ui:main
38
    state: started
39
    restart_policy: always
40
    networks:
41
      - name: registry_network
42
    ports:
43
      - "8080:80"
44
    env:
45
      SINGLE_REGISTRY: "true"
46
      REGISTRY_TITLE: Docker Registry UI
47
      DELETE_IMAGES: "true"
48
      SHOW_CONTENT_DIGEST: "true"
49
      NGINX_PROXY_PASS_URL: https://registry
50
      SHOW_CATALOG_NB_TAGS: "true"
51
      CATALOG_MIN_BRANCHES: "1"
52
      CATALOG_MAX_BRANCHES: "1"
53
      TAGLIST_PAGE_SIZE: "100"
54
      REGISTRY_SECURED: "true"
55
      CATALOG_ELEMENTS_LIMIT: "1000"
56
...

Future Work

The smart me from the past thinks that 365 days of certificate validity is a good enough number. Well, it is not, one day I’ll forget about this and my system breaks because the SSL certificate is no longer valid. I need a way to automate this
Monitoring and alerting. I have node exporter installed on all of my VMs so I can use that to monitor CPU, memory, and storage usage. But still no alerting and container specific metrics (cadvisor might be a good fit for this)
Security scanning