  • 私有registry及证书配置

          以静态pod运行资源清单

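    # Private registry pod pinned to node01: TLS on 443 plus htpasswd basic auth.
    apiVersion: v1
    kind: Pod
    metadata:
      labels:
        component: registry
      name: registry
      namespace: default
    spec:
      nodeName: node01
      containers:
      - env:
        - name: REGISTRY_AUTH
          value: htpasswd
        - name: REGISTRY_AUTH_HTPASSWD_REALM
          value: Registry Realm
        # Absolute path into the read-only /auth mount below. The relative form
        # "auth/htpasswd" only resolves when the process's working directory is "/".
        # The registry accepts bcrypt htpasswd entries only.
        - name: REGISTRY_AUTH_HTPASSWD_PATH
          value: /auth/htpasswd
        - name: REGISTRY_HTTP_ADDR
          value: 0.0.0.0:443
        - name: REGISTRY_HTTP_TLS_CERTIFICATE
          value: /certs/fullchain.cer
        - name: REGISTRY_HTTP_TLS_KEY
          value: /certs/registry.huoyancredit.com.key
        name: registry
        # Pinned to the major tag used elsewhere on this page instead of the
        # implicit "latest"; pin by digest for a fully reproducible deployment.
        image: registry:2
        imagePullPolicy: IfNotPresent
        ports:
        # hostPort publishes the registry on the node's own port 443.
        - containerPort: 443
          hostPort: 443
        volumeMounts:
        # Image storage must stay writable; credentials and TLS material are read-only.
        - name: self-registry-mirrors
          mountPath: /var/lib/registry
          readOnly: false
        - name: auth
          mountPath: /auth
          readOnly: true
        - name: certs
          mountPath: /certs
          readOnly: true
      hostNetwork: false
      volumes:
      - name: self-registry-mirrors
        hostPath:
          path: /data
          type: DirectoryOrCreate
      # /opt/auth holds the htpasswd file and /opt/certs the TLS private key:
      # keep both host directories readable only by the account that needs them.
      - name: auth
        hostPath:
          path: /opt/auth
          type: Directory
      - name: certs
        hostPath:
          path: /opt/certs
          type: Directory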
    

      

      以docker container运行

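    # Registry with TLS and htpasswd basic auth. The credential and certificate
    # directories are mounted read-only (matching readOnly: true in the pod
    # manifest); the registry only needs to read them.
    # This command mounts no host directory at /var/lib/registry.
    docker run -d --restart=always \
      -v /opt/auth/:/auth:ro \
      -e "REGISTRY_AUTH=htpasswd" \
      -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
      -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
      -v /opt/certs/:/certs:ro \
      -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
      -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/fullchain.cer \
      -e REGISTRY_HTTP_TLS_KEY=/certs/registry.huoyancredit.com.key \
      -p 443:443 registry:2

    # TLS-only registry for the mirrors host. No REGISTRY_AUTH_* variable is set,
    # so every client that can reach port 443 may pull and push; restrict network
    # access or add the htpasswd settings from the command above.
    # The acme.sh directory contains the private key, hence the read-only mount.
    docker run -d --restart=always \
      -v /registry:/var/lib/registry \
      -v /root/.acme.sh/mirrors.huoyancredit.com:/certs:ro \
      -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
      -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/fullchain.cer \
      -e REGISTRY_HTTP_TLS_KEY=/certs/mirrors.huoyancredit.com.key \
      -p 443:443 registry:2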
    

      私有仓库web

    # Web UI for the registry at mirrors.huoyancredit.com. Port 8080 is published
    # on every host interface and no registry.auth settings are passed.
    # NOTE(review): confirm that access to 8080 is limited to trusted networks.
    docker run -itd \
      -p 8080:8080 \
      --name registry-web \
      -e REGISTRY_URL=https://mirrors.huoyancredit.com/v2 \
      -e REGISTRY_NAME=local \
      hyper/docker-registry-web
    

     

    文档:
        https://blog.csdn.net/snipercai/article/details/78589368
        https://github.com/mkuchin/docker-registry-web
    
    Do not name the registry container "registry"; that name breaks the REGISTRY_NAME environment variable.
    	# Quick start: the registry is reached over plain HTTP and neither container
    	# is given any authentication setting, so treat this as a local demo only.
    	docker run -d \
    	  -p 5000:5000 \
    	  --name registry-srv \
    	  registry:2
    	docker run -it \
    	  -p 8080:8080 \
    	  --name registry-web \
    	  --link registry-srv \
    	  -e REGISTRY_URL=http://registry-srv:5000/v2 \
    	  -e REGISTRY_NAME=localhost:5000 \
    	  hyper/docker-registry-web
    
    Connecting to docker registry with basic authentication and self-signed certificate
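    	# Line continuations added: without them each "-e ..." line would run as
    	# its own command instead of being an argument to docker run.
    	# REGISTRY_TRUST_ANY_SSL=true makes registry-web trust any TLS certificate,
    	# so the registry's identity is not verified; keep it to test setups.
    	# REGISTRY_BASIC_AUTH is base64 of "user:password" (an encoding, not
    	# encryption). The sample value decodes to admin:changeme and must be
    	# replaced; values passed with -e are also visible in `docker inspect`.
    	docker run -it -p 8080:8080 --name registry-web --link registry-srv \
               -e REGISTRY_URL=https://registry-srv:5000/v2 \
               -e REGISTRY_TRUST_ANY_SSL=true \
               -e REGISTRY_BASIC_AUTH="YWRtaW46Y2hhbmdlbWU=" \
               -e REGISTRY_NAME=localhost:5000 hyper/docker-registry-web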
    
    No authentication, with config file
    	Create the configuration file config.yml. Any property in this config may be overridden with an environment variable; for example, the property registry.auth.enabled becomes REGISTRY_AUTH_ENABLED.
    # registry-web configuration with authentication turned off.
    # With auth disabled and readonly: false, whoever can reach the web UI can
    # also delete images, so limit who can connect to it.
    registry:
      # Docker registry URL (plain HTTP in this example)
      url: http://registry-srv:5000/v2
      # Docker registry FQDN
      name: localhost:5000
      # Must be false to allow image deletion from the UI
      readonly: false
      auth:
        # Disable authentication
        enabled: false
    
       Run with docker
    
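       	# Start the registry, then registry-web with config.yml mounted read-only.
       	# The volume argument is quoted so a working directory containing spaces
       	# does not split it into several arguments.
       	docker run -p 5000:5000 --name registry-srv -d registry:2
    	docker run -it -p 8080:8080 --name registry-web --link registry-srv -v "$(pwd)/config.yml:/conf/config.yml:ro" hyper/docker-registry-web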
    
    With authentication enabled
    
    Generate private key and certificate
    
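    # -p keeps the step repeatable when conf/ already exists.
    mkdir -p conf
    # Self-signed certificate valid for 365 days. -nodes writes conf/auth.key
    # without a passphrase; this key is later used for token signing, so keep
    # the file readable only by the account that runs registry-web.
    # The trailing backslash joins the two lines into one openssl command.
    openssl req -new -newkey rsa:4096 -days 365 -subj "/CN=localhost" \
            -nodes -x509 -keyout conf/auth.key -out conf/auth.cert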
    
    Create registry config conf/registry-srv.yml
    
    # Registry configuration that delegates authentication to registry-web tokens.
    version: 0.1    
     
    storage:
      filesystem:
        rootdirectory: /var/lib/registry
        
    http:
      # Listens on all interfaces; this file defines no TLS section.
      addr: 0.0.0.0:5000   
        
    auth:
      token:
        # External URL of the registry-web authentication endpoint.
        # Plain HTTP here: credentials and issued tokens travel unencrypted,
        # which is only tolerable for a localhost demo.
        realm: http://localhost:8080/api/auth
        # Must be the same as registry.name of registry-web
        service: localhost:5000
        # Must be the same as registry.auth.issuer of registry-web
        issuer: 'my issuer'
        # Path to the certificate used to verify token signatures
        rootcertbundle: /etc/docker/registry/auth.cert
    
    Start docker registry
    
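    	# Config and token-verification certificate are mounted read-only.
    	# The backslash keeps both lines in one command, and the quoted volume
    	# arguments survive a working directory that contains spaces.
    	docker run -v "$(pwd)/conf/registry-srv.yml:/etc/docker/registry/config.yml:ro" \
                -v "$(pwd)/conf/auth.cert:/etc/docker/registry/auth.cert:ro" -p 5000:5000 --name registry-srv -d registry:2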
    
     Create configuration file conf/registry-web.yml
    
     # registry-web configuration with token authentication enabled.
     registry:
      # Docker registry URL (plain HTTP in this example)
      url: http://registry-srv:5000/v2
      # Docker registry FQDN
      name: localhost:5000
      # Must be false to allow image deletion from the UI
      readonly: false
      auth:
        # Enable authentication
        enabled: true
        # Token issuer
        # Must equal auth.token.issuer in the Docker registry config
        issuer: 'my issuer'
        # Private key for token signing
        # The certificate in auth.token.rootcertbundle must be signed by this key.
        # Whoever can read this file can sign tokens the registry will accept.
        key: /conf/auth.key
    
     Start registry-web
    
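     # Backslashes join the three lines into one docker run command; volume
     # arguments are quoted so a path with spaces stays a single argument.
     # auth.key is the token-signing key and is mounted read-write here.
     # NOTE(review): if registry-web only reads the key, add :ro as on the config file.
     docker run -v "$(pwd)/conf/registry-web.yml:/conf/config.yml:ro" \
               -v "$(pwd)/conf/auth.key:/conf/auth.key" -v "$(pwd)/db:/data" \
               -it -p 8080:8080 --link registry-srv --name registry-web hyper/docker-registry-web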
    
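    The web UI will be available at http://localhost:8080 with the default admin user/password admin/admin. Change this default password right after the first login; until then, anyone who can reach port 8080 can sign in as admin.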
    
    
    
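    Deleting images from a repository only deletes the metadata; the layer blobs stay on disk until the registry's garbage collection is run (registry garbage-collect /etc/docker/registry/config.yml).
    在配置中添加 delete 并 restart container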
    cat /etc/docker/registry/config.yml
    
    # Registry config.yml with deletion switched on.
    # This file contains no auth or TLS section, and http.addr listens on all
    # interfaces, so delete requests are accepted from any client that can
    # reach port 5000 unless access is restricted elsewhere.
    version: 0.1
    log:
      fields:
        service: registry
    storage:
      cache:
        blobdescriptor: inmemory
      filesystem:
        rootdirectory: /var/lib/registry
      # Allows deletion through the registry API
      delete:
        enabled: true
    http:
      addr: :5000
      headers:
        X-Content-Type-Options: [nosniff]
    # Periodic storage-driver health check: every 10s, threshold of 3
    health:
      storagedriver:
        enabled: true
        interval: 10s
        threshold: 3
    

      

  • 原文地址:https://www.cnblogs.com/gandefeng/p/10183844.html