Docker Registry SSL

A local Docker Registry is created to host custom Blender & Flamenco Containers.

By default, Kubernetes expects an SSL/TLS connection to the Docker Registry, and the Docker Registry requires a FQDN rather than an IP address.

Self-Signed Certificate

The Docker Registry uses a self-signed certificate for the domain name registry.cluster.home. This is the simplest approach because the self-signed cert can simply be added to the certificates that Docker and containerd already know and accept, although self-signed certificates aren't as secure as certificates issued by a third party.

The self-signed Docker Registry certificate must also be added to the system's permitted Certificate Authorities (CAs).

In this project, this is performed by Ansible Playbooks.

The docker-registry playbook will perform the following actions:

  1. Install Docker Registry
  2. Create self-signed (full-chain) certs for the Registry
  3. Configure Docker to trust and push to the local self-signed Docker Registry by adding the CA cert to /etc/docker/certs.d/.

The k8s-install playbook will perform the following actions:

  1. Configure containerd to trust the self-signed CA by updating /etc/containerd/certs.d/.
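
The following script is an added example of the three steps above, not the project's own Ansible playbooks: it builds a private CA, issues a certificate whose subjectAltName is the registry FQDN (registry.cluster.home by default), assembles the full chain, and installs the CA under /etc/docker/certs.d/ and /etc/containerd/certs.d/ exactly where Docker and containerd look for per-registry trust. The PKI directory (/etc/docker-registry/certs), the CA name and the RUN_REGISTRY_PKI switch are assumptions; every function takes its paths as arguments so it can be dry-run against a scratch directory without root.

```sh
#!/bin/sh
# Added example (not the project's Ansible playbooks): private CA + SAN cert for
# the registry, then per-registry trust for Docker and containerd.
# Assumed: PKI dir /etc/docker-registry/certs, CA name, RUN_REGISTRY_PKI switch.
set -eu

# 1. Create the private CA that signs the registry certificate.
make_registry_ca() {            # make_registry_ca <pki_dir> <ca_common_name>
  mkdir -p "$1"
  cat >"$1/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = $2
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:4096 -nodes -sha256 -days 3650 \
    -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt"
  chmod 0600 "$1/ca.key"
}

# 2. Issue the server cert. Clients match the SAN, not the CN, so the FQDN must
#    appear as a DNS SAN; then build leaf+CA, the "full-chain" the registry serves
#    (REGISTRY_HTTP_TLS_CERTIFICATE), with <fqdn>.key as REGISTRY_HTTP_TLS_KEY.
make_registry_cert() {          # make_registry_cert <pki_dir> <registry_fqdn>
  cat >"$1/$2.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $2
[v3_req]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$1/$2.cnf" -keyout "$1/$2.key" -out "$1/$2.csr"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$1/$2.cnf" -extensions v3_req \
    -out "$1/$2.crt"
  chmod 0600 "$1/$2.key"
  cat "$1/$2.crt" "$1/ca.crt" >"$1/$2.fullchain.crt"
}

# 3. Check what a client checks: chain validates against the CA, SAN matches.
verify_registry_cert() {        # verify_registry_cert <pki_dir> <registry_fqdn>
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null || return 1
  openssl x509 -in "$1/$2.crt" -noout -text | grep -Fq "DNS:$2" || return 1
}

# 4. Docker trusts /etc/docker/certs.d/<host>/ca.crt for that host only.
#    If the registry listens on a port other than 443, use <host>:<port>.
install_docker_trust() {        # install_docker_trust <ca_crt> <host> [certs_root]
  ddir="${3:-/etc/docker/certs.d}/$2"
  mkdir -p "$ddir" && cp "$1" "$ddir/ca.crt" && chmod 0644 "$ddir/ca.crt"
}

# 5. containerd (CRI plugin) reads /etc/containerd/certs.d/<host>/hosts.toml,
#    provided its registry config_path points at /etc/containerd/certs.d.
install_containerd_trust() {    # install_containerd_trust <ca_crt> <host> [certs_root]
  cdir="${3:-/etc/containerd/certs.d}/$2"
  mkdir -p "$cdir" && cp "$1" "$cdir/ca.crt" && chmod 0644 "$cdir/ca.crt"
  cat >"$cdir/hosts.toml" <<EOF
server = "https://$2"

[host."https://$2"]
  ca = "$cdir/ca.crt"
EOF
}

main() {                        # main [registry_fqdn] [pki_dir]
  fqdn="${1:-registry.cluster.home}"
  pki="${2:-/etc/docker-registry/certs}"   # assumed location, not the project's
  make_registry_ca "$pki" "Home Cluster Registry CA"
  make_registry_cert "$pki" "$fqdn"
  verify_registry_cert "$pki" "$fqdn"
  install_docker_trust "$pki/ca.crt" "$fqdn"
  install_containerd_trust "$pki/ca.crt" "$fqdn"
  echo "TLS material in $pki; Docker and containerd now trust $fqdn"
}

# Writes under /etc, so it only runs when asked: RUN_REGISTRY_PKI=1 sh registry-pki.sh
if [ "${RUN_REGISTRY_PKI:-0}" = 1 ]; then main "$@"; fi
```

Two checks are worth doing once the registry is up: `openssl s_client -connect registry.cluster.home:443 -CAfile /etc/docker-registry/certs/ca.crt -verify_return_error` must report `Verify return code: 0 (ok)`, and a `docker push` to the registry must succeed without `insecure-registries` being set in daemon.json. If containerd still rejects the registry, the usual cause is that `config_path` in its CRI registry section is unset, in which case hosts.toml is never read.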

Let's Encrypt

You could instead use a third-party certificate service such as Let's Encrypt. This would require periodic renewal but would be more trustworthy.