Docker Registry SSL
A local Docker Registry is created to host custom Blender & Flamenco Containers.
By default, Kubernetes expects a TLS connection to the Docker Registry, and the Docker Registry requires an FQDN rather than an IP address.
Self-Signed Certificate
The Docker Registry uses a self-signed certificate for the domain name registry.cluster.home. Because the certificates trusted by Docker and containerd can be updated to accept the self-signed cert, this is the simplest approach, although self-signed certificates aren't as trustworthy as certificates issued by a third-party CA.
The registry's self-signed certificate must also be added to the system's trusted Certificate Authorities (CAs).
In this project, this is performed by Ansible Playbooks.
The docker-registry playbook will perform the following actions:
- Install Docker Registry
- Create self-signed (full-chain) certs for the Registry
- Configure Docker to trust and push to the local self-signed Docker Registry by adding the CA cert to /etc/docker/certs.d/.
The k8s-install playbook will perform the following actions:
- Configure containerd to trust the self-signed CA by updating /etc/containerd/certs.d/.
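The steps the two playbooks carry out, as an added shell example that is not part of this project's Ansible code: it mints a self-signed CA and a server certificate with a subjectAltName for registry.cluster.home, drops the CA into the certs.d layout that Docker and containerd read, and then verifies the chain and hostname the way a pushing client would. The certs.d directories are parameters so the script can be exercised against a scratch directory; it assumes containerd's CRI registry config_path has been pointed at its certs.d directory.

```shell
#!/bin/sh
# Added example, not the project's playbooks: mint a private CA plus a server
# cert for the registry FQDN, then lay out the trust files Docker and containerd
# read. Real locations are /etc/docker/certs.d and /etc/containerd/certs.d.
set -eu
# make_registry_certs OUTDIR FQDN: writes ca.crt/ca.key and registry.crt/registry.key.
# The server cert carries a subjectAltName; clients no longer accept CN alone.
make_registry_certs() {
  outdir=$1; fqdn=$2
  mkdir -p "$outdir"
  cat > "$outdir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
[v3_server]
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$outdir/openssl.cnf" \
    -extensions v3_ca -subj "/CN=Home Cluster Registry CA" \
    -keyout "$outdir/ca.key" -out "$outdir/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$outdir/openssl.cnf" \
    -subj "/CN=$fqdn" -keyout "$outdir/registry.key" -out "$outdir/registry.csr" 2>/dev/null
  openssl x509 -req -days 825 -in "$outdir/registry.csr" -CA "$outdir/ca.crt" \
    -CAkey "$outdir/ca.key" -CAcreateserial -extfile "$outdir/openssl.cnf" \
    -extensions v3_server -out "$outdir/registry.crt" 2>/dev/null
}
# install_trust DOCKER_CERTS_D CONTAINERD_CERTS_D FQDN CA_CRT: Docker reads
# <certs.d>/<host>/ca.crt; containerd reads <certs.d>/<host>/hosts.toml.
install_trust() {
  docker_dir=$1/$3; ctr_dir=$2/$3
  mkdir -p "$docker_dir" "$ctr_dir"
  cp "$4" "$docker_dir/ca.crt"; cp "$4" "$ctr_dir/ca.crt"
  printf 'server = "https://%s"\n\n[host."https://%s"]\n  capabilities = ["pull", "resolve", "push"]\n  ca = "%s/ca.crt"\n' \
    "$3" "$3" "$ctr_dir" > "$ctr_dir/hosts.toml"
}
# verify_chain OUTDIR FQDN: succeeds only if registry.crt chains to ca.crt and matches the host.
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/registry.crt" >/dev/null
}
# Run directly: script.sh OUTDIR FQDN [DOCKER_CERTS_D] [CONTAINERD_CERTS_D]
if [ "$#" -ge 2 ]; then
  make_registry_certs "$1" "$2"
  install_trust "${3:-/etc/docker/certs.d}" "${4:-/etc/containerd/certs.d}" "$2" "$1/ca.crt"
  verify_chain "$1" "$2" && echo "registry cert for $2 verifies against $1/ca.crt"
fi
```

Restart dockerd and containerd after installing the trust files; containerd only consults hosts.toml when its CRI registry config_path points at the certs.d directory.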
Let's Encrypt
You could instead use a third-party certificate service such as Let's Encrypt. This would require periodic renewal, but would be more trustworthy.