Introducing r.g4v.dev
— linux, docker-registry, kubernetes, helm — 3 min read
I am somewhat addicted to making helm charts with 57 charts and counting now. And as such, I often find myself building or tweaking docker images to see how they work, or make it easier to deploy.
I'll admit, the effort to go through making a new repo on docker hub, with all that clicking, just to be able to deploy an image to test on my Kubernetes cluster is well.... Okay like 5 clicks, but now I don't have to!
I've always been envious of @jessfraz's docker registry, apparently originally setup when docker hub was super slow, so I've wanted to setup my own for fun.
🎉🎉🎉🎉 So I'm now introducing https://r.g4v.dev 🎉🎉🎉🎉
Right now I'm just using it for throw away images. I don't know if I'll ever publish something serious on there since I'm running it out of my apartment.
That being said, moving on to how its done!
How its done
Basic Docker registry is open source and commonly used, so I started there. The registry speaks HTTP, and there's already a lot of very common instructions out there. I started with the docker-regstiry helm chart and went from there.
Once installed i found out that essentially out of the box you had 2 modes. Everyone reads/write or Logged in users read/write. For my purposes, I wanted something without credentials to be able to deploy to Kubernetes, so #2 was out, and I didn't want random strangers to write, so #1 was out, unless I keep it beind my firewall.
I did start looking at some of the other systems, Harbor (which i think is a registry), Artifactory, and whatever else I could find. But I kept coming back to the simplicity of docker-registry.
Okay, next steps, cause I've seen it done, how do I get docker-registry to do the right thing. Turns out the auth system, other than http basic, supports open id connect. So I looked into keycloak support. Its actually really cool, docker-regiistry + keycloak work really well. But that didn't allow to me have anonymous reads.
Next I found out about . Its essentially a simple proxy in between. I ended up using ldap as a source, but I could write rules as to which repos could be accessed by which user, including anonymous. Sweet, that so problem was handled.
Next. I wanted a web interface. I've wanted to use reg server for a while, and while i could run them on a separate domain, I wanted them to match up. I knew docker-registry took over /, and all the sub paths by default, so that wasn't going to work out. Well it turns out that docker-registry prefix all of its urls with /v1/ or /v2/. So I changed the mapping to only handle /v1/, everything else goes to reg-server. Bam! that worked out great.
Okay, now that it all works correctly!
Now what? Apparently it supports clair, which is a vulnerability scanner for docker. So off I go again. I found out that clair provides a helm chart, so I figure nice and easy.
Well the version they use is way newer than the one reg-server supports.
Luckily jess fraz published her own version of clair, so I just swapped the image the helm chart was using.
Bam, reports to the images I have.
For those who want to do the exact same setup, all the details are in my helmfile repo, but that's the overall setup. I'm pretty happy with it, I can publish and delete images super fast, since its all local, then when i'm happy, push it up to docker hub.