Skip to content

Commit

Permalink
Show TLS instructions for registry mirror
Browse files Browse the repository at this point in the history
Signed-off-by: Alex Ellis (OpenFaaS Ltd) <[email protected]>
  • Loading branch information
alexellis committed Nov 4, 2024
1 parent f732a85 commit 4454e38
Showing 1 changed file with 20 additions and 5 deletions.
25 changes: 20 additions & 5 deletions docs/tasks/registry-mirror.md
Original file line number Diff line number Diff line change
Expand Up @@ -58,10 +58,12 @@ Before doing so, you'll need to:

1. Create a file named `hub.txt` in your home directory.
2. Set the `USERNAME` variable to your Docker Hub username.
3. If you're using cloud-hypervisor, set the `BRIDGE` variable to `192.168.129.1`

```bash
export USERNAME=""
export TOKEN=$(cat ~/hub.txt)
export BRIDGE="192.168.128.1"

cat >> /tmp/registry.yml <<EOF
version: 0.1
Expand All @@ -83,14 +85,20 @@ proxy:
password: $TOKEN
http:
addr: 192.168.128.1:5000
addr: $BRIDGE:5000
relativeurls: false
draintimeout: 60s
EOF
sudo mv /tmp/registry.yml /etc/registry/config.yml
# Enable self-signed TLS from the TLS certificate and key
# managed by actuated for server <> microVM communication
tls:
certificate: /var/lib/actuated/certs/server.crt
key: /var/lib/actuated/certs/server.key
EOF
```

As the certificate is expired, actuated will automatically restart the `registry` service to use the new certificate.

Install and start the registry with a systemd unit file:

```bash
Expand Down Expand Up @@ -140,7 +148,7 @@ on:

jobs:
build:
runs-on: [actuated]
runs-on: [actuated-4cpu-8gb]
steps:

- name: Setup mirror
Expand All @@ -167,10 +175,17 @@ find /var/lib/registry/ -name "alpine"
/var/lib/registry/docker/registry/v2/repositories/library/alpine
```

Add actuated's bridge <> VM CA bundle to the trust store on the server, to test the registry via curl:

```bash
sudo cp /var/lib/actuated/certs/ca.crt /usr/local/share/ca-certificates/actuated-ca.crt
sudo update-ca-certificates
```

You can also use the registry's API to query which images are available:

```bash
curl -i http://192.168.128.1:5000/v2/_catalog
curl -i https://192.168.128.1:5000/v2/_catalog

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Expand Down

0 comments on commit 4454e38

Please sign in to comment.