Repositories, Container Images and Tags in Mirantis Secure Registry
In Part 1, we explored the capabilities of Mirantis Secure Registry (MSR) deployed on Minikube, and accessed its WebUI using Lens and the port forward capability.
In Part 2, I will demonstrate how to:
- Extend our deployment to access MSR using a friendly URL
- Pull and Push Images to and from MSR using the Docker CLI
Accessing MSR on a Friendly URL
If we take a closer look at the URL on which we accessed MSR in Part 1, it is “https://localhost:64852/” (the port is random and may differ in your case). This URL is not convenient to use all the time.
Let’s configure MSR to be accessed on the URL “https://devmsr.local.io”.
There are 4 steps involved in patching our existing deployment to support this URL:
- Enable Ingress Add-on on Minikube
- Create Certificates
- Configure the Ingress Object
- Configure the DNS entry
Let’s look at how to do that.
Enable Ingress Add-on on Minikube
To enable Minikube ingress add-on, follow these steps:
- Open a terminal
- Enable the ingress add-on on profile “devmsr” using the following command:
$ minikube addons enable ingress --profile devmsr
Now let’s create the certificates.
Create Certificates
By default, the MSR deployment uses self-signed certificates with the SAN names “nginx, localhost, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1”. To support custom DNS names, we need to create certificates with, in this case, the SAN name “devmsr.local.io”. To do that, follow these steps:
- Navigate to Lens → Select “devmsr” → Open Terminal
- Create the config file devmsr.local.io.conf with this content:
[req]
distinguished_name=req
[SAN]
subjectAltName=DNS:devmsr.local.io
- Generate the self-signed certificate and private key from that config file using the following openssl command:
openssl req -newkey rsa:2048 -nodes -keyout devmsr.local.io.key -x509 -days 365 -out devmsr.local.io.cert -subj /CN=devmsr.local.io -extensions SAN -config 'devmsr.local.io.conf'
- To use the certificate, create a Kubernetes TLS secret from the certificate and key files using the following kubectl command:
kubectl create secret tls devmsr.local.io --cert devmsr.local.io.cert --key devmsr.local.io.key
- Update our deployment to use these certificates using the following helm command:
helm upgrade msr msr --repo https://registry.mirantis.com/charts/msr/msr --version 1.0.0 --set nginx.webtls.create=false --set nginx.webtls.secretName="devmsr.local.io"
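A pre-flight check for the files produced above, as an added example that is not part of the original article: it confirms that the SAN entry is present (Go-based clients such as the Docker CLI match the host name against SANs, not the CN), that the certificate is not about to expire, and that the key belongs to it. The function names and the 7-day threshold are assumptions; `make_cert` only builds a throwaway sample so the script runs on its own.

```shell
#!/bin/sh
# Added example: pre-flight checks for the certificate created above.

# make_cert DIR HOST: throwaway self-signed cert + key, HOST as the only SAN,
# built with the same config file and openssl options as the steps above.
make_cert() {
    printf '[req]\ndistinguished_name=req\n[SAN]\nsubjectAltName=DNS:%s\n' "$2" \
        > "$1/$2.conf"
    openssl req -newkey rsa:2048 -nodes -keyout "$1/$2.key" -x509 -days 365 \
        -out "$1/$2.cert" -subj "/CN=$2" -extensions SAN \
        -config "$1/$2.conf" 2>/dev/null
}

# cert_has_san CERT HOST: succeeds only if HOST is listed verbatim as a DNS SAN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -qxF "DNS:$2"
}

# cert_valid_for CERT SECONDS: succeeds if CERT is still valid SECONDS from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# key_matches_cert CERT KEY: succeeds if both files hold the same public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# preflight CERT KEY HOST: run all checks and report the first failure.
preflight() {
    cert_has_san "$1" "$3"     || { echo "SAN missing: $3"; return 1; }
    cert_valid_for "$1" 604800 || { echo "expires within 7 days"; return 1; }
    key_matches_cert "$1" "$2" || { echo "key does not match cert"; return 1; }
    echo "ok"
}

# Demo on a constructed certificate in a temporary directory.
demo_dir=$(mktemp -d)
make_cert "$demo_dir" devmsr.local.io &&
    preflight "$demo_dir/devmsr.local.io.cert" \
              "$demo_dir/devmsr.local.io.key" devmsr.local.io
```

For the real files from the steps above, run `preflight devmsr.local.io.cert devmsr.local.io.key devmsr.local.io` before creating the secret.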
Now we need to configure the Ingress object.
Configure the Ingress Object for MSR
To configure Ingress, follow these steps:
- Create Ingress Object for MSR to receive traffic via devmsr.local.io by creating a YAML file:
$ vi msr-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: msr-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  rules:
  - host: devmsr.local.io
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: msr
            port:
              number: 443
- Deploy the Ingress object using the following command:
kubectl apply -f msr-ingress.yaml
- Obtain the IP address from the Lens UI or use this kubectl command:
kubectl get ingress
- Add the entry to /etc/hosts file on your workstation (you will need administrator access):
192.168.205.5 devmsr.local.io
We can now successfully access MSR on a friendly URL: https://devmsr.local.io
“You have no repositories…”, that’s right, it is empty because we have not created one yet.
Before we jump right into creating one, let’s talk about “Repositories”.
A Repository is a path to the directory of images and charts on a registry. It stores a collection of different image and chart versions. It can provide additional functionality such as access control, versioning, security checks, auditing, and so on.
A repository is represented using the format:
[REGISTRY_HOST]/[ACCOUNT]/[NAME]
The entire string makes the repository unique.
Now, let us create a new repository. Follow these steps:
- Click on New Repository
- In the Repository Name box, enter “hello-world”
- In the Description box, write a short description (optional).
- Select whether the repository will be Public or Private. For now, let’s keep it public.
- Click the “Create” button
- This creates a “hello-world” repository
- Select the repository by clicking on it.
Upon selecting the repository you’ll see several options tabs representing operations you can perform on the repository.
- Repository Info tab includes README, Repository Permissions and the Docker Pull Command
- Tags tab includes Image Tag name, Type, Digest, Size, Signed or unsigned, last pushed at information.
- Charts tab includes Helm Charts.
- Webhooks provides the capability to invoke a webhook based on various events on the repository.
- Promotions enables us to create Image promotion policies based on custom rules.
- Pruning helps to control the number of images to be stored, and so on.
- Enforcement Policies is a collection of rules used to determine whether an image can be pulled.
- Mirrors enables us to mirror the data in this repository to or from a remote registry.
- Settings are used to control various operations on the repository.
- Activity tracks the events on the repository.
This repository is empty; you can add images into this repository using:
- The Docker push operation from CLI
- Using MSR Repository Mirroring
- Promotion Policies.
A Container Image (aka Docker Image) is the core foundational artifact for an application to be Cloud-Native, where the application is packaged and shipped to the target environment. The executable form of the image is referred to as a Container.
Container Images are stored within Repositories in a Registry such as Mirantis Secure Registry, Docker Hub, Google Container Registry, and so on.
In the following section, we’ll look at pushing images to our “hello-world” repository using the Docker CLI.
In order to interact with the Registry using the Docker CLI, you need to have Docker installed on your workstation. If you haven’t yet done that, follow the instructions here:
Once you’ve done the install, verify that the docker engine is running from the terminal.
In order to push an image to the repository, first we need to have an image locally available in the workstation.
Download the “hello-world” image from Docker Hub to the local workstation.
docker image pull docker.io/library/hello-world:linux
The image we pulled is from:
- Registry “docker.io”
- Account/Username: library
- Name: hello-world
Keyword “linux” after “:” (colon) refers to the “tag” name. The full repository string + tag is referred to as an image.
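How a reference string splits into these parts, as an added example that is not from the original article: a small POSIX shell parser that applies Docker's defaulting rules, which shows that an unqualified `admin/hello-world:linux` resolves to docker.io rather than to devmsr.local.io. The function name `parse_image_ref` is hypothetical, and digest references (name@sha256:digest) are not handled.

```shell
#!/bin/sh
# Added example: split an image reference into registry, account, name, tag.

# parse_image_ref REF: prints "REGISTRY ACCOUNT NAME TAG" ("-" = no account).
parse_image_ref() {
    ref=$1 registry=docker.io tag=latest
    # A tag can only follow the last "/", so a ":" inside a host:port
    # prefix is never mistaken for one.
    last=${ref##*/}
    case $last in
        *:*) tag=${last##*:}; ref=${ref%:*} ;;
    esac
    # The first component is a registry host only if it looks like one
    # (contains "." or ":", or is "localhost"); otherwise docker.io is implied.
    first=${ref%%/*}
    case $ref in
        */*)
            case $first in
                *.*|*:*|localhost) registry=$first; ref=${ref#*/} ;;
            esac ;;
    esac
    # What remains is [ACCOUNT/]NAME; Docker Hub implies the "library" account.
    case $ref in
        */*) account=${ref%/*}; name=${ref##*/} ;;
        *)   name=$ref; account=-
             [ "$registry" = docker.io ] && account=library ;;
    esac
    printf '%s %s %s %s\n' "$registry" "$account" "$name" "$tag"
}

# Constructed sample references, including the two used in this article.
for r in docker.io/library/hello-world:linux \
         devmsr.local.io/admin/hello-world:linux \
         admin/hello-world:linux hello-world localhost:5000/admin/app; do
    printf '%-42s -> %s\n' "$r" "$(parse_image_ref "$r")"
done
```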
Now, let us push this “hello-world” image to our “devmsr.local.io” registry.
- Rename docker.io/library/hello-world:linux
$ docker image tag docker.io/library/hello-world:linux devmsr.local.io/admin/hello-world:linux
- Authenticate with “devmsr.local.io”
$ docker login devmsr.local.io
- Push image to “devmsr.local.io”
$ docker image push devmsr.local.io/admin/hello-world:linux
- To verify, go to the WebUI, open the repository, and look under the “Tags” tab
We have now successfully pushed an image into MSR.
In the next part, I’ll talk about Helm Charts, and how to write a Helm chart and publish it to MSR.