Secure Docker registry inside Kubernetes cluster


Kubernetes cluster is running on DigitalOcean (Managed Kubernetes Cluster)

I’m currently busy getting to know Kubernetes, I’ve succesfully migrated an existing non-containerized WordPress installation to a containerized installation on Kubernetes. One struggle I had was the fact that I had to do it with a private repository on Docker Hub (which is at the same time also the maximum amount of private repositories on a unpaid account).

After that I started looking at self-hosted Docker Registry solutions, which isn’t that hard. Run a Docker container with the registry:2.7 and you’re basically “up and running” (in regards to prototyping, obviously a lot has to be considered in terms of security, storage, high-availability etc).

I thought it wouldn’t be that hard to create a Kubernetes deployment with a container template containing a container with registry:2.7 as its image and apply it to the cluster, no sweat, right?!

What I found out was that the registry (which I should’ve known beforehand) is insecure, not using any SSL/TLS and thus required to configure the Docker daemon to allow this as an insecure registry. But… I’m running my cluster on DigitalOcean, both for convenience and that I basically don’t know what I’m doing right now if I had to setup a bare-metal cluster myself.

Because of the previously mentioned limitation I can’t simply add the registry as an insecure registry to the Docker daemon, the individual nodes are ran by DigitalOcean and they don’t guarantee that those kind changes are persisted.

What I’ve tried
I’ve been roaming the internet, trying to find a guide on how to setup a secure Docker registry inside a Kubernetes cluster, but up till now I haven’t found any that gave me any promising results.

I tried the “Manage TLS Certificates in a Cluster” but I saw that I had to pass specific IPs of services and pods, and this didn’t really seem scalable in regards to deploying a Docker registry from scratch using a deployment and not requiring that much manual intervention.

I hope someone might be able to help me get this to work and learn how it works so that I actually understand it. I don’t like to have something running but not actually knowing how it does that and why.