If you install a CP4BA production deployment in an air-gapped environment, a private image registry must be used to store all images in your local environment. You can follow the steps below to deploy a simple registry server; it must be reachable from the OCP nodes. The example uses Red Hat with Docker as the local environment.
1. Prepare the certificate
You can obtain a certificate from a certificate authority (CA). Create a certs directory in your local environment and copy the .crt and .key files from the CA into the certs directory.
For testing, the following commands create a self-signed certificate instead; both files are written under certs/. Replace <hostname> with the fully qualified name the OCP nodes will use to reach the registry, and keep it in the subjectAltName: Docker (and the Go TLS stack it uses) validates the SAN, not the CN. The -addext option requires OpenSSL 1.1.1 or later.
$ mkdir -p certs
$ openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -x509 -days 3000 -out certs/domain.crt -subj "/CN=<hostname>" -addext "subjectAltName = DNS:<hostname>"
2. Basic authentication
The simplest way to restrict access is basic authentication. This example uses the registry's native basic authentication with an htpasswd file to store the secrets. The registry only accepts bcrypt hashes, which is why -B is passed to htpasswd below.
Create a password file with one entry for the user <user_local_environment>, with password <password_local_environment>:
$ mkdir auth
$ docker run --rm \
--entrypoint htpasswd \
httpd:2 -Bbn <user_local_environment> <password_local_environment> > auth/htpasswd
3. Deploy the registry server with TLS and basic authentication. The command below bind-mounts the auth/ and certs/ directories into the container at /auth/ and /certs/, sets the environment variables that tell the registry where to find the htpasswd file and the domain.crt and domain.key files, and serves the registry on port 443, the default HTTPS port.
Run the following command:
docker run -d \
--restart=always \
--name registry \
-v "$(pwd)"/auth:/auth \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v "$(pwd)"/certs:/certs \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
-p 443:443 \
registry:2
4. Add the registry to Docker's insecure registries
The configuration below registers the host as an insecure registry; if /etc/docker/daemon.json does not exist, create it. Be aware that an entry in insecure-registries makes Docker skip TLS certificate verification for that host (and fall back to plain HTTP if HTTPS fails), so it is only appropriate for a self-signed certificate in a test environment. The alternative that keeps verification is to copy domain.crt to /etc/docker/certs.d/<hostname_local_environment>:443/ca.crt, which Docker reads without a daemon restart.
sudo vi /etc/docker/daemon.json
{
"insecure-registries":["<hostname_local_environment:443>","<hostname_local_environment>"]
}
Then restart Docker with sudo systemctl restart docker so the change takes effect.
The simple Docker registry is now ready to use; verify it with docker pull, docker tag, and docker push against <hostname_local_environment>:443.
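The four steps above, collected into one script as an added example (it is not part of the original page or of the CP4BA documentation). It adds two checks the steps do not show: that the generated htpasswd file really contains bcrypt hashes, which is the only format the registry accepts, and that the certificate carries the hostname in its SAN. It also trusts the self-signed certificate through /etc/docker/certs.d instead of the insecure-registries list, so TLS verification stays on. The hostname, user and password are assumed placeholders taken from environment variables; docker, openssl and curl are only needed for the guarded run path at the bottom.

```sh
#!/bin/sh
# Added example, not from the original page. Placeholders (assumptions):
# REG_HOST, REG_PORT, REG_USER, REG_PASS; override them in the environment.
set -eu

REG_HOST="${REG_HOST:-registry.example.internal}"   # assumed placeholder hostname
REG_PORT="${REG_PORT:-443}"
REG_USER="${REG_USER:-regadmin}"                    # assumed placeholder user
REG_PASS="${REG_PASS:-change-me}"                   # assumed placeholder password

# Every non-empty line of an htpasswd file must be "user:$2y$..." (bcrypt; Go's
# bcrypt also accepts $2a$ and $2b$). Returns 1 and names the offending user
# otherwise, so a file produced with "htpasswd -m" (MD5) is caught here rather
# than as a failed login against the running registry.
check_htpasswd_bcrypt() {
    file="$1"
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        if [ -z "$line" ]; then continue; fi
        user="${line%%:*}"
        hash="${line#*:}"
        case "$hash" in
            '$2y$'*|'$2a$'*|'$2b$'*) ;;
            *) echo "non-bcrypt hash for user '$user'" >&2; status=1 ;;
        esac
    done < "$file"
    return "$status"
}

# Directory Docker consults for a registry's CA certificate. The name must match
# how images are referenced: "host:port/image" uses certs.d/host:port/.
docker_certs_dir() {
    echo "/etc/docker/certs.d/$1:$2"
}

# True when the certificate's subjectAltName lists the given DNS name.
cert_has_san() {
    openssl x509 -in "$2" -noout -text | grep -Fq "DNS:$1"
}

setup_registry() {
    mkdir -p certs auth
    # Step 1: self-signed certificate with the hostname in the SAN.
    openssl req -newkey rsa:4096 -nodes -sha256 \
        -keyout certs/domain.key -x509 -days 3000 -out certs/domain.crt \
        -subj "/CN=$REG_HOST" -addext "subjectAltName = DNS:$REG_HOST"
    cert_has_san "$REG_HOST" certs/domain.crt
    # Step 2: bcrypt htpasswd entry (-B bcrypt, -b password from argv, -n to stdout).
    docker run --rm --entrypoint htpasswd httpd:2 -Bbn "$REG_USER" "$REG_PASS" > auth/htpasswd
    check_htpasswd_bcrypt auth/htpasswd
    # Step 3: the registry container, as on the page.
    docker run -d --restart=always --name registry \
        -v "$(pwd)/auth:/auth" \
        -e REGISTRY_AUTH=htpasswd \
        -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
        -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
        -v "$(pwd)/certs:/certs" \
        -e "REGISTRY_HTTP_ADDR=0.0.0.0:$REG_PORT" \
        -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
        -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
        -p "$REG_PORT:$REG_PORT" registry:2
    # Step 4, hardened: trust the certificate instead of marking the host insecure.
    # No daemon restart is needed; Docker reads certs.d at connection time.
    dir="$(docker_certs_dir "$REG_HOST" "$REG_PORT")"
    sudo mkdir -p "$dir"
    sudo cp certs/domain.crt "$dir/ca.crt"
    # Smoke test: authenticated catalog call over verified TLS, then a push.
    curl -sSf --cacert certs/domain.crt -u "$REG_USER:$REG_PASS" \
        "https://$REG_HOST:$REG_PORT/v2/_catalog"
    printf '%s' "$REG_PASS" | docker login -u "$REG_USER" --password-stdin "$REG_HOST:$REG_PORT"
    docker pull hello-world
    docker tag hello-world "$REG_HOST:$REG_PORT/hello-world:test"
    docker push "$REG_HOST:$REG_PORT/hello-world:test"
}

# The functions above can be sourced and used on their own; pass --run to
# execute the full procedure on a host that has docker, openssl and curl.
if [ "${1:-}" = "--run" ]; then setup_registry; fi
```

Run it as `REG_HOST=<hostname_local_environment> REG_USER=<user_local_environment> REG_PASS=<password_local_environment> sh setup-registry.sh --run`. The OCP nodes that pull from this registry need the same trust decision: either the CA certificate distributed to them or, with the weaker page approach, the host listed as insecure.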