
[root@k8s-worker01 ~]# mkdir certs
[root@k8s-worker01 ~]# 
[root@k8s-worker01 ~]# openssl req \
>   -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
>   -x509 -days 365 -out certs/domain.crt
Generating a 4096 bit RSA private key
...................................................++
........................................................................++
writing new private key to 'certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:kr
State or Province Name (full name) []:seoul      
Locality Name (eg, city) [Default City]:seoul 
Organization Name (eg, company) [Default Company Ltd]:sptek
Organizational Unit Name (eg, section) []:engops
Common Name (eg, your name or your server's hostname) []:registry.thesanse.com
Email Address []:sooabia22@sptek.co.kr
[root@k8s-worker01 ~]# cd certs
[root@k8s-worker01 certs]# ls
domain.crt  domain.key
[root@k8s-worker01 certs]# ls
domain.crt  domain.key
[root@k8s-worker01 certs]# 


[root@k8s-worker01 ~]# docker swarm init --advertise-addr 52.231.65.113
Swarm initialized: current node (0zhxqeqg5zcidk4mte87htlej) is now a manager.

To add a worker to this swarm, run the following command:

    docker swarm join \
    --token SWMTKN-1-2pe05um3cnu3z8ktyxkjmozujgmmvffdct4dz81bd2dghurjyr-eu3oqllp4b637iksavox60t0x \
    52.231.65.113:2377

To add a manager to this swarm, run 'docker swarm join-token manager' and follow the instructions.

[root@k8s-worker01 ~]#
[root@k8s-worker01 ~]#
[root@k8s-worker01 ~]#
[root@k8s-worker01 ~]# docker secret create domain.crt certs/domain.crt
ulpoxrnjasokhz9tv3yx0cocy
[root@k8s-worker01 ~]#
[root@k8s-worker01 ~]#
[root@k8s-worker01 ~]# docker secret create domain.key certs/domain.key
5gbj3r3s81bmxp4s1ueduzdtm
[root@k8s-worker01 ~]#
[root@k8s-worker01 ~]# docker node ls
ID                           HOSTNAME      STATUS  AVAILABILITY  MANAGER STATUS
0zhxqeqg5zcidk4mte87htlej *  k8s-worker01  Ready   Active        Leader
[root@k8s-worker01 ~]#
[root@k8s-worker01 ~]#
[root@k8s-worker01 ~]#
[root@k8s-worker01 ~]# docker node update --label-add registry=true 0zhxqeqg5zcidk4mte87htlej
0zhxqeqg5zcidk4mte87htlej
[root@k8s-worker01 ~]#
[root@k8s-worker01 ~]#
[root@k8s-worker01 ~]# docker service create \
>   --name registry \
>   --secret domain.crt \
>   --secret domain.key \
>   --constraint 'node.labels.registry==true' \
>   --mount type=bind,src=/mnt/registry,dst=/var/lib/registry \
>   -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
>   -e REGISTRY_HTTP_TLS_CERTIFICATE=/run/secrets/domain.crt \
>   -e REGISTRY_HTTP_TLS_KEY=/run/secrets/domain.key \
>   --publish published=443,target=443 \
>   --replicas 1 \
>   registry:2
7bzq5bkrm51i9nmjtyaqyizkq
[root@k8s-worker01 ~]#
[root@k8s-worker01 ~]# mkdir auth
[root@k8s-worker01 ~]# docker run \
>   --entrypoint htpasswd \
>   registry:2 -Bbn testuser testpassword > auth/htpasswd
[root@k8s-worker01 ~]# docker container stop registry
registry
[root@k8s-worker01 ~]# docker run -d \
>   -p 5000:5000 \
>   --restart=always \
>   --name registry2 \
>   -v "$(pwd)"/auth:/auth \
>   -e "REGISTRY_AUTH=htpasswd" \
>   -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
>   -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
>   -v "$(pwd)"/certs:/certs \
>   -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
>   -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
>   registry:2
fe488ab1873a563e868a336dfbdb962f10429d2adf813d41d7eb5b46a4f6c565


Info
$ docker run -d \
  --restart=always \
  --name registry \
  -v "$(pwd)"/certs:/certs \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  -p 443:443 \
  registry:2
[root@k8s-worker01 ~]# docker login registry.thesanse.com:5000
Username: testuser
Password:
Error response from daemon: Get https://registry.thesanse.com:5000/v1/users/: x509: certificate signed by unknown authority

The login fails because domain.crt is self-signed (it was generated above with `openssl req -x509`), so the Docker daemon on the client has no CA that vouches for it; the client must be configured to trust that certificate (or the registry must use a certificate issued by a CA the client already trusts) before `docker login` will succeed.