Private Docker Registry
Creating a registry, TLS-encrypting it with Traefik (Let’s Encrypt) and using native basic auth
Authentication
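The registry sits behind Traefik as a proxy with TLS, so we can use the registry's native basic auth. Basic auth sends the credentials with every request in an easily decoded form, so it is only acceptable over TLS.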
Perhaps it would be possible to use Traefik as an authentication proxy, but alas I have a good authentication solution that gives me nothing. For the time being… let’s keep things simple, shall we?
Native basic auth
Create an htpasswd secret by running ./create-secret-htpasswd.sh:
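#!/bin/bash
echo "**** Private Docker Registry ****"
echo "User" && read -r user
echo "Password" && read -rs pw
# -B = bcrypt, -b = password taken from the command line, -n = print to stdout.
# --rm deletes the helper container afterwards, so the password does not
# linger in the stopped container's stored arguments (docker inspect).
docker run --rm --entrypoint htpasswd registry:2.6 -Bbn "${user}" "${pw}" \
  | docker secret create registry_htpasswd -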
Factoid: You cannot update a secret in place, because secrets are immutable by design. This has benefits when doing rollbacks.
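The registry's htpasswd backend only accepts bcrypt entries (which is why the script passes -B), and a secret cannot be corrected once created, so it pays to lint the entries first. The following is an added example, not part of the original post; check_htpasswd, MIN_COST and the sample entries are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): lint htpasswd entries before
# they are frozen into an immutable Docker secret.
# check_htpasswd and MIN_COST are hypothetical names.

MIN_COST=${MIN_COST:-5}   # assumption: lowest bcrypt cost you are willing to accept

# Constructed sample entries (not real credentials):
SAMPLE_GOOD='alice:$2y$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234'
SAMPLE_BAD='bob:$apr1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV'

# Reads htpasswd lines on stdin and prints one finding per unusable line.
# Exit status: 0 if every entry is bcrypt with cost >= MIN_COST, else 1.
# Findings name the user and line only, never the hash itself.
# The body is a subshell, so its variables do not leak into the caller.
check_htpasswd() (
  n=0
  bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    if [ -z "$line" ]; then continue; fi      # htpasswd -n emits a blank line
    user=${line%%:*}
    hash=${line#*:}
    if [ "$user" = "$line" ] || [ -z "$user" ]; then
      echo "line $n: not in user:hash form"; bad=1
    elif ! printf '%s\n' "$hash" |
        grep -Eq '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'; then
      # e.g. $apr1$ (MD5) or {SHA} entries, which the registry ignores
      echo "line $n: $user is not a bcrypt entry"; bad=1
    else
      cost=${hash#\$2?\$}     # drop the "$2y$" prefix
      cost=${cost%%\$*}       # keep the two cost digits
      cost=${cost#0}          # "05" -> "5"
      if [ "$cost" -lt "$MIN_COST" ]; then
        echo "line $n: $user uses bcrypt cost $cost, below $MIN_COST"; bad=1
      fi
    fi
  done
  exit "$bad"
)

# Demo on the constructed samples; reports bob's entry as unusable.
printf '%s\n' "$SAMPLE_GOOD" "$SAMPLE_BAD" | check_htpasswd || true
```

To use it with the script above, capture the htpasswd output in a variable and only pipe it on to docker secret create when check_htpasswd succeeds.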
Deploy
docker stack deploy -c compose-registry.yml hub
# docker stack deploy -c compose-registry.yml hub
version: '3.5'
services:
  registry:
    image: registry:2.6
    volumes:
      - ~/volume/registry_data:/var/lib/registry
    networks:
      - traefik-ingress
    secrets:
      - registry_htpasswd
    environment:
      REGISTRY_AUTH: htpasswd
      REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
      REGISTRY_AUTH_HTPASSWD_PATH: /run/secrets/registry_htpasswd
    deploy:
      replicas: 1
      labels:
        - "traefik.port=5000"
        - "traefik.frontend.rule=Host:hub.hammar.org"
        - "traefik.enable=true"
networks:
  traefik-ingress:
    external: true
secrets:
  registry_htpasswd:
    external: true
ToDo
Check the http-header thing