Registry Mirror Tools

Kubernetes does not natively provide a registry for hosting the container images you will use to run the applications you want to deploy on Kubernetes. Instead, Kubernetes requires you to use an external solution for storing and sharing container images. There are a variety of Kubernetes-compatible registry options that are compatible with DKP.

How Does it Work?

The first time you request an image from your local registry mirror, it pulls the image from the public registry (such as Docker) and stores it locally before handing it back to you. On subsequent requests, the local registry mirror is able to serve the image from its own storage.

Air-gapped vs Non-air-gapped Environments

In a non-air-gapped environment, you have access to the Internet. You retrieve artifacts from specialized repositories dedicated to them, such as Docker images contained in DockerHub and Helm Charts that come from a dedicated Helm Chart repository. You can also create your own local repository to hold the downloaded container images needed or any custom images you’ve created with the Konvoy Image Builder tool.

In an air-gapped environment, you need a local repository to store Helm charts, Docker images, and other artifacts. Private registries provide security and privacy into enterprise container image storage, whether hosted remotely or on-premises locally in an air-gapped environment. DKP in an air-gapped environment requires a local container registry of trusted images to enable production-level Kubernetes cluster management. However, a local registry is an option in a non-air-gapped environment as well for speed and security.

If you want to use images from this local registry to deploy applications inside your Kubernetes cluster, you’ll need to set up a secret for a private registry. The secret contains your login data, which Kubernetes needs to connect to your private repository.

Local Registry Tools Compatible with DKP

Tools such as JFrog™ Artifactory, Amazon® AWS ECR, Harbor™, and Nexus™ handle multiple types of artifacts in one local repository.

AWS ECR

AWS ECR (Elastic Container Registry) is supported as your air-gapped image registry or a non-air-gapped registry mirror. DKP added support for using AWS ECR as a default registry when uploading image bundles in AWS.

Prerequisites

• Ensure you have followed the steps to create proper permissions in AWS Minimal Permissions and Role to Create Clusters

• Ensure you have created AWS Cluster IAM Policies, Roles, and Artifacts

Upload the Air-gapped Image Bundle to the Local ECR Registry:

A cluster administrator uses DKP CLI commands to upload the image bundle to ECR with parameters:

dkp push bundle --bundle <bundle> --to-registry=<ecr-registry-address>/<ecr-registry-name>

Parameter definitions:

• --bundle <bundle> the group of images. The example below is for the DKP air-gapped environment bundle

• --to-registry=<ecr-registry-address>/<ecr-registry-name> to provide registry location for push

An example command would be:

dkp push bundle --bundle container-images/konvoy-image-bundle-v2.7.0.tar --to-registry=333000009999.dkr.ecr.us-west-2.amazonaws.com/can-test

NOTE: You can aslo set an environment variable with your registry address for ECR:

export REGISTRY_URL=<ecr-registry-URI>

• REGISTRY_URI: the address of an existing local registry accessible in the VPC that the new cluster nodes will be configured to use a mirror registry when pulling images.

• The environment where you are running the dkp push command must be authenticated with AWS in order to load your images into ECR.

Air-gapped Environment Information regarding your AWS ECR Account

The cluster administrator uses existing DKP CLI commands to create the cluster and refer to their internal ECR for image repository. The administrator does not need to provide static ECR registry credentials. See Use a Registry Mirror and Create an EKS Cluster from the CLI for more details.

JFrog Artifactory

JFrog Artifactory can function as a container registry, as well as an automated management tool for binaries and artifacts of all types. If you use JFrog Artifactory or JFrog Container Registry, you must update to a new version of the software. Use a build newer than version 7.11; older versions are not compatible.

Nexus Registry

Nexus Repository is a package registry for your Docker images and Helm Chart repositories and supports Proxy, Hosted, and Group repositories. It can be used a single registry for all your Kubernetes deployments.

Harbor Registry

Install Harbor and configure any HTTP access required, as well as the system level parameters in the harbor.yml file. Then run the installer script. If you are upgrading from a previous version of Harbor, you update the configuration file and migrate your data to fit the database schema of the later version. For information about upgrading, see Upgrading Harbor. A version than Harbor Registry v2.1.1-5f52168e will support OCI images.

While seeding you may see error messages such as the following:

2023/09/12 20:01:18 retrying without mount: POST https://harbor-registry.daclusta/v2/harbor-registry/mesosphere/kube-proxy/blobs/uploads/?from=mesosphere%2Fkube-proxy&mount=sha256%3A9fd5070b83085808ed850ff84acc98a116e839cd5dcfefa12f2906b7d9c6e50d&origin=REDACTED: UNAUTHORIZED: project not found, name: mesosphere: project not found, name: mesosphere

 This appears to indicate that the image was not successfully pushed to your Harbor docker registry, but it is a false positive error message. This will only affect version of the DKP binary newer than DKP 2.4.0. This does not affect any other Local Registry solution such as Nexus or Artifactory. You can safely ignore these error messages. 

Bastion Host

If you have not set up a Bastion Host yet, refer to that section of the documentation.

Related Topic:

If you need to configure a private registry with a registry mirror, see Use a Registry Mirror for details on using that flag.

Next Topic:

Air-gapped Seed the Registry