搭建私有TLS认证registry

本文主要使用openssl+registry:2，在centos7.2上部署，docker版本为v17.06
搭建步骤：

1. 生成自签名证书

证书默认只支持域名访问，所以需要修改/etc/pki/tls/openssl.cnf来支持ip访问

[root@registry certs]# vim /etc/pki/tls/openssl.cnf[ v3_ca ]subjectAltName = IP:10.10.84.110

创建证书

[root@registry ~]# mkdir /etc/docker/certs.d/10.10.84.110:5000[root@registry ~]# openssl req -x509 -days 3650 -nodes -newkey rsa:2048 \-keyout /opt/docker/registry/certs/domain.key \-out /opt/docker/registry/certs/domain.crt-----Country Name (2 letter code) [XX]:86State or Province Name (full name) []:ZhejiangLocality Name (eg, city) [Default City]:HangzhouOrganization Name (eg, company) [Default Company Ltd]:citycloudOrganizational Unit Name (eg, section) []:noc      Common Name (eg, your name or your server's hostname) []:10.10.84.110:5000Email Address []:zt@citycloud.com.cn注意CN名字10.10.84.110:5000

2. 创建带有TLS认证的registry容器

[root@registry ~]# docker pull registry:2[root@registry ~]# docker run -d --name registry2.0 --restart always \-v /opt/docker/registry/data:/var/lib/registry \-p 10.10.84.110:5000:5000 \-v /opt/docker/registry/certs:/certs \-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \registry:2

3. 测试

[root@registry ~]# cp /opt/docker/registry/certs/domain.crt  /etc/docker/certs.d/10.10.84.110:5000/ca.crt[root@registry ~]# docker tag hello-world 10.10.84.110:5000/hello-world[root@registry certs]# docker push 10.10.84.110:5000/hello-world

其他客户端需要使用此私有仓库，需要创建目录/etc/docker/certs.d/10.10.84.110:5000/，并将ca.crt文件放在此目录下

参考文章：
http://blog.csdn.net/gqtcgq/article/details/51163558
https://docs.docker.com/registry/deploying/#support-for-lets-encrypt