Step 1: Create a domain record pointing to our Kubernetes Cluster
Create a DNS A record for the registry host name that points to the public IP address of the cluster's ingress. If you don't know that address, it is shown as the EXTERNAL-IP of the nginx-ingress-controller Service (the namespace depends on how the ingress controller was installed; here it lives in kube-system):
kubectl get svc -n kube-system
For this article let’s say we have a domain called registry.mydomain.com.
Step 2: Installation of cert-manager Kubernetes addon
A TLS certificate is one of the requirements for running a Docker Registry: the Docker client refuses to push to or pull from a registry over plain HTTP unless that registry is explicitly listed as insecure.
Fortunately, this is readily achievable with Let's Encrypt and the cert-manager Kubernetes addon.
The addon automates the issuance and management of TLS certificates: it periodically checks that the certificates it manages are still valid and attempts to renew them at an appropriate time before they expire.
The installation of cert-manager is pretty straightforward:
The Certificate resource has three parts that matter here:
dnsNames: the host names the Issuer puts into the certificate (registry.mydomain.com in our case)
secretName: the Kubernetes Secret in which the certificate and private key are stored once they are obtained
acme config: how domain ownership is validated (the http01 challenge mechanism)
With an HTTP-01 challenge, you prove control of a domain by serving a specific file at a well-known URL under it (http://registry.mydomain.com/.well-known/acme-challenge/<token>). The Let's Encrypt validation servers fetch that URL over plain HTTP, so port 80 of the domain must be reachable from the internet, not only port 443.
Thankfully this is handled entirely by cert-manager-controller, which starts a temporary Pod, Service, and Ingress solely for the validation. Once the domain is validated, these resources are deleted again.
Once you apply the Certificate resource to the cluster, cert-manager-controller starts issuing the certificate.
You can follow its progress in the Events of the Certificate:
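As an added example that is not part of the original article, the two manifests below show what the Issuer and the Certificate for registry.mydomain.com look like with the fields described above. They use the legacy certmanager.k8s.io/v1alpha1 API, which is the one that produces the event names shown further down. The ClusterIssuer name letsencrypt-prod, the account key Secret name, the contact e-mail, the default namespace and the ingress class nginx are assumptions chosen for the example.

```yaml
# Added example (not from the article): a ClusterIssuer for Let's Encrypt and the
# Certificate resource for registry.mydomain.com, using the legacy
# certmanager.k8s.io/v1alpha1 API that matches the event names shown on this page.
# Assumptions: the ClusterIssuer name letsencrypt-prod, the account key Secret name,
# the contact e-mail, the default namespace and the ingress class "nginx" are
# placeholders for this example.
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # While testing, point this at
    # https://acme-staging-v02.api.letsencrypt.org/directory instead: the
    # production endpoint enforces rate limits on repeated issuance attempts.
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@mydomain.com
    # Private key of the ACME account; cert-manager creates and stores it here.
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    # Enable the HTTP-01 challenge type for this issuer.
    http01: {}
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: docker-registry
  namespace: default
spec:
  # Secret (tls.crt / tls.key) written once the certificate is obtained.
  # The registry's Ingress references this name under its tls: section.
  secretName: docker-registry-tls-certificate
  # Host names the Issuer puts into the certificate.
  dnsNames:
  - registry.mydomain.com
  # Domain validation: answer the HTTP-01 challenge through the nginx ingress.
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - registry.mydomain.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
```

Apply both with kubectl apply -f. Once issuance has succeeded, you can check what was actually obtained with kubectl get secret docker-registry-tls-certificate -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -subject -issuer -dates, which should show registry.mydomain.com as the subject, Let's Encrypt as the issuer, and a 90-day validity period. On current cert-manager releases (API group cert-manager.io/v1) the layout differs: the HTTP-01 solver is declared on the Issuer under spec.acme.solvers, and the Certificate carries only secretName, dnsNames and issuerRef.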
kubectl describe certificate docker-registry
Type Reason Age From Message
---- ------ ---- ---- -------
Warning ErrorCheckCertificate 7m cert-manager-controller Error checking existing TLS certificate: secret "docker-registry-tls-certificate" not found
Normal PrepareCertificate 7m cert-manager-controller Preparing certificate with issuer
Normal PresentChallenge 7m cert-manager-controller Presenting http-01 challenge for domain registry.mydomain.com
Normal SelfCheck 7m cert-manager-controller Performing self-check for domain registry.mydomain.com
Normal ObtainAuthorization 5m cert-manager-controller Obtained authorization for domain registry.mydomain.com
Normal IssueCertificate 5m cert-manager-controller Issuing certificate...
Normal CeritifcateIssued 5m cert-manager-controller Certificate issued successfully
Normal RenewalScheduled 4m (x2 over 5m) cert-manager-controller Certificate scheduled for renewal in 1438 hours
The ErrorCheckCertificate warning at the top of the list is expected on a first issuance: it only says that the Secret does not exist yet. The renewal is scheduled roughly 30 days before the 90-day certificate expires, so no manual renewal is needed. If everything goes well, the issued certificate and its private key end up in the Secret named by secretName: