介绍 (Introduction)

A Docker registry is a storage and content delivery system for named Docker images, which are the industry standard for containerized applications. A private Docker registry allows you to securely share your images within your team or organization with more flexibility and control when compared to public ones. By hosting your private Docker registry directly in your Kubernetes cluster, you can achieve higher speeds, lower latency, and better availability, all while having control over the registry.

Docker注册表是用于命名Docker映像的存储和内容交付系统，这是容器化应用程序的行业标准。 私有Docker注册表使您可以在团队或组织内安全地共享映像，与公共映像相比，它具有更大的灵活性和控制力。 通过直接在Kubernetes集群中托管私有Docker注册表，您可以在控制注册表的同时实现更高的速度，更低的延迟和更好的可用性。

The underlying registry storage is delegated to external drivers. The default storage system is the local filesystem, but you can swap this for a cloud-based storage driver. DigitalOcean Spaces is an S3-compatible object storage designed for developer teams and businesses that want a scalable, simple, and affordable way to store and serve vast amounts of data, and is very suitable for storing Docker images. It has a built-in CDN network, which can greatly reduce latency when frequently accessing images.

基础注册表存储委托给外部驱动程序。 默认存储系统是本地文件系统，但是您可以将其交换为基于云的存储驱动程序。 DigitalOcean Spaces是与S3兼容的对象存储，专为希望以可伸缩，简单且负担得起的方式存储和提供大量数据的开发人员团队和企业而设计，非常适合存储Docker映像。 它具有内置的CDN网络，可以大大减少频繁访问图像时的延迟。

In this tutorial, you’ll deploy your private Docker registry to your DigitalOcean Kubernetes cluster using Helm, backed up by DigitalOcean Spaces for storing data. You’ll create API keys for your designated Space, install the Docker registry to your cluster with custom configuration, configure Kubernetes to properly authenticate with it, and test it by running a sample deployment on the cluster. At the end of this tutorial, you’ll have a secure, private Docker registry installed on your DigitalOcean Kubernetes cluster.

在本教程中，您将使用由DigitalOcean Spaces备份以存储数据的Helm将私有Docker注册表部署到DigitalOcean Kubernetes集群。 您将为指定的Space创建API密钥，使用自定义配置将Docker注册表安装到集群中，配置Kubernetes对其进行正确的身份验证，并通过在集群上运行示例部署对其进行测试。 在本教程的最后，您将在DigitalOcean Kubernetes集群上安装一个安全的私有Docker注册表。

先决条件 (Prerequisites)

Before you begin this tutorial, you’ll need:

在开始本教程之前，您需要：

• Docker installed on the machine that you’ll access your cluster from. For Ubuntu 18.04, visit How To Install and Use Docker on Ubuntu 18.04. You only need to complete the first step. Otherwise, visit Docker’s website for other distributions.

  Docker安装在您将通过其访问集群的机器上。 对于Ubuntu 18.04，请访问如何在Ubuntu 18.04上安装和使用Docker 。 您只需要完成第一步。 否则，请访问Docker的网站以获取其他发行版。

• An account at Docker Hub for storing Docker images you’ll create during this tutorial.

  Docker Hub上的一个帐户，用于存储您将在本教程中创建的Docker映像。

• Git installed on the machine that you’ll use to access the cluster. For Ubuntu 18.04, follow the first step of the How To Install Git on Ubuntu 18.04 tutorial. For other platforms, visit the official website.

  Git安装在将用于访问集群的计算机上。 对于Ubuntu 18.04，请遵循如何在Ubuntu 18.04上安装Git教程的第一步。 对于其他平台，请访问官方网站 。

• A DigitalOcean Kubernetes cluster with your connection configuration configured as the kubectl default. Instructions on how to configure kubectl are shown under the Connect to your Cluster step shown when you create your cluster. To learn how to create a Kubernetes cluster on DigitalOcean, see Kubernetes Quickstart.

  一个DigitalOcean Kubernetes集群，其连接配置配置为kubectl默认。 创建集群时，在“ 连接到集群”步骤下显示有关如何配置kubectl说明。 要了解如何在DigitalOcean上创建Kubernetes集群，请参阅Kubernetes Quickstart 。

• A DigitalOcean Space with API keys (access and secret). To learn how to create a DigitalOcean Space and API keys, see How To Create a DigitalOcean Space and API Key.

  具有API密钥(访问和密钥)的DigitalOcean Space。 要了解如何创建DigitalOcean Space和API密钥，请参阅如何创建DigitalOcean Space和API密钥 。

• The Helm package manager installed on your local machine. To do this, complete Step 1 and add the stable repo from Step 2 of the How To Install Software on Kubernetes Clusters with the Helm 3 Package Manager tutorial.

  安装在本地计算机上的Helm软件包管理器。 为此，请完成步骤1并使用Helm 3 Package Manager教程添加如何在Kubernetes群集上安装软件的步骤2中的stable 仓库 。

• The Nginx Ingress Controller and Cert-Manager installed on the cluster. For a guide on how to do this, see How To Set Up an Nginx Ingress on DigitalOcean Kubernetes Using Helm.

  在群集上安装了Nginx Ingress Controller和Cert-Manager。 有关如何执行此操作的指南，请参见如何使用Helm在DigitalOcean Kubernetes上设置Nginx入口 。

• A domain name with two DNS A records pointed to the DigitalOcean Load Balancer used by the Ingress. If you are using DigitalOcean to manage your domain’s DNS records, consult How to Manage DNS Records to create A records. In this tutorial, we’ll refer to the A records as registry.your_domain and k8s-test.your_domain.

  具有两个DNS A记录的域名指向Ingress使用的DigitalOcean负载均衡器。 如果您使用DigitalOcean来管理域的DNS记录，请参阅如何管理DNS记录以创建A记录。 在本教程中，我们将A记录称为registry.your_domain和k8s-test.your_domain 。

Note: The domain names you use in this tutorial must differ from the one used in the “How To Set Up an Nginx Ingress on DigitalOcean Kubernetes” prerequisite tutorial.

注意：在本教程中使用的域名必须与“如何在DigitalOcean Kubernetes上设置Nginx入口”先决条件教程中使用的域名不同。

第1步-配置和安装Docker注册表 (Step 1 — Configuring and Installing the Docker Registry)

In this step, you’ll create a configuration file for the registry deployment and install the registry to your cluster with the given config using the Helm package manager.

在此步骤中，您将为注册表部署创建一个配置文件，并使用Helm软件包管理器使用给定的配置将注册表安装到您的集群中。

During the course of this tutorial, you will use a configuration file called chart_values.yaml to override some of the default settings for the Docker registry Helm chart. Helm calls its packages, charts; these are sets of files that outline a related selection of Kubernetes resources. You’ll edit the settings to specify DigitalOcean Spaces as the underlying storage system and enable HTTPS access by wiring up Let’s Encrypt TLS certificates.

在本教程的过程中，您将使用一个名为chart_values.yaml的配置文件来覆盖Docker注册表Helm chart的一些默认设置。 Helm称其包裹，图表； 这些文件集概述了Kubernetes资源的相关选择。 您将编辑设置以将DigitalOcean Spaces指定为基础存储系统，并通过连接Let's Encrypt TLS证书启用HTTPS访问。

As part of the Nginx Ingress Controller prerequisite, you created example Services and an Ingress. You won’t need them in this tutorial, so you can delete them by running the following commands:

作为Nginx Ingress Controller前提条件的一部分，您创建了示例服务和一个Ingress。 在本教程中，您将不需要它们，因此可以通过运行以下命令将其删除：

The kubectl delete command accepts the file to delete when passed the -f parameter.

当传递-f参数时，kubectl delete命令接受要删除的文件。

Instead of using the official Docker registry, which has issues with S3 storage providers, we’ll use GitLab’s

我们将使用GitLab的，而不是使用S3存储提供程序有问题的官方Docker注册表。

Create a folder that will serve as your workspace:

创建一个将用作您的工作区的文件夹：

Navigate to it by running:

通过运行以下命令导航到它：

Download the Container Registry repository using git by running the following command:

通过运行以下命令，使用git下载Container Registry存储库：

The output will be similar to this:

输出将类似于以下内容：

   

    Output
   
Cloning into 'container-registry'...
remote: Enumerating objects: 1706, done.
...
Resolving deltas: 100% (13955/13955), done.

The repository is now in the container-registry directory. Navigate to it:

现在，该存储库位于container-registry目录中。 导航到它：

You now have the source code of the container registry. To use it from your cluster, you’ll need to build a Docker image out of it and push it to a public registry, such as Docker Hub.

现在，您有了容器注册表的源代码。 要从您的群集中使用它，您需要从中构建一个Docker映像并将其推送到公共注册表，例如Docker Hub。

Run the following command to build a Docker image of the registry, replacing your_dockerhub_username with your Docker Hub username:

运行以下命令以构建注册表的Docker映像，将your_dockerhub_username替换为Docker Hub用户名：

This command can take some time to finish. The output will be long, and should be similar to this:

此命令可能需要一些时间才能完成。 输出将很长，应该类似于以下内容：

   

    Output
   
...
Successfully built 27322ec15cf7
Successfully tagged your_dockerhub_username/registry:dev

Now that the image is built, to push it to your account, you first need to log in:

现在已经创建了映像，然后将其推送到您的帐户，您首先需要登录：

Input your Docker Hub username and password when prompted. The end of the output should look like:

出现提示时，输入您的Docker Hub用户名和密码。 输出的结尾应如下所示：

   

    Output
   
...
Login Succeeded

You can now push the image:

您现在可以推送图像：

The final output will look like:

最终输出将如下所示：

   

    Output
   
The push refers to repository [docker.io/your_dockerhub_username/registry]
c3baf7582a54: Pushed
bc49969a328b: Pushed
0694fbf8288a: Pushed
3e207b409db3: Mounted from library/alpine
dev: digest: sha256:02399157107a1d72312fb4f383f4c8c53a08f3e206d787a9c9380f446b008184 size: 1156

Now that you’ve built and pushed the registry, navigate back to your workspace:

现在，您已经构建并推送了注册表，请导航回您的工作区：

Create your chart_values.yaml file using your favorite text editor:

使用您喜欢的文本编辑器创建chart_values.yaml文件：

Add the following lines, ensuring you replace the highlighted lines with your details:

添加以下行，确保用您的详细信息替换突出显示的行：

ingress:
  enabled: true
  hosts:
    - registry.your_domain
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/proxy-body-size: "30720m"
  tls:
    - secretName: docker-registry-prod
      hosts:
        - registry.your_domain

storage: s3

secrets:
  htpasswd: ""
  s3:
    accessKey: "your_space_access_key"
    secretKey: "your_space_secret_key"

s3:
  region: your_space_region
  regionEndpoint: your_space_region.digitaloceanspaces.com
  secure: true
  bucket: your_space_name

image:
  repository: your_dockerhub_username/registry
  tag: dev

The first block, ingress, configures the Kubernetes Ingress that will be created as a part of the Helm chart deployment. The Ingress object makes outside HTTP/HTTPS routes point to internal services in the cluster, thus allowing communication from the outside. The overridden values are:

第一个块ingress配置Kubernetes Ingress，它将在Helm图表部署中创建。 Ingress对象使外部HTTP / HTTPS路由指向群集中的内部服务，从而允许来自外部的通信。 覆盖的值是：

• enabled: set to true to enable the Ingress.

  enabled ：设置为true以启用Ingress。

• hosts: a list of hosts from which the Ingress will accept traffic.

  hosts ：Ingress将从中接受流量的主机列表。

• annotations: a list of metadata that provides further direction to other parts of Kubernetes on how to treat the Ingress. You set the Ingress Controller to nginx, the Let’s Encrypt cluster issuer to the production variant (letsencrypt-prod), and tell the nginx controller to accept files with a max size of 30 GB, which is a sensible limit for even the largest Docker images.

  annotations ：元数据列表，可为Kubernetes的其他部分提供有关如何处理Ingress的进一步指导。 您将Ingress Controller设置为nginx ，将我们的加密集群发布者设置为生产版本( letsencrypt-prod )，并告诉nginx控制器接受最大30 GB的文件，这对于最大的Docker镜像也是一个合理的限制。 。

• tls: this subcategory configures Let’s Encrypt HTTPS. You populate the hosts list that defines from which secure hosts this Ingress will accept HTTPS traffic with our example domain name. The secretName (here set to docker-registry-prod) specifies the name of the secret in which the certificate(s) will be stored, and generally must be different for every Ingress you create or deploy.

  tls ：此子类别配置“让我们加密HTTPS”。 您将填充hosts列表，该列表定义了该入口将使用我们的示例域名从哪些安全主机接受HTTPS通信。 secretName (此处设置为secretName docker-registry-prod )指定用于存储证书的密钥的名称，通常对于您创建或部署的每个Ingress都必须是不同的。

Then, you set the file system storage to s3 — the other available option would be filesystem. Here s3 indicates using a remote storage system compatible with the industry-standard Amazon S3 API, which DigitalOcean Spaces fulfills.

然后，将文件系统存储设置为s3 －另一个可用选项是filesystem 。 此处s3指示使用与DigitalOcean Spaces满足的行业标准Amazon S3 API兼容的远程存储系统。

In the next block, secrets, you configure keys for accessing your DO Space under the s3 subcategory. Finally, in the s3 block, you configure the parameters specifying your Space.

在下一个模块secrets ，您将配置密钥以访问s3子类别下的DO Space。 最后，在s3块中，配置用于指定Space的参数。

At the end of the file, you specify the registry image you just pushed as the one that will be deployed, instead of the official Docker registry.

在文件末尾，您将刚刚推送的注册表映像指定为将要部署的注册表映像，而不是正式的Docker注册表。

Save and close the file.

保存并关闭文件。

Now, if you haven’t already done so, set up your A records to point to the Load Balancer you created as part of the Nginx Ingress Controller installation in the prerequisite tutorial. To see how to set your DNS on DigitalOcean, see How to Manage DNS Records.

现在，如果还没有这样做，请设置您的A记录，以指向在先决条件教程中作为Nginx Ingress Controller安装的一部分创建的负载均衡器。 要查看如何在DigitalOcean上设置DNS，请参阅如何管理DNS记录 。

Before installing anything via Helm, you need to refresh its cache. This will update the latest information about your chart repository. To do this run the following command:

在通过Helm安装任何东西之前，您需要刷新其缓存。 这将更新有关图表存储库的最新信息。 为此，请运行以下命令：

Now, you’ll deploy the Docker registry chart with this custom configuration via Helm by running:

现在，您将通过运行Helm通过此自定义配置来部署Docker注册表图表：

You’ll see the following output:

您将看到以下输出：

   

    Output
   
NAME: docker-registry
LAST DEPLOYED: ...
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
1. Get the application URL by running these commands:
  https://registry.your_domain/

The registry is now accessible from the domain name you specified earlier.

现在可以从您之前指定的域名访问注册表。

You’ve configured and deployed a Docker registry on your Kubernetes cluster. Next, you will test the availability of the newly deployed Docker registry.

您已经在Kubernetes集群上配置并部署了Docker注册表。 接下来，您将测试新部署的Docker注册表的可用性。

第2步-测试推拉 (Step 2 — Testing Pushing and Pulling)

In this step, you’ll test your newly deployed Docker registry by pushing and pulling images to and from it. Currently, the registry is empty. To have something to push, you need to have an image available on the machine you’re working from. Let’s use the mysql Docker image for that purpose.

在此步骤中，您将通过向其推送映像和从中提取映像来测试新部署的Docker注册表。 当前，注册表为空。 要推送某些内容，您需要在工作的计算机上有可用的映像。 为此，我们使用mysql Docker镜像。

Start off by pulling mysql from the Docker Hub:

首先从Docker Hub中提取mysql ：

Your output will look like this:

您的输出将如下所示：

   

    Output
   
Using default tag: latest
latest: Pulling from library/mysql
27833a3ba0a5: Pull complete
...
e906385f419d: Pull complete
Digest: sha256:9643e9fbd6330d10686f8922292dcb20995e7b792c17d4e94ddf95255f1d5449
Status: Downloaded newer image for mysql:latest
docker.io/library/mysql:latest

You now have the image available locally. To inform Docker where to push it, you’ll need to tag it with the host name, like so:

现在，您可以在本地使用该图像。 要通知Docker将其推送到何处，您需要使用主机名对其进行标记，如下所示：

Then, push the image to the new registry:

然后，将映像推送到新注册表：

This command will run successfully and indicate that your new registry is properly configured and accepting traffic — including pushing new images. If you see an error, double check your steps against steps 1 and 2.

此命令将成功运行，并指示正确配置了新注册表并接受通信(包括推送新映像)。 如果看到错误，请对照步骤1和2仔细检查您的步骤。

To test pulling from the registry cleanly, first delete the local mysql images with the following command:

为了测试干净地从注册表中拉取，首先使用以下命令删除本地mysql映像：

Then, pull it from the registry:

然后，将其从注册表中拉出：

This command will take a few seconds to complete. If it runs successfully, that means your registry is working correctly. If it shows an error, double check what you have entered against the previous commands.

此命令将花费几秒钟来完成。 如果运行成功，则表明您的注册表运行正常。 如果显示错误，请根据先前的命令再次检查您输入的内容。

You can list Docker images available locally by running the following command:

您可以通过运行以下命令列出本地可用的Docker映像：

You’ll see output listing the images available on your local machine, along with their ID and date of creation.

您将看到输出列出本地计算机上可用的图像以及它们的ID和创建日期的输出。

Your Docker registry is configured. You’ve pushed an image to it and verified you can pull it down. Now let’s add authentication so only certain people can access the images.

您的Docker注册表已配置。 您已将图像推入并确认可以将其拉下。 现在让我们添加身份验证，以便仅某些人可以访问图像。

步骤3 —添加帐户身份验证和配置Kubernetes访问 (Step 3 — Adding Account Authentication and Configuring Kubernetes Access)

In this step, you’ll set up username and password authentication for the registry using the htpasswd utility.

在此步骤中，您将使用htpasswd实用程序为注册表设置用户名和密码身份验证。

The htpasswd utility comes from the Apache webserver, which you can use for creating files that store usernames and passwords for basic authentication of HTTP users. The format of htpasswd files is username:hashed_password (one per line), which is portable enough to allow other programs to use it as well.

htpasswd实用程序来自Apache网络服务器，您可以使用它来创建用于存储用于HTTP用户基本身份验证的用户名和密码的文件。 htpasswd文件的格式为username:hashed_password (每行一个)，该文件具有足够的可移植性，允许其他程序也可以使用它。

You’ll use a Dockerized variant of htpasswd for simplicity. Run the following command to append a login combination to htpasswd_file, replacing username and password with your desired credentials:

为了简单起见，您将使用htpasswd的Dockerized变体。 运行以下命令，将登录组合附加到htpasswd_file ，用所需的凭据替换username和password ：

Docker requires the password to be hashed using the bcrypt algorithm, which is why we pass the -B parameter. The bcrypt algorithm is a password hashing function based on Blowfish block cipher, with a work factor parameter, which specifies how expensive the hash function will be.

Docker要求使用bcrypt算法对密码进行哈希处理，这就是为什么我们传递-B参数的原因。 bcrypt算法是基于Blowfish块密码的密码哈希函数，带有一个工作因子参数，该参数指定哈希函数的价格。

You can repeat this command for as many users as you wish to add.

您可以为希望添加的用户重复此命令。

When you are done, show the contents of htpasswd_file by running the following command:

完成后，通过运行以下命令显示htpasswd_file的内容：

Select and copy the contents shown.

选择并复制显示的内容。

To add authentication to your Docker registry, you’ll need to edit chart_values.yaml and add the contents of htpasswd_file in the htpasswd variable.

要将身份验证添加到Docker注册表中，您需要编辑chart_values.yaml并将htpasswd_file的内容添加到htpasswd变量中。

Open chart_values.yaml for editing:

打开chart_values.yaml进行编辑：

Find the line that looks like this:

找到看起来像这样的行：

htpasswd: ""

Edit it to match the following, replacing htpasswd\_file\_contents with the contents you copied from the htpasswd_file:

编辑它以匹配以下内容，将htpasswd\_file\_contents替换为从htpasswd_file复制的内容：

htpasswd: |-
    htpasswd_file_contents

Be careful with the indentation, each line of the file contents must have four spaces before it. You can remove blank lines, if there are any.

注意缩进，文件内容的每一行之前必须有四个空格。 您可以删除空白行(如果有)。

Once you’ve added your contents, save and close the file.

添加内容后，保存并关闭文件。

To propagate the changes to your cluster, run the following command:

要将更改传播到集群，请运行以下命令：

The output will be similar to the one shown when you first deployed your Docker registry:

输出将与您首次部署Docker注册表时显示的输出类似：

   

    Output
   
Release "docker-registry" has been upgraded. Happy Helming!
NAME: docker-registry
LAST DEPLOYED: ...
NAMESPACE: default
STATUS: deployed
REVISION: 2
TEST SUITE: None
NOTES:
1. Get the application URL by running these commands:
  https://registry.your_domain/

This command calls Helm and instructs it to upgrade an existing release, in your case docker-registry, with its chart defined in stable/docker-registry in the chart repository, after applying the chart_values.yaml file.

在应用chart_values.yaml文件之后，此命令将调用Helm并指示其升级现有版本(在您的情况下为docker-registry ，其图表在图表存储库的stable/docker-registry中定义。

Now, you’ll try pulling an image from the registry again:

现在，您将尝试再次从注册表中提取图像：

The output will look like the following:

输出将如下所示：

   

    Output
   
Using default tag: latest
Error response from daemon: Get https://registry.your_domain/v2/mysql/manifests/latest: no basic auth credentials

It correctly failed because you provided no credentials. This means that your Docker registry authorizes requests correctly.

正确失败了，因为您没有提供凭据。 这意味着您的Docker注册表正确授权了请求。

To log in to the registry, run the following command:

要登录到注册表，请运行以下命令：

Remember to replace registry.your_domain with your domain address. It will prompt you for a username and password. If it shows an error, double check what your htpasswd_file contains. You must specify a username and password combination from the htpasswd_file, which you created earlier in this step.

请记住用您的域名地址替换registry.your_domain 。 它将提示您输入用户名和密码。 如果显示错误，请仔细检查htpasswd_file包含的内容。 您必须从htpasswd_file指定用户名和密码组合，该文件是您在本步骤前面创建的。

To test the login, you can try to pull again by running the following command:

要测试登录，您可以尝试通过运行以下命令再次拉入：

The output will look similar to the following:

输出将类似于以下内容：

   

    Output
   
Using default tag: latest
latest: Pulling from mysql
Digest: sha256:f2dc118ca6fa4c88cde5889808c486dfe94bccecd01ca626b002a010bb66bcbe
Status: Image is up to date for registry.your_domain/mysql:latest

You’ve now configured Docker and can log in securely. To configure Kubernetes to log in to your registry, run the following command:

现在，您已经配置了Docker并且可以安全地登录。 要配置Kubernetes登录到您的注册表，请运行以下命令：

This command creates a secret in your cluster with the name regcred which will contain login info for your registry and parses it as dockerconfigjson, which defines a registry credential in Kubernetes.

该命令在您的集群中创建一个名称为regcred的秘密，该秘密将包含您的注册表的登录信息，并将其解析为dockerconfigjson ，后者在Kubernetes中定义了注册表凭据。

Remember to replace registry.your_domain with your registry domain and to put one of your login credentials you created earlier in place of your_username and your_password.

请记住用您的注册表域替换registry.your_domain ，并将您之前创建的登录凭据之一替换为your_username和your_password 。

You will see the following output:

您将看到以下输出：

   

    Output
   
secret/regcred created

You’ve used htpasswd to create a login config file, configured the registry to authenticate requests, and created a Kubernetes secret containing the login credentials. Next, you will test the integration between your Kubernetes cluster and registry.

您已使用htpasswd创建登录配置文件，将注册表配置为对请求进行身份验证，并创建了包含登录凭据的Kubernetes机密。 接下来，您将测试Kubernetes集群和注册表之间的集成。

步骤4 —通过运行示例部署来测试Kubernetes集成 (Step 4 — Testing Kubernetes Integration by Running a Sample Deployment)

In this step, you’ll run a sample deployment with an image stored in the in-cluster registry to test the connection between your Kubernetes cluster and registry.

在此步骤中，您将使用存储在集群内注册表中的映像运行示例部署，以测试Kubernetes集群与注册表之间的连接。

In the last step, you created a secret, called regcred, containing login credentials for your private registry. It may contain login credentials for multiple registries, in which case you’ll have to update the Secret accordingly.

在最后一步中，您创建了一个名为regcred的秘密，其中包含您的私有注册表的登录凭据。 它可能包含多个注册表的登录凭据，在这种情况下，您必须相应地更新Secret。

You can specify which secret Kubernetes should use when pulling containers in the pod definition by specifying imagePullSecrets. This step is necessary when the Docker registry requires authentication.

您可以通过指定imagePullSecrets来指定在pod定义中提取容器时应该使用哪个秘密imagePullSecrets 。 当Docker注册表需要身份验证时，此步骤是必需的。

You’ll now deploy a sample Hello World image from your private Docker registry to your cluster. First, in order to push it, you’ll pull it to your machine by running the following command:

现在，您将从私有Docker注册表中将示例Hello World映像部署到集群。 首先，为了推送它，您可以通过运行以下命令将其拉到您的计算机上：

Then, tag it by running:

然后，通过运行以下命令对其进行标记：

Finally, push it to your registry:

最后，将其推送到您的注册表：

Delete it from your machine as you no longer need it locally:

从计算机上将其删除，因为您不再需要在本地使用它：

Now, you’ll deploy the sample Hello World application. First, create a new file, hello-world.yaml, using your text editor:

现在，您将部署示例Hello World应用程序。 首先，使用文本编辑器创建一个新文件hello-world.yaml ：

Next, you’ll define a Service and an Ingress to make the app accessible to outside of the cluster. Add the following lines, replacing the highlighted lines with your domains:

接下来，您将定义一个服务和一个Ingress，以使应用程序可以在集群外部访问。 添加以下行，将突出显示的行替换为您的域：

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: hello-kubernetes-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: k8s-test.your_domain
    http:
      paths:
      - path: /
        backend:
          serviceName: hello-kubernetes
          servicePort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: hello-kubernetes
spec:
  type: NodePort
  ports:
  - port: 80
    targetPort: 8080
  selector:
    app: hello-kubernetes
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-kubernetes
spec:
  replicas: 3
  selector:
    matchLabels:
      app: hello-kubernetes
  template:
    metadata:
      labels:
        app: hello-kubernetes
    spec:
      containers:
      - name: hello-kubernetes
        image: registry.your_domain/paulbouwer/hello-kubernetes:1.8
        ports:
        - containerPort: 8080
      imagePullSecrets:
      - name: regcred

First, you define the Ingress for the Hello World deployment, which you will route through the Load Balancer that the Nginx Ingress Controller owns. Then, you define a service that can access the pods created in the deployment. In the actual deployment spec, you specify the image as the one located in your registry and set imagePullSecrets to regcred, which you created in the previous step.

首先，为Hello World部署定义Ingress，您将通过Nginx Ingress Controller拥有的负载均衡器进行路由。 然后，定义一个服务，该服务可以访问在部署中创建的Pod。 在实际的部署规范中，您将image指定为位于注册表中的image ，并将imagePullSecrets设置为regcred ，这是您在上一步中创建的。

Save and close the file. To deploy this to your cluster, run the following command:

保存并关闭文件。 要将其部署到您的集群，请运行以下命令：

You’ll see the following output:

您将看到以下输出：

   

    Output
   
ingress.extensions/hello-kubernetes-ingress created
service/hello-kubernetes created
deployment.apps/hello-kubernetes created

You can now navigate to your test domain — the second A record, k8s-test.your_domain in this tutorial. You will see the Kubernetes Hello world! page.

现在，您可以导航到您的测试域—本教程中的第二条A记录k8s-test.your_domain 。 您将看到Kubernetes Hello world！ 页。

The Hello World page lists some environment information, like the Linux kernel version and the internal ID of the pod the request was served from. You can also access your Space via the web interface to see the images you’ve worked with in this tutorial.

“ Hello World”页面列出了一些环境信息，例如Linux内核版本以及从中提供请求的Pod的内部ID。 您也可以通过Web界面访问Space，以查看您在本教程中使用过的图像。

If you want to delete this Hello World deployment after testing, run the following command:

如果要在测试后删除此Hello World部署，请运行以下命令：

In this step, you’ve created a sample Hello World deployment to test if Kubernetes is properly pulling images from your private registry.

在此步骤中，您创建了一个示例Hello World部署，以测试Kubernetes是否正确地从私有注册表中提取了映像。

结论 (Conclusion)

You have now successfully deployed your own private Docker registry on your DigitalOcean Kubernetes cluster, using DigitalOcean Spaces as the storage layer underneath. There is no limit to how many images you can store, Spaces can extend infinitely, while at the same time providing the same security and robustness. In production, though, you should always strive to optimize your Docker images as much as possible, take a look at the How To Optimize Docker Images for Production tutorial.

现在，您已经使用DigitalOcean Spaces作为其下的存储层，在DigitalOcean Kubernetes集群上成功部署了自己的私有Docker注册表。 您可以存储多少图像没有限制，空间可以无限扩展，同时提供相同的安全性和鲁棒性。 但是，在生产中，您应该始终努力尽可能地优化Docker映像，请参阅“ 如何优化Docker映像以生产”教程。

翻译自: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-private-docker-registry-on-top-of-digitalocean-spaces-and-use-it-with-digitalocean-kubernetes