@sebgl
Last active May 27, 2017 14:18
Docker registry with LetsEncrypt TLS certs and user/password auth
# auth/htpasswd
testuser:$2y$05$Bl9siDMe7ieQHLM8e7ifaOklKrHmXymbMqfmqXs7zssj6MMGQW4le

# docker-compose.yml
version: '2'
services:
  registry:
    restart: always
    image: registry:2
    ports:
      - 5000:5000
      - 443:5000
    environment:
      REGISTRY_AUTH: htpasswd
      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
      REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
      REGISTRY_HTTP_TLS_LETSENCRYPT_CACHEFILE: /letsencrypt/cache
      REGISTRY_HTTP_TLS_LETSENCRYPT_EMAIL: your@email.com
    volumes:
      - ./data:/var/lib/registry
      - ./auth:/auth
      - ./letsencrypt:/letsencrypt

Machine specs

Create a VM with port 443 open to the world (needed for Let's Encrypt registration) and a registered DNS name ($YOURHOST).

Run registry container

In a directory with the following files as described in this gist:

  • docker-compose.yml
  • auth/htpasswd (generated with docker run --entrypoint htpasswd registry:2 -Bbn testuser testpassword)

Run: docker-compose up -d
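
A pre-flight check for auth/htpasswd, added here as an example and not part of the original gist: the registry's htpasswd backend accepts only bcrypt entries and ignores other hash types, and htpasswd -B defaults to cost 5, as in the testuser hash above. The names audit_htpasswd and MIN_COST (an assumed local policy threshold) are hypothetical, and every sample entry except testuser's first line is constructed.

```python
import re

# bcrypt entry as written by `htpasswd -B`:
#   $2y$<2-digit cost>$<22-char salt + 31-char digest>
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_COST = 10  # assumption: local policy threshold, not a registry requirement


def audit_htpasswd(text, min_cost=MIN_COST):
    """Return [(line_no, user, finding)] for entries that need attention."""
    findings, seen = [], set()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no credentials
        user, sep, secret = line.partition(":")
        if not sep or not user or not secret:
            findings.append((no, user or None, "malformed line"))
            continue
        if user in seen:
            findings.append((no, user, "duplicate user"))
        seen.add(user)
        m = BCRYPT_RE.match(secret)
        if m is None:
            # e.g. $apr1$ (MD5) or {SHA}: this user cannot log in to the registry
            findings.append((no, user, "not bcrypt: registry ignores this entry"))
        elif int(m.group(1)) < min_cost:
            findings.append((no, user, f"bcrypt cost {int(m.group(1))} below {min_cost}"))
    return findings


# Sample input: line 1 is the gist's own entry; lines 2-4 are constructed
# placeholders, not real password hashes.
SAMPLE = "\n".join([
    "testuser:$2y$05$Bl9siDMe7ieQHLM8e7ifaOklKrHmXymbMqfmqXs7zssj6MMGQW4le",
    "alice:$apr1$constructd$notARealDigest00000000",
    "bob:{SHA}constructedNotARealDigest000=",
    "testuser:$2y$12$" + "A" * 53,
]) + "\n"

if __name__ == "__main__":
    for line_no, user, finding in audit_htpasswd(SAMPLE):
        print(f"line {line_no}: {user}: {finding}")
```

To raise the cost of a generated entry, htpasswd takes -C together with -B (for example -C 12).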

On the client machine

docker pull ubuntu && docker tag ubuntu $YOURHOST/ubuntu
docker login $YOURHOST
    Username: testuser
    Password: testpassword
docker push $YOURHOST/ubuntu
@alexellis

I guess it can't be too hard to do this with self-signed - for testing?

@sebgl
Author

sebgl commented May 27, 2017

I did not try very hard, but using self-signed registries with Docker cli involves manipulation with the OS trusted certs; see Docker documentation.

There might be something we can do with Daplie localhost certificates though: these are valid TLS certs that apply to a valid DNS that redirects to localhost.

I'll try to investigate further.