This guide describes how to configure access to a private Docker registry that uses self-signed certificates.
It covers:
- Secure automatic mounting of a registry certificate into notebook containers, and
- Using the SDK API to configure the properties necessary to access a private registry.
Using custom certificates with a private Docker registry requires the configuration of Docker access credentials using Kubernetes Secrets and PodDefaults as described in the Accessing Docker and Cloud Storage guide.
Prerequisites
- A private Docker registry reachable from the cluster over the network.
- Configuration of the cluster Nodes where Kaptain is running to accept the self-signed certificates used by the registry. More information is available in the Konvoy and Kommander air-gapped installation guides.
Creating Docker credentials and registry certificate secrets
Access to a private Docker registry with a self-signed certificate requires:
- A Docker configuration file (known as Docker config.json) which contains the registry URL and authentication information (login and password encoded in base64 format), and
- A CA certificate file for the private Docker registry to validate its authenticity.
Example Docker config.json:
Example CA certificate file:
To create a Secret from the credentials file config.json, run the following command:
Be sure to replace <kaptain_namespace> with the namespace you use for creating notebooks. In this example, we used a namespace named ‘user’.
Verify the Secret is created:
To create a Secret from the certificate file certificate.crt, run the following command:
Verify the Secret is created:
Create PodDefaults for mounting secrets to Jupyter Notebooks
To make the Docker credentials and registry certificate Secrets available for selection in the Notebook creation dialogue, create PodDefaults referencing them. Create a file named pod-defaults.yaml with the following contents:
Create the PodDefault resources from the file using the following command:
After that, the Docker credentials and registry certificate secrets will be available for selection in the Notebook Spawner UI and, if selected, will be mounted as /home/kubeflow/.docker/config.json and /home/kubeflow/.tls/certificate.crt correspondingly:
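The objects created in the steps above (one Secret per file, and a PodDefault per Secret that mounts it at the documented path), built as Kubernetes manifests in Python so that each piece can be checked before it is applied. This is an added example, not the guide's own commands or YAML: the registry address, credentials, namespace, Secret names and PodDefault names are constructed placeholders, while the two mount paths are the ones the guide uses.

```python
import base64
import json

# Constructed placeholders: replace with your registry address, credentials and namespace.
REGISTRY = "registry.example.internal:5000"
NAMESPACE = "user"
DOCKER_SECRET = "docker-config"
CERT_SECRET = "registry-certificate"

# Mount paths used by the guide; the PodDefaults below place one file at each.
DOCKER_CONFIG_MOUNT = "/home/kubeflow/.docker/config.json"
CERT_MOUNT = "/home/kubeflow/.tls/certificate.crt"


def build_docker_config(registry: str, login: str, password: str) -> str:
    """Return the body of a Docker config.json for one registry.

    Docker keeps credentials as base64("login:password") under "auth". Base64 is
    an encoding, not encryption, so the file belongs in a Secret mounted
    read-only into the notebook, never in an image layer or a Git repository.
    """
    token = base64.b64encode(f"{login}:{password}".encode()).decode()
    return json.dumps({"auths": {registry: {"auth": token}}}, indent=2)


def decode_auth(config_json: str, registry: str) -> tuple:
    """Recover (login, password) from a config.json entry (round-trip check)."""
    token = json.loads(config_json)["auths"][registry]["auth"]
    login, password = base64.b64decode(token).decode().split(":", 1)
    return login, password


def build_secret(name: str, namespace: str, filename: str, content: str) -> dict:
    """Same object `kubectl create secret generic <name> --from-file=<filename>`
    produces: an Opaque Secret whose single data key is the file name."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {filename: base64.b64encode(content.encode()).decode()},
    }


def secret_file_content(secret: dict, filename: str) -> str:
    """Decode one file back out of a Secret manifest."""
    return base64.b64decode(secret["data"][filename]).decode()


def build_pod_default(name: str, namespace: str, desc: str, secret_name: str, mount_path: str) -> dict:
    """PodDefault (kubeflow.org/v1alpha1) mounting one Secret as a single file.

    The Notebook Spawner UI lists the PodDefaults in the namespace; selecting one
    adds the label in spec.selector to the notebook pod, and the Kubeflow
    admission webhook injects the volume and mount. subPath limits the mount to
    one file so the rest of ~/.docker or ~/.tls inside the container is untouched.
    """
    filename = mount_path.rsplit("/", 1)[1]
    return {
        "apiVersion": "kubeflow.org/v1alpha1",
        "kind": "PodDefault",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "selector": {"matchLabels": {name: "true"}},
            "desc": desc,
            "volumeMounts": [{"name": name, "mountPath": mount_path,
                              "subPath": filename, "readOnly": True}],
            "volumes": [{"name": name, "secret": {"secretName": secret_name}}],
        },
    }


if __name__ == "__main__":
    docker_cfg = build_docker_config(REGISTRY, "notebook-user", "s3cret")
    # Placeholder PEM text; the real file is the registry's CA certificate.
    ca_pem = "-----BEGIN CERTIFICATE-----\n<base64 DER of the registry CA>\n-----END CERTIFICATE-----\n"
    items = [
        build_secret(DOCKER_SECRET, NAMESPACE, "config.json", docker_cfg),
        build_secret(CERT_SECRET, NAMESPACE, "certificate.crt", ca_pem),
        build_pod_default("docker-credentials", NAMESPACE, "Private registry credentials",
                          DOCKER_SECRET, DOCKER_CONFIG_MOUNT),
        build_pod_default("registry-certificate", NAMESPACE, "Private registry CA certificate",
                          CERT_SECRET, CERT_MOUNT),
    ]
    # kubectl accepts JSON manifests: python3 manifests.py > manifests.json && kubectl apply -f manifests.json
    print(json.dumps({"apiVersion": "v1", "kind": "List", "items": items}, indent=2))
```

The output is a v1 List that kubectl applies in one go. Keeping the credentials and the certificate in separate Secrets, each with its own PodDefault, is what makes them independently selectable in the Spawner UI; readOnly mounts stop notebook code from rewriting either file.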
Configure the SDK to use the private Docker registry with self-signed certificates
In order for the Kaptain SDK to authenticate with a private Docker registry with self-signed certificates, a custom Config object is required:
The code above creates a default Config object which automatically uses a Docker credentials file (config.json) mounted to /home/kubeflow/.docker/config.json. This configuration works for both self-hosted Docker registries and public registries.
To add certificate verification to the model training and tuning steps, two additional properties must be provided: docker_registry_url and docker_registry_certificate_provider.
DockerRegistryCertificateProvider.default() is a utility method which reads the registry certificate from the default location /home/kubeflow/.tls/certificate.crt. If the certificate is mounted in a non-default location, use the DockerRegistryCertificateProvider.from_file(<path/to/certificate.crt>) method to specify its location.
Once the Config properties are set, it is sufficient to pass it to the Model constructor to override the defaults and enable private registry support. Note in the example below that the image_name uses a private registry for pushing and pulling images with the model trainer code and dependencies:
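Before constructing the Config, it is worth checking inside the notebook that the two mounted files actually match the properties you are about to pass: that config.json holds an entry for the registry named in docker_registry_url, and that the file at the default path (or the path you would give from_file()) is a parseable PEM CA certificate. The preflight below is an added example and not part of the Kaptain SDK; the sample config.json, registry address and placeholder certificate are constructed, and the two default paths are the ones the guide names.

```python
import base64
import json
import ssl
from urllib.parse import urlparse

# Default mount locations from the guide; DockerRegistryCertificateProvider.default()
# reads DEFAULT_CERT_PATH, from_file() lets you point elsewhere.
DEFAULT_DOCKER_CONFIG = "/home/kubeflow/.docker/config.json"
DEFAULT_CERT_PATH = "/home/kubeflow/.tls/certificate.crt"

# Constructed sample inputs (not real credentials or a real certificate).
SAMPLE_REGISTRY = "https://registry.example.internal:5000"
SAMPLE_DOCKER_CONFIG = json.dumps({"auths": {"registry.example.internal:5000": {
    "auth": base64.b64encode(b"notebook:s3cret").decode()}}})
# "MAMCAQE=" is a 5-byte ASN.1 SEQUENCE, enough to exercise the structural checks
# but deliberately not a certificate, so OpenSSL rejects it.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"


def registry_host(url: str) -> str:
    """Normalise a registry reference to host[:port] so that
    'https://registry.example.internal:5000' and 'registry.example.internal:5000'
    compare equal (Docker keys config.json entries either way)."""
    parsed = urlparse(url if "://" in url else "//" + url)
    return (parsed.netloc or parsed.path).rstrip("/")


def registry_credentials(config_json: str, registry_url: str):
    """Return the login stored for registry_url in a Docker config.json, or None.
    Only the login is returned so no secret is echoed into notebook output."""
    auths = json.loads(config_json).get("auths", {})
    wanted = registry_host(registry_url)
    for key, entry in auths.items():
        if registry_host(key) == wanted and "auth" in entry:
            return base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
    return None


def check_certificate(pem: str) -> dict:
    """Structural and parse checks on a PEM CA certificate before handing it to the SDK."""
    result = {"pem_markers": False, "der_sequence": False, "loads_as_ca": False}
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    if begin in pem and end in pem:
        result["pem_markers"] = True
        body = pem.split(begin, 1)[1].split(end, 1)[0]
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
            result["der_sequence"] = der[:1] == b"\x30"  # an X.509 Certificate is an ASN.1 SEQUENCE
        except (ValueError, IndexError):
            pass
    try:
        ssl.create_default_context(cadata=pem)  # real parse by OpenSSL, as a trust anchor
        result["loads_as_ca"] = True
    except (ssl.SSLError, ValueError):
        pass
    return result


def preflight(config_json: str, cert_pem: str, registry_url: str) -> dict:
    """Combine both checks into the verdict you want before calling Model(...)."""
    login = registry_credentials(config_json, registry_url)
    cert = check_certificate(cert_pem)
    return {"registry": registry_host(registry_url), "login": login,
            "credentials_found": login is not None, "certificate": cert,
            "ready": login is not None and cert["loads_as_ca"]}


if __name__ == "__main__":
    # In a notebook, read the real files instead:
    #   open(DEFAULT_DOCKER_CONFIG).read(), open(DEFAULT_CERT_PATH).read()
    print(json.dumps(preflight(SAMPLE_DOCKER_CONFIG, SAMPLE_CERT, SAMPLE_REGISTRY), indent=2))
```

ready is True only when the login for the registry is present and OpenSSL accepts the certificate as a trust anchor; with the constructed sample it reports credentials_found as True and certificate.loads_as_ca as False, which is exactly the state in which the SDK's docker_registry_certificate_provider would be handed an unusable file.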