Kaptain DocumentationThis guide focuses on configuring access to a private Docker registry with self-signed certificates.
If focuses on:
- Secure automatic mounting of a registry certificate to notebook containers, and
- Using the SDK API to configure the properties necessary to access a private registry.
Using custom certificates with a private Docker registry requires the configuration of Docker access credentials using Kubernetes Secrets and PodDefaults as described in the Accessing Docker and Cloud Storage guide.
Pre-requisites
- A private Docker registry reachable from the cluster over the network.
- Configuration of the Nodes of the cluster where Kaptain is running to accept the self-signed certificates used by the registry. More information is available in the Konvoy and Kommander air-gapped installation guides.
Creating Docker credentials and registry certificate secrets
Access to a private Docker registry with self-signed certificate requires:
- A Docker configuration file (known as Docker
config.json) which contains the registry URL and authentication information (login and password encoded in base64 format), and - A CA certificate file for the private Docker registry to validate its authenticity.
Example Docker config.json:
Example CA certificate file:
To create a Secret from the credentials file config.json run the
following command:
Be sure to replace <kaptain_namespace> with the namespace you use for creating notebooks.
In this example, we used a namespace named ‘user’.
Verify the Secret is created:
To create a Secret from the certificate file certificate.crt run the
following command:
Verify the Secret is created:
NOTE:
It is recommended to name the files with the Secret config.json for
Docker credentials and certificate.crt for the registry CA certificate,
as this will allow the SDK to automatically use them from the default locations.
It is also possible to use custom names for the files in a secret but it will
require custom configuration of the SDK Config object.
Create PodDefaults for mounting secrets to Jupyter Notebooks
To make the Docker credentials Secret available for selection in the Notebook
creation dialogue, create a PodDefault referencing them. Create
a file named pod-defaults.yaml with the following contents:
WARNING:
Volume name and mountPath must be unique across all PodDefault objects to avoid conflicts when
mounting Secrets to Pods.
Create a PodDefault resource from file using the following command:
After that, the Docker credentials and registry certificate secrets
will be available for selection in the Notebook Spawner UI and, if
selected, will be mounted as /home/kubeflow/.docker/config.json and
/home/kubeflow/.tls/certificate.crt correspondingly:
Configure the SDK to use the private Docker registry with self-signed certificates
In order for the Kaptain SDK to authenticate with a private Docker
registry with self-signed certificates, a custom Config object is required:
The code above creates a default Config object which automatically
uses a Docker credentials file (config.json) mounted to
/home/kubeflow/.docker/config.json. This configuration works for both self-hosted Docker registries
as well as public registries.
In order to add a certificate verification option to the model training
and tuning steps, it is required to provide two additional properties:
docker_registry_url and docker_registry_certificate_provider.
DockerRegistryCertificateProvider.default() is a utility method which
reads the registry certificate from the default location
/home/kubeflow/.tls/certificate.crt. If the certificate is
mounted in the non-default location, use the
DockerRegistryCertificateProvider.from_file(<path/to/certificate.crt>)
method to specify the location.
Once the Config properties are set, it is sufficient to provide it to
the Model constructor to override the defaults and to enable private
registry support. Note in the example below that the image_name uses a private registry for
pushing and pulling images with the model trainer code and dependencies: