Create Kyma Registry Proxy Connection and a Target Deployment
In this tutorial, you will set up a Connection to the on-premise Docker Registry to securely pull images into your Kyma cluster.
You will learn
- How to set up Cloud Connector.
- How to install the Registry Proxy module and configure the connection.
- How to create a target deployment using an image from the on-premise Docker Registry.
- How to set up a Connection to a Docker Registry with OAuth authorization.
IMPORTANT
For the basic authorization part, this tutorial assumes that you have a running local Docker registry reachable from your machine's local network at myregistry.acme:25002 and that you can push and pull images locally. To set up such a registry, follow Set up Local Docker Registry for Testing. This Docker Registry instance is only suitable for testing. For a production setup, use a Docker Registry instance that is available within the target on-premise network.
Prerequisites
- SAP BTP, Kyma runtime enabled
- Connectivity Proxy and Registry Proxy modules added
- Docker Registry instance available within the on-premise network
- kubectl installed
- Kyma CLI installed
- SapMachine 21 JDK or higher installed
- Cloud Connector installed
Prepare Environment
Set Up Cloud Connector
- Run the go.sh script from the Cloud Connector download:

  ```bash
  NO_CHECK=1 ./go.sh
  ```

  NOTE
  On your first try, you may need to add an exception in your system settings under Privacy & Security.
- Go to the link specified in the output:

  ```
  Cloud Connector <version> started on <link to follow>
  ```

  If the link doesn't work, replace the domain with 127.0.0.1, for example:
  - Cloud Connector outputs Cloud Connector 2.18.0 started on https://custom.domain:8443 (master).
  - Open https://127.0.0.1:8443 in the browser.
- Log in with the default credentials:
  - Username: Administrator
  - Password: manage

  You will be prompted to change the password; note it.
- In your SAP BTP subaccount, go to Connectivity -> Cloud Connectors and choose Download Authentication Data.
- In Cloud Connector, go to Define Subaccount -> Add Subaccount.
- Choose Next and select Configure using authentication data.
- Add the file from the previous step, and choose Next.
Set Up Trust for the On-Premise Docker Registry
- In Cloud Connector, go to Configuration and select the On-Premises tab.
- Select + in the Backend Trust Store section, and add the Docker Registry and OAuth server certificates (where applicable) to the allowlist.
IMPORTANT
If you are using the local Docker Registry, as explained in Set up Local Docker Registry for Testing, add the generated self-signed certificate file (domain.crt) to the allowlist. Add only the certificate the registry actually presents (for the test setup, the registry's own domain.crt); a broader CA certificate in this store would make Cloud Connector trust every backend that CA signs.
Configure the Cloud Connector On-Premise Connection
Configure Registry Proxy
Get the Connection NodePort number:

```bash
export NODE_PORT=$(kubectl get connections.registry-proxy.kyma-project.io -n ${NAMESPACE} registry-proxy-myregistry -o jsonpath={.status.nodePort})
```

The status field is populated only after the Registry Proxy has reconciled the Connection, so check that NODE_PORT is not empty before using it in the steps below; an empty value silently produces an unusable localhost: image server.
Deploy Container from Image Hosted on the On-Premise Docker Registry
Ensure that the image exists in the target Docker Registry.
Export environment variables referencing the image, for example:
```bash
export IMAGE_TAG="0.0.1"
export IMAGE_NAME="on-prem-nginx"
export IMAGE_PATH="${DOCKER_REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}"
```

Authenticate to the target Docker registry and push the test image:

```bash
# Pass the password on stdin rather than with -p, so it does not end up in shell history or the process list
echo "${REG_USER_PASSWD}" | docker login ${DOCKER_REGISTRY} -u ${REG_USER_NAME} --password-stdin
# Build a minimal Dockerfile from stdin and push it straight to the on-premise registry
echo -e "FROM nginx:alpine\nRUN echo \"<h1>Test image created on $(date +%F+%T)</h1>\" > /usr/share/nginx/html/index.html" | docker buildx build --push --platform linux/amd64 -t ${IMAGE_PATH} -
```

Create a Secret for authentication with the on-premise Docker registry. The server is localhost:${NODE_PORT}, not the registry's on-premise address, because the kubelet pulls through the Registry Proxy's NodePort on the local node:

```bash
kubectl -n ${NAMESPACE} create secret docker-registry on-premise-reg \
  --docker-username=${REG_USER_NAME} \
  --docker-password=${REG_USER_PASSWD} \
  --docker-email=${EMAIL} \
  --docker-server=localhost:${NODE_PORT}
```

Deploy a container on the cluster:
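The following script is an added example, not the tutorial's own manifest: it renders the Deployment, Service and APIRule for the test workload and, when run with --apply, pipes them to kubectl. It assumes the NAMESPACE, NODE_PORT, IMAGE_NAME, IMAGE_TAG and CLUSTER_DOMAIN variables exported above and the on-premise-reg pull secret. The image is referenced as localhost:${NODE_PORT}/${IMAGE_NAME}:${IMAGE_TAG}, the same host the pull secret uses, because the kubelet pulls through the Registry Proxy on the local node. Before applying, it refuses an empty or non-numeric NODE_PORT, which is the failure mode of reading status.nodePort before the Connection from Configure Registry Proxy has been reconciled. The APIRule schema (gateway.kyma-project.io/v2, kyma-system/kyma-gateway, noAuth) and the workload name are assumptions; adjust them to your cluster.

```shell
#!/bin/sh
# Added example, not from the Kyma tutorial. Renders and (with --apply) applies the
# workload for the on-premise image. Assumes NAMESPACE, NODE_PORT, IMAGE_NAME,
# IMAGE_TAG and CLUSTER_DOMAIN are exported and the on-premise-reg pull secret exists.
set -eu

WORKLOAD="test-workload-on-prem-reg"

# Reject an empty or non-numeric NodePort. status.nodePort is only set once the
# Registry Proxy has reconciled the Connection; with it empty the image host would be
# "localhost:" and the failure would surface only later as ImagePullBackOff.
check_node_port() {
  case "${1:-}" in
    ''|*[!0-9]*) return 1 ;;
  esac
  if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then
    return 0
  fi
  return 1
}

# Image reference as the kubelet sees it: the Registry Proxy listens on the Connection's
# NodePort on each node and forwards to the on-premise registry, so the host is
# localhost:<nodePort>, matching the --docker-server of the pull secret.
in_cluster_image() {
  printf 'localhost:%s/%s:%s\n' "$1" "$2" "$3"
}

# Deployment, Service and APIRule. The APIRule schema (gateway.kyma-project.io/v2,
# kyma-system/kyma-gateway, noAuth) is an assumption; adjust it to your cluster's version.
render_manifest() {
  image=$(in_cluster_image "$NODE_PORT" "$IMAGE_NAME" "$IMAGE_TAG")
  cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ${WORKLOAD}
  namespace: ${NAMESPACE}
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ${WORKLOAD}
  template:
    metadata:
      labels:
        app: ${WORKLOAD}
    spec:
      imagePullSecrets:
        - name: on-premise-reg
      containers:
        - name: nginx
          image: ${image}
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: ${WORKLOAD}
  namespace: ${NAMESPACE}
spec:
  selector:
    app: ${WORKLOAD}
  ports:
    - port: 80
      targetPort: 80
---
apiVersion: gateway.kyma-project.io/v2
kind: APIRule
metadata:
  name: ${WORKLOAD}
  namespace: ${NAMESPACE}
spec:
  hosts:
    - ${WORKLOAD}.${CLUSTER_DOMAIN}
  service:
    name: ${WORKLOAD}
    port: 80
  gateway: kyma-system/kyma-gateway
  rules:
    - path: /*
      methods: ["GET"]
      noAuth: true
EOF
}

# Only touch the cluster when explicitly asked; without --apply the script just defines the helpers.
if [ "${1:-}" = "--apply" ]; then
  check_node_port "${NODE_PORT:-}" || {
    echo "NODE_PORT is unset or not a port number; has the Connection been reconciled?" >&2
    exit 1
  }
  render_manifest | kubectl apply -f -
fi
```

Run it as `sh deploy.sh --apply` after the pull secret exists; to inspect the rendered YAML first, source the file and call render_manifest.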
Check if the workload was deployed successfully:

```bash
kubectl -n ${NAMESPACE} get pods -l app=test-workload-on-prem-reg
```

Access the deployed Nginx image at the https://test-workload-on-prem-reg.${CLUSTER_DOMAIN} address:

```bash
curl https://test-workload-on-prem-reg.${CLUSTER_DOMAIN}
```