How to Install Mirantis Secure Registry on Rancher
Howdy, Rancher users! If you’re looking for a private container registry on your Rancher Kubernetes Engine cluster, we’ve got good news: Mirantis Secure Registry now integrates with any Kubernetes distribution, making it a simple, secure, and easy-to-install foundation for your secure software supply chain.
In this article, we’ll walk you through the simple setup process using Helm and the open source Lens Kubernetes platform. But first, let’s briefly break down why your organization would want to use a private container registry in the first place.
Why do I need a private container registry?
A registry is a repository for container images, the building blocks of cloud native applications. It provides a “single source of truth” for application components that can be used across your organization and across the software supply chain.
Many individual developers and small teams use a public registry such as Docker Hub when they’re first starting with containerization, but anyone can contribute to a public registry, making it a prime target for malicious actors looking to corrupt containers and quietly insinuate themselves into supply chains. For enterprises and other security-conscious organizations, using a public registry is a huge risk — a lot like storing valuable physical assets out on the sidewalk. As Edward Ionel notes, “public repositories do not have security features such as privacy and access control, making it impossible for them to meet enterprise requirements.”
So these organizations need a private registry, which is a repository for container images that they control, and for which they can determine criteria for access. That security is essential, but the right private registry can offer much more.
Why use Mirantis Secure Registry?
Many private registries like Amazon Elastic Container Registry are cloud-based solutions that can’t integrate very tightly with your infrastructure, and are ultimately out of your hands, charging you for all data storage and transfer. But Mirantis Secure Registry 3.0 deploys on your Kubernetes cluster — perfect for Rancher users seeking a secure registry solution that works with a variety of architectures. Public cloud, private cloud, hybrid, on-prem…however you’re running Rancher, your secure registry is there for you, right on your clusters.
And that means that Mirantis Secure Registry can integrate tightly with your tools and processes — from role-based access control to CI/CD tools, the secure registry synergizes with your existing infrastructure while adding new functionality like automatic image signing and promotion.
Security teams will be able to breathe easier, too, because Mirantis Secure Registry provides binary-level image scanning for vulnerabilities from our vulnerability database that is updated daily. Not only do you not have to worry about contaminated public registries, but you can scan the binaries and libraries that may underlie common open source components in your software.
How to install Mirantis Secure Registry on Rancher
In this walkthrough, we’re going to install Mirantis Secure Registry on a cluster managed by Rancher using Helm.
From the Global view in Rancher, select your cluster and select Launch kubectl.
Mirantis Secure Registry has a few prerequisites that you need to install on the cluster. The first is cert-manager, which is required to manage certificates on the cluster. In the shell, run the following command to install cert-manager:
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.3.1/cert-manager.yaml
Once those pods have started, you will need to install the Postgres Operator, which gives Mirantis Secure Registry a place to store its vulnerability database. Use the following commands:
helm repo add postgres-operator https://opensource.zalando.com/postgres-operator/charts/postgres-operator/
helm repo up
helm install postgres-operator postgres-operator/postgres-operator \
--set configKubernetes.spilo_runasuser=101 \
--set configKubernetes.spilo_runasgroup=103 \
--set configKubernetes.spilo_fsgroup=103
Now all you need to do is run a simple Helm install command:
helm install msr msr \
--repo https://registry.mirantis.com/charts/msr/msr \
--version 1.0.0
The pods will take a few minutes to launch and get ready. You can check on their status with:
kubectl get pods
Once all “msr-*” pods have the status “Running,” you’re ready to go. Installation is as simple as that!
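The readiness check above can be scripted so that a pod reporting "Running" while its containers are still not ready (for example READY 0/1) is not mistaken for a finished install. This is an added example, not part of the original article or of Mirantis tooling; the function names and the sample pod names are made up for illustration.

```shell
#!/bin/sh
# Added example: gate on the msr-* pods being Running AND fully ready.
# Reads `kubectl get pods` output on stdin (with or without the header row).
# Exit status: 0 = every msr-* pod is Running with all containers ready
#              1 = at least one msr-* pod is not ready yet
#              2 = no msr-* pods were found at all
msr_pods_ready() {
  awk '
    $1 ~ /^msr-/ {
      seen++
      split($2, r, "/")                  # READY column, e.g. "1/1"
      if ($3 != "Running" || r[1] != r[2]) {
        printf "not ready: %s (%s, %s)\n", $1, $3, $2 > "/dev/stderr"
        bad++
      }
    }
    END {
      if (seen == 0) exit 2
      exit (bad > 0 ? 1 : 0)
    }
  '
}

# Constructed sample output; the pod names are hypothetical.
SAMPLE_OK='NAME                     READY   STATUS    RESTARTS   AGE
msr-example-api-0        1/1     Running   0          5m
msr-example-worker-0     2/2     Running   0          5m
postgres-operator-abc    1/1     Running   0          9m'

SAMPLE_STARTING='NAME                     READY   STATUS              RESTARTS   AGE
msr-example-api-0        0/1     Running             0          40s
msr-example-worker-0     0/2     ContainerCreating   0          40s'

# Helper that feeds a captured listing to the check (hypothetical name).
check_sample() { printf '%s\n' "$1" | msr_pods_ready 2>/dev/null; }

# Offline demonstration on the constructed listing.
check_sample "$SAMPLE_OK" && echo "all msr-* pods are ready"

# Against a live cluster, from the Rancher kubectl shell:
#   kubectl get pods | msr_pods_ready && echo "MSR is ready"
```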