diff --git a/_data/toc.yaml b/_data/toc.yaml index c950234998..feeca86a57 100644 --- a/_data/toc.yaml +++ b/_data/toc.yaml @@ -1591,6 +1591,8 @@ manuals: title: Join Windows worker nodes to your cluster - path: /datacenter/ucp/3.0/guides/admin/configure/join-nodes/use-a-load-balancer/ title: Use a load balancer + - path: /datacenter/ucp/3.0/guides/admin/configure/integrate-with-multiple-registries/ + title: Integrate with multiple registries - sectiontitle: Monitor and troubleshoot section: - path: /datacenter/ucp/3.0/guides/admin/monitor-and-troubleshoot/ diff --git a/datacenter/ucp/3.0/guides/admin/configure/integrate-with-multiple-registries.md b/datacenter/ucp/3.0/guides/admin/configure/integrate-with-multiple-registries.md new file mode 100644 index 0000000000..6cbcce67c3 --- /dev/null +++ b/datacenter/ucp/3.0/guides/admin/configure/integrate-with-multiple-registries.md 
@@ -0,0 +1,68 @@ +--- +title: Integrate with multiple registries +description: Integrate UCP with multiple registries +keywords: trust, registry, integrate, UCP, DTR +--- + +Universal Control Plane can pull and run images from any image registry, +including Docker Trusted Registry and Docker Store. + +If your registry uses globally-trusted TLS certificates, everything works +out of the box, and you don't need to configure anything. But if your registries +use self-signed certificates or certificates issues by your own Certificate +Authority, you need to configure UCP to trust those registries. + +## Trust Docker Trusted Registry + +To configure UCP to trust a DTR deployment, you need to update the +[UCP system configuration](ucp-configuration-file.md) to include one entry for +each DTR deployment: + +``` +[[registries]] + host_address = "dtr.example.org" + ca_bundle = """ +-----BEGIN CERTIFICATE----- +... +-----END CERTIFICATE-----""" + +[[registries]] + host_address = "internal-dtr.example.org:444" + ca_bundle = """ +-----BEGIN CERTIFICATE----- +... +-----END CERTIFICATE-----""" +``` + +You only need to include the port section if your DTR deployment is running +on a port other than 443. + +You can customize and use the script below to generate a file named +`trust-dtr.toml` with the configuration needed for your DTR deployment. 
+ +``` +# Replace this url by your DTR deployment url and port +DTR_URL=https://dtr.example.org +DTR_PORT=443 + +dtr_full_url=${DTR_URL}:${DTR_PORT} +dtr_ca_url=${dtr_full_url}/ca + +# Strip protocol and default https port +dtr_host_address=${dtr_full_url#"https://"} +dtr_host_address=${dtr_host_address%":443"} + +# Create the registry configuration and save it it +cat < trust-dtr.toml + +[[registries]] + # host address should not contain protocol or port if using 443 + host_address = $dtr_host_address + ca_bundle = """ +$(curl -sk $dtr_ca_url)""" +EOL +``` + +You can then append the content of `trust-dtr.toml` to your current UCP +configuration to make UCP trust this DTR deployment. +[Learn how to customize your UCP configuration file](external-auth/enable-ldap-config-file.md).
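Review bot: the `cat < trust-dtr.toml` line in the script block of the new page is not a valid heredoc: with a single `<` it reads from a not-yet-existing `trust-dtr.toml`, and the lines that follow up to `EOL` would be executed as shell commands rather than written to the file; it needs the heredoc form `cat <<EOL > trust-dtr.toml` so the trailing `EOL` terminator actually closes something. Two further points in the same block: `host_address = $dtr_host_address` emits an unquoted value, which is not valid TOML (the earlier example correctly uses `host_address = "dtr.example.org"`), so quote it; and `curl -sk $dtr_ca_url` disables TLS verification while fetching the very CA bundle UCP is being told to trust, so the surrounding text should ask the reader to verify the fetched certificate out of band (for instance against the fingerprint supplied by the DTR administrator) before appending it to the UCP configuration. Minor: "certificates issues by your own Certificate Authority" should read "issued", "save it it" has a doubled word, and the closing link "Learn how to customize your UCP configuration file" points at `external-auth/enable-ldap-config-file.md` while the earlier reference uses `ucp-configuration-file.md`; both should point to the same page.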