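## create registry dir
# Everything below uses paths relative to /registry (certs/, auth/), so a failed cd
# must not go unnoticed; the explicit path replaces the fragile "$_" (last arg of
# the previous command) and a failure is reported on stderr.
mkdir -p /registry && cd /registry || printf 'cannot enter /registry\n' >&2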

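## create tls certs: a1
# dockreg below will be used as the registry pod service name with which we access the registry
# Self-signed cert/key pair valid for 365 days. Docker checks the registry hostname
# against the SAN, so the name it dials (dockreg) goes in via -addext (openssl >= 1.1.1);
# -subj gives the CN non-interactively so openssl does not prompt for DN fields.
mkdir -p certs
openssl req \
  -newkey rsa:4096 -nodes -sha256 \
  -keyout certs/tls.key \
  -subj "/CN=dockreg" \
  -addext "subjectAltName = DNS:dockreg" \
  -x509 -days 365 -out certs/tls.crt
# the key is unencrypted (-nodes): keep it readable by root only
chmod 600 certs/tls.key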

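## create docker htpasswd auth: b1
# auth/ must exist before the redirect below, otherwise the shell cannot open auth/htpasswd
# (only certs/ was created in the previous step)
mkdir -p auth
# -B: bcrypt hash; -n: print the entry to stdout instead of updating a file;
# -b: the password is taken from the command line, so it is visible in this shell's
# history and in `ps` while htpasswd runs
docker run --rm --entrypoint htpasswd registry:2.7.0 \
  -Bbn alexander sofianos > auth/htpasswd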

## registry dir
.
├── auth
│   └── htpasswd
└── certs
    ├── tls.crt
    └── tls.key

## use secret to mount tls certs: a2
# certs-secret is used in yaml; a tls-type secret holds the pair as tls.crt / tls.key
kubectl create secret tls certs-secret --cert=/registry/certs/tls.crt --key=/registry/certs/tls.key
## use secret to mount htpasswd auth: b2
# auth-secret is used in yaml; the key inside the secret is the file name (htpasswd)
kubectl create secret generic auth-secret --from-file=/registry/auth/htpasswd

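# resolve the service ip to the registry name
# REGISTRY_IP (the registry service ip) and the NODE_IPS array must already be set in
# this shell; fail early instead of appending an empty entry to every node's /etc/hosts
: "${REGISTRY_IP:?REGISTRY_IP must be set to the registry service ip}"
for x in "${NODE_IPS[@]}"; do
  # $REGISTRY_IP expands locally (outer double quotes); the node only sees the literal
  # line. The grep guard keeps the append idempotent when this loop is re-run.
  # The quoted script is one argument: the original nested "continue" in double quotes
  # inside double quotes, which only worked by accident.
  ssh -tt "root@$x" "
grep -qw dockreg /etc/hosts || echo '$REGISTRY_IP dockreg' >> /etc/hosts
printf 'continue'; read -r
"
done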

## copy tls.crt as shown below so that it is trusted by docker: a3
# under /etc/docker create this tree where the last dir must be in the format REGISTRY_NAME:PORT_NUM

├── certs.d
│   └── dockreg:5000
│       └── ca.crt

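# and where
TLS_CERT='/registry/certs/tls.crt'
CA_CERT='/etc/docker/certs.d/dockreg:5000/ca.crt'

# docker on this host (docker login below) presumably needs the CA as well; the
# original only created the directory here, never the file -- verify this host
# is meant to be a docker client before relying on it
mkdir -p "${CA_CERT%/*}" && cp "$TLS_CERT" "$CA_CERT"

for x in "${NODE_IPS[@]}"; do
  # the target directory must exist on the node, not on this host, or scp fails
  # with "No such file or directory"
  ssh "root@$x" "mkdir -p '${CA_CERT%/*}'"
  scp "$TLS_CERT" "root@$x:$CA_CERT"
done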

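## try to login: a3,b3
# we only need to do this once
# the password is fed on stdin instead of -p, so it does not land in shell history
# or in `ps` output while docker runs
printf '%s' sofianos | docker login dockreg:5000 -u alexander --password-stdin
# if successful, the login credentials are stored in /root/.docker/config.json
# (in a recoverable encoding unless a credential helper is configured, so keep that
# file root-only)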

## create kubernetes secret to use for pods to authenticate: a4,b4
# variant 1: kubectl builds the dockerconfigjson itself from the three flags
# (the password is on the command line here; kubectl has no stdin option for it)
kubectl create secret docker-registry regcred-secret \
  --docker-server=dockreg:5000 \
  --docker-username=alexander \
  --docker-password=sofianos
# or this
# variant 2: reuse the config.json written by docker login above.
# note the two variants create secrets with different names (regcred-secret vs regcred);
# the yaml's imagePullSecrets must reference whichever one was created
kubectl create secret generic regcred \
  --from-file=.dockerconfigjson=/root/.docker/config.json \
  --type=kubernetes.io/dockerconfigjson