Components

Mirantis Secure Registry (MSR) is a containerized application that runs on a Kubernetes cluster. After deploying MSR, you can use your Docker CLI client to log in, push images, and pull images. For high availability, you can horizontally scale your MSR workloads across multiple Kubernetes worker nodes.

Workloads

Descriptions for each of the workloads that MSR creates during installation are available in the table below.

Caution

Do not use these components in your applications, as they are for internal MSR use only.

MSR installation workloads

| Name | Full name | Description |
|------|-----------|-------------|
| API | `deployment/<release-name>-msr-api` | Executes the MSR business logic, serving the MSR web application and API. |
| Garant | `deployment/<release-name>-msr-garant` | Manages MSR authentication. |
| Jobrunner | `deployment/<release-name>-msr-jobrunner-<deployment>` | Runs asynchronous background jobs, including garbage collection and image vulnerability scans. |
| NGINX | `deployment/<release-name>-msr-nginx` | Receives HTTP and HTTPS requests and proxies those requests to other MSR components. |
| Notary server | `deployment/<release-name>-msr-notary-server` | Provides signing and verification for images that are pushed to or pulled from the secure registry. |
| Notary signer | `deployment/<release-name>-msr-notary-signer` | Performs server-side timestamp and snapshot signing for Content Trust metadata. |
| Registry | `deployment/<release-name>-msr-registry` | Implements pull and push functionality for Docker images and manages how images are stored. |
| RethinkDB | `statefulset/<release-name>-msr-rethinkdb-cluster`, `deployment/<release-name>-msr-rethinkdb-proxy` | Stores persistent repository metadata. |
| Scanningstore | `statefulset/<release-name>-msr-scanningstore` | Stores security scanning data. |
| eNZi | `deployment/<release-name>-enzi-api`, `statefulset/<release-name>-enzi-worker` | Authenticates and authorizes MSR users. |

Third-party components

| Name | Full name | Description |
|------|-----------|-------------|
| PostgreSQL | `deployment/postgres-operator` | Manages the security scanning database. |
| cert-manager | `deployment/cert-manager`, `deployment/cert-manager-cainjector`, `deployment/cert-manager-webhook` | Manages certificates for all MSR components. |

The communication flow between MSR workloads is illustrated below:

[Figure: MSR architecture diagram]

Note

The third-party cert-manager component interacts with all of the components displayed in the above diagram.

JobRunner

Descriptions for each of the job types that are run by MSR are available in the table below.

MSR job types

| Job type | Description |
|----------|-------------|
| `analytics_report` | Uploads an analytics report to Mirantis. |
| `helm_chart_lint` | Lints a Helm chart. |
| `helm_chart_lint_all` | Lints all charts in all repositories. |
| `onlinegc` | Performs garbage collection for all types of MSR data and metadata. |
| `onlinegc_blobs` | Performs garbage collection of orphaned image layer data. |
| `onlinegc_events` | Performs auto-deletion of repository events. |
| `onlinegc_joblogs` | Performs auto-deletion of job logs. |
| `onlinegc_metadata` | Performs garbage collection of image metadata. |
| `onlinegc_scans` | Performs garbage collection of security scan results for deleted layers. |
| `poll_mirror` | Pulls tags from remote repositories as determined by mirroring policies. |
| `push_mirror_tag` | Pushes image tags to remote repositories as determined by mirroring policies. |
| `scan_check` | Scans an image by digest. |
| `scan_check_all` | Rescans all previously scanned images. |
| `scan_check_single` | Scans a single layer of the image. |
| `tag_prune` | Deletes tags from remote repositories, as determined by the pruning policies of the repositories. |
| `update_vuln_db` | Updates the vulnerability database (CVE list). |
| `webhook` | Sends a webhook. |