Components

Mirantis Secure Registry (MSR) is a containerized application that runs on a Kubernetes cluster. After deploying MSR, you can use your Docker CLI client to log in, push images, and pull images. For high availability, you can horizontally scale your MSR workloads across multiple Kubernetes worker nodes.

Workloads

The table below describes each of the workloads that MSR creates during installation.

Caution

Do not use these components in your applications, as they are for internal MSR use only.

MSR installation workloads

| Name | Name on Kubernetes | Name on Swarm | Description |
|------|--------------------|---------------|-------------|
| API | `deployment/<release-name>-msr-api` | `msr_msr-api-server` | Executes the MSR business logic, serving the MSR web application and API. |
| Garant | `deployment/<release-name>-msr-garant` | `msr_msr-garant` | Manages MSR authentication. |
| Jobrunner | `deployment/<release-name>-msr-jobrunner-<deployment>` | `msr_msr-jobrunner` | Runs asynchronous background jobs, including garbage collection and image vulnerability scans. |
| NGINX | `deployment/<release-name>-msr-nginx` | `msr_msr-nginx` | Receives HTTP and HTTPS requests and proxies those requests to other MSR components. |
| Notary server | `deployment/<release-name>-msr-notary-server` | `msr_msr-notary-server` | Provides signing and verification for images that are pushed to or pulled from the secure registry. |
| Notary signer | `deployment/<release-name>-msr-notary-signer` | `msr_msr-notary-signer` | Performs server-side timestamp and snapshot signing for Content Trust metadata. |
| Registry | `deployment/<release-name>-msr-registry` | `msr_msr-registry` | Implements pull and push functionality for Docker images and manages how images are stored. |
| RethinkDB | `statefulset/<release-name>-msr-rethinkdb-cluster`, `deployment/<release-name>-msr-rethinkdb-proxy` | `msr_msr-rethinkdb` | Stores persistent repository metadata. |
| Scanningstore | `statefulset/<release-name>-msr-scanningstore` | `msr_msr-scanningstore` | Stores security scanning data. |
| eNZi | `deployment/<release-name>-enzi-api`, `statefulset/<release-name>-enzi-worker` | `msr_msr-enzi-api`, `msr_msr-enzi-worker` | Authenticates and authorizes MSR users. |

Third-party components

| Name | Name on Kubernetes | Description |
|------|--------------------|-------------|
| PostgreSQL | `deployment/postgres-operator` | Manages the security scanning database. |
| cert-manager | `deployment/cert-manager`, `deployment/cert-manager-cainjector`, `deployment/cert-manager-webhook` | Manages certificates for all MSR components. |

Note

Third-party components are present only in Kubernetes deployments. Swarm-based installations include only the components listed in the MSR installation workloads table.

The communication flow between MSR workloads is illustrated below:

[Figure: msr-architecture]

Note

The third-party cert-manager component interacts with all of the components displayed in the above diagram.

JobRunner

The table below describes each of the job types that MSR runs.

MSR job types

| Job type | Description |
|----------|-------------|
| `analytics_report` | Uploads an analytics report to Mirantis. |
| `helm_chart_lint` | Lints a Helm chart. |
| `helm_chart_lint_all` | Lints all charts in all repositories. |
| `onlinegc` | Performs garbage collection for all types of MSR data and metadata. |
| `onlinegc_blobs` | Performs garbage collection of orphaned image layer data. |
| `onlinegc_events` | Performs auto-deletion of repository events. |
| `onlinegc_joblogs` | Performs auto-deletion of job logs. |
| `onlinegc_metadata` | Performs garbage collection of image metadata. |
| `onlinegc_scans` | Performs garbage collection of security scan results for deleted layers. |
| `poll_mirror` | Pulls tags from remote repositories as determined by mirroring policies. |
| `push_mirror_tag` | Pushes image tags to remote repositories as determined by mirroring policies. |
| `scan_check` | Scans an image by digest. |
| `scan_check_all` | Rescans all previously scanned images. |
| `scan_check_single` | Scans a single layer of the image. |
| `tag_prune` | Deletes tags from remote repositories, as determined by the pruning policies of the repositories. |
| `update_vuln_db` | Updates the vulnerability database (CVE list). |
| `webhook` | Sends a webhook. |