Cannot pull Docker image from private repo when using Minikube

8/3/2016

I am attempting to use Minikube for local kubernetes development. I have set up my docker environment to use the docker daemon running in the provided Minikube VM (boot2docker) as suggested:

eval $(minikube docker-env)

It sets up these environment variables:

export DOCKER_TLS_VERIFY="1"
export DOCKER_HOST="tcp://192.168.99.100:2376"
export DOCKER_CERT_PATH="/home/jasonwhite/.minikube/certs"

When I attempt to pull an image from our private docker repository:

docker pull oururl.com:5000/myimage:v1

I get this error:

Error response from daemon: Get https://oururl.com:5000/v1/_ping: x509: certificate signed by unknown authority

It appears I need to add a trusted CA root certificate somehow, but have been unsuccessful so far in my attempts.

I can hit the repository fine with curl using our CA root cert:

curl --cacert /etc/ssl/ca/ca.pem https://oururl.com:5000/v1/_ping
-- Jason White
boot2docker
docker
kubernetes
x509

7 Answers

8/3/2016

The Kubernetes documentation on this is pretty good.

Depending on where your private docker repository is hosted, the solution will look a bit different. The documentation explains how to handle each type of repository.

If you want an automated approach to handle this authentication, you will want to use a Kubernetes secret and specify the imagePullSecrets for your Pod.

-- springle
Source: StackOverflow

7/18/2017

You need to edit /etc/default/docker to look like so:

# Docker Upstart and SysVinit configuration file

#
# THIS FILE DOES NOT APPLY TO SYSTEMD
#
#   Please see the documentation for "systemd drop-ins":
#   https://docs.docker.com/engine/admin/systemd/
#

# Customize location of Docker binary (especially for development testing).
#DOCKERD="/usr/local/bin/dockerd"

# Use DOCKER_OPTS to modify the daemon startup options.
DOCKER_OPTS="--insecure-registry oururl.com:5000"

# If you need Docker to use an HTTP proxy, it can also be specified here.
#export http_proxy="http://127.0.0.1:3128/"

# This is also a handy place to tweak where Docker's temporary files go.
#export DOCKER_TMPDIR="/mnt/bigdrive/docker-tmp"

Make sure to run sudo service docker stop and sudo service docker start to apply the changes. You should then be able to push/pull to your registry.

-- GHETTO.CHiLD

8/3/2016

Sounds like your question has more to do with Docker than Kubernetes. The Docker CLI supports a number of TLS-related options. Since you already have the CA cert, something like this should work:

docker --tlsverify --tlscacert=/etc/ssl/ca/ca.pem pull oururl.com:5000/myimage:v1
-- ivan.sim

9/22/2016

I've been unable to find any way to get the cert into the minikube VM. But minikube has a command-line parameter to pass in an insecure-registry.

minikube start --insecure-registry=<HOST>:5000 

Then to configure authentication on the registry, create a secret.

kubectl create secret docker-registry tp-registry --docker-server=<REGISTRY>:5000 --docker-username=<USERNAME> --docker-password=<PASSWORD> --docker-email=<EMAIL> --insecure-skip-tls-verify=true

Add the secret to the default service account as described in the Kubernetes docs.

-- Ben Mathews

8/3/2016

I came up with a work-around for the situation with suggestions from these sources:

https://github.com/docker/machine/issues/1799

https://github.com/docker/machine/issues/1872

I logged into the Minikube VM (minikube ssh), and edited the /usr/local/etc/ssl/certs/ca-certificates.crt file by appending my own CA cert.

I then restarted the docker daemon while still within the VM: sudo /etc/init.d/docker restart

This is not very elegant in that if I restart the Minikube VM, I need to repeat these manual steps each time.

As an alternative, I also attempted to set the --insecure-registry myurl.com:5000 option in the DOCKER_OPTS environment variable (restarted docker), but this didn't work for me.

-- Jason White
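
The manual workaround in this answer has to be repeated after every VM restart. As an added example (not part of the original answer), this POSIX shell function appends a CA to a bundle only when it is not already there, so it can be re-run safely; the function names are hypothetical and the CA path in the usage comment is a placeholder.

```sh
#!/bin/sh
# Added example, not from the original answer. Function names are hypothetical.
# Usage after sourcing this file inside the VM (bundle path and restart
# command are the ones from the answer; the CA path is a placeholder):
#   append_ca /path/to/ca.pem /usr/local/etc/ssl/certs/ca-certificates.crt
#   sudo /etc/init.d/docker restart

# pem_bodies FILE: print one line per certificate in FILE, holding its base64
# body with all whitespace removed, so copies compare equal however wrapped.
pem_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1; body = ""; next }
         /-----END CERTIFICATE-----/   { if (on) print body; on = 0; next }
         on { gsub(/[ \t\r]/, ""); body = body $0 }' "$1"
}

# append_ca CA_PEM BUNDLE
# Returns 0 if the CA was appended, 1 if it was already in the bundle
# (nothing written), 2 if the input is unusable.
append_ca() {
    ca=$1
    bundle=$2
    [ -r "$ca" ] && [ -w "$bundle" ] || return 2
    # Accept exactly one certificate block: an empty file, a non-certificate
    # or a multi-certificate chain is rejected.
    [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$ca")" -eq 1 ] || return 2
    want=$(pem_bodies "$ca")
    [ -n "$want" ] || return 2
    if pem_bodies "$bundle" | grep -Fxq -- "$want"; then
        return 1
    fi
    # If the bundle lacks a final newline, add one so the new BEGIN line
    # is not glued to the previous END line.
    [ -z "$(tail -c 1 "$bundle")" ] || printf '\n' >> "$bundle"
    cat "$ca" >> "$bundle"
    return 0
}
```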

7/18/2017

An addon was recently added to Minikube that makes access to private container registries much easier:

minikube addons configure registry-creds
minikube addons enable registry-creds
-- mrts

9/26/2016

For an HTTP registry, these steps work for me:

1) minikube ssh

2) edit /var/lib/boot2docker/profile and add to $EXTRA_ARGS --insecure-registry yourdomain.com:5000

3) restart the docker daemon: sudo /etc/init.d/docker restart

-- wlredeye