I have set up a private docker registry with self-signed certificates.
docker run -d -p 443:5000 --restart=always --name registry -v `pwd`/auth:/auth
-e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm"
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -v `pwd`/certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/domain.crt
-e REGISTRY_HTTP_TLS_KEY=/domain.key
domain.crt and domain.key are generated using OpenSSL.
To Connect from a remote host,
cp domain.crt /etc/pki/ca-trust/source/anchors/mydockerregistry.com.crt
update-ca-trust
systemctl daemon-reload
systemctl restart docker
After this able to log in from the remote host
docker login mydockerregistry.com --username=test
password: test
I am able to push/pull the image to this registry and it is successful.
Similarly, I tried to deploy this image in the Kubernetes cluster. I created a secret with the registry with a username and password.
kubectl create secret docker-registry my-registry --docker-server=mydockerregistry.com --docker-username=test --docker-password=test --docker-email=abc.com
Also, I did the self-signed certificates from docker registry steps in worker nodes,
cp domain.crt /etc/pki/ca-trust/source/anchors/mydockerregistry.com.crt
update-ca-trust
systemctl daemon-reload
systemctl restart docker
Given the name in the imagePullSecrets of deployment.yaml file. I am trying to create a POD in the Kubernetes cluster (Calico Network) but it is unable to pull the image.
deployment.yaml
apiVersion: apps/v1beta2
kind: Deployment
metadata:
name: test-image
labels:
app: test-image
chart: test-image
spec:
containers:
- name: {{ .Chart.Name }}
image: "mydockerregistry.com/test-image:latest"
imagePullPolicy: Always
imagePullSecrets:
- name: my-registry
Warning Failed 45s (x2 over 59s) kubelet, kube-worker-02 Failed to pull image "mydockerregistry.com/test-image:latest": rpc error: code = Unknown desc = unauthorized: authentication required
Warning Failed
45s (x2 over 59s) kubelet, kube-worker-02 Error: ErrImagePull
I checked the docker registry logs,
time="2020-01-13T14:58:05.269921112Z" level=error msg="error authenticating user "": authentication failure" go.version=go1.11.2 http.request.host=mydockerregistry.com http.request.id=02fcccff-9a30-443c-8a00-48bcacb90e99 http.request.method=GET http.request.remoteaddr="10.76.112.148:35454" http.request.uri="/v2/test-image/manifests/latest" http.request.useragent="docker/1.13.1 go/go1.10.8 kernel/3.10.0-957.21.3.el7.x86_64 os/linux arch/amd64 UpstreamClient(Go-http-client/1.1)" vars.name=test-image vars.reference=latest
time="2020-01-13T14:58:05.269987492Z" level=warning msg="error authorizing context: basic authentication challenge for realm "Registry Realm": authentication failure" go.version=go1.11.2 http.request.host=mydockerregistry.com http.request.id=02fcccff-9a30-443c-8a00-48bcacb90e99 http.request.method=GET http.request.remoteaddr="10.76.112.148:35454" http.request.uri="/v2/ca-config-calc/manifests/latest" http.request.useragent="docker/1.13.1 go/go1.10.8 kernel/3.10.0-957.21.3.el7.x86_64 os/linux arch/amd64 UpstreamClient(Go-http-client/1.1)" vars.name=test-image vars.reference=latest
I am able to do docker login myregistrydomain and pull the image from worker node
Anything I am missing in the configuration?
You have a typo in the registry name in the create secret command.
kubectl create secret docker-registry my-registry --docker-server=myregistryregistry.com --docker-username=test --docker-password=test --docker-email=abc.com
Change myregistryregistry.com
to mydockerregistry.com
which you have used with docker login
.
I've been able to successfully pull an image from a secure, private, docker registry into kubernetes using this link.