
Can not pull docker image from private repo when using Minikube

I am attempting to use Minikube for local kubernetes development. I have set up my docker environment to use the docker daemon running in the provided Minikube VM (boot2docker) as suggested:

eval $(minikube docker-env)

It sets up these environment variables:

export DOCKER_TLS_VERIFY="1"
export DOCKER_HOST="tcp://192.168.99.100:2376"
export DOCKER_CERT_PATH="/home/jasonwhite/.minikube/certs"

When I attempt to pull an image from our private docker repository:

docker pull oururl.com:5000/myimage:v1

I get this error:

Error response from daemon: Get https://oururl.com:5000/v1/_ping: x509: certificate signed by unknown authority

It appears I need to add a trusted ca root certificate somehow, but have been unsuccessful so far in my attempts.

I can hit the repository fine with curl using our ca root cert:

curl --cacert /etc/ssl/ca/ca.pem https://oururl.com:5000/v1/_ping
Jason White asked Aug 03 '16 16:08



3 Answers

An addon was recently added to Minikube that makes access to private container registries much easier:

minikube addons configure registry-creds
minikube addons enable registry-creds
mrts answered Oct 21 '22 13:10


I've been unable to find any way to get the cert into the minikube vm. But, minikube has a command line parameter to pass in an insecure-registry.

minikube start --insecure-registry=<HOST>:5000 

Then to configure authentication on the registry, create a secret.

kubectl create secret docker-registry tp-registry --docker-server=<REGISTRY>:5000 --docker-username=<USERNAME> --docker-password=<PASSWORD> --docker-email=<EMAIL> --insecure-skip-tls-verify=true

Add the secret to the default service account as described in the Kubernetes docs.

Ben Mathews answered Oct 21 '22 13:10


I came up with a work-around for the situation with suggestions from these sources:

https://github.com/docker/machine/issues/1799

https://github.com/docker/machine/issues/1872

I logged into the Minikube VM (minikube ssh), and edited the /usr/local/etc/ssl/certs/ca-certificates.crt file by appending my own ca cert.

I then restarted the docker daemon while still within the VM: sudo /etc/init.d/docker restart

This is not very elegant in that if I restart the Minikube VM, I need to repeat these manual steps each time.

As an alternative, I also attempted to set the --insecure-registry myurl.com:5000 option in the DOCKER_OPTS environment variable (restarted docker), but this didn't work for me.

Jason White answered Oct 21 '22 14:10
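
The work-around in the last answer (append the CA to the VM's bundle, restart Docker, repeat after every VM restart) written as a re-runnable script that leaves TLS verification on. This is an added example, not code from any of the answers: the function names are hypothetical, and the bundle path and restart command are the ones quoted in that answer.

```shell
#!/bin/sh
# Added example. Run inside the VM (minikube ssh) as root after each VM restart.
BUNDLE=/usr/local/etc/ssl/certs/ca-certificates.crt   # path quoted in the answer

# Print a file with all whitespace removed, so PEM line wrapping and
# CRLF line endings do not defeat the comparison below.
pem_flat() { tr -d ' \t\r\n' < "$1"; }

# append_ca_once CA_PEM BUNDLE_FILE
# Prints "appended" or "present". Returns 1 if CA_PEM does not hold
# exactly one PEM certificate or BUNDLE_FILE does not exist.
append_ca_once() {
    ca=$1
    bundle=$2
    [ -f "$bundle" ] || return 1
    [ "$(grep -c -e '-----BEGIN CERTIFICATE-----' "$ca")" = 1 ] || return 1
    [ "$(grep -c -e '-----END CERTIFICATE-----' "$ca")" = 1 ] || return 1
    flat_ca=$(pem_flat "$ca")
    case "$(pem_flat "$bundle")" in
        *"$flat_ca"*) echo present; return 0 ;;   # already trusted, no change
    esac
    # Start on a fresh line in case the bundle lacks a trailing newline.
    [ -z "$(tail -c 1 "$bundle")" ] || echo >> "$bundle"
    cat "$ca" >> "$bundle"
    echo appended
}

# trust_registry_ca CA_PEM [BUNDLE_FILE]
# Restarts the Docker daemon only when the bundle actually changed.
trust_registry_ca() {
    result=$(append_ca_once "$1" "${2:-$BUNDLE}") || return 1
    [ "$result" = present ] || /etc/init.d/docker restart
}
```

After copying the CA file into the VM, `trust_registry_ca ca.pem` can be run on every boot; a second run finds the certificate already present and leaves the daemon alone.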