Question

DO k8s pull from private registry

Hi, has anyone come across this type of issue? I am trying to set up a k8s cluster, and I also have a private registry running on a droplet. When I try to deploy an image from my private registry I get this error:

Error response from daemon: Get https://artifactory_ip: http: server gave HTTP response to HTTPS client

OK, so I thought I would set up a reverse proxy and add a self-signed certificate to it. You would think this should solve the issue above, which it did, BUT it brings a new issue instead when I deploy again:

Error response from daemon: Get https://artifactory_ip: x509: certificate signed by unknown authority

So, because k8s is a managed service of DigitalOcean, I don't have access to the master node to push my certificates there, and as you know I cannot SSH to k8s droplets either.

Does anyone have any idea how to solve this issue?

Thank you.


@jkwiatkoski, is it not possible for the K8s cluster to pull images from a private container registry running in a droplet in the same VPC, assuming we have set up TLS on the private container registry using a self-signed cert? So we would have to tell the K8s cluster to use that self-signed cert to do the image pull…

Thanks in advance



Alternatively you could leverage our DO Container registry! Docs here: https://www.digitalocean.com/docs/images/container-registry/quickstart/

This doesn’t answer your question directly, but have you considered using a Docker registry service to host your images? I’ve found using AWS ECR to be much less of a headache than hosting the images myself.

If you do want to consider that route, I wrote a tool to connect a Digital Ocean K8s cluster to AWS ECR: https://github.com/nabsul/k8s-ecr-login-renew

Hi @MBII,

The reply from @jkwiatkoski suggests that all the nodes that make up the DOKS will only pull from a TLS-enabled docker registry; I presume that specifically means that any DO docker registries are TLS-enabled.

That being the case, you will need to enable TLS on your Artifactory service that is providing your docker registry.

You may have a “chicken & egg” scenario though if that Artifactory service is being deployed as a container to the DOKS, unless the initial image comes from DO docker registry! :-)

This issue may help you understand the cause of the problem, should you want to use an “insecure” (non-TLS enabled) registry elsewhere:

https://github.com/moby/moby/issues/28321

As mentioned though, you will need to use a TLS certificate that was issued by a public CA, rather than one from your private CA or a self-signed certificate.

You should find all that you need from the link mentioned by @jkwiatkoski though; failing that, search the Digital Ocean Community pages for more help, or use your favourite search engine to discover a walkthrough! ;-)

If you can’t find the docs on the Digital Ocean Community pages and you discover a decent walkthrough, why not add it to the Digital Ocean Community! :-D

Good luck!

Hi there,

Our DOKS nodes are configured to reject pulling from any non-secured registries. A simple solution would be to secure your registry with an SSL cert, perhaps from https://letsencrypt.org/

Regards,

John Kwiatkoski Senior Developer Support Engineer - Kubernetes
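The two daemon errors quoted in the question and the requirement stated in this answer can be checked from a workstation before touching the cluster. The following is an added example, not code from this thread or from DigitalOcean: a Python preflight that probes a registry endpoint the way the Docker daemon does (a Go net/http client validating against the node's system trust store), and tells apart a cleartext-HTTP listener (the first error), a certificate the public trust store does not recognise (the second error, which is what a self-signed or private-CA cert produces on a node you cannot add roots to), and a working endpoint. The host/port arguments, the HEAD /v2/ probe and the verdict strings are this example's own conventions; the built-in demo starts a constructed local plain-HTTP server to stand in for the misconfigured registry.

```python
"""Preflight check for a Docker/OCI registry endpoint.

Added example, not code from the original thread. The probe path, verdict
strings and the local demo server are this example's own assumptions.
"""
import http.server
import socket
import ssl
import threading

# OpenSSL X509_V_ERR_* codes. The first four are what the Go daemon reports as
# "x509: certificate signed by unknown authority": self-signed leaf, self-signed
# cert in chain, no local issuer, and unverifiable leaf signature.
UNTRUSTED_CODES = {18, 19, 20, 21}
EXPIRED = 10
HOSTNAME_MISMATCH = 62


def verdict_for_verify_code(code, message=""):
    """Map an OpenSSL verify code to a short verdict string."""
    if code in UNTRUSTED_CODES:
        return "UNTRUSTED_CA"
    if code == HOSTNAME_MISMATCH:
        return "HOSTNAME_MISMATCH"
    if code == EXPIRED:
        return "EXPIRED"
    return "CERT_ERROR:%s" % (message or code)


def _speaks_plain_http(host, port, timeout):
    """Send a cleartext HEAD and see whether the peer answers with an HTTP status
    line. A TLS listener answers with a TLS alert record (or closes), never "HTTP/"."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD /v2/ HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        try:
            banner = s.recv(64)
        except (socket.timeout, ConnectionError):
            return False
    return banner.startswith(b"HTTP/")


def check_registry_tls(host, port=443, timeout=3.0):
    """Return one verdict: PLAIN_HTTP, UNTRUSTED_CA, HOSTNAME_MISMATCH, EXPIRED,
    OK, CONNECTION_REFUSED, TIMEOUT, or a prefixed error string."""
    try:
        if _speaks_plain_http(host, port, timeout):
            return "PLAIN_HTTP"  # daemon: "server gave HTTP response to HTTPS client"
        # Default context = system CA bundle and hostname checking, which is the
        # same policy a managed node's daemon applies; no private roots are added.
        ctx = ssl.create_default_context()
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "OK"
    except ConnectionRefusedError:
        return "CONNECTION_REFUSED"
    except socket.timeout:
        return "TIMEOUT"
    except ssl.SSLCertVerificationError as e:  # must precede ssl.SSLError
        return verdict_for_verify_code(getattr(e, "verify_code", None),
                                       getattr(e, "verify_message", ""))
    except ssl.SSLError as e:
        return "TLS_HANDSHAKE_FAILED:%s" % (e.reason or "unknown")
    except OSError as e:
        return "UNREACHABLE:%s" % e


def _unused_port():
    """Pick a loopback port nothing is listening on (constructed refused-connection case)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo_plain_http_registry():
    """Constructed scenario: a 'registry' that only speaks cleartext HTTP, like the
    droplet in the question before the reverse proxy was added."""
    class Quiet(http.server.SimpleHTTPRequestHandler):
        def log_message(self, *args):
            pass

    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), Quiet)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_registry_tls("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1:5000"
    host, _, port = target.partition(":")
    print(check_registry_tls(host, int(port or 443)))
```

Run it as `python check_registry.py registry.example.com:443` against the droplet. Anything other than `OK` is what the DOKS nodes will also refuse: `PLAIN_HTTP` means the registry is still answering in the clear, `UNTRUSTED_CA` means the chain does not lead to a root in the public bundle (the self-signed case from the question), and `HOSTNAME_MISMATCH` is the usual result of pulling by IP from a registry whose certificate was issued for a DNS name. Because the nodes' trust store cannot be changed, the fix has to be on the registry side: a certificate from a public CA, which in practice means putting a DNS name on the droplet and pulling by that name.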