Question

DO k8s pull from private registry

Hi, has anyone come across this type of issue? I am trying to set up a k8s cluster and I also have a private registry running on a droplet. When I try to deploy an image from my private registry I get this error:

Error response from daemon: Get https://artifacotry_ip: http: server gave HTTP response to HTTPS client

OK, so I thought I would set up a reverse proxy and add a self-signed certificate to it. You would think this should solve the issue above, which it did, BUT it brings a new issue instead when I deploy again:

Error response from daemon: Get https://artifactory_ip: x509: certificate signed by unknown authority

So because k8s is a managed service of DigitalOcean, I don't have access to the master node to push my certificates there, and as you know I cannot SSH to the k8s droplets either.

Does anyone have any idea how to solve this issue?

Thank you.


Alternatively you could leverage our DO Container registry! Docs here: https://www.digitalocean.com/docs/images/container-registry/quickstart/

This doesn’t answer your question directly, but have you considered using a Docker registry service to host your images? I’ve found using AWS ECR to be much less of a headache than hosting the images myself.

If you do want to consider that route, I wrote a tool to connect a Digital Ocean K8s cluster to AWS ECR: https://github.com/nabsul/k8s-ecr-login-renew

Hi @MBII,

The reply from @jkwiatkoski suggests that all the nodes that make up the DOKS will only pull from a TLS enabled docker registry - I presume that specifically means that any DO docker registries are TLS enabled.

That being the case, you will need to enable TLS on your Artifactory service that is providing your docker registry.

You may have a “chicken & egg” scenario though if that Artifactory service is being deployed as a container to the DOKS, unless the initial image comes from DO docker registry! :-)

This issue may help you understand the cause of the problem, should you want to use an “insecure” (non-TLS enabled) registry elsewhere:

https://github.com/moby/moby/issues/28321

As mentioned though, you will need to use a TLS certificate that was issued by a public CA, rather than your private CA and self-signed certificate.

You should find all that you need from the link mentioned by @jkwiatkoski though; failing that, search the Digital Ocean Community pages for more help, or use your favourite search engine to discover a walkthrough! ;-)

If you can’t find the docs on Digital Ocean Community pages, and you discover a decent walkthrough - why not add it to the Digital Ocean Community! :-D

Good luck!
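A way to tell the two failure modes from the question apart before touching the cluster, by opening a TLS connection to the registry with the same default trust store and hostname verification a node's container runtime relies on. This is an added example, not code from the question or any of the answers; the registry host in the usage line is a placeholder, and the mapping from Python's ssl exceptions to the two daemon messages is an assumption based on what the question reports.

```python
import socket
import ssl
from dataclasses import dataclass


@dataclass
class RegistryCheck:
    ok: bool
    reason: str   # which of the daemon's errors this corresponds to
    remedy: str   # what the answers above say fixes it


def classify(exc: BaseException) -> RegistryCheck:
    """Map a handshake failure onto the two errors seen in the question (assumed mapping)."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        # Chain does not lead to a CA in the system bundle: a self-signed or private-CA cert.
        return RegistryCheck(False, "x509: certificate signed by unknown authority",
                             "serve a certificate issued by a public CA; managed nodes' "
                             "trust store cannot be edited")
    if isinstance(exc, ssl.SSLError) and "WRONG_VERSION_NUMBER" in str(exc):
        # Plain HTTP answered on the port the client expected TLS on.
        return RegistryCheck(False, "server gave HTTP response to HTTPS client",
                             "enable TLS on the registry or the reverse proxy in front of it")
    return RegistryCheck(False, f"other error: {exc!r}",
                         "check reachability and the port the registry listens on")


def check_registry(host: str, port: int = 443, timeout: float = 5.0) -> RegistryCheck:
    """Verify the registry's TLS endpoint the way a pulling node would: system CA bundle,
    hostname check on, no insecure-registry override."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except (ssl.SSLError, OSError) as exc:
        return classify(exc)
    issuer = dict(item[0] for item in cert["issuer"])
    return RegistryCheck(True, f"chain verified; issuer CN={issuer.get('commonName')}",
                         "none needed")


if __name__ == "__main__":
    # Placeholder host: replace with the registry droplet's DNS name (not a bare IP,
    # which most public CAs will not issue for).
    print(check_registry("registry.example.invalid"))
```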