3

I set up Kubernetes V1.20.1 with containerd instead of Docker. Now I fail to pull Docker images from my private registry (Harbor).

I already changed the /etc/containerd/config.toml like this:

[plugins."io.containerd.grpc.v1.cri".registry]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
      endpoint = ["https://registry-1.docker.io"]
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."registry.foo.com"]
      endpoint = ["https://registry.foo.com"]
  [plugins."io.containerd.grpc.v1.cri".registry.configs]
    [plugins."io.containerd.grpc.v1.cri".registry.configs."registry.foo.com"]
      [plugins."io.containerd.grpc.v1.cri".registry.configs."registry.foo.com".auth]
        username = "admin"
        password = "Harbor12345"

But this did not work. The pull failed with the message:

Failed to pull image "registry.foo.com/library/myimage:latest": rpc error: code = Unknown
desc = failed to pull and unpack image "registry.foo.com/library/myimage:latest": failed to 
resolve reference "registry.foo.com/library/myimage:latest": unexpected status code 
[manifests latest]: 401 Unauthorized

My Harbor registry is available via HTTPS with a Let's Encrypt certificate, so HTTPS should not be the problem here.

Even when I tried to create a docker-secret, this did not work:

kubectl create secret docker-registry registry.foo.com --docker-server=https://registry.foo.com --docker-username=admin --docker-password=Harbor12345 --docker-email=info@foo.com

Can anybody give me an example of how to configure a private registry in Kubernetes with containerd?

Ralph

2 Answers

3

Set imagePullSecrets in the pod/deployment specification:

apiVersion: v1
kind: Pod
metadata:
  name: private-reg
spec:
  containers:
  - name: private-reg-container
    image: <your-private-image>
  imagePullSecrets:
  - name: registry.foo.com

More info: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

Dávid Molnár
  • I got this working with a 'Pod'. But it did not work with a 'Deployment'. – Ralph Jan 05 '21 at 11:31
  • OK - it worked after I created the secret for the corresponding namespace. Is there any way to add the imagePullSecrets on a global area, so that I do not need a secret for every namespace? – Ralph Jan 05 '21 at 11:35
  • Secrets can only be referenced by Pods in that same namespace: https://kubernetes.io/docs/concepts/configuration/secret/#details However, if you use solutions like Rancher, you could configure the secret on the project level and all namespaces in that project would have access to the secret. – Dávid Molnár Jan 05 '21 at 11:43
1

Create a file, put username:password in it, and get the base64 code of it:

touch pass.txt 
nano pass.txt
# write like that => username:password 
base64 pass.txt
# get the base64 code: cmxxxxxxxxyyyyyyCg==

nano /etc/containerd/config.toml (use auth="", instead of using username/password):

[plugins."io.containerd.grpc.v1.cri".registry]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
      endpoint = ["https://registry-1.docker.io"]
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."registry.foo.com"]
      endpoint = ["https://registry.foo.com"]
  [plugins."io.containerd.grpc.v1.cri".registry.configs]
    [plugins."io.containerd.grpc.v1.cri".registry.configs."registry.foo.com".tls]
      insecure_skip_verify = true
    [plugins."io.containerd.grpc.v1.cri".registry.configs."registry.foo.com".auth]
      auth = "cmxxxxxxxxyyyyyyCg=="

Restart containerd service:

sudo systemctl restart containerd.service

Pull image directly from node:

sudo crictl pull registry.foo.com/imageName:Tag
Ömer Sezer
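
The `auth` value used in the answer above can be generated and checked as follows. This is an added example, not part of the original answer: the function names and the `user`/`pass` sample credentials are constructed. It flags a decoded value that ends in a newline, which is what `base64` of an editor-saved file produces (a final `Cg==` group), because that newline is then part of the decoded credential string.

```shell
#!/bin/sh
# Added example: helper names and sample credentials are constructed.

# Print base64("user:password") for containerd's `auth` key, with no
# trailing newline in the input and no line wrapping in the output.
make_registry_auth() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Check an existing `auth` value.
#   0 = decodes to user:password
#   1 = not valid base64, or no ':' separator
#   2 = decoded bytes end in LF/CR (part of the credential string)
check_registry_auth() {
    # base64 is last in this pipeline, so its exit status is what we test
    printf '%s' "$1" | base64 -d >/dev/null 2>&1 || return 1
    plain=$(printf '%s' "$1" | base64 -d)
    case "$plain" in
        *:*) ;;
        *) return 1 ;;
    esac
    # Command substitution strips trailing newlines, so look at raw bytes
    hex=$(printf '%s' "$1" | base64 -d | od -An -v -tx1 | tr -d ' \n')
    case "$hex" in
        *0a|*0d) return 2 ;;
    esac
    return 0
}

# Constructed sample values: clean, then the same credentials plus "\n"
for sample in "$(make_registry_auth user pass)" "dXNlcjpwYXNzCg=="; do
    rc=0
    check_registry_auth "$sample" || rc=$?
    echo "$sample -> check_registry_auth returned $rc"
done
```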