
I have set up a Kubernetes deployment using Nvidia deepops. My cluster is a single node running on my home network with Zerotier serving as the network bridge between my remote PC for control and the node used as master.

The hosts file on master:

/etc/hosts

```
# Hosts file -- Don't edit manually!
#
# Ansible managed
# Localhost
127.0.0.1 localhost.localdomain localhost

#
# Hosts managed by Ansible
#
# mgmt01
172.17.0.1    mgmt01-docker0
192.168.50.168    mgmt01-enp41s0  mgmt01  mgmt01.cluster.local
169.254.25.10    mgmt01-nodelocaldns
10.233.91.0    mgmt01-tunl0
172.22.85.169    mgmt01-ztly54iyqb

# Ansible inventory hosts BEGIN
192.168.50.168 mgmt01.cluster.local mgmt01
# Ansible inventory hosts END
::1 localhost6 localhost6.localdomain
192.168.50.168 registry.local
```

Except I did edit manually. I added the registry.local entry and this allows me to push images while ssh'd in to the master node:

```
# docker push registry.local/alpine
Using default tag: latest
The push refers to repository [registry.local/alpine]
8ea3b23f387b: Layer already exists
```

Now I want to be able to push from the control pc, my MacBook, but I get a certificate error:

```
❯ docker push registry.local/alpine
Using default tag: latest
The push refers to repository [registry.local/alpine]
Get https://registry.local/v2/: x509: certificate is valid for ingress.local, not registry.local
```

The docker registry service:

```
❯ k get svc/docker-registry -n deepops-docker -o wide
NAME              TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE   SELECTOR
docker-registry   NodePort   10.233.16.165   <none>        5000:31500/TCP   34d   app=docker-registry,release=docker-registry
```

What steps can I follow to make the certificate valid for in order to push images to my private registry?

gordon macmillan
  • nginx ingress uses its own certificate by default. If you want to do it the right way, you might want to check out: https://docs.docker.com/registry/insecure/#use-self-signed-certificates and upload certs to k8s and reference it in ingress object. Does this answer your question? – Matt Apr 21 '21 at 08:09
  • Hi Matt, no, not really. My knowledge of nginx ingress, and Kubernetes ingress in general, is not very strong. I DO know how to enable MetalLB with a selected IP range as well as a separate ingress controller. I am hoping for a quick, painless process that would allow me to add/update images in my private registry from within my network. I will not be opening the network ports so that others may use my cluster, so having skillfully architected security is not important. – gordon macmillan Apr 21 '21 at 23:04
  • Try to use [insecure registry](https://docs.docker.com/registry/insecure/#deploy-a-plain-http-registry). – Matt Apr 30 '21 at 09:08

0 Answers
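The route suggested in the first comment (a certificate that names registry.local, uploaded to the cluster and referenced from the ingress), sketched as an added example that is not part of the original thread or of DeepOps. It assumes OpenSSL 1.1.1 or newer for `-addext`, that the ingress serving registry.local lives in the `deepops-docker` namespace, and a hypothetical secret name `registry-tls`.

```shell
#!/usr/bin/env bash
# Added example: the secret name and output paths are assumptions, not DeepOps defaults.
set -eu

# make_registry_cert HOST DIR
# Write DIR/tls.key and DIR/tls.crt: a self-signed certificate whose
# subjectAltName lists HOST. Clients match the requested name against the SAN,
# which is why a certificate issued for ingress.local is rejected for registry.local.
make_registry_cert() {
  host=$1; dir=$2
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/tls.key" -out "$dir/tls.crt" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host"
  chmod 600 "$dir/tls.key"   # keep the private key readable by the owner only
}

# cert_covers CRT HOST
# Succeed only if the certificate in CRT is valid for HOST. Run this before
# uploading anything, so a naming mistake shows up here and not in docker push.
cert_covers() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match certificate"
}

# publish_secret DIR
# Store the pair as a TLS secret (hypothetical name "registry-tls"). The ingress
# for registry.local must then reference it under spec.tls, with
# hosts: [registry.local] and secretName: registry-tls.
publish_secret() {
  kubectl -n deepops-docker create secret tls registry-tls \
    --cert="$1/tls.crt" --key="$1/tls.key"
}

# Typical sequence on a machine with kubectl access to the cluster:
#   make_registry_cert registry.local ./registry-cert
#   cert_covers ./registry-cert/tls.crt registry.local && publish_secret ./registry-cert
```

Because the certificate is self-signed, each Docker client that pushes must also be told to trust `tls.crt`, as described in the Docker documentation linked in the first comment.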