obeyler closed 4 years ago
Does this bring with it the need for insecure registries? I.e. do we need to make it possible not only for operators to make use of a local image registry but also possibly one with a self-signed cert, an expired cert, or a cert with an untrusted issuer / intermediary chain?
I think so. I already worked a little on this problem this night. I see some trouble:
[plugins.cri.registry]
[plugins.cri.registry.mirrors]
[plugins.cri.registry.mirrors."docker.io"]
endpoint = ["((registry-mirrors))"]
Is not enough. :-(
containerd wasn't able to download image k8s.gcr.io/pause:3.1
It also needs
[plugins.cri.registry.mirrors."k8s.gcr.io"]
endpoint = ["((registry-mirrors))"]
Normally we can use a wildcard:
[plugins.cri.registry.mirrors."*"]
endpoint = ["((registry-mirrors))"]
but it fails. I'm looking for why, but I haven't found it yet. Even with this I still have some problems with another image:
Pulling image "quay.io/coreos/flannel:v0.11.0-amd64"
Warning Failed 13s (x3 over 54s) kubelet, 121a9964-9914-4548-b576-69d6ac1f88d8.k8s Failed to pull image "quay.io/coreos/flannel:v0.11.0-amd64": rpc error: code = Unknown desc = failed to pull and unpack image "quay.io/coreos/flannel:v0.11.0-amd64": failed to resolve reference "quay.io/coreos/flannel:v0.11.0-amd64": unexpected status code [manifests v0.11.0-amd64]: 403 Forbidden
Warning Failed 13s (x3 over 54s) kubelet, 121a9964-9914-4548-b576-69d6ac1f88d8.k8s Error: ErrImagePull
Normal BackOff 1s (x3 over 54s) kubelet, 121a9964-9914-4548-b576-69d6ac1f88d8.k8s Back-off pulling image "quay.io/coreos/flannel:v0.11.0-amd64"
Warning Failed 1s (x3 over 54s) kubelet, 121a9964-9914-4548-b576-69d6ac1f88d8.k8s Error: ImagePullBackOff
You can have a look at the PR I started, to evaluate how to do it, here: https://github.com/jhunt/k8s-boshrelease/pull/41 I need to change the property to be able to set an array of strings (URLs) instead of just one URL.
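Added example, not part of the original thread or of the k8s-boshrelease code: a small check that lists which registry hosts a set of image references resolves to and which of them have no `[plugins.cri.registry.mirrors."<host>"]` table, which is the gap the comment above hit with `k8s.gcr.io` and `quay.io`. The endpoint URL, the `nginx` and `busybox` images, and the `wildcard_supported` switch are assumptions made for the illustration.

```python
import re

# Matches mirror tables such as [plugins.cri.registry.mirrors."docker.io"]
MIRROR_RE = re.compile(r'^\s*\[plugins\.cri\.registry\.mirrors\."([^"]+)"\]\s*$', re.M)

def registry_host(image):
    """Return the registry host an image reference resolves to."""
    first, sep, _ = image.partition("/")
    # Docker reference rule: the first component is a host only if it
    # contains "." or ":" or is "localhost"; otherwise it is Docker Hub.
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def mirrored_hosts(config_text):
    """Collect the hosts that have a mirrors table in the config."""
    return set(MIRROR_RE.findall(config_text))

def uncovered_images(config_text, images, wildcard_supported=False):
    """Map each registry host without a mirror to the images that need it."""
    hosts = mirrored_hosts(config_text)
    # Only trust a "*" table if the deployed containerd honours it (assumption).
    if wildcard_supported and "*" in hosts:
        return {}
    missing = {}
    for image in images:
        host = registry_host(image)
        if host not in hosts:
            missing.setdefault(host, []).append(image)
    return missing

# Constructed sample: a docker.io-only config with a placeholder endpoint.
SAMPLE_CONFIG = '''
[plugins.cri.registry]
[plugins.cri.registry.mirrors]
[plugins.cri.registry.mirrors."docker.io"]
endpoint = ["https://registry.example.internal"]
'''
SAMPLE_IMAGES = [
    "k8s.gcr.io/pause:3.1",
    "quay.io/coreos/flannel:v0.11.0-amd64",
    "nginx:1.17",
    "library/busybox",
]

if __name__ == "__main__":
    for host, imgs in sorted(uncovered_images(SAMPLE_CONFIG, SAMPLE_IMAGES).items()):
        print(f"no mirror for {host}: {', '.join(imgs)}")
```

In an air-gapped deployment, every host this reports is one whose pulls will still be attempted against the upstream registry instead of the private one.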
Completed in #60
As we are in an air-gapped environment, we use a private Docker registry such as JCR from JFrog. It allows uploading the Docker images onto the JCR registry and not onto the internet.
To do that, the containerd.toml file needs to be completed with this option: