Closed pbochynski closed 1 week ago
We decided to make a dependency on the `APIGateway` module to reuse the built-in `kyma-gateway` and to not manage our own dnsentry, certificates, and gateway.
When I use the `hostPrefix` configuration option, then I can push to the URL via docker CLI, but Kubernetes cannot pull the image when scheduling a pod in an arbitrary namespace (given `exposed-registry-auth` as imagePullSecret).
It looks as if the secret that is propagated across namespaces doesn't have the proper registry URL in the `.dockerconfigjson` field (it has the default URL, not the one I changed via the `hostPrefix` option).
Also, when using the default host `registry-default-kyma-system` I experience the same problem - the image can be pushed (by docker CLI) but not pulled.
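
An added example, not part of the thread or the project's code: a check of whether the `auths` entries in an imagePullSecret's `.dockerconfigjson` cover the registry host of the image being pulled, which is the mismatch described in the comment above. The host names under `example.test` and all helper names are constructed for illustration, and the exact-host comparison is a simplification of how the kubelet matches credentials.

```python
import base64
import json

def registry_host(image: str) -> str:
    """Registry host of an image reference; Docker Hub when none is given."""
    first, sep, _ = image.partition("/")
    # The first component is a registry only if it looks like a host.
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def secret_hosts(secret: dict) -> set:
    """Hosts listed under 'auths' in a kubernetes.io/dockerconfigjson Secret."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a dockerconfigjson secret")
    config = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    # Keys may carry a scheme or path (https://host/v1/); keep the host only.
    return {k.split("://", 1)[-1].split("/", 1)[0] for k in config.get("auths", {})}

def can_authenticate(secret: dict, image: str) -> bool:
    """True when the secret has an entry for the image's registry host."""
    return registry_host(image) in secret_hosts(secret)

def make_secret(host: str) -> dict:
    """Build a constructed Secret manifest with credentials for one host."""
    auth = base64.b64encode(b"user:password").decode()
    config = {"auths": {host: {"username": "user", "password": "password", "auth": auth}}}
    data = base64.b64encode(json.dumps(config).encode()).decode()
    return {"type": "kubernetes.io/dockerconfigjson", "data": {".dockerconfigjson": data}}

# Constructed values: example.test stands in for the cluster domain.
DEFAULT_HOST = "registry-default-kyma-system.example.test"
CUSTOM_HOST = "test-registry.example.test"  # host after setting hostPrefix
IMAGE = f"{CUSTOM_HOST}/my-app:1.0"

if __name__ == "__main__":
    stale = make_secret(DEFAULT_HOST)  # secret still pointing at the default host
    fresh = make_secret(CUSTOM_HOST)   # secret regenerated for the custom host
    for name, secret in (("stale", stale), ("fresh", fresh)):
        print(name, sorted(secret_hosts(secret)), can_authenticate(secret, IMAGE))
```

Against a live cluster, the same functions can be fed the output of `kubectl get secret <name> -n <namespace> -o json` parsed with `json.loads`.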
@kwiatekus I think the problem is caused because you used the wrong registry secret. I don't know what the `exposed-registry-auth` is but the name of the right one is located in the DockerRegistry CR status. Example:
```yaml
apiVersion: operator.kyma-project.io/v1alpha1
kind: DockerRegistry
metadata:
  finalizers:
  - dockerregistry-operator.kyma-project.io/deletion-hook
  name: default
  namespace: default
spec:
  externalAccess:
    enabled: true
    hostPrefix: test-registry
status:
  conditions:
  - lastTransitionTime: "2024-07-04T07:38:35Z"
    message: Configuration ready
    reason: Configured
    status: "True"
    type: Configured
  - lastTransitionTime: "2024-07-04T07:38:53Z"
    message: DockerRegistry installed
    reason: Installed
    status: "True"
    type: Installed
  externalAccess:
    enabled: "True"
    pullAddress: test-registry...
    pushAddress: test-registry...
    secretName: dockerregistry-config-external
  internalAccess:
    enabled: "True"
    pullAddress: localhost:32137
    pushAddress: dockerregistry.default.svc.cluster.local:5000
    secretName: dockerregistry-config
  served: "True"
  state: Ready
  storage: filesystem
```
You can follow this tutorial to make sure you do everything correctly.
`dockerregistry-config-external` is not propagated to every namespace, hence the problem. I schedule the pod in the default namespace, while the docker registry secret for external access is only available in kyma-system.
You are right. I forget about propagation.
In the latest main the status no longer contains the details how to use it (secret name and the pull/push addresses).
Description
Provide a way to expose the docker registry using TLS certificates. It can be an optional setting that utilizes istio/api-gateway features.
Reasons
Some customers use tools that enforce secure access to the registry with TLS.
AC
Warning
Execution
/docs/user
)