12

I am attempting to use Minikube for local Kubernetes development. I have set up my docker environment to use the docker daemon running in the provided Minikube VM (boot2docker) as suggested:

eval $(minikube docker-env)

It sets up these environment variables:

export DOCKER_TLS_VERIFY="1"
export DOCKER_HOST="tcp://192.168.99.100:2376"
export DOCKER_CERT_PATH="/home/jasonwhite/.minikube/certs"

When I attempt to pull an image from our private docker repository:

docker pull oururl.com:5000/myimage:v1

I get this error:

Error response from daemon: Get https://oururl.com:5000/v1/_ping: x509: certificate signed by unknown authority

It appears I need to add a trusted ca root certificate somehow, but have been unsuccessful so far in my attempts.

I can hit the repository fine with curl using our ca root cert:

curl --cacert /etc/ssl/ca/ca.pem https://oururl.com:5000/v1/_ping
Jason White
  • Are you trying to pull the image on your local machine, or are you trying to create a Kubernetes Pod that can pull the image from within the VM? – springle Aug 03 '16 at 17:00
  • I first ran into the problem when attempting to create a pod that needed to pull an image from the private repo to create, so it was the VM attempting to pull the image when it ran into the issue of not being able to verify the x509 certificate – Jason White Aug 03 '16 at 17:45

8 Answers

4

I've been unable to find any way to get the cert into the minikube vm. But, minikube has a command line parameter to pass in an insecure-registry.

minikube start --insecure-registry=<HOST>:5000 

Then to configure authentication on the registry, create a secret.

kubectl create secret docker-registry tp-registry --docker-server=<REGISTRY>:5000 --docker-username=<USERNAME> --docker-password=<PASSWORD> --docker-email=<EMAIL> --insecure-skip-tls-verify=true

Add secret to the default service account as described in the kubernetes docs.

Ben Mathews
  • This worked great except I had to run `minikube delete` beforehand. The `--insecure-registry` flag is ignored if the machine already existed (even if it is stopped). You must first `minikube delete` if you want new flags to be respected – heez Aug 03 '18 at 19:49
3

I came up with a work-around for the situation with suggestions from these sources:

https://github.com/docker/machine/issues/1799

https://github.com/docker/machine/issues/1872

I logged into the Minikube VM (minikube ssh), and edited the /usr/local/etc/ssl/certs/ca-certificates.crt file by appending my own ca cert.

I then restarted the docker daemon while still within the VM: sudo /etc/init.d/docker restart

This is not very elegant in that if I restart the Minikube VM, I need to repeat these manual steps each time.

As an alternative, I also attempted to set the --insecure-registry myurl.com:5000 option in the DOCKER_OPTS environment variable (restarted docker), but this didn't work for me.

Jason White
  • Now you can use minikube start --insecure-registry='' but you will need to first run minikube delete to get a fresh cluster. – KyleHodgetts Jan 16 '18 at 13:50
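Appending the CA to the VM's ca-certificates.crt by hand, as the answer above describes, accumulates duplicate copies every time the step is repeated after a restart. The script below is an added example, not code from the answer or from Minikube: it makes the append idempotent by parsing the PEM blocks in the bundle, fingerprinting each DER payload with SHA-256 and appending the CA only when that fingerprint is absent. The bundle and CA contents are constructed placeholders (base64 of arbitrary bytes, not real certificates), because only the PEM framing and the fingerprint comparison are exercised; the file paths named in the usage note are the ones from the answer.

```python
import base64
import hashlib
import re
from typing import List, Tuple

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_blocks(text: str) -> List[bytes]:
    """Return the decoded DER payload of every CERTIFICATE block in a PEM bundle."""
    return [base64.b64decode("".join(body.split())) for body in _PEM_RE.findall(text)]


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, the same value `openssl x509 -fingerprint -sha256` reports."""
    return hashlib.sha256(der).hexdigest()


def append_ca_if_missing(bundle: str, ca_pem: str) -> Tuple[str, bool]:
    """Append ca_pem to bundle unless a block with the same fingerprint is already present.
    Returns the (possibly unchanged) bundle and whether anything was appended."""
    ca_ders = pem_blocks(ca_pem)
    if len(ca_ders) != 1:
        raise ValueError("expected exactly one CERTIFICATE block in the CA file")
    existing = {fingerprint(d) for d in pem_blocks(bundle)}
    if fingerprint(ca_ders[0]) in existing:
        return bundle, False
    sep = "" if (not bundle or bundle.endswith("\n")) else "\n"
    return bundle + sep + ca_pem.strip() + "\n", True


def _fake_pem(payload: bytes) -> str:
    """Constructed PEM wrapper around arbitrary bytes; stands in for a real certificate."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample inputs: a two-entry "system" bundle and our private CA.
SYSTEM_BUNDLE = _fake_pem(b"constructed-system-root-1") + _fake_pem(b"constructed-system-root-2")
OUR_CA = _fake_pem(b"constructed-private-registry-ca")


if __name__ == "__main__":
    bundle, added = append_ca_if_missing(SYSTEM_BUNDLE, OUR_CA)
    bundle, added_again = append_ca_if_missing(bundle, OUR_CA)
    print(f"first run appended: {added}, second run appended: {added_again}")
    print(f"blocks in bundle: {len(pem_blocks(bundle))}")
```

To apply it inside the VM, read /usr/local/etc/ssl/certs/ca-certificates.crt and your CA file into the two strings, write the returned bundle back only when the flag is True, and restart the daemon as the answer describes; the flag also tells you whether a restart is needed at all.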
3

An addon was recently added to Minikube that makes access to private container registries much easier:

minikube addons configure registry-creds
minikube addons enable registry-creds
mrts
1

For an http registry these steps work for me:

1) minikube ssh

2) edit /var/lib/boot2docker/profile and add to $EXTRA_ARGS --insecure-registry yourdomain.com:5000

3) restart the docker daemon sudo /etc/init.d/docker restart

wlredeye
0

The Kubernetes documentation on this is pretty good.

Depending on where your private docker repository is hosted, the solution will look a bit different. The documentation explains how to handle each type of repository.

If you want an automated approach to handle this authentication, you will want to use a Kubernetes secret and specify the imagePullSecrets for your Pod.

springle
  • Thank you for your response, but I'm having issues getting the docker daemon running in the Minikube VM to connect to our repo (let alone any Kubernetes functionality built on top). I believe I need to somehow get the docker daemon in Minikube VM to use a ca cert that I can provide. – Jason White Aug 03 '16 at 17:25
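A practical check for the imagePullSecrets approach in the answer above: confirm that the secrets a Pod references actually exist in its namespace and carry credentials for the registries its images come from, rather than discovering that at pull time. This is an added Python example, not part of the answer or of Kubernetes. It operates on dict objects in the shape `kubectl get pod -o json` and `kubectl get secret -o json` return, with constructed Pod and Secret objects inline; the secret name tp-registry, the host oururl.com:5000, the placeholder user:pass credential, the extra images and the namespace are all made up for the example. It applies Docker's image-reference rule that the first path component names a registry only when it contains a dot or a colon or is `localhost`, and decodes the kubernetes.io/dockerconfigjson payload to see which hosts a secret covers.

```python
import base64
import json
from typing import Dict, List, Tuple

# Constructed sample objects (nothing is fetched from a cluster).
_DOCKERCONFIG = {"auths": {"oururl.com:5000": {"auth": base64.b64encode(b"user:pass").decode()}}}

SECRETS = [
    {
        "metadata": {"name": "tp-registry", "namespace": "default"},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(json.dumps(_DOCKERCONFIG).encode()).decode()},
    },
]

POD = {
    "metadata": {"name": "myapp", "namespace": "default"},
    "spec": {
        "imagePullSecrets": [{"name": "tp-registry"}, {"name": "does-not-exist"}],
        "containers": [
            {"name": "app", "image": "oururl.com:5000/myimage:v1"},
            {"name": "sidecar", "image": "other.example:5000/helper:2"},
            {"name": "web", "image": "nginx:1.25"},
        ],
    },
}


def image_registry(image: str) -> str:
    """Registry host an image reference resolves to. Docker treats the first path
    component as a registry only if it contains '.' or ':' or is 'localhost';
    otherwise the image lives on Docker Hub (docker.io)."""
    if "/" not in image:
        return "docker.io"
    first = image.split("/", 1)[0]
    if "." in first or ":" in first or first == "localhost":
        return first
    return "docker.io"


def registries_in_secret(secret: dict) -> List[str]:
    """Registry hosts a kubernetes.io/dockerconfigjson secret holds credentials for."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        return []
    raw = base64.b64decode(secret["data"][".dockerconfigjson"])
    return list(json.loads(raw).get("auths", {}).keys())


def check_pull_secrets(pod: dict, secrets: List[dict]) -> Tuple[Dict[str, str], List[str]]:
    """Return (status per container image, referenced secret names that do not exist).
    Status is 'ok' when a referenced secret carries credentials for the image's registry,
    otherwise 'no secret for <registry>' (the kubelet would pull anonymously)."""
    ns = pod["metadata"].get("namespace", "default")
    by_name = {s["metadata"]["name"]: s for s in secrets
               if s["metadata"].get("namespace", "default") == ns}
    covered, missing = set(), []
    for ref in pod["spec"].get("imagePullSecrets", []):
        secret = by_name.get(ref["name"])
        if secret is None:
            missing.append(ref["name"])
        else:
            covered.update(registries_in_secret(secret))
    status = {}
    for c in pod["spec"]["containers"]:
        reg = image_registry(c["image"])
        status[c["image"]] = "ok" if reg in covered else f"no secret for {reg}"
    return status, missing


if __name__ == "__main__":
    status, missing = check_pull_secrets(POD, SECRETS)
    for image, s in status.items():
        print(f"{image}: {s}")
    if missing:
        print("referenced but missing secrets:", ", ".join(missing))
```

Run against real objects by loading the JSON that kubectl prints into the two variables; a referenced secret that is absent from the namespace does not stop the Pod from being scheduled, so it is worth surfacing before the first anonymous pull fails.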
0

Sounds like your question has more to do with Docker than Kubernetes. The Docker CLI supports a number of TLS-related options. Since you already have the CA cert, something like this should work:

docker --tlsverify --tlscacert=/etc/ssl/ca/ca.pem pull oururl.com:5000/myimage:v1
ivan.sim
  • Thank you for the response. I tried executing the command you provided, but I still get an "x509: certificate signed by unknown authority" error. I even unset the DOCKER_TLS_VERIFY, and DOCKER_CERT_PATH, and still the same error. I can only assume there is something about the Docker daemon running in the VM that is complicating things here. – Jason White Aug 03 '16 at 17:41
0

You need to edit /etc/default/docker to look like so:

# Docker Upstart and SysVinit configuration file

#
# THIS FILE DOES NOT APPLY TO SYSTEMD
#
#   Please see the documentation for "systemd drop-ins":
#   https://docs.docker.com/engine/admin/systemd/
#

# Customize location of Docker binary (especially for development testing).
#DOCKERD="/usr/local/bin/dockerd"

# Use DOCKER_OPTS to modify the daemon startup options.
DOCKER_OPTS="--insecure-registry oururl.com:5000"

# If you need Docker to use an HTTP proxy, it can also be specified here.
#export http_proxy="http://127.0.0.1:3128/"

# This is also a handy place to tweak where Docker's temporary files go.
#export DOCKER_TMPDIR="/mnt/bigdrive/docker-tmp"

Make sure to sudo service docker stop and sudo service docker start to apply the changes. You should then be able to push/pull to your registry.

GHETTO.CHiLD
0
  • login account minikube

  • vi ~/.minikube/machines/<PROFILE_NAME>/config.json (in my case vi ~/.minikube/machines/minikube/config.json)

  • add private repo on InsecureRegistry attribute (json path: HostOptions.EngineOptions.InsecureRegistry)

  • minikube start again
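The answers above turn off registry TLS verification in four different places: minikube's --insecure-registry flag, DOCKER_OPTS in /etc/default/docker, EXTRA_ARGS in /var/lib/boot2docker/profile, and the InsecureRegistry array in the docker-machine config.json. Each of them makes the daemon ignore certificate errors for that host and fall back to plain HTTP, which is a broader exemption than the question needed. The --tlsverify and --tlscacert flags from ivan.sim's answer govern the CLI's connection to the daemon (the DOCKER_HOST session), not the daemon's connection to the registry, which is why they did not help. On a standard Docker host the narrower fix is a private CA at /etc/docker/certs.d/<host>:<port>/ca.crt, which the daemon trusts for that one registry with full verification; whether the boot2docker image in the Minikube VM honours that directory is not established on this page. The script below is an added example, not code from any answer or from Docker or Minikube. It gathers registries from constructed stand-ins for those option strings and JSON files, checks them against a constructed certs.d listing, and reports which registries are exempt from verification and which have a CA pinned; every hostname and file content in it is a placeholder.

```python
import json
import shlex
from typing import Dict, Iterable, Set

# Constructed stand-ins for the files the answers edit; nothing is read from disk.
DOCKER_OPTS = "--insecure-registry oururl.com:5000 --insecure-registry=10.0.0.0/8"  # DOCKER_OPTS / EXTRA_ARGS form
DAEMON_JSON = json.dumps({"insecure-registries": ["oururl.com:5000"]})              # /etc/docker/daemon.json form
MACHINE_CONFIG_JSON = json.dumps(                                                   # docker-machine config.json form
    {"HostOptions": {"EngineOptions": {"InsecureRegistry": ["legacy.example:5000"]}}}
)
# Paths relative to /etc/docker/certs.d/ as a directory listing would show them.
CERTS_D_FILES = ["oururl.com:5000/ca.crt", "pinned.example:5000/ca.crt", "legacy.example:5000/client.cert"]


def insecure_from_opts(opts: str) -> Set[str]:
    """Registries (hosts or CIDR ranges) named by --insecure-registry in an option string."""
    found: Set[str] = set()
    toks = shlex.split(opts)
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok == "--insecure-registry" and i + 1 < len(toks):
            found.add(toks[i + 1])
            i += 2
            continue
        if tok.startswith("--insecure-registry="):
            found.add(tok.split("=", 1)[1])
        i += 1
    return found


def insecure_from_daemon_json(text: str) -> Set[str]:
    return set(json.loads(text).get("insecure-registries") or [])


def insecure_from_machine_config(text: str) -> Set[str]:
    engine = json.loads(text).get("HostOptions", {}).get("EngineOptions", {})
    return set(engine.get("InsecureRegistry") or [])


def pinned_from_certs_d(files: Iterable[str]) -> Set[str]:
    """Registries that have a CA pinned as certs.d/<host:port>/ca.crt."""
    return {f.split("/", 1)[0] for f in files if f.endswith("/ca.crt")}


def classify(insecure: Set[str], pinned: Set[str]) -> Dict[str, str]:
    """One verdict per registry seen in any source."""
    verdict = {}
    for reg in sorted(insecure | pinned):
        if reg in insecure:
            note = "insecure: certificate errors ignored and plain HTTP fallback allowed"
            if reg in pinned:
                note += " (ca.crt present, but the fallback still accepts an unverified connection)"
            verdict[reg] = note
        else:
            verdict[reg] = "ok: private CA pinned via certs.d, full verification"
    return verdict


def audit() -> Dict[str, str]:
    insecure = (insecure_from_opts(DOCKER_OPTS)
                | insecure_from_daemon_json(DAEMON_JSON)
                | insecure_from_machine_config(MACHINE_CONFIG_JSON))
    return classify(insecure, pinned_from_certs_d(CERTS_D_FILES))


if __name__ == "__main__":
    for reg, note in audit().items():
        print(f"{reg}: {note}")
```

Point the three inputs at the real files (or at `docker info`, which lists the daemon's effective insecure registries) and at `ls /etc/docker/certs.d/*/` to see which of the exemptions added while debugging are still in place and which could be replaced by a pinned CA.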