
I am working in my local dev environment

    OS:
       Ubuntu (bionic) 18.0.4 LTS    
    Minikube Version:
       v1.11.0
    Docker Version:
       19.03.10

I am using JFrog Container Registry as the registry for my minikube. I am able to do the following:

  1. docker login localhost:443 | or | ip-add:443
  2. docker push ip-add:443/docker-local/test:latest
  3. docker pull ip-add:443/docker-local/test:latest

I have configured JFrog Container Registry to run behind an Nginx reverse proxy listening on port 443. I created self-signed certs, and JFrog is using these certs.

I configured docker to use the self-signed certs as follows:

  1. Create the certs and copy them to /usr/local/share/ca-certificates/
  2. sudo update-ca-certificates
  3. Copy the certificate to /etc/docker/cert.d/192.168.0.114:443/ca.crt
  4. Restarted docker, just to be sure

I configured K8 to use the docker login secret through a .yaml file as follows:

  1. base64 encode ~/.docker/config.json
  2. Use it in the following template

```yaml
apiVersion: v1
kind: Secret
metadata:
 name: myregistrykey
 namespace: awesomeapps
data:
 .dockerconfigjson: UmVhbGx5IHJlYWxseSByZWVlZWVlZWVlZWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGx5eXl5eXl5eXl5eXl5eXl5eXl5eSBsbGxsbGxsbGxsbGxsbG9vb29vb29vb29vb29vb29vb29vb29vb29vb25ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubmdnZ2dnZ2dnZ2dnZ2dnZ2dnZ2cgYXV0aCBrZXlzCg==
type: kubernetes.io/dockerconfigjson
```

In the deployment.yaml, I use ImagePullSecrets and the name flag.

Now, after all this setup, where docker pull is working in the terminal, I get an error on the pods saying x509 IP SANs.

I went through a lot of documentation and a K8 issue that was posted recently: https://github.com/kubernetes/kubernetes/issues/43924

I replicated the steps, but it didn't work out. Can anyone let me know what I am doing wrong and how I can correct it?

armourshield
  • Is your docker registry accessible from the kubernetes nodes or cluster? Check with the telnet command from any of the nodes. – Jaskaran Singh Jun 01 '20 at 12:46
  • @JaskaranSingh I ssh'd into the docker and ran curl for the IP address 192.168.0.114, and it is working. I think the network is there; the error is in SSL/TLS verification. The error I am getting is this: x509: cannot validate certificate for 192.168.0.114 because it doesn't contain any IP SANs – armourshield Jun 01 '20 at 12:55
  • Do I understand correctly that you have Docker on your host with JFrog Container Registry installed, and additionally you have a minikube on your host that tries to connect to your registry? Could you tell more about how you created your certs? Did you try to pull/push images directly with Docker from your minikube instance? – Dawid Kruk Jun 02 '20 at 10:38
  • @DawidKruk You are right, I have docker installed in my base host system, Ubuntu. K8 is installed by minikube and docker is installed in the base host system. Docker pull/push is working on the host machine. After JaskaranSingh's ssh idea, I went and put the CA cert in using docker cp src-sys:host-sys and placed it in /etc/docker/certs.d/192.168.0.114:443/ca.cert – armourshield Jun 03 '20 at 11:42

0 Answers