
Is there a way to authenticate and pull an image from an insecure Nexus registry to a containerd instance (GKE containerd node pool), like for Docker where we can create a docker configjson secret? Couldn't find any doc related to this.

  • If you are using the Nexus docker registry, you should be able to configure a pull secret just like you do for any other docker registry. – Gari Singh Nov 17 '21 at 09:26
  • We have a pull secret which is working for Docker node pools but not for containerd node pool. Getting the error Http: server gave HTTP response to HTTPS client – LahiruSenevirathne Nov 17 '21 at 09:46
  • Could you share more details about what you want to achieve? In GCP/GKE best practice is to use [Artifact Registry](https://cloud.google.com/artifact-registry) or [Cloud Source Repositories](https://cloud.google.com/source-repositories) depends on your scenario. – PjoterS Nov 17 '21 at 13:18
  • We have an insecure Nexus registry and we have created an imagePull secret for that as well. It is working fine for Docker runtime nodes. We recently created a new node pool which is a containerd runtime node pool. The pods scheduled on those containerd nodes can't pull images. Getting the error Http: server gave HTTP response to HTTPS client – LahiruSenevirathne Nov 19 '21 at 07:58
  • If I understand correctly, when you are using GKE nodes with `Container-Optimized OS with Docker (cos)` it's working normally, but if you will use `Container-Optimized OS with Containerd (cos_containerd) (default)` it's not working? Please share full error output. This new nodepool is in the same Cluster/project? Could you try to use GCP [Artifact Registry](https://cloud.google.com/artifact-registry) if you will encounter the same issue? – PjoterS Nov 24 '21 at 13:10
  • Yes, that's correct. On `Container-Optimized OS with Containerd (cos_containerd)`, when a pod is scheduled it gives an `ImagePullBackOff` with error `Http: server gave HTTP response to HTTPS client` – LahiruSenevirathne Nov 30 '21 at 05:58
  • Without your configuration it's hard to guess. The easiest way to pull custom images on GKE is to use `Artifact Registry`. Is it an option to use GCP `Artifact Registry`? Did you add `insecure_skip_verify = true` in your configuration? Did you see [this doc](https://github.com/containerd/cri/blob/master/docs/registry.md)? There are a few issues on Stack Overflow like [this](https://stackoverflow.com/questions/65681045/) or on GitHub like [this](https://github.com/containerd/containerd/issues/4938). Without your configuration it's hard to guess. – PjoterS Nov 30 '21 at 08:10
  • Also, did you try `crictl --debug pull registry_name/image` or enable `crictl config --set pull-image-on-create=true`, which is by default set to false as per [Container Runtime Interface (CRI) CLI](https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md)? – PjoterS Nov 30 '21 at 08:32
  • The thing is how to configure this on a GKE node pool. For a normal instance which has the containerd runtime I can add `insecure_skip_verify = true` to the toml config; how do I achieve this in an autoscaling node pool? – LahiruSenevirathne Nov 30 '21 at 19:47
  • Could you please edit your question and provide what exactly you want to achieve? According to your last comment you want to use insecure Nexus with GKE containerd with autoscaling. Are there any further requirements? Is there any reason why you cannot use Docker GKE? Or maybe it's a theoretical question? In GKE nodes you cannot set a startup script, so I am not sure if you will be able to use an insecure Nexus registry. Also, is there any reason why you cannot use Google `Container Registry` or `Artifact Registry`? – PjoterS Dec 02 '21 at 08:44
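The containerd registry settings the comments refer to, as an added example that is not part of the question or of any comment: a fragment of containerd's CRI plugin config in the inline format described in the containerd/cri registry.md linked above, written for a node whose `/etc/containerd/config.toml` you control. The hostname `nexus.example.internal`, the ports, the CA path and the credentials are constructed placeholders. The first section matches the error reported in the thread (a registry answering in plain HTTP while containerd dialled HTTPS); the second shows the shape to prefer once the registry has a TLS certificate, trusting its CA instead of skipping verification. How to get either onto an autoscaling GKE node pool is the open question in the thread and is not answered here.

```toml
# Added example: containerd CRI plugin registry settings (inline config format).
# Hostnames, ports, paths and credentials are constructed placeholders.
version = 2

# --- Case 1: registry that only speaks plain HTTP ---------------------------
# "server gave HTTP response to HTTPS client" means containerd connected with
# https:// and the registry replied in cleartext. Declaring the mirror endpoint
# as http:// resolves that mismatch. insecure_skip_verify only relaxes
# certificate validation on an HTTPS connection; it does not by itself make
# containerd speak plain HTTP.
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."nexus.example.internal:8082"]
  endpoint = ["http://nexus.example.internal:8082"]

[plugins."io.containerd.grpc.v1.cri".registry.configs."nexus.example.internal:8082".auth]
  username = "pull-only-user"   # placeholder; use a read-only account for pulls
  password = "REPLACE_ME"       # placeholder; travels in cleartext over http://

# --- Case 2: the same registry after it has been given a TLS certificate ---
# Keep https:// and point ca_file at the CA that signed the registry cert, so
# pulls stay protected against tampering between node and registry.
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."nexus.example.internal:8443"]
  endpoint = ["https://nexus.example.internal:8443"]

[plugins."io.containerd.grpc.v1.cri".registry.configs."nexus.example.internal:8443".tls]
  ca_file = "/etc/containerd/certs.d/nexus-ca.crt"   # placeholder path
  # insecure_skip_verify = true   # only acceptable in a throwaway lab with a self-signed cert

[plugins."io.containerd.grpc.v1.cri".registry.configs."nexus.example.internal:8443".auth]
  username = "pull-only-user"   # placeholder
  password = "REPLACE_ME"       # placeholder
```

The mirror key is matched against the host (including port) in the image reference, so pods would reference `nexus.example.internal:8082/team/app:tag` in the first case. With the plain-HTTP variant neither the credentials nor the image bytes are protected in transit, so if it has to be used, referencing images by digest (`...@sha256:<digest>`) at least lets containerd verify the manifest it receives against the digest the deployment asked for.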

0 Answers