7

I try to setup docker-registry in Kubernetes cluster behind the nginx-ingress controller. The issue is, when I try to push the image into private registry, it tells me:

Get https://registry.local/v2/: x509: certificate is valid for ingress.local, not registry.local

When I curl it, I get response from ingress' backend - 404.

Here's ingress' manifest:

kind: Ingress apiVersion: extensions/v1beta1 metadata: name: docker-ingress annotations: kubernetes.io/ingress.class: "nginx" spec: tls: - hosts: [ 'registry.local' ] - secretName: registry rules: - host: registry.local http: paths: - backend: serviceName: docker-registry servicePort: 5000 path: /

And here's docker-registry manifest:

kind: Deployment apiVersion: extensions/v1beta1 metadata: labels: app: docker-registry name: docker-registry spec: replicas: 1 selector: matchLabels: app: docker-registry template: metadata: labels: app: docker-registry spec: containers: - command: - /bin/registry - serve - /etc/docker/registry/config.yml env: - name: REGISTRY_HTTP_ADDR value: 0.0.0.0:5000 - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY value: /var/lib/registry - name: REGISTRY_HTTP_TLS_CERTIFICATE value: /certs/ca.crt - name: REGISTRY_HTTP_TLS_KEY value: /certs/domain.key image: registry:2.6.2 imagePullPolicy: IfNotPresent name: docker-registry ports: - containerPort: 5000 name: http protocol: TCP volumeMounts: - mountPath: /var/lib/registry name: image-store - mountPath: /certs name: certs volumes: - name: image-store emptyDir: {} - name: certs configMap: name: certs --- kind: Service apiVersion: v1 metadata: labels: app: docker-registry name: docker-registry spec: ports: - name: http port: 5000 protocol: TCP targetPort: 5000 selector: app: docker-registry type: ClusterIP

Separetly, nginx-ingress and docker-registry, work fine, but don't together.

Nothing valuabe from the ingress controller logs can be found.

Improve this question
4
  • 1
    I know this may seem obvious, but does the certificate actually exist? Commented Dec 21, 2018 at 13:56
  • Thank you, dude, for your response. But they did exist. Otherwise, it wouldn't tell certificate is valid.... The only thing about them, they're self-signed. Commented Dec 22, 2018 at 14:06
  • 1
    @acd certificate is valid for ingress.local, not registry.local indicates that the default fake ingress certificate is used. You have to add a valid certificate, i.e. one that matches the FQDN and has been issued by a trusted CA. Commented Dec 25, 2018 at 0:49
  • @030 Thank you for your suggestion, but it's not relevant. Because the cert I've generated (locally) was specifically issued to registry.local address. And, as I mentioned above, with that same cert docker registry, without nginx in front, works fine. And, with that same, another web service works fine behind that same nginx. The issue is with nginx+docker. Commented Dec 26, 2018 at 7:49

1 Answer 1

Reset to default
2

First of all 404 error is resource error in kubernetes. It means your container in the pod is not created by your first script. Even if it is created and you can see it then your labeling is wrong in the second script.

I would suggest you check matchlabels of both YAML scripts. So in your case I can see that matchlabel is docker-registry in the spec section of the first script, but I don't see any docker-registry in the second script. I believe that in your metadata part of ingress script should have "name = docker-registry" instead of "name=docker-ingress".

Improve this answer

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.