Proper configuration of registries.yaml to access private docker Registry #5302

fcoulloudon · 2024-01-17T23:27:44Z

fcoulloudon
Jan 17, 2024

Good day everyone!

We have our own Gitlab private registry and I'm struggling (a lot) to have containerd pull images from it.
I have read this documentation:
https://docs.rke2.io/install/containerd_registry_configuration/

And I understood that I can rewrite and host images from other registries but also that I can connect mine.

On the registry side, I created an access token (read_registry) for the group my project is in.
Lets say the project is here:
https://gitlab.url.com/company/gategroup/gate

I want to pull this image:
gitlab.url.com/company/gategroup/gate/builds/master:22ce6760

Right now my registries.yaml looks like this:

mirrors:
  "gitlab.url.com/company/gategroup/gate/":
    endpoint:
      - "https://gitlab.url.com"
config:
  "gitlab.url.com/company/gategroup/gate/":
    auth:
      username: mytokenusername
      password: mytokenpassword
    tls:
      insecure_skip_verify: true

I tried many things modifying registries.yaml on all my nodes and restart rke2 (service rke2-agent restart or service rke2-server restart).

I'm a but confused if I'm using this feature properly (I wan't all namespace/project to be able to pull this image)
I get error 403 all the times...

'''
Failed to authorize: failed to fetch anonymous token: unexpected status from GET request to https://gitlab.url.com/jwt/auth?scope=repository%company%2Fgategroup%2Fgate%2Fbuilds%2Fmaster%3Apull&service=container_registry: 403 Forbidden
'''

Using docker login, it works...

What am I doing wrong?
Do I need to specify a version?

Thank you!

Answered by brandond

Jan 17, 2024

The mirrors and config sections should contain ONLY the registry address (hostname and optional port). Your config includes a path, which is incorrect. You are also providing an unnecessary endpoint, as https://gitlab.url.com is the default endpoint for a registry named gitlab.url.com.

You should only need:

config:
  "gitlab.url.com":
    auth:
      username: mytokenusername
      password: mytokenpassword
    tls:
      insecure_skip_verify: true

Note that configuration is on a per-registry basis, so these credentials will be used for ALL access to the registry at gitlab.url.com. There is no way to use the containerd registry config to specify different credentials for different images …

View full answer

brandond · 2024-01-17T23:34:55Z

brandond
Jan 17, 2024
Maintainer

The mirrors and config sections should contain ONLY the registry address (hostname and optional port). Your config includes a path, which is incorrect. You are also providing an unnecessary endpoint, as https://gitlab.url.com is the default endpoint for a registry named gitlab.url.com.

You should only need:

config:
  "gitlab.url.com":
    auth:
      username: mytokenusername
      password: mytokenpassword
    tls:
      insecure_skip_verify: true

Note that configuration is on a per-registry basis, so these credentials will be used for ALL access to the registry at gitlab.url.com. There is no way to use the containerd registry config to specify different credentials for different images in the same registry. If you want to do that, you should use Kubernetes Image Pull Secrets.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Proper configuration of registries.yaml to access private docker Registry #5302

{{title}}

Replies: 1 comment

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

Proper configuration of registries.yaml to access private docker Registry #5302

fcoulloudon Jan 17, 2024

Replies: 1 comment

brandond Jan 17, 2024 Maintainer

fcoulloudon
Jan 17, 2024

brandond
Jan 17, 2024
Maintainer