我已经在我的 Kubernetes 集群中设置了一个私有 docker 注册表。部署如下
apiVersion: apps/v1
kind: Deployment
metadata:
name: registry
labels:
app: registry
spec:
replicas: 1
selector:
matchLabels:
app: registry
template:
metadata:
labels:
app: registry
spec:
volumes:
- name: auth-vol
secret:
secretName: "registry-credentials"
containers:
- image: registry:2
name: registry
imagePullPolicy: IfNotPresent
env:
- name: REGISTRY_AUTH
value: "htpasswd"
- name: REGISTRY_AUTH_HTPASSWD_REALM
value: "k8s_user"
- name: REGISTRY_AUTH_HTPASSWD_PATH
value: "/auth/htpasswd"
ports:
- containerPort: 5000
volumeMounts:
- name: auth-vol
mountPath: /auth
我正在使用以下 Ingress 进行路由
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: registry-ingress
spec:
rules:
- host: "registry.<my domain>"
http:
paths:
- path: "/"
pathType: Prefix
backend:
service:
name: registry
port:
number: 80
在外部,我有一个负载均衡器终止 SSL,然后将请求转发到 HTTP 流量的适当入口端口。从网络外部,我可以毫无问题地从注册表中推/拉。但是,从网络内部,当我尝试部署某些东西并运行时,出现以下错误kubectl pod describe <pod>
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 26s default-scheduler Successfully assigned default/server-6df575c99c-ltwqr to k8s-root-default-pool-3de67
Normal BackOff 24s (x2 over 25s) kubelet Back-off pulling image "registry.<mydomain>/server:0.0.1"
Warning Failed 24s (x2 over 25s) kubelet Error: ImagePullBackOff
Normal Pulling 11s (x2 over 25s) kubelet Pulling image "registry.<mydomain>/server:0.0.1"
Warning Failed 11s (x2 over 25s) kubelet Failed to pull image "registry.<mydomain>/server:0.0.1": rpc error: code = Unknown desc = Error response from daemon: Get https://registry.<mydomain>/v2/: x509: certificate is valid for haproxy-controller.default, not registry.<mydomain>.io
Warning Failed 11s (x2 over 25s) kubelet Error: ErrImagePull
看起来好像该请求正在访问 HAProxy Ingress 控制器证书,而不是到外部世界并访问负载均衡器的 SSL 证书。我应该这样做有更好的方法吗?