Containerd fails to authenticate to a private Google Cloud Registry #990
Comments
I also tried using

```toml
[plugins.cri.registry.auths]
  [plugins.cri.registry.auths."gcr.io"]
```

instead of [plugins.cri.registry.configs."gcr.io".auth]. The output is

Can you try using this?
Take note of the "https" in the config. I think it points to the endpoint.

Unfortunately, that didn't solve the issue, although you are right that the endpoint must be used there. The
I also tried the https change including the credential instead of having it empty.
In both cases, the
Note the 401 error instead of the 403. It seems

Finally it's working (a day and a half fighting).
This is how the config looks:

```toml
[plugins.cri.registry]
  [plugins.cri.registry.mirrors]
    [plugins.cri.registry.mirrors."docker.io"]
      endpoint = ["https://registry-1.docker.io"]
    [plugins.cri.registry.mirrors."gcr.io"]
      endpoint = ["https://gcr.io"]
  [plugins.cri.registry.auths]
    [plugins.cri.registry.auths."https://gcr.io"]
      username = "_json_key"
      password = "{\n \"type\": \"service_account\",\n \"project_id\": ...
      email = "an@email.com"
      auth = "X2pz...."
```

Where:
Maybe there are some redundant fields. I'll check it out...

Thank you @j0nd0n7 for the detailed steps!

I'm unable to get this to work and it's driving me nuts :-)

@j0nd0n7's solution mostly makes sense but, if I replicate it, I receive 401s from GCR. It should not be necessary to duplicate username|password and auth; either username|password or auth should be required, since auth = f(username,password).

I would also prefer to use an access token rather than a service account. Please see the thread referenced by @mikebrow above: containerd/cri#1482

The
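
The relationship the comments above rely on, auth = f(username, password), as an added example (not code from this thread or from containerd). It assumes the Docker config.json convention that auth is the base64 of username:password, renders the auths section in the shape of the working config above, and checks an existing auth value against a keyfile; the function names are hypothetical and the keyfile content is constructed.

```python
import base64
import json

REGISTRY = "https://gcr.io"  # table key used in the working config above
USERNAME = "_json_key"       # special username for JSON keyfile authentication


def docker_auth(username: str, password: str) -> str:
    """Docker-style auth value: base64 of "username:password"."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def check_auth(auth: str, username: str, password: str) -> bool:
    """True only if an existing auth value decodes to exactly these credentials."""
    try:
        decoded = base64.b64decode(auth, validate=True).decode()
    except ValueError:  # bad base64 or not UTF-8
        return False
    # Split on the first colon only: the JSON keyfile itself contains colons.
    user, sep, pw = decoded.partition(":")
    return sep == ":" and user == username and pw == password


def toml_str(value: str) -> str:
    # For this input a JSON string literal is also a valid TOML basic string:
    # quotes, backslashes and newlines are escaped the same way.
    return json.dumps(value, ensure_ascii=False)


def render_auths(keyfile_text: str) -> str:
    """Render the auths section with username/password and the matching auth."""
    key = keyfile_text.strip()  # surrounding whitespace is not part of the JSON
    json.loads(key)             # fail early if the keyfile is not valid JSON
    return "\n".join([
        "[plugins.cri.registry.auths]",
        f'  [plugins.cri.registry.auths."{REGISTRY}"]',
        f"    username = {toml_str(USERNAME)}",
        f"    password = {toml_str(key)}",
        f"    auth = {toml_str(docker_auth(USERNAME, key))}",
    ])


# Constructed sample keyfile (placeholder values, not a real credential).
SAMPLE_KEYFILE = (
    '{\n  "type": "service_account",\n  "project_id": "my_project_id",\n'
    '  "private_key": "CONSTRUCTED-PLACEHOLDER\\n"\n}\n'
)

if __name__ == "__main__":
    print(render_auths(SAMPLE_KEYFILE))
```

Running `check_auth` on the auth value already in the template, with the keyfile text as the password, shows whether a copied auth string and the username/password pair actually describe the same credential.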

What I'd like to achieve is to use a private Google Cloud Registry to pull images from microk8s.
To configure the registry, I opted to modify the containerd-template.toml file instead of using ImagePullSecrets.

This is what I tried:

First, I created a keyfile.json from the Google Cloud Console as explained here:
The result is a text file with a JSON value (the long-term credentials).

Second (these are my different tries):

try 1) Edit the /var/snap/microk8s/current/args/containerd-template.toml
Note: _json_key is a special username GCP uses to authenticate through a JSON keyfile.
Then restart microk8s:
microk8s.stop && microk8s.start
When I check if
microk8s.ctr image pull gcr.io/my_project_id/my_image:tag
works, this is the output

try 2) As I read here that plugins.cri.registry.configs."gcr.io".auth fields have the same meaning as the .docker/config.json fields, I logged in to the private registry
cat keyfile.json | docker login -u _json_key --password-stdin https://gcr.io
(to generate the entries in .docker/config.json)
That added this content to the config:
Then I took the auth token value and replaced the username and password entries with an auth entry in the file /var/snap/microk8s/current/args/containerd-template.toml like this:
Then restart microk8s:
microk8s.stop && microk8s.start
When I check if
microk8s.ctr image pull gcr.io/my_project_id/my_image:tag
works, this is the output

I really appreciate some directions to address this registry config.
Thank you