How to run private registry in modern environment?

I am looking for a way to run a private registry for my kubernetes cluster so that self-signed certificates are accepted. This used to work for a long time with no issues, but not anymore on the current versions.

My cluster uses the following versions:

Kubernetes version: v1.26.1
Cloud being used: self hosted bare-metal running KVM where nodes are VMs
Installation method: deb https://apt.kubernetes.io/ kubernetes-xenial main
Host OS: Debian GNU/Linux 11 (bullseye) 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21)
CNI and version: docker.io/flannel/flannel-cni-plugin:v1.1.2
CRI and version: containerd.io 1.6.16 from deb Index of linux/debian/ bullseye stable

My cluster is one master and four workers. I build images on the master and have my private registry there. Most pods run in the kubernetes cluster, a few run on other machines in my LAN. I dislike the idea of running the registry inside the kubernetes cluster. I would rather have it separate so that images remain available even when making changes to the cluster. Thus I installed the docker-registry package from the debian buster repos. This used to be no problem over many years when adding “insecure registries” in node configs.

In the modern environment, this no longer works. Images were not pulled regardless of which instructions I followed in terms of “insecure registries” or “skip verification”. TLS and certificates are necessary, but the right CN is not enough. What seems to be required is the use of SAN and the announcement of the private CA to each node. I did not manage to understand if this is due to kubelet 1.26.1 or due to containerd.io 1.6.16 from the docker repo. I picked the docker repo for the CRI, because it is sufficiently new for kubernetes 1.26.1 and it allows installation of docker-ce in parallel, so that I can easily build on the same machine.

I lack documentation in terms of how to proceed. Would anyone please be so kind as to shed some light?

In the meantime, I implemented a workaround where I use a reverse proxy with SSL offloading and public certificates in front of a plain insecure private registry. Pulling now runs through the WAN with restrictions to my own static IPs. However, I would very much prefer a solution with fewer workarounds and everything in the LAN.

Thanks a lot!
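The post above describes the two things a node actually needs for a LAN registry without any “insecure registry” switch: a server certificate whose subjectAltName matches the registry host, and the private CA installed where the container runtime (containerd, which performs the pulls on behalf of kubelet) looks for it. The script below is an added example and is not code from the poster or from any project mentioned; it assumes a registry host `registry.lan`, address `10.0.0.5` and port `5000`, all placeholders. It mints a CA with explicit extensions, issues a SAN-bearing leaf certificate, verifies the chain the way a TLS client would, and writes containerd's per-registry `certs.d/<host:port>/hosts.toml` pointing at the CA rather than setting `skip_verify`.

```shell
#!/bin/sh
# Added example (not from the original post): mint a private CA, issue a registry
# certificate with a subjectAltName, and tell containerd 1.6 to trust that CA for
# one registry host via certs.d/hosts.toml instead of skipping verification.
# registry.lan, 10.0.0.5 and port 5000 are assumed placeholder values.
set -eu

# Create a self-signed CA in $1/ca.key and $1/ca.crt. An explicit config keeps the
# result independent of the system openssl.cnf; CA:TRUE is required or the chain
# will not verify.
make_registry_ca() {
  dir=$1
  cat >"$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Lab Registry CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# Issue $1/registry.crt for host $2 and optional IP $3, signed by the CA in $1.
# The SAN is what clients match against; a CN alone is ignored for hostname checks.
make_registry_cert() {
  dir=$1; host=$2; ip=${3:-}
  san="DNS:$host"
  if [ -n "$ip" ]; then san="$san,IP:$ip"; fi
  cat >"$dir/leaf.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
EOF
  cat >"$dir/ext.cnf" <<EOF
subjectAltName = $san
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl req -new -config "$dir/leaf.cnf" -newkey rsa:2048 -nodes \
    -keyout "$dir/registry.key" -out "$dir/registry.csr" 2>/dev/null
  openssl x509 -req -in "$dir/registry.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$dir/ext.cnf" \
    -out "$dir/registry.crt" 2>/dev/null
}

# Succeeds only if certificate $1 carries DNS name $2 in its subjectAltName.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Chain and hostname check against CA $1 for certificate $2 and host $3,
# the same checks a pulling client performs.
verify_against_ca() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Write containerd's per-registry trust file under $1/$2/hosts.toml. containerd
# consults this directory when config.toml contains
#   [plugins."io.containerd.grpc.v1.cri".registry]
#     config_path = "/etc/containerd/certs.d"
# $3 is the CA path as seen on the node; no skip_verify is written.
write_hosts_toml() {
  root=$1; hostport=$2; ca_path=$3
  mkdir -p "$root/$hostport"
  cat >"$root/$hostport/hosts.toml" <<EOF
server = "https://$hostport"

[host."https://$hostport"]
  capabilities = ["resolve", "pull"]
  ca = "$ca_path"
EOF
}

# Stand-alone run: ./registry-pki.sh --demo [outdir]
demo() {
  out=${1:-./registry-pki}
  mkdir -p "$out"
  make_registry_ca "$out"
  make_registry_cert "$out" registry.lan 10.0.0.5
  cert_has_san "$out/registry.crt" registry.lan
  verify_against_ca "$out/ca.crt" "$out/registry.crt" registry.lan
  write_hosts_toml "$out/certs.d" registry.lan:5000 \
    /etc/containerd/certs.d/registry.lan:5000/ca.crt
  echo "CA, registry certificate and hosts.toml written under $out"
}
if [ "${1:-}" = "--demo" ]; then demo "${2:-}"; fi
```

On each node, `ca.crt` and the generated `hosts.toml` go under `/etc/containerd/certs.d/registry.lan:5000/` (directory name is host plus port), followed by a containerd restart; `registry.key` and `registry.crt` are what the registry process itself serves. A docker-ce build host uses the same CA from `/etc/docker/certs.d/registry.lan:5000/ca.crt`. Because verification now succeeds on the certificate, nothing has to be marked insecure and the pull path stays entirely inside the LAN.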