Using an external private secure registry with microk8s

We have a private secure registry (on Nexus), and I am able to pull from it using microk8s.docker:

microk8s.docker login -u myname our.registry.url
microk8s.docker pull our.registry.url/testimage:1.0

When I try to do the same for a container in a pod definition, I get an error. I first create a secret:

microk8s.kubectl create secret docker-registry kubernetes-production-docker-registry \
            --docker-server=our.registry.url:443 \
            --docker-username=akaihola \
            --docker-password=******** \
            --docker-email=myname@domain.tld

I then create a Pod definition (testpod.yaml):

apiVersion: v1
kind: Pod
metadata:
  name: testpod
spec:
  containers:
    - name: testcontainer
      image: our.registry.url:443/testimage:1.0
  imagePullSecrets:
    - name: docker-registry

Create the Pod:

microk8s.kubectl create -f testpod.yaml
microk8s.kubectl describe pod testpod

But what I see in the events list is:

Warning  Failed     2s               kubelet, mylaptop     
Failed to pull image "our.registry.url:443/testimage:1.0":
rpc error: code = Unknown desc = Error response from daemon:
Get https://our.registry.url:443/v2/testimage/manifests/1.0:
no basic auth credentials

Does microk8s miss the capability to use an external private secure registry? Do I need something like the registry-creds plugin in minikube?

Not overly familiar with microk8s at the moment, but I noticed that in your examples the microk8s.docker login command included a typical URL, but the URL specified in the docker-registry secret and the deploy image had the port specified.

What happens when you omit the port in both the secret and image, different error or the same?

I actually had misunderstood the imagePullSecrets name option – what I need to use there is

  imagePullSecrets:
    - name: kubernetes-production-docker-registry

I also indeed had to make sure to either use the port number or leave it out, but be consistent and do the same in both the image tag and the docker server URL when creating the secret.

So all works now! Thanks for your comment!

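The two mismatches resolved in this thread (the imagePullSecrets name and the registry host with or without port) can be checked before creating the Pod. The following is an added example, not part of the original posts: it works on objects shaped like `kubectl get -o json` output, the helper names and sample data are constructed, and it assumes, following the resolution above, that the host[:port] in the image must equal the server stored in the secret.

```python
import base64
import json

def registry_of(image):
    """Registry host[:port] of an image reference, or None for the default registry."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return None

def make_secret(server, user, password):
    """Constructed stand-in for a docker-registry secret as shown by `kubectl get -o json`."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    cfg = {"auths": {server: {"username": user, "password": password, "auth": auth}}}
    blob = base64.b64encode(json.dumps(cfg).encode()).decode()
    return {"type": "kubernetes.io/dockerconfigjson", "data": {".dockerconfigjson": blob}}

def make_pod(image, secret_name):
    """Constructed Pod object mirroring testpod.yaml from the thread."""
    return {"spec": {"containers": [{"name": "testcontainer", "image": image}],
                     "imagePullSecrets": [{"name": secret_name}]}}

def check_pull_secrets(pod, secrets):
    """Return a list of problems; an empty list means names and registry hosts line up."""
    problems, servers = [], set()
    for ref in pod["spec"].get("imagePullSecrets", []):
        secret = secrets.get(ref["name"])
        if secret is None:
            problems.append(f"imagePullSecrets refers to missing secret '{ref['name']}'")
            continue
        cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
        # Normalise "https://host:port/" to "host:port" before comparing.
        servers |= {s.split("://", 1)[-1].rstrip("/") for s in cfg.get("auths", {})}
    for c in pod["spec"]["containers"]:
        reg = registry_of(c["image"])
        # Assumption: exact host[:port] match, as in the thread's resolution.
        if reg is not None and reg not in servers:
            problems.append(f"{c['name']}: no credentials for '{reg}' (secrets cover {sorted(servers)})")
    return problems

# Constructed sample data: secret name and server are from the thread, the password is a placeholder.
SECRETS = {"kubernetes-production-docker-registry":
           make_secret("our.registry.url:443", "myname", "PLACEHOLDER")}

if __name__ == "__main__":
    good = "kubernetes-production-docker-registry"
    for image, name in [("our.registry.url:443/testimage:1.0", "docker-registry"),
                        ("our.registry.url/testimage:1.0", good),
                        ("our.registry.url:443/testimage:1.0", good)]:
        print(image, name, check_pull_secrets(make_pod(image, name), SECRETS) or "OK")
```

The first case reproduces the original testpod.yaml and reports both the unknown secret name and the missing credentials; the second shows the port mismatch alone.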