Error when k8s pulls an image from a private registry
with ErrImagePull: "rpc error: code = Unknown desc = Error response from daemon: Get http://*.*.*.*:5000/v2/: net/http: HTTP/1.x transport connection broken: malformed HTTP response \"\\x15\\x03\\x01\\x00\\x02\\x02\""
Docker private registry address configuration
cat /etc/docker/daemon.json
{
  "registry-mirrors": ["http://f1361db2.m.daocloud.io","https://docker.mirrors.ustc.edu.cn"],
  "insecure-registries":["172.10.10.10:5000","172.10.10.11:5000"],
  "max-concurrent-downloads": 20
}
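- registry-mirrors: registry mirrors (pull accelerators) secured with SSL
- insecure-registries: registries that are insecure (non-SSL)
The official documentation has a more detailed description of the configuration: https://docs.docker.com/engine/reference/commandline/dockerd//#daemon-configuration-file
After changing the configuration, restart docker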
systemctl restart docker
Log in to Docker
docker login 172.10.10.10:5000
After entering the username and password the login succeeds. Looking at ~/.docker/config.json shows the following:
cat ~/.docker/config.json
{
  "auths": {
    "172.10.10.10:5000": {
      "auth": "ZG9j...Y2tlcg=="
    },
    "172.10.10.11:5000": {
      "auth": "YWR...RtaW4="
    }
  },
  "HttpHeaders": {
    "User-Agent": "Docker-Client/18.03.1-ce (linux)"
  }
}
I have two private registries; with only one private registry it should look like this:
{
  "auths": {
    "172.10.10.10:5000": {
      "auth": "ZG9...2tlcg=="
    }
  },
  "HttpHeaders": {
    "User-Agent": "Docker-Client/18.03.1-ce (linux)"
  }
}
Create a Secret to hold your registry credentials
Create a secret named dockercfg-192
kubectl create secret docker-registry dockercfg-192 --docker-server=172.10.10.10:5000 --docker-username=username --docker-password=password --docker-email=m@m.com.cn
- --docker-server is your private registry
- --docker-username is your Docker username
- --docker-password is your Docker password
- --docker-email is your Docker email address
View the created dockercfg-192
kubectl get secret |grep dockercfg-192
dockercfg-192 kubernetes.io/dockerconfigjson 1 16h
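The Secret created above stores the same kind of "auths" document that docker login writes to ~/.docker/config.json. The following is an added example, not part of the original post: it builds that Secret's content in Python and shows that the "auth" value is only base64 of username:password, so anyone who can read the Secret or config.json recovers the password. The function names are hypothetical and the credentials are the placeholder values from the kubectl command.

```python
import base64
import json


def build_dockerconfigjson(server, username, password, email):
    """Return the JSON document stored under the Secret's .dockerconfigjson key."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"auths": {server: {"username": username, "password": password,
                               "email": email, "auth": auth}}}


def build_secret(name, server, username, password, email):
    """Return a Secret manifest of type kubernetes.io/dockerconfigjson."""
    payload = json.dumps(build_dockerconfigjson(server, username, password, email))
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(payload.encode()).decode()},
    }


def recover_credentials(secret):
    """Decode every registry login held in a dockerconfigjson Secret.

    Base64 is an encoding, not encryption: no key is needed here.
    """
    config = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    found = {}
    for server, entry in config.get("auths", {}).items():
        # Split on the first colon only, so passwords containing ':' survive.
        user, _, pw = base64.b64decode(entry["auth"]).decode().partition(":")
        found[server] = (user, pw)
    return found


if __name__ == "__main__":
    # Constructed sample values matching the placeholders in the kubectl command.
    secret = build_secret("dockercfg-192", "172.10.10.10:5000",
                          "username", "password", "m@m.com.cn")
    print(json.dumps(secret, indent=2))
    print(recover_credentials(secret))
```

Restrict read access to this Secret with RBAC and keep ~/.docker/config.json readable only by its owner, since both hold a recoverable password.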
Create a Deployment that uses an image from the private registry
cat my-nginx-2.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: my-nginx-97
spec:
  replicas: 2
  template:
    metadata:
      labels:
        run: my-nginx-97
    spec:
      containers:
      - name: my-nginx-97
        image: 172.10.10.10:5000/test/nginx-lb:1.7.9
        ports:
        - containerPort: 80
      imagePullSecrets:
      - name: dockercfg-192
imagePullSecrets tells Kubernetes to take the registry credentials from the Secret named dockercfg-192
Run the command to create it
kubectl create -f my-nginx-2.yaml
[root@kube-node1 work]# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE
my-nginx-97-658cb94796-6qwjs 1/1 Running 0 55m 172.30.75.4 kube-node2
my-nginx-97-658cb94796-mxpxp 1/1 Running 0 55m 172.30.20.2 kube-node4
https://docs.docker.com/engine/reference/commandline/dockerd//#daemon-configuration-file
https://k8smeetup.github.io/docs/tasks/configure-pod-container/pull-image-private-registry/
https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry