rancher pull from insecure docker registry

I have 4 VMs in a local network:

1 - docker container - rancher
2 - rancher node
3 - rancher node
4 - docker container - registry

Linux mint 22, Rancher 2.10.1, cluster - v1.31.3+rke2r1 amd, calico.

I want to deploy an app from the server#4 private registry. If I start the docker registry without an SSL certificate, rancher writes “http: server gave HTTP response to HTTPS client”.

I tried to append an insecure registry record to /etc/default/docker.json on server#1, with no difference.

If I start the docker registry with an SSL certificate, rancher writes “tls: failed to verify certificate: x509: certificate signed by unknown authority”.

Certificate:
openssl req -x509 -nodes -days 365 -subj  "/CN=192.168.63.136" -addext "subjectAltName=IP:192.168.63.136" -newkey rsa:2048 -keyout domain.key -out domain.crt
and start the docker registry with
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key --volume=/data/certs:/certs

I added the certificate to the container and to host server#1. I tried to add a record to these files:

/var/lib/rancher/k3s/agent/etc/containerd/hosts.toml

/etc/rancher/k3s/registries.yaml

/var/lib/rancher/k3s/agent/etc/containerd/certs.d/192.168.63.136:5000/hosts.toml

I noticed that rancher rewrites the file /var/lib/rancher/k3s/agent/etc/containerd/certs.d/192.168.63.136:5000/hosts.toml after start with the same content, but without skip_verify = true:

server = "https://192.168.63.136"
[host."https://192.168.63.136"]
  capabilities = ["pull", "resolve"]
  skip_verify = true

If I set the image value to http://ip:port/image_name, rancher writes that it’s an invalid format.

What do I need to do to bypass TLS verification? It’s a local network; I’m not able to get even a letsencrypt certificate.

Hi @mraklbrw,

I’m running Rancher v2.10.1 in a virtual environment; I use it for testing.
I have three Control Plane/etcd nodes and five worker nodes.

I had the same problem using a local harbor repository, and here is how I resolved the issue.

  1. Go to Cluster Management in Rancher; for your target cluster, select the three dots at the end → Edit Config
  2. In Cluster Configuration, select Registries.
  3. Scroll down until you see Registry Authentication, and select Add Registry. If you don’t see this option, select “Enable cluster scoped container registry…” then select Show Advanced. You should be able to see the Registry Authentication option.
  4. Enter your Registry Hostname, set TLS secret to None, and select Skip TLS Verification.
  5. Hit Save.

Give the cluster a few minutes, and try pulling your image again.

I hope this helps.

Nick
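For reference, here is the node-level equivalent of Nick's "Skip TLS Verification" step next to the form that keeps verification on, written as an added example that is not from either post. It assumes the RKE2 registry config file /etc/rancher/rke2/registries.yaml (the RKE2 counterpart of the k3s registries.yaml the question mentions, read when the rke2 service starts), the registry address from the question, and an assumed path for a copy of domain.crt on the node; since the question's certificate is self-signed, it can be trusted directly as the CA, so the "certificate signed by unknown authority" error goes away without disabling verification.

```yaml
# Document 1: the weak setting. This is what "Skip TLS Verification" amounts to:
# pulls succeed, but the node no longer checks which server it is talking to.
mirrors:
  "192.168.63.136:5000":
    endpoint:
      - "https://192.168.63.136:5000"
configs:
  "192.168.63.136:5000":
    tls:
      insecure_skip_verify: true
---
# Document 2: the corrected setting. Copy domain.crt from the question to every
# node first (the destination path below is an assumption) and point ca_file at
# it; the self-signed certificate is its own issuer, so it verifies as the CA.
mirrors:
  "192.168.63.136:5000":
    endpoint:
      - "https://192.168.63.136:5000"
configs:
  "192.168.63.136:5000":
    tls:
      ca_file: /etc/rancher/rke2/certs/registry-ca.crt
```

Only one of the two documents belongs in the file; after writing it, restart rke2-agent (or rke2-server on control-plane nodes) and check the rendered certs.d hosts.toml for the registry to confirm the change took effect.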