We need to allow users to provide their own cert downloader and nginx proxy images to allow running using private registries and air-gapped deployments.
All images used are statically hardcoded:
Tested with rke version v0.0.9-dev.
Pushed the images above to a quay private repository and used them in the cluster.yml file.
Logged into the host with quay.io login.
./rke up --config cluster.yml was executed
When the images are private in the repository, the pull is not successful and rke up fails.
INFO[0002] [reconcile] Reconciling cluster state
INFO[0002] [reconcile] This is newly generated cluster
INFO[0002] [certificates] Deploying kubernetes certificates to Cluster nodes
INFO[0002] [certificates] Checking image [quay.io/soumyalj/rke-cert-deployer-private:latest] on host [159.89.176.30]
DEBU[0002] Checking if image [quay.io/soumyalj/rke-cert-deployer-private:latest] exists on host [159.89.176.30]
DEBU[0002] Image [quay.io/soumyalj/rke-cert-deployer-private:latest] does not exist on host [159.89.176.30]: Error: No such image: quay.io/soumyalj/rke-cert-deployer-private:latest
INFO[0002] [certificates] Pulling image [quay.io/soumyalj/rke-cert-deployer-private:latest] on host [159.89.176.30]
{"status":"Pulling repository quay.io/soumyalj/rke-cert-deployer-private"}
{"errorDetail":{"code":403,"message":"Error: Status 403 trying to pull repository soumyalj/rke-cert-deployer-private: \"{\\\"error\\\": \\\"Permission Denied\\\"}\""},"error":"Error: Status 403 trying to pull repository soumyalj/rke-cert-deployer-private: \"{\\\"error\\\": \\\"Permission Denied\\\"}\""}
INFO[0003] [certificates] Successfully pulled image [quay.io/soumyalj/rke-cert-deployer-private:latest] on host [159.89.176.30]
FATA[0003] Failed to create Certificates deployer container on host [159.89.176.30]: Error: No such image: quay.io/soumyalj/rke-cert-deployer-private:latest
When the images are made public, rke pulls the images on the host and the cluster is created successfully.
Previously rke would try to pull an image and it failed if it's a private image. #276 fixes this by adding configuration for private registry authentication.
Fyi: I can confirm a working rke in an air-gapped on-premise offline environment.
Does it work with insecure registries? I have an insecure registry and I can pull images from it manually. However, when I define it as a private_registries: in the cluster.yml, rke still tries to pull from docker.io and gives an error like
Can't pull Docker image [alpine:latest] for host [192.168.112.146]: Error response from daemon: Get https://registry-1.docker.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
RKE Version: master build Feb 9
I was able to verify airgap using private docker registry and the following cluster.yml file:
private_registries:
  - url: rke-registry.rancher:5000
    user: testuser
    password: testpassword
network:
  plugin: canal
nodes:
  - address: 10.0.1.142
    user: ubuntu
    role: [controlplane,worker,etcd]
  - address: 10.0.1.151
    user: ubuntu
    role: [controlplane,worker,etcd]
system_images:
  etcd: rke-registry.rancher:5000/rancher/etcd:v3.0.17
  kubernetes: rke-registry.rancher:5000/rancher/k8s:v1.8.7-rancher1-1
  alpine: rke-registry.rancher:5000/alpine:latest
  nginx_proxy: rke-registry.rancher:5000/rancher/rke-nginx-proxy:v0.1.1
  cert_downloader: rke-registry.rancher:5000/rancher/rke-cert-deployer:v0.1.1
  kubernetes_services_sidecar: rke-registry.rancher:5000/rancher/rke-service-sidekick:v0.1.0
  kubedns: rke-registry.rancher:5000/rancher/k8s-dns-kube-dns-amd64:1.14.5
  dnsmasq: rke-registry.rancher:5000/rancher/k8s-dns-dnsmasq-nanny-amd64:1.14.5
  kubedns_sidecar: rke-registry.rancher:5000/rancher/k8s-dns-sidecar-amd64:1.14.5
  kubedns_autoscaler: rke-registry.rancher:5000/rancher/cluster-proportional-autoscaler-amd64:1.0.0
  canal_node: rke-registry.rancher:5000/rancher/calico-node:v2.6.2
  canal_cni: rke-registry.rancher:5000/rancher/calico-cni:v1.11.0
  canal_flannel: rke-registry.rancher:5000/rancher/coreos-flannel:v0.9.1
I verified that nodes are airgapped and have no access to the internet, and I was able to pull from this private registry with authentication without docker login on the hosts.
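A pre-flight check worth running on a cluster.yml like the one above, added here as an example (not part of this thread or of rke itself): list every system_images entry that is not qualified with one of the private_registries URLs, since the docker daemon resolves an unqualified name such as alpine:latest against docker.io, which is the pull that times out on an air-gapped node. The sample cluster.yml inside the script is constructed.

```shell
#!/bin/sh
# Added example, not part of the rke project: find system_images entries in a
# cluster.yml that are not pulled through one of the private_registries URLs.
# The docker daemon resolves an unqualified name such as "alpine:latest"
# against docker.io, which is the pull that fails on an air-gapped node.

# Constructed sample cluster.yml (same shape as the one in the thread), with the
# alpine entry deliberately left unqualified.
CLUSTER_YML=$(cat <<'EOF'
private_registries:
  - url: rke-registry.rancher:5000
    user: testuser
    password: testpassword
system_images:
  etcd: rke-registry.rancher:5000/rancher/etcd:v3.0.17
  alpine: alpine:latest
  nginx_proxy: rke-registry.rancher:5000/rancher/rke-nginx-proxy:v0.1.1
EOF
)

# Usage: check_images "<cluster.yml contents>"
# Prints "<key>: <image>" for every unqualified image; exit status 1 if any.
check_images() {
  printf '%s\n' "$1" | awk '
    /^[^ ]/ { section = $1 }                                        # top-level key
    section == "private_registries:" && $1 == "-" && $2 == "url:" { reg[$3] = 1 }
    section == "private_registries:" && $1 == "url:"              { reg[$2] = 1 }
    section == "system_images:" && $1 != "system_images:" && NF >= 2 {
      img = $2; ok = 0
      for (r in reg) if (index(img, r "/") == 1) ok = 1   # prefixed by a known registry?
      if (!ok) { print $1, img; bad++ }
    }
    END { exit bad ? 1 : 0 }'
}

check_images "$CLUSTER_YML" || echo "unqualified images found; these would be pulled from docker.io"
```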