RKE2 accessing a Nexus private Docker proxy

I set up a private HTTP Docker image proxy with Nexus; its external address is http://11.0.2.132:5000
My steps were as follows:

mkdir -p /etc/rancher/rke2/
cat >/etc/rancher/rke2/config.yaml <<EOL
token: 123456
system-default-registry: "11.0.2.132:5000"
EOL
cat >/etc/rancher/rke2/registries.yaml<<EOL
mirrors:
  docker.io:
    endpoint:
      - "http://11.0.2.132:5000"
  11.0.2.132:
    endpoint:
      - "http://11.0.2.132:5000"
configs:
  "11.0.2.132:5000":
    tls:
      insecure_skip_verify: true
EOL

systemctl start rke2-server.service

The error output was as follows:

Oct 20 11:48:54 k8s-m3 rke2[628575]: time="2024-10-20T11:48:54+08:00" level=info msg="Checking local image archives in /var/lib/rancher/rke2/agent/images for index.docker.io/rancher/rke2-runtime:v1.30.5-rke2r1"
Oct 20 11:48:54 k8s-m3 rke2[628575]: time="2024-10-20T11:48:54+08:00" level=warning msg="Failed to load runtime image index.docker.io/rancher/rke2-runtime:v1.30.5-rke2r1 from tarball: no local image available for index.docker.io/rancher/rke>
Oct 20 11:48:54 k8s-m3 rke2[628575]: time="2024-10-20T11:48:54+08:00" level=info msg="Checking local image archives in /var/lib/rancher/rke2/agent/images for 11.0.2.132:5000/rancher/rke2-runtime:v1.30.5-rke2r1"
Oct 20 11:48:54 k8s-m3 rke2[628575]: time="2024-10-20T11:48:54+08:00" level=warning msg="Failed to load runtime image 11.0.2.132:5000/rancher/rke2-runtime:v1.30.5-rke2r1 from tarball: no local image available for 11.0.2.132:5000/rancher/rke>
Oct 20 11:48:54 k8s-m3 rke2[628575]: time="2024-10-20T11:48:54+08:00" level=info msg="Using private registry config file at /etc/rancher/rke2/registries.yaml"
Oct 20 11:48:54 k8s-m3 rke2[628575]: time="2024-10-20T11:48:54+08:00" level=info msg="Pulling runtime image 11.0.2.132:5000/rancher/rke2-runtime:v1.30.5-rke2r1"
Oct 20 11:48:54 k8s-m3 rke2[628575]: time="2024-10-20T11:48:54+08:00" level=warning msg="Failed to get image from endpoint: Get \"https://11.0.2.132:5000/v2/\": http: server gave HTTP response to HTTPS client"
Oct 20 11:48:54 k8s-m3 rke2[628575]: time="2024-10-20T11:48:54+08:00" level=fatal msg="failed to get runtime image 11.0.2.132:5000/rancher/rke2-runtime:v1.30.5-rke2r1: all endpoints failed: Get \"https://11.0.2.132:5000/v2/\": http: server >
Oct 20 11:48:54 k8s-m3 systemd[1]: rke2-server.service: Main process exited, code=exited, status=1/FAILURE

Then I changed /etc/rancher/rke2/config.yaml and removed system-default-registry: "11.0.2.132:5000".

mkdir -p /etc/rancher/rke2/
cat >/etc/rancher/rke2/config.yaml <<EOL
token: 123456
EOL
cat >/etc/rancher/rke2/registries.yaml<<EOL
mirrors:
  docker.io:
    endpoint:
      - "http://11.0.2.132:5000"
  11.0.2.132:
    endpoint:
      - "http://11.0.2.132:5000"
configs:
  "11.0.2.132:5000":
    tls:
      insecure_skip_verify: true
EOL

systemctl start rke2-server.service

It starts successfully and the RKE2 cluster is deployed successfully:

/var/lib/rancher/rke2/bin/kubectl  get pod -A
kube-system   cloud-controller-manager-k8s-m3                        1/1     Running     0          94s
kube-system   etcd-k8s-m3                                            1/1     Running     0          90s
kube-system   helm-install-rke2-canal-5sdx4                          0/1     Completed   0          80s
kube-system   helm-install-rke2-coredns-2hqmz                        0/1     Completed   0          80s
kube-system   helm-install-rke2-ingress-nginx-8twsr                  0/1     Completed   0          80s
kube-system   helm-install-rke2-metrics-server-rn8bp                 0/1     Completed   0          80s
kube-system   helm-install-rke2-snapshot-controller-crd-ngjjf        0/1     Completed   0          80s
kube-system   helm-install-rke2-snapshot-controller-zvrz5            0/1     Completed   0          80s
kube-system   helm-install-rke2-snapshot-validation-webhook-26llw    0/1     Completed   0          80s
kube-system   kube-apiserver-k8s-m3                                  1/1     Running     0          95s
kube-system   kube-controller-manager-k8s-m3                         1/1     Running     0          96s
kube-system   kube-proxy-k8s-m3                                      1/1     Running     0          89s
kube-system   kube-scheduler-k8s-m3                                  1/1     Running     0          96s
kube-system   rke2-canal-ff9xg                                       2/2     Running     0          76s
kube-system   rke2-coredns-rke2-coredns-7d8f866c78-mntp6             1/1     Running     0          77s
kube-system   rke2-coredns-rke2-coredns-autoscaler-75bc99ff8-m8xbp   1/1     Running     0          77s
kube-system   rke2-ingress-nginx-controller-vk2p9                    1/1     Running     0          42s
kube-system   rke2-metrics-server-77fd97b84-2p6p5                    1/1     Running     0          51s
kube-system   rke2-snapshot-controller-7dcf5d5b46-xfwrg              1/1     Running     0          50s
kube-system   rke2-snapshot-validation-webhook-bf7bbd6fc-9692p       1/1     Running     0          53s

But here is my question: why does running crictl pull from the command line access 11.0.2.132:5000 over HTTPS rather than HTTP? For example:

/var/lib/rancher/rke2/bin/crictl pull 11.0.2.132:5000/quay.io/jetstack/cert-manager-cainjector:v1.16.1
E1020 12:03:18.462538  638845 remote_image.go:180] "PullImage from image service failed" err="rpc error: code = Unknown desc = failed to pull and unpack image \"11.0.2.132:5000/quay.io/jetstack/cert-manager-cainjector:v1.16.1\": failed to resolve reference \"11.0.2.132:5000/quay.io/jetstack/cert-manager-cainjector:v1.16.1\": failed to do request: Head \"https://11.0.2.132:5000/v2/quay.io/jetstack/cert-manager-cainjector/manifests/v1.16.1\": http: server gave HTTP response to HTTPS client" image="11.0.2.132:5000/quay.io/jetstack/cert-manager-cainjector:v1.16.1"
FATA[0000] pulling image: failed to pull and unpack image "11.0.2.132:5000/quay.io/jetstack/cert-manager-cainjector:v1.16.1": failed to resolve reference "11.0.2.132:5000/quay.io/jetstack/cert-manager-cainjector:v1.16.1": failed to do request: Head "https://11.0.2.132:5000/v2/quay.io/jetstack/cert-manager-cainjector/manifests/v1.16.1": http: server gave HTTP response to HTTPS client
root@k8s-m3:~# cat /var/lib/rancher/rke2/agent/etc/containerd/config.toml
# File generated by rke2. DO NOT EDIT. Use config.toml.tmpl instead.
version = 2

[plugins."io.containerd.internal.v1.opt"]
  path = "/var/lib/rancher/rke2/agent/containerd"
[plugins."io.containerd.grpc.v1.cri"]
  stream_server_address = "127.0.0.1"
  stream_server_port = "10010"
  enable_selinux = false
  enable_unprivileged_ports = true
  enable_unprivileged_icmp = true
  sandbox_image = "index.docker.io/rancher/mirrored-pause:3.6"

[plugins."io.containerd.grpc.v1.cri".containerd]
  snapshotter = "overlayfs"
  disable_snapshot_annotations = true

[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
  runtime_type = "io.containerd.runc.v2"

[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
  SystemdCgroup = true

[plugins."io.containerd.grpc.v1.cri".registry]
  config_path = "/var/lib/rancher/rke2/agent/etc/containerd/certs.d"

root@k8s-m3:~# cat /var/lib/rancher/rke2/agent/etc/containerd/certs.d/docker.io/hosts.toml
# File generated by rke2. DO NOT EDIT.

server = "https://registry-1.docker.io/v2"
capabilities = ["pull", "resolve", "push"]


[host]
[host."http://11.0.2.132:5000/v2"]
  capabilities = ["pull", "resolve"]
  skip_verify = true

skip_verify = true is there, but why does crictl pull still use HTTPS instead of HTTP?

containerd's log:

cat /var/lib/rancher/rke2/agent/containerd/containerd.log | grep 11.0.2.132

time="2024-10-20T12:09:54.854016828+08:00" level=info msg="host will try HTTPS first since it is configured for HTTP with a TLS configuration, consider changing host to HTTPS or removing unused TLS configuration" host="11.0.2.132:5000"
time="2024-10-20T12:09:54.860286882+08:00" level=info msg="host will try HTTPS first since it is configured for HTTP with a TLS configuration, consider changing host to HTTPS or removing unused TLS configuration" host="11.0.2.132:5000"
time="2024-10-20T12:23:40.175514512+08:00" level=info msg="PullImage \"11.0.2.132:5000/quay.io/jetstack/cert-manager-cainjector:v1.16.1\""
time="2024-10-20T12:23:40.178225248+08:00" level=info msg="trying next host" error="failed to do request: Head \"https://11.0.2.132:5000/v2/quay.io/jetstack/cert-manager-cainjector/manifests/v1.16.1\": http: server gave HTTP response to HTTPS client" host="11.0.2.132:5000"
time="2024-10-20T12:23:40.179075980+08:00" level=error msg="PullImage \"11.0.2.132:5000/quay.io/jetstack/cert-manager-cainjector:v1.16.1\" failed" error="failed to pull and unpack image \"11.0.2.132:5000/quay.io/jetstack/cert-manager-cainjector:v1.16.1\": failed to resolve reference \"11.0.2.132:5000/quay.io/jetstack/cert-manager-cainjector:v1.16.1\": failed to do request: Head \"https://11.0.2.132:5000/v2/quay.io/jetstack/cert-manager-cainjector/manifests/v1.16.1\": http: server gave HTTP response to HTTPS client"
time="2024-10-20T12:23:40.179173263+08:00" level=info msg="stop pulling image 11.0.2.132:5000/quay.io/jetstack/cert-manager-cainjector:v1.16.1: active requests=0, bytes read=0"

I think your mapping is wrong; you can refer to: RKE2/K3S 镜像仓库的对应关系 - Ksd的博客 | KSD Blog (RKE2/K3S image registry mapping, KSD Blog)

After you changed the config and removed system-default-registry: "11.0.2.132:5000", images are pulled from docker.io by default, and your config happens to have an endpoint for docker.io, so the installation succeeded.

But in your first configuration, system-default-registry: "11.0.2.132:5000" had no matching endpoint in the rke2 config. You can try the following configuration instead:

mkdir -p /etc/rancher/rke2/
cat >/etc/rancher/rke2/config.yaml <<EOL
token: 123456
system-default-registry: "11.0.2.132:5000"
EOL
cat >/etc/rancher/rke2/registries.yaml<<EOL
mirrors:
  docker.io:
    endpoint:
      - "http://11.0.2.132:5000"
  11.0.2.132:5000:
    endpoint:
      - "http://11.0.2.132:5000"
configs:
  "11.0.2.132:5000":
    tls:
      insecure_skip_verify: true
EOL

Thank you very much for the reply~

With the new configuration the first problem no longer occurs; system-default-registry: "10.1.147.13:5000" does work now.
But crictl pull still has the earlier problem of going to HTTPS by default. Could you give me some more advice?

PS: I switched to a different set of network IPs.

root@k8s416-51:~/k8sdir# /var/lib/rancher/rke2/bin/crictl images

IMAGE                                                                       TAG                            IMAGE ID            SIZE
10.1.147.13:5000/rancher/hardened-calico                                    v3.28.1-build20240911          ff76eadb17450       204MB
10.1.147.13:5000/rancher/hardened-cluster-autoscaler                        v1.8.11-build20240910          3bf9ae903993c       12.1MB
10.1.147.13:5000/rancher/hardened-coredns                                   v1.11.1-build20240910          1ebdf98f6ac9e       23.7MB
10.1.147.13:5000/rancher/hardened-etcd                                      v3.5.13-k3s1-build20240910     19f8e656ed901       17.4MB
10.1.147.13:5000/rancher/hardened-flannel                                   v0.25.6-build20240910          c5b9d8599cc07       80.7MB
10.1.147.13:5000/rancher/hardened-k8s-metrics-server                        v0.7.1-build20240910           690ef3e34d41b       18.6MB
10.1.147.13:5000/rancher/hardened-kubernetes                                v1.30.5-rke2r1-build20240912   e0d7e579b2a76       172MB
10.1.147.13:5000/rancher/klipper-helm                                       v0.9.2-build20240828           1932cb543c3e4       72.2MB
10.1.147.13:5000/rancher/mirrored-ingress-nginx-kube-webhook-certgen        v1.4.1                         684c5ea3b61b2       23.9MB
10.1.147.13:5000/rancher/mirrored-pause                                     3.6                            6270bb605e12e       301kB
10.1.147.13:5000/rancher/mirrored-sig-storage-snapshot-controller           v6.2.1                         1ef6c138bd5f2       24.2MB
10.1.147.13:5000/rancher/mirrored-sig-storage-snapshot-validation-webhook   v6.2.2                         ff52c2bcf9f88       21.2MB
10.1.147.13:5000/rancher/nginx-ingress-controller                           v1.10.4-hardened3              c5e49f8eeb13e       294MB
10.1.147.13:5000/rancher/rke2-cloud-provider                                v1.30.4-build20240910          30f3b57184265       20.9MB
10.1.147.13:5000/rancher/rke2-runtime                                       v1.30.5-rke2r1                 a3ed8cad327b0       108MB

root@k8s416-51:~/k8sdir# /var/lib/rancher/rke2/bin/crictl pull 10.1.147.13:5000/jetstack/cert-manager-cainjector:v1.16.1

E1021 09:08:43.625596  774576 remote_image.go:180] "PullImage from image service failed" err="rpc error: code = Unknown desc = failed to pull and unpack image \"10.1.147.13:5000/jetstack/cert-manager-cainjector:v1.16.1\": failed to resolve reference \"10.1.147.13:5000/jetstack/cert-manager-cainjector:v1.16.1\": failed to do request: Head \"https://10.1.147.13:5000/v2/jetstack/cert-manager-cainjector/manifests/v1.16.1\": http: server gave HTTP response to HTTPS client" image="10.1.147.13:5000/jetstack/cert-manager-cainjector:v1.16.1"
FATA[0000] pulling image: failed to pull and unpack image "10.1.147.13:5000/jetstack/cert-manager-cainjector:v1.16.1": failed to resolve reference "10.1.147.13:5000/jetstack/cert-manager-cainjector:v1.16.1": failed to do request: Head "https://10.1.147.13:5000/v2/jetstack/cert-manager-cainjector/manifests/v1.16.1": http: server gave HTTP response to HTTPS client 

Is the following abnormal? Is there something wrong with my Nexus setup...

root@k8s416-51:~/k8sdir# /var/lib/rancher/rke2/bin/crictl pull 10.1.147.13:5000/rancher/klipper-helm:v0.9.2-build20240828

Image is up to date for sha256:1932cb543c3e40611e241cfd6af0bd949d3e37fdaf8e6518dc90127412cc7c10

root@k8s416-51:~/k8sdir# /var/lib/rancher/rke2/bin/crictl pull 10.1.147.13:5000/jetstack/cert-manager-cainjector:v1.16.1

E1021 09:17:39.812199  785834 remote_image.go:180] "PullImage from image service failed" err="rpc error: code = Unknown desc = failed to pull and unpack image \"10.1.147.13:5000/jetstack/cert-manager-cainjector:v1.16.1\": failed to resolve reference \"10.1.147.13:5000/jetstack/cert-manager-cainjector:v1.16.1\": failed to do request: Head \"https://10.1.147.13:5000/v2/jetstack/cert-manager-cainjector/manifests/v1.16.1\": http: server gave HTTP response to HTTPS client" image="10.1.147.13:5000/jetstack/cert-manager-cainjector:v1.16.1"
FATA[0000] pulling image: failed to pull and unpack image "10.1.147.13:5000/jetstack/cert-manager-cainjector:v1.16.1": failed to resolve reference "10.1.147.13:5000/jetstack/cert-manager-cainjector:v1.16.1": failed to do request: Head "https://10.1.147.13:5000/v2/jetstack/cert-manager-cainjector/manifests/v1.16.1": http: server gave HTTP response to HTTPS client 

Even so, helm install cert-manager still succeeded, but the images did not go through the private proxy...
helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true
I keep feeling that I am still missing something...

cat /var/lib/rancher/rke2/agent/containerd/containerd.log

time="2024-10-21T09:32:29.852304170+08:00" level=info msg="Pulled image \"quay.io/jetstack/cert-manager-startupapicheck:v1.16.1\" with image id \"sha256:c2d4b358f188d26ecff74a0e4a5ca20f391b5c526ecbd42534495e9efd940477\", repo tag \"quay.io/jetstack/cert-manager-startupapicheck:v1.16.1\", repo digest \"quay.io/jetstack/cert-manager-startupapicheck@sha256:b4a5e42f6dbfb0d7dbb9366b4cb437a59a7616f6c5e67c76fa3641cadbe0c958\", size \"14095526\" in 1m39.756468297s"
time="2024-10-21T09:32:29.852344850+08:00" level=info msg="PullImage \"quay.io/jetstack/cert-manager-startupapicheck:v1.16.1\" returns image reference \"sha256:c2d4b358f188d26ecff74a0e4a5ca20f391b5c526ecbd42534495e9efd940477\""
time="2024-10-21T09:32:29.854076382+08:00" level=info msg="CreateContainer within sandbox \"1697a449e817d2686a9b2a0daaadb1b7f289de99552503b32bf84a27f2e86da3\" for container &ContainerMetadata{Name:cert-manager-startupapicheck,Attempt:0,}"
time="2024-10-21T09:32:30.036327605+08:00" level=info msg="StartContainer for \"72b4e2566d1994196dc7574186e5e4492bb89ab0c4708b17d72be81687e39404\" returns successfully"
time="2024-10-21T09:32:30.622617975+08:00" level=info msg="CreateContainer within sandbox \"1697a449e817d2686a9b2a0daaadb1b7f289de99552503b32bf84a27f2e86da3\" for &ContainerMetadata{Name:cert-manager-startupapicheck,Attempt:0,} returns container id \"93404d3edc8977aa04826b2414025b40efd94311d82c0739d5e3ff5f69833766\""
time="2024-10-21T09:32:30.623279405+08:00" level=info msg="StartContainer for \"93404d3edc8977aa04826b2414025b40efd94311d82c0739d5e3ff5f69833766\""
time="2024-10-21T09:32:30.855641014+08:00" level=info msg="StartContainer for \"93404d3edc8977aa04826b2414025b40efd94311d82c0739d5e3ff5f69833766\" returns successfully"
time="2024-10-21T09:32:32.601457319+08:00" level=info msg="ImageCreate event name:\"quay.io/jetstack/cert-manager-webhook:v1.16.1\" labels:{key:\"io.cri-containerd.image\" value:\"managed\"}"
time="2024-10-21T09:32:32.651424538+08:00" level=info msg="stop pulling image quay.io/jetstack/cert-manager-webhook:v1.16.1: active requests=0, bytes read=18221912"
time="2024-10-21T09:32:32.710194899+08:00" level=info msg="ImageCreate event name:\"sha256:c5c110afda0f72825dd43604e5b8e3d7c8b1e32133163fa8116cf9c7b9d7594e\" labels:{key:\"io.cri-containerd.image\" value:\"managed\"}"
time="2024-10-21T09:32:32.777532544+08:00" level=info msg="ImageCreate event name:\"quay.io/jetstack/cert-manager-webhook@sha256:6edf44244b2a711be737c4ab8e54e68d9112cc4e87da2ef97a7f76b768f4fde7\" labels:{key:\"io.cri-containerd.image\" value:\"managed\"}"
time="2024-10-21T09:32:32.779431407+08:00" level=info msg="Pulled image \"quay.io/jetstack/cert-manager-webhook:v1.16.1\" with image id \"sha256:c5c110afda0f72825dd43604e5b8e3d7c8b1e32133163fa8116cf9c7b9d7594e\", repo tag \"quay.io/jetstack/cert-manager-webhook:v1.16.1\", repo digest \"quay.io/jetstack/cert-manager-webhook@sha256:6edf44244b2a711be737c4ab8e54e68d9112cc4e87da2ef97a7f76b768f4fde7\", size \"18192443\" in 1m44.047923761s"

/var/lib/rancher/rke2/bin/crictl images

IMAGE                                                                       TAG                            IMAGE ID            SIZE
10.1.147.13:5000/rancher/hardened-calico                                    v3.28.1-build20240911          ff76eadb17450       204MB
10.1.147.13:5000/rancher/hardened-cluster-autoscaler                        v1.8.11-build20240910          3bf9ae903993c       12.1MB
10.1.147.13:5000/rancher/hardened-coredns                                   v1.11.1-build20240910          1ebdf98f6ac9e       23.7MB
10.1.147.13:5000/rancher/hardened-etcd                                      v3.5.13-k3s1-build20240910     19f8e656ed901       17.4MB
10.1.147.13:5000/rancher/hardened-flannel                                   v0.25.6-build20240910          c5b9d8599cc07       80.7MB
10.1.147.13:5000/rancher/hardened-k8s-metrics-server                        v0.7.1-build20240910           690ef3e34d41b       18.6MB
10.1.147.13:5000/rancher/hardened-kubernetes                                v1.30.5-rke2r1-build20240912   e0d7e579b2a76       172MB
10.1.147.13:5000/rancher/klipper-helm                                       v0.9.2-build20240828           1932cb543c3e4       72.2MB
10.1.147.13:5000/rancher/mirrored-ingress-nginx-kube-webhook-certgen        v1.4.1                         684c5ea3b61b2       23.9MB
10.1.147.13:5000/rancher/mirrored-pause                                     3.6                            6270bb605e12e       301kB
10.1.147.13:5000/rancher/mirrored-sig-storage-snapshot-controller           v6.2.1                         1ef6c138bd5f2       24.2MB
10.1.147.13:5000/rancher/mirrored-sig-storage-snapshot-validation-webhook   v6.2.2                         ff52c2bcf9f88       21.2MB
10.1.147.13:5000/rancher/nginx-ingress-controller                           v1.10.4-hardened3              c5e49f8eeb13e       294MB
10.1.147.13:5000/rancher/rke2-cloud-provider                                v1.30.4-build20240910          30f3b57184265       20.9MB
10.1.147.13:5000/rancher/rke2-runtime                                       v1.30.5-rke2r1                 a3ed8cad327b0       108MB
quay.io/jetstack/cert-manager-cainjector                                    v1.16.1                        94b6cc26be635       15.4MB
quay.io/jetstack/cert-manager-controller                                    v1.16.1                        ef702517cc982       21.2MB
quay.io/jetstack/cert-manager-startupapicheck                               v1.16.1                        c2d4b358f188d       14.1MB
quay.io/jetstack/cert-manager-webhook                                       v1.16.1                        c5c110afda0f7       18.2MB

That is certain, because system-default-registry only changes the images that rke2 itself needs to the value you set; it does not affect the image registry of the business or other software you install on top. In other words, installing with that helm command has nothing to do with the system-default-registry setting, so it still pulls from the default quay.io registry.

As for this issue: since you can pull images from the rancher repository, the configuration is fine. The jetstack image failing to pull is most likely because your registry does not have that image; after the pull over http fails, it falls back to https by default.
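Added example (not code from this thread, from RKE2 or from containerd): a small Python checker for the two registries.yaml pitfalls discussed above, the mirror key that must equal system-default-registry exactly (host:port), and the configs.<host>.tls block on a plain-http endpoint that makes containerd log "host will try HTTPS first since it is configured for HTTP with a TLS configuration". It works on the parsed form of registries.yaml (the dict that yaml.safe_load would return, constructed inline here from the thread's first config so that no PyYAML is needed) and also produces a copy with the unused tls block removed, which is what containerd's own message suggests. The finding codes and function names are chosen for this example.

```python
from urllib.parse import urlparse

# Constructed sample input: the first registries.yaml posted in this thread, in
# the parsed form that yaml.safe_load(open("registries.yaml")) would return.
FIRST_REGISTRIES = {
    "mirrors": {
        "docker.io": {"endpoint": ["http://11.0.2.132:5000"]},
        "11.0.2.132": {"endpoint": ["http://11.0.2.132:5000"]},
    },
    "configs": {"11.0.2.132:5000": {"tls": {"insecure_skip_verify": True}}},
}
FIRST_DEFAULT_REGISTRY = "11.0.2.132:5000"  # system-default-registry in config.yaml


def schemes_by_host(registries):
    """Map each endpoint host:port to the set of URL schemes used to reach it."""
    schemes = {}
    for mirror in (registries.get("mirrors") or {}).values():
        for endpoint in mirror.get("endpoint") or []:
            url = urlparse(endpoint)
            schemes.setdefault(url.netloc, set()).add(url.scheme)
    return schemes


def lint_registries(registries, system_default_registry=None):
    """Return a list of (code, host) findings; an empty list means nothing found.
    The codes are names chosen for this example, not RKE2 or containerd terms."""
    findings = []
    mirrors = registries.get("mirrors") or {}
    configs = registries.get("configs") or {}

    # 1. The mirror key has to equal system-default-registry exactly, port
    #    included: "11.0.2.132" is not a mirror for "11.0.2.132:5000", so
    #    containerd ends up contacting the registry directly.
    if system_default_registry and system_default_registry not in mirrors:
        findings.append(("NO_MIRROR_FOR_DEFAULT_REGISTRY", system_default_registry))

    for host, schemes in sorted(schemes_by_host(registries).items()):
        if "http" not in schemes:
            continue
        # 2. http:// endpoint plus a configs.<host>.tls block: containerd logs
        #    "host will try HTTPS first since it is configured for HTTP with a
        #    TLS configuration" and attempts HTTPS first.
        if "tls" in (configs.get(host) or {}):
            findings.append(("TLS_CONFIG_ON_HTTP_ENDPOINT", host))
        # 3. Plain HTTP means pulls are neither encrypted nor server-
        #    authenticated, so image content can be altered on the path.
        #    Reported so the choice is a conscious one even on a lab network.
        findings.append(("PLAIN_HTTP_ENDPOINT", host))
    return findings


def drop_unused_tls(registries):
    """Return a copy of the config with configs.<host>.tls removed for hosts
    that are only ever reached over http://, as containerd's message suggests."""
    http_only = {h for h, s in schemes_by_host(registries).items() if s == {"http"}}
    fixed = {"mirrors": dict(registries.get("mirrors") or {}), "configs": {}}
    for host, cfg in (registries.get("configs") or {}).items():
        cfg = dict(cfg)
        if host in http_only:
            cfg.pop("tls", None)
        if cfg:  # keep the entry only if something else (e.g. auth) remains
            fixed["configs"][host] = cfg
    return fixed


if __name__ == "__main__":
    for code, host in lint_registries(FIRST_REGISTRIES, FIRST_DEFAULT_REGISTRY):
        print(f"{code}: {host}")
    print(drop_unused_tls(FIRST_REGISTRIES))
```

Run against the thread's first config it reports all three findings; against the corrected config from the reply (mirror key "11.0.2.132:5000") the mapping finding disappears, and drop_unused_tls removes the insecure_skip_verify block that makes containerd try HTTPS first while leaving tls settings alone for any host that is also reached over https://.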

Thanks for the reply~

Thanks for the reminder~ I just realized jetstack/cert-manager-cainjector is not on Docker Hub; adding quay.io to Nexus solved it.
I also modified /etc/rancher/rke2/registries.yaml to add quay.io:

mkdir -p /etc/rancher/rke2/
cat >/etc/rancher/rke2/config.yaml <<EOL
token: 123456
system-default-registry: "10.1.147.13:5000"
EOL
cat >/etc/rancher/rke2/registries.yaml<<EOL
mirrors:
  docker.io:
    endpoint:
      - "http://10.1.147.13:5000"
  quay.io:
    endpoint:
      - "http://10.1.147.13:5000"
  gcr.io:
    endpoint:
      - "http://10.1.147.13:5000"
  10.1.147.13:5000:
    endpoint:
      - "http://10.1.147.13:5000"
configs:
  "10.1.147.13:5000":
    tls:
      insecure_skip_verify: true
EOL

Using a HelmChart also worked, many thanks!!!!

apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: cert-manager
  namespace: kube-system
spec:
  insecureSkipTLSVerify: true
  chart: cert-manager
  targetNamespace: cert-manager
  set:
    installCRDs: "true"  # enable CRD installation
  repo: http://charts.jetstack.io

Finally succeeded, many thanks~
One more small question: is there somewhere I can set things so that the prefix of rke2's own private image registry is removed? Or have I mixed something up again?

PS: I determined that pulls go through the Nexus Docker proxy by seeing that, after cert-manager and metallb were deployed in k8s, the related images showed up in Nexus. And crictl pull from Quay also no longer has the HTTPS-type problem.

/var/lib/rancher/rke2/bin/crictl images

IMAGE                                                                       TAG                            IMAGE ID            SIZE
10.1.147.13:5000/rancher/hardened-calico                                    v3.28.1-build20240911          ff76eadb17450       204MB
10.1.147.13:5000/rancher/hardened-cluster-autoscaler                        v1.8.11-build20240910          3bf9ae903993c       12.1MB
10.1.147.13:5000/rancher/hardened-coredns                                   v1.11.1-build20240910          1ebdf98f6ac9e       23.7MB
10.1.147.13:5000/rancher/hardened-etcd                                      v3.5.13-k3s1-build20240910     19f8e656ed901       17.4MB
10.1.147.13:5000/rancher/hardened-flannel                                   v0.25.6-build20240910          c5b9d8599cc07       80.7MB
10.1.147.13:5000/rancher/hardened-k8s-metrics-server                        v0.7.1-build20240910           690ef3e34d41b       18.6MB
10.1.147.13:5000/rancher/hardened-kubernetes                                v1.30.5-rke2r1-build20240912   e0d7e579b2a76       172MB
10.1.147.13:5000/rancher/klipper-helm                                       v0.9.2-build20240828           1932cb543c3e4       72.2MB
10.1.147.13:5000/rancher/mirrored-ingress-nginx-kube-webhook-certgen        v1.4.1                         684c5ea3b61b2       23.9MB
10.1.147.13:5000/rancher/mirrored-pause                                     3.6                            6270bb605e12e       301kB
10.1.147.13:5000/rancher/mirrored-sig-storage-snapshot-controller           v6.2.1                         1ef6c138bd5f2       24.2MB
10.1.147.13:5000/rancher/mirrored-sig-storage-snapshot-validation-webhook   v6.2.2                         ff52c2bcf9f88       21.2MB
10.1.147.13:5000/rancher/nginx-ingress-controller                           v1.10.4-hardened3              c5e49f8eeb13e       294MB
10.1.147.13:5000/rancher/rke2-cloud-provider                                v1.30.4-build20240910          30f3b57184265       20.9MB
10.1.147.13:5000/rancher/rke2-runtime                                       v1.30.5-rke2r1                 a3ed8cad327b0       108MB
quay.io/frrouting/frr                                                       9.1.0                          e81800e2198ce       80.3MB
quay.io/jetstack/cert-manager-cainjector                                    v1.16.1                        94b6cc26be635       15.4MB
quay.io/jetstack/cert-manager-controller                                    v1.16.1                        ef702517cc982       21.2MB
quay.io/jetstack/cert-manager-startupapicheck                               v1.16.1                        c2d4b358f188d       14.1MB
quay.io/jetstack/cert-manager-webhook                                       v1.16.1                        c5c110afda0f7       18.2MB
quay.io/metallb/controller                                                  v0.14.8                        eabbe97a78eeb       27.5MB
quay.io/metallb/speaker                                                     v0.14.8                        50d3d2d1712d7       53.1MB

Could you describe it in more detail? I didn't understand, sorry.

10.1.147.13:5000/rancher/mirrored-sig-storage-snapshot-validation-webhook   v6.2.2                         ff52c2bcf9f88       21.2MB
10.1.147.13:5000/rancher/nginx-ingress-controller                           v1.10.4-hardened3              c5e49f8eeb13e       294MB
10.1.147.13:5000/rancher/rke2-cloud-provider                                v1.30.4-build20240910          30f3b57184265       20.9MB
10.1.147.13:5000/rancher/rke2-runtime                                       v1.30.5-rke2r1                 a3ed8cad327b0       108MB
quay.io/frrouting/frr                                                       9.1.0                          e81800e2198ce       80.3MB
quay.io/jetstack/cert-manager-cainjector                                    v1.16.1                        94b6cc26be635       15.4MB
quay.io/jetstack/cert-manager-controller                                    v1.16.1                        ef702517cc982       21.2MB
quay.io/jetstack/cert-manager-startupapicheck                               v1.16.1                        c2d4b358f188d       14.1MB
quay.io/jetstack/cert-manager-webhook                                       v1.16.1                        c5c110afda0f7       18.2MB
quay.io/metallb/controller   

rancher/mirrored-sig-storage-snapshot-validation-webhook has 10.1.147.13:5000 in front of it, but jetstack/cert-manager-cainjector only has quay.io in front.
Do you know why? I'd like to make them consistent... haha

That's not possible: whatever image name is written is the image name that ends up being pulled.

Alternatively you can look at image rewriting and see whether it meets your needs; see: 深入理解 RKE2 镜像重写:从配置到实际应用 - Ksd的博客 | KSD Blog (Understanding RKE2 image rewriting in depth: from configuration to practical use, KSD Blog)
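Added illustration (not configuration from this thread): the `rewrite` form the reply refers to, as documented for the rke2/k3s registries.yaml. It rewrites the repository path that containerd requests from the mirror endpoint; it does not change how the image is named on the node, so `crictl images` still lists `quay.io/jetstack/...`. The `quay-proxy/` path prefix is a placeholder for whatever repository path the Nexus proxy actually exposes, and the endpoint is the one used in the thread.

```yaml
mirrors:
  quay.io:
    endpoint:
      - "http://10.1.147.13:5000"
    rewrite:
      # Request quay.io/jetstack/<name> from the mirror as quay-proxy/jetstack/<name>.
      # "quay-proxy" is a placeholder path, not the Nexus layout from this thread.
      "^jetstack/(.*)": "quay-proxy/jetstack/$1"
configs:
  "10.1.147.13:5000":
    tls:
      insecure_skip_verify: true
```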

Thanks for the reply~

One more question: before deploying rke2, are disabling swap and the settings below still required?

# Enable IPv4 forwarding
net.ipv4.ip_forward = 1
# Allow bridged network traffic to be filtered by iptables
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1

Looking at the official rke2 docs, they seem to mention only the hostname. Thanks~