All Products
Search
Document Center

Use self-managed image repositories

Last Updated: May 19, 2022

When you use an image in a self-managed image repository to create an elastic container instance, the image may fail to be pulled due to different protocols used by the elastic container instance and the image repository or due to certificate authentication failures. This topic describes how to use an image in a self-managed image repository to create an elastic container instance in scenarios where the self-managed image repository uses the HTTP protocol and a self-signed certificate.

Background information

When you use an image in a self-managed image repository to create an elastic container instance, an alert event named ErrImagePull may be triggered, and the image cannot be pulled.

If the network connectivity between the elastic container instance and the image repository is normal, this issue may occur due to the following causes:

  • The self-managed image repository uses the HTTP protocol.

    However, elastic container instances use the HTTPS protocol to pull images by default. When you create an elastic container instance, you must manually configure the instance to use the HTTP protocol to interact with the image repository.

  • The self-managed image repository uses the HTTPS protocol but uses a self-signed certificate.

    If the image repository uses a self-signed certificate, the certificate authentication fails when you pull images. Therefore, when you create an elastic container instance, you must make configurations to skip the certificate authentication.

Configurations

If a self-managed image repository uses the HTTP protocol or a self-signed certificate when you use an image in the image repository to create an elastic container instance, you must configure annotations to prevent image full failures. The following table describes the annotations:

Annotation

Example

Description

k8s.aliyun.com/plain-http-registry

"harbor***.pre.com,192.168.XX.XX:5000,reg***.test.com:80"

Set the value to the IP address of the self-managed image repository.

When you create an elastic container instance by using an image in an self-managed image repository that uses the HTTP protocol, you must specify this parameter for the instance to use the HTTPS protocol to pull the image. This can prevent the image pull failure caused by different protocols.

k8s.aliyun.com/insecure-registry

"harbor***.pre.com,192.168.XX.XX:5000,reg***.test.com:80"

Set the value to the IP address of the self-managed image repository.

When you create an elastic container instance by using an image in an self-managed image repository that uses a self-signed certificate, you must specify this parameter to skip the certificate authentication. This can prevent the image pull failure due to certificate authentication failures.

Note

  • If you want to pull images of multiple containers from different image repositories, you can specify multiple IP addresses of image repositories. Separate multiple IP addresses with commas (,). Example: harbor***.pre.com,192.168.XX.XX.

  • If the image repository IP address contains a port number, you must specify the IP address with its port number. For example, if the image repository IP address is 192.168.XX.XX:5000/nginx:latest, set the value of the annotation to 192.168.XX.XX:5000.

Add annotations to metadata of the pod. For example, when you configure a deployment, add annotations in the spec.template.metadata section. Sample configurations:

  • A self-managed image repository uses the HTTP protocol.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: nginx
      labels:
        app: nginx
    spec:
      replicas: 4
      selector:
        matchLabels:
          app: nginx
      template:
        metadata:
          name: nginx-test
          annotations:
            k8s.aliyun.com/plain-http-registry: "192.168.XX.XX:5000"
          labels:
            app: nginx
            alibabacloud.com/eci: "true" 
        spec:
          containers:
          - name: nginx
            image: 192.168.XX.XX:5000/test/nginx:latest
  • A self-managed image repository uses a self-signed certificate.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: nginx
      labels:
        app: nginx
    spec:
      replicas: 4
      selector:
        matchLabels:
          app: nginx
      template:
        metadata:
          name: nginx-test
          annotations:
            k8s.aliyun.com/insecure-registry: "harbor***.pre.com"
          labels:
            app: nginx
            alibabacloud.com/eci: "true" 
        spec:
          containers:
          - name: nginx
            image: harbor***.pre.com/test/nginx:latest