Can not pull docker image from private repo when using Minikube

I am attempting to use Minikube for local Kubernetes development. I have set up my Docker environment to use the Docker daemon running in the provided Minikube VM (boot2docker) as suggested:

eval $(minikube docker-env)

It sets up these environment variables:

export DOCKER_TLS_VERIFY="1"
export DOCKER_HOST="tcp://"
export DOCKER_CERT_PATH="/home/jasonwhite/.minikube/certs"

When I attempt to pull an image from our private docker repository:

docker pull

I get this error:

Error response from daemon: Get x509: certificate signed by unknown authority

It appears I need to add a trusted ca root certificate somehow, but have been unsuccessful so far in my attempts.

I can hit the repository fine with curl using our ca root cert:

curl --cacert /etc/ssl/ca/ca.pem

5 Solutions collected from the web for “Can not pull docker image from private repo when using Minikube”

    I came up with a work-around for the situation with suggestions from these sources:

    I logged into the Minikube VM (minikube ssh), and edited the /usr/local/etc/ssl/certs/ca-certificates.crt file by appending my own ca cert.

    I then restarted the docker daemon while still within the VM: sudo /etc/init.d/docker restart

    This is not very elegant in that if I restart the Minikube VM, I need to repeat these manual steps each time.

    As an alternative, I also attempted to set the --insecure-registry option in the DOCKER_OPTS environment variable (restarted docker), but this didn’t work for me.

    For an HTTP registry, these steps work for me:

    1) minikube ssh

    2) edit /var/lib/boot2docker/profile and add to $EXTRA_ARGS --insecure-registry

    3) restart the docker daemon sudo /etc/init.d/docker restart

    The Kubernetes documentation on this is pretty good.

    Depending on where your private docker repository is hosted, the solution will look a bit different. The documentation explains how to handle each type of repository.

    If you want an automated approach to handle this authentication, you will want to use a Kubernetes secret and specify the imagePullSecrets for your Pod.

    Sounds like your question has more to do with Docker than Kubernetes. The Docker CLI supports a number of TLS-related options. Since you already have the CA cert, something like this should work:

    docker --tlsverify --tlscacert=/etc/ssl/ca/ca.pem pull

    I’ve been unable to find any way to get the cert into the minikube VM. But, minikube has a command line parameter to pass in an insecure-registry.

    minikube start --insecure-registry=<HOST>:5000 

    Then to configure authentication on the registry, create a secret.

    kubectl create secret docker-registry tp-registry --docker-server=<REGISTRY>:5000 --docker-username=<USERNAME> --docker-password=<PASSWORD> --docker-email=<EMAIL> --insecure-skip-tls-verify=true

    Add the secret to the default service account as described in the Kubernetes docs.
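
As an added example (not part of any answer above, and not Docker or Minikube project code): instead of turning verification off with `--insecure-registry`, the CA can be trusted for a single registry, because the Docker daemon reads `certs.d/<host:port>/ca.crt` for each registry it contacts. The function name, exit codes and default root are assumptions of this example, and its checks are structural only.

```shell
#!/bin/sh
# Added example, not from the thread: trust a private CA for ONE registry
# rather than disabling verification with --insecure-registry.
# The Docker daemon looks for <certs root>/<host:port>/ca.crt per registry.
# Function name, exit codes and default root are assumptions of this example.

install_registry_ca() {
    ca_file=$1                            # PEM file with the CA certificate(s)
    registry=$2                           # host[:port] exactly as used in image names
    certs_root=${3:-/etc/docker/certs.d}  # where the daemon looks for per-registry CAs

    if [ -z "$ca_file" ] || [ -z "$registry" ]; then
        echo "usage: install_registry_ca CA_PEM HOST[:PORT] [CERTS_ROOT]" >&2
        return 2
    fi

    # The registry name becomes a directory name, so reject anything that
    # could escape certs_root or be read as an option.
    case $registry in
        *..*|-*|*[!A-Za-z0-9.:_-]*)
            echo "refusing registry name: $registry" >&2; return 3 ;;
    esac

    [ -r "$ca_file" ] || { echo "cannot read $ca_file" >&2; return 4; }

    # A trust anchor is public data; a bundle carrying a key is a mistake.
    if grep -q 'PRIVATE KEY' "$ca_file"; then
        echo "refusing $ca_file: contains private key material" >&2; return 5
    fi

    # Structural check only: at least one certificate, markers balanced.
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$ca_file" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----' "$ca_file" || true)
    if [ "$begins" -lt 1 ] || [ "$begins" -ne "$ends" ]; then
        echo "refusing $ca_file: not a well-formed PEM certificate bundle" >&2; return 6
    fi

    dest=$certs_root/$registry
    mkdir -p "$dest" && cp "$ca_file" "$dest/ca.crt" && chmod 0644 "$dest/ca.crt" || return 7

    # Print the SHA-256 of the installed file for out-of-band comparison.
    sha256sum "$dest/ca.crt" | cut -d' ' -f1
}

# Usage (run where the Docker daemon runs, e.g. after `minikube ssh`):
#   install_registry_ca /etc/ssl/ca/ca.pem <HOST>:5000
```

Other registries keep normal verification because the directory is scoped to one `host:port`. Inside the Minikube VM the file may need to be reapplied after a restart, as the first answer notes for its own edit.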
