I have tried to deploy a Docker-Registry in a Kubernetes Cluster using Traefik as Ingress-Controller. On the way I found out that Traefik blocks non GET Requests by default. So I have added a Middleware to let non GET Requests as well trought.
The Middleware to let the requests trought
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: reg-methods
spec:
headers:
accessControlAllowMethods:
- "GET"
- "PUT"
- "POST"
- "PATCH"
- "HEAD"
- "DELETE"
- "OPTIONS"
The Ingress Controller
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: registry-ingress
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
traefik.ingress.kubernetes.io/auth-type: basic
traefik.ingress.kubernetes.io/proxy-body-size: "0"
traefik.ingress.kubernetes.io/buffering: "off"
traefik.ingress.kubernetes.io/router.middlewares: default-reg-methods@kubernetescrd
spec:
rules:
- host: registry.my.domain
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: registry-service
port:
name: registry-port
So I have tried to send POST and PATCH Requests to the Registry and it works. So I have gone on a Docker client Tagged an image with the registry name. Made a Docker Login, which worked fine as well. A check in the Browser if i can display the registrys repository worked as well. But when I try to push the tagged image, the reqeusts alsways get answered by traefik, instead of forwarding them to the Container in the Cluster.
Logs when doing a Docker Login
172.16.225.8 - - [19/Mar/2023:15:05:39 +0000] "GET /v2/ HTTP/1.1" - - "-" "-" 2680 "-" "-" 0ms
172.16.225.8 - - [19/Mar/2023:15:05:39 +0000] "GET /v2/ HTTP/1.1" - - "-" "-" 2681 "-" "-" 0ms
172.16.225.8 - - [19/Mar/2023:15:05:40 +0000] "GET /v2/ HTTP/1.1" 401 87 "-" "-" 2682 "default-registry-ingress-registry-my-domain@kubernetes" "http://192.168.138.205:5000" 7ms
172.16.225.8 - - [19/Mar/2023:15:05:40 +0000] "GET /v2/ HTTP/1.1" 200 2 "-" "-" 2683 "default-registry-ingress-registry-my-domain@kubernetes" "http://192.168.138.205:5000" 16ms
Logs when pushing the image
172.16.225.8 - - [19/Mar/2023:15:05:50 +0000] "GET /v2/ HTTP/1.1" - - "-" "-" 2688 "-" "-" 0ms
172.16.225.8 - - [19/Mar/2023:15:05:51 +0000] "HEAD /v2/pg/postgres/blobs/sha256:3e290cb732cdbd2d83459c0e06d4bdf152f5372ab9493c7f52170dce457a5636 HTTP/1.1" - - "-" "-" 2689 "-" "-" 0ms
172.16.225.8 - - [19/Mar/2023:15:05:51 +0000] "HEAD /v2/pg/postgres/blobs/sha256:a6e09efc43e8ce56effd722e9f03250c8269ece949c2736b27d38e0f696bb047 HTTP/1.1" - - "-" "-" 2690 "-" "-" 1ms
I have also tried to use IngressRoute from Traefik, but it has the same result. How can I solve that problem, to forward the requests to the Container?
The Docker registry pushes the image via 443 and that's why the requests get blocked. Also port 443 has to be exposed via the ingress class, in order to be able to push images.