This message was deleted.

Update: connecting to a node and checking /etc/rancher/rke2/registries.yaml

{"configs":{"harbor-registry":{"auth":null,"tls":{"ca_file":"","cert_file":"","key_file":"","insecure_skip_verify":true}}},"mirrors":null}

-> insecure_skip_verify is true the regarding image is available, no auth required. pulling from outside the cluster works. curl from a rke2 node with "--insecure" works.

We ran into something similar a few weeks ago when a department that uses a downstream Rancher cluster deployed a private registry within it. The solution was to add the cert to the trust store on the underlying hosts (Ubuntu 22.04 on VMWare ESX, in our case). This was just for short-term use, as the department is moving to a cloud-hosted registry, but needed an interim solution for testing. An example of a scalable approach for adding the certs to the trust store is outlined in step 1 of this blog post (of note, we did not do this, but would look at a similar approach for long-term needs): https://www.linuxtechi.com/setup-private-docker-registry-kubernetes/ And, the underlying reason for having to do this appears to be a current limitation of containerd, which may be resolved in a 2.x release. More details here: https://stackoverflow.com/questions/53545732/how-do-i-access-a-private-docker-registry-with-a-self-signed-certificate-using-k/72216347#72216347

Is your image literally at

harbor-registry/repo/image:tag

?

Hello! Thanks for your replies! docker pull harbor-registry.domain.tld/project/repository:latest -> works deploying the app from this repository via ArgoCD to Openshift works. Our harbor