I have a nice build machine and would like to push images from it into a registry:2 service running on a docker 1.13 swarm but I’m getting the ‘server gave HTTP response to HTTPS client’ error. Perhaps just TLS setup, but I’m not sure how to go about fixing this. Any help appreciated. I don’t want to run an insecure registry since this will eventually span networks.
Perhaps someone can tell me where this error is coming from? I see an awful lot of posts mentioning this symptom but none seem to have a precise definition of the cause. They often seem to decide to run the registry insecurely… which is probably not a good outcome. A diagram showing which nodes are communicating would be nice. It’s mentioning http, which suggests that communication with the registry service is occurring, but the registry running on that specific worker node cannot set up TLS properly. I’ve seen previous versions of the documentation which set up TLS key/certificate files on a specific node, but I’m not sure that it will work in this case since the node running the service is allocated dynamically by swarm. Any help appreciated!
I did a little more hunting. From what I can gather, the Docker documentation does not cover running registry:2 as an externally-accessible service in swarm mode. It may not be supported. Some blogs do have examples which run it as a service but they push/pull from within the swarm. I can do this too, in a pinch.
I assume that the error message arises because the swarm is routing the docker push request to a task running on a swarm node and the task is requiring https. The old approach was to pass environment variables to a ‘docker run’ or mark the registry as insecure in the daemon settings but neither approach seems clean in a swarm setting. Perhaps someone knows of a better way… it’s not a blocker for me in any case.
I think the docker 1.13 secret support could be leveraged for this, though the TLS files in question aren’t actually secrets. I’m not sure if the registry service would twig to the environment variables pointing to the TLS files, though. I haven’t come across a blog post attempting it yet, though. Has anyone tried?
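Added example (not part of the original posts): Go's HTTP client, which the Docker daemon uses for registry traffic, reports "server gave HTTP response to HTTPS client" when the reply to its TLS ClientHello begins with the bytes `HTTP/`. The probe below reproduces that check against any host and port so you can see whether the published registry port is answering in plaintext. The function names are illustrative, and the host and port are whatever your registry service publishes.

```python
import socket
import ssl


def client_hello(server_name: str) -> bytes:
    """Let the ssl module build a real TLS ClientHello without touching the network."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ssl.create_default_context().wrap_bio(
        incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake is now waiting for the server's reply
    return outgoing.read()


def classify(head: bytes) -> str:
    """Classify the first bytes a listener sends back after a ClientHello."""
    if head.startswith(b"HTTP/"):
        return "plain-http"  # the case the Docker error message describes
    if len(head) >= 2 and head[0] in (0x15, 0x16) and head[1] == 0x03:
        return "tls"  # TLS alert (0x15) or handshake (0x16) record
    return "unknown"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Send a ClientHello to host:port and report what kind of reply comes back."""
    head = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(host))
        try:
            while len(head) < 5:
                chunk = sock.recv(5 - len(head))
                if not chunk:
                    break
                head += chunk
        except OSError:
            pass  # timeout or reset: classify whatever arrived
    return classify(head)


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <host> <port>
    print(probe(sys.argv[1], int(sys.argv[2])))
```

A `plain-http` result on the registry's published port means the listener behind that port is not terminating TLS, so the thing to fix is the registry's certificate and key configuration rather than the pushing client.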