k3d authenticate to secure registry 401 UNAUTHORIZED

[the-scott-hand]

./k3d version
k3d version v4.4.6
k3s version v1.21.1-k3s (default)

Hi there, I am trying to configure my k3d cluster to pull images from a secure registry. I am running the command in the following way:

k3d cluster create --servers 1 mycluster -p "8069:80@loadbalancer" --volume $K3D_PATH/registries.yaml:/etc/rancher/k3s/registries.yaml --volume $K3D_PATH/my.pem:/etc/ssl/certs/my.pem

my registries.yaml is as follows

mirrors:
    my.registry.org:
        endpoint:
            - https://my.registry.org
configs:
    my.registry.org:
        tls:
            ca_file: "/etc/ssl/certs/my.pem"
            key_file: "/etc/ssl/certs/my.pem"
            cert_file: "/etc/ssl/certs/my.pem"

there seems to be no combination of ca_file cert_file and key_file that get me past the failed to pull and unpack image failed to resolve reference: "failed to authorize: failed to fetch anonymous token: unexpected status: 401 UNAUTHORIZED.

I am using a secure registry and authenticate using registered server certs rather than a username/password situation. When using docker, copying and pasting my cert into files client.key and client.cert and placing them in /etc/docker/certs.d/my.registry.org/ is enough to get docker to pull from the secure registry. How can I configure my registries.yaml to accomplish this in k3d? I have experimented with using cert_file and key_file in the registries.yaml with this pem (containing cert and key) but I get the same error.

Where am i going wrong? Can anyone help me configure this correctly?

[ChristianCiach]

Does your my.pem contain everything (ca-cert, cert-file and key)? I seems strange that you are using the same file for all three attributes, especially because you also mention client.key and client.cert in your description.

[the-scott-hand]

I've tried multiple different iterations, this just happened to be the one i tried most recently. Someone had recommended that for some situations the ca_file and cert_file needed to be the same, so I was trying that out. My client.key and client.cert are the same pem file that contains both key and cert, and I do have a separate ca_file that seems to get me past the x509 certificate signed by unknown authority when used on its own. I will try separating the pem file into two separate files and per your suggestion in my other post mount all 3 and reference them separately.

[iwilltry42]

Hi @the-scott-hand , thanks for starting this discussion!
Unfortunately, this is the first time I ever hear/read about this way of authenticating against a registry, so I cannot really help you from the top of my head.

Just reading through your thread over in the k3s repo (where I think this fits better, since k3d doesn't have anything todo with containerd, etc. but rather just puts the files in the correct places, while even that you do manually here using the --volume flag)... I doubt that we can help you here from k3d side 😞

I'll see if I can find any help for you, but anyway, let's close this discussion here and follow-up over here