Skip to content
English
  • There are no suggestions because the search field is empty.

Warehouse Image Discovery Failure for Private Registries

Kargo Warehouse can't discover artifacts from a private registry

Error Message

When a Warehouse cannot discover images from a private container registry, you may see an error like:

Unable to discover artifacts: error discovering images: error discovering newest applicable images "registry.example.com/namespace/repo": error listing tags: error listing tags for repo URL registry.example.com/namespace/repo: Get "https://registry.example.com/v2/": dial tcp: lookup registry.example.com on [fd6f:2a45:17ba::a]:53: no such host

Root Cause

The cluster where the self-hosted Kargo agent is deployed does not have DNS resolution or network access to the private container registry. The agent inherits DNS and network configuration from its managed cluster, so if the cluster cannot resolve or reach the registry, the agent cannot either.

Solution

First, verify the Warehouse shard assignment and credentials. Then confirm network connectivity from the managed cluster to the private registry.

1. Verify Warehouse Shard Assignment

Check that the Warehouse is assigned to the correct self-hosted agent shard:

If your self-hosted agent is not the default shard, you must explicitly assign the Warehouse to that agent's shard. Add the spec.shard field to your Warehouse manifest:

apiVersion: kargo.akuity.io/v1alpha1
kind: Warehouse
metadata:
  name: my-warehouse
  spec:
    shard: <agent-shard-name> # Specify the shard name of your self-hosted agent
    subscriptions:
      - image:
      repoURL: registry.example.com/namespace/repo

If the spec.shard field is not specified, the Warehouse will be reconciled by the default shard agent, which may not have network access to your private registry.

2. Verify Registry Credentials

Ensure the Warehouse has valid credentials configured:

# List all credentials in the project
kargo get creds --project=<project-name>

# Get specific image credentials in YAML format
kargo get creds --project=<project-name> <credential-name> -o yaml

3. Verify Network Connectivity from Managed Cluster

Test connectivity from a pod in the managed cluster where the self-hosted agent is deployed:

# Test DNS resolution
kubectl run -it --rm debug --image=nicolaka/netshoot:latest --restart=Never -- \
nslookup registry.example.com

# Test HTTP connectivity
kubectl run -it --rm debug --image=nicolaka/netshoot:latest --restart=Never -- \
curl -v https://registry.example.com/v2/

If these commands fail, the cluster does not have network access to the registry. The agent will have the same limitations because it inherits the cluster's DNS and network configuration.

4. Configure DNS and Network Access

If connectivity tests fail, ensure the managed cluster has DNS resolution and network connectivity to the private registry. The specific configuration depends on your infrastructure setup and may involve DNS configuration, network routing, firewall rules, or other networking components.