VMware Cloud Community
fduranti

VIO Kubernetes and private docker registry certificate

I'm having a problem with VIO Kubernetes 4.1 when trying to use a private internal docker registry with a certificate signed by my internal domain CA.

I've deployed a kubernetes cluster directly in SDDC mode on my vcenter.

I've changed the Kubernetes API server cluster certificate with one signed internally by my CA.

When I deploy something on the cluster from my internal registry I get an error.

Failed to pull image "registry.domain:5500/testgroup/testk8/fduranti-master-patch-56029:6a742afb8171134937a59cf40aa34df91c95b8eb": rpc error: code = Unknown desc = Error response from daemon: Get https://registry.domain:5500/v1/_ping: x509: certificate signed by unknown authority

Error syncing pod

I suppose that I should copy my CA configuration to all Kubernetes nodes, but I'm not sure how to do it and it seems I cannot find any guide for it.


Accepted Solutions
fduranti

I've found a site with some instructions on how to connect to the various nodes.

From the vio for kubernetes management machine:

vkube login --insecure

vkube cluster list --insecure

Make a note of the Cluster ID of the cluster you want to access

vkube cluster show <Cluster ID> --insecure

Make a note of the IP of the Master and Worker Nodes.

docker exec -it app-api /bin/bash

cd /var/lib/vrc/terraform/<ClusterID>

ssh -i private.key -F ssh-bastion.conf ubuntu@Kubernetes_Host_IP_Address


3 Replies
daphnissov

Does your registry have this root CA cert added to its trust store? If not, you need to do that because the error message presented suggests there is no trust for what your nodes are presenting. Note that I'm not familiar with VIO so I can't help with that angle.

fduranti

The problem is that I'm not a Kubernetes expert, just trying to get something up to understand how it works. My registry has the correct CA configured; I already use it from other Docker machines.

From the VIO Kubernetes virtual appliance (the one used to deploy the Kubernetes cluster) I've configured my corporate CA correctly and I can log in with Docker to my registry without any problem.

The problem is when I try to deploy a pod with images from this registry.

I think that in this case the machines trying to get the image are the "Kubernetes nodes", which don't have my corporate CA in the trusted CAs or in the /etc/docker/certs.d/registryserver/ directory.

I'm trying to understand how to push a certificate to the Kubernetes node/master virtual machines, but I don't know how to log in to those or whether there's any command to do it from the management machine.

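The accepted solution above shows how to reach the nodes, and the reply above names the directory the nodes are missing. The script below, an added example that is not code from the thread or from VMware, puts the two together: it validates the internal CA file, pushes it through the same bastion SSH config to `/etc/docker/certs.d/<host:port>/ca.crt` on every master and worker, and then checks from each node that TLS to the registry now validates. The registry name, the `corp-ca.pem` file name, the `NODE_IPS` list and the presence of `sudo` and `curl` on the Ubuntu nodes are assumptions for illustration; only the bastion/key paths come from the accepted solution.

```shell
#!/bin/sh
# Added example, not code from the thread or from VMware: distribute an internal
# CA certificate to every VIO Kubernetes node so each node's docker daemon trusts
# the private registry. Assumptions (hypothetical, adjust to your environment):
#   - run from inside the app-api container in /var/lib/vrc/terraform/<ClusterID>,
#     where private.key and ssh-bastion.conf live, as in the accepted solution
#   - NODE_IPS holds the master and worker IPs noted from `vkube cluster show`
#   - the nodes are Ubuntu hosts with docker, sudo and curl available
set -eu

REGISTRY="${REGISTRY:-registry.domain:5500}"   # host:port exactly as in the image reference
CA_FILE="${CA_FILE:-corp-ca.pem}"              # internal CA certificate, PEM encoded
NODE_IPS="${NODE_IPS:-}"                       # e.g. "10.0.0.11 10.0.0.21 10.0.0.22"

# Docker reads a per-registry CA from /etc/docker/certs.d/<host:port>/ca.crt and
# needs no daemon restart for it. An optional root prefix ($2) lets the path
# logic be exercised against a scratch directory instead of the real /etc.
certs_dir_for() {
    printf '%s/etc/docker/certs.d/%s' "${2:-}" "$1"
}

# Refuse anything that is not a PEM certificate: an empty file fixes nothing,
# and a private key copied to ca.crt would be worse than the original error.
is_pem_cert() {
    [ -s "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1" \
        && ! grep -q -- 'PRIVATE KEY' "$1"
}

# Install the CA below a root directory and print the resulting path.
# On a node this runs as root over ssh; in a test it runs against a temp dir.
install_ca() {
    ca="$1"; registry="$2"; root="${3:-}"
    is_pem_cert "$ca" || { echo "refusing: $ca is not a PEM certificate" >&2; return 1; }
    dir=$(certs_dir_for "$registry" "$root")
    mkdir -p "$dir"
    cp "$ca" "$dir/ca.crt"
    chmod 0644 "$dir/ca.crt"
    echo "$dir/ca.crt"
}

# Push the CA to each node through the same bastion config the accepted solution
# uses. The certificate travels on stdin, so no temp file is left on the node,
# and the final curl proves the chain validates: any HTTP status (200, or 401 on
# a registry that wants auth) means the TLS handshake itself succeeded.
push_to_nodes() {
    is_pem_cert "$CA_FILE" || { echo "refusing: $CA_FILE is not a PEM certificate" >&2; return 1; }
    dir=$(certs_dir_for "$REGISTRY")
    for ip in $NODE_IPS; do
        echo "== $ip"
        ssh -i private.key -F ssh-bastion.conf "ubuntu@$ip" \
            "sudo mkdir -p '$dir' && sudo tee '$dir/ca.crt' >/dev/null && \
             sudo chmod 0644 '$dir/ca.crt' && \
             curl -sS -o /dev/null -w 'registry TLS check: HTTP %{http_code}\n' \
                  --cacert '$dir/ca.crt' 'https://$REGISTRY/v2/'" < "$CA_FILE"
    done
}

# Only contact nodes when a list was supplied; sourcing the file for its helpers
# (or running it without NODE_IPS) performs no remote action.
if [ -n "$NODE_IPS" ]; then
    push_to_nodes
fi
```

Two practical points. The directory name must match the registry exactly as it is written in the image reference, port included (`registry.domain:5500`, not `registry.domain`), or docker will not find the file. And the file lives on the node's disk only: if the VIO tooling rebuilds or scales the cluster, new nodes come up without it, so the script has to be re-run (or the CA baked into the node image). If you would rather trust the CA system-wide on Ubuntu nodes, the alternative is to drop it in `/usr/local/share/ca-certificates/` with a `.crt` extension, run `update-ca-certificates`, and restart docker, which reads the system store only at startup. Finally, the `--insecure` flag on the `vkube` commands turns off certificate checking against the management API, the same class of weakness being fixed on the nodes here; it is fine for a one-off, but not something to carry into automation.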