3 Replies Latest reply on Mar 10, 2019 7:27 AM by fduranti

    VIO Kubernetes and private docker registry certificate

    fduranti Hot Shot

      I'm having a problem with VIO Kubernetes 4.1 when trying to use a private internal docker registry with a certificate signed by my internal domain CA.

I've deployed a Kubernetes cluster directly in SDDC mode on my vCenter.

I've changed the Kubernetes API server cluster certificate with one signed internally by my CA.

When I deploy something on the cluster from my internal registry, I get an error.


      Failed to pull image "registry.domain:5500/testgroup/testk8/fduranti-master-patch-56029:6a742afb8171134937a59cf40aa34df91c95b8eb": rpc error: code = Unknown desc = Error response from daemon: Get https://registry.domain:5500/v1/_ping: x509: certificate signed by unknown authority


      Error syncing pod



I suppose that I should copy my CA configuration to all Kubernetes nodes, but I'm not sure how to do it and I cannot seem to find any guide on it.



        • 1. Re: VIO Kubernetes and private docker registry certificate
daphnissov Guru
Community Warriors, vExpert

          Does your registry have this root CA cert added to its trust store? If not, you need to do that because the error message presented suggests there is no trust for what your nodes are presenting. Note that I'm not familiar with VIO so I can't help with that angle.

          • 2. Re: VIO Kubernetes and private docker registry certificate
            fduranti Hot Shot

The problem is that I'm not a Kubernetes expert, just trying to get something up to understand how it works. My registry has the correct CA configured; I already use it from other Docker machines.

From the VIO Kubernetes virtual appliance (the one used to deploy the Kubernetes cluster) I've configured my corporate CA correctly and I can log in with Docker to my registry without any problem.

The problem is when I try to deploy a pod with images from this registry.

I think that in this case the machines trying to get the image are the "Kubernetes nodes", which don't have my corporate CA in their trusted CAs or in the /etc/docker/certs.d/registryserver/ directory.


I'm trying to understand how to push a certificate to the Kubernetes node/master virtual machines, but I don't know how to log in to those or whether there's any command to do it from the management appliance.

            • 3. Re: VIO Kubernetes and private docker registry certificate
              fduranti Hot Shot

I've found a site with some instructions on how to connect to the various nodes.

From the VIO for Kubernetes management machine:


vkube login --insecure

              vkube cluster list --insecure

              Make a note of the Cluster ID of the cluster you want to access

              vkube cluster show <Cluster ID> --insecure

              Make a note of the IP of the Master and Worker Nodes.

              docker exec -it app-api /bin/bash

              cd /var/lib/vrc/terraform/<ClusterID>

              ssh -i private.key -F ssh-bastion.conf ubuntu@Kubernetes_Host_IP_Address
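The commands above give SSH access to each node; the script below is an added example (not from this thread or from VIO) that uses that same SSH path to place the corporate CA into Docker's certs.d directory on every node, which is where the daemon looks for a per-registry trusted CA. The registry name, CA file, node IPs, and passwordless sudo for the ubuntu user are assumptions; run it from inside the app-api container in the cluster's terraform directory, where private.key and ssh-bastion.conf live.

```shell
#!/bin/sh
# Added example: install an internal CA on every VIO Kubernetes node so that the
# Docker daemon on the node trusts a private registry signed by that CA.
# Assumes: run from /var/lib/vrc/terraform/<ClusterID> inside app-api, nodes
# accept ssh as "ubuntu" via ssh-bastion.conf, and ubuntu has passwordless sudo.
set -eu

# Docker looks for a registry's CA at /etc/docker/certs.d/<host>:<port>/ca.crt.
# Map a registry reference to that directory, tolerating a scheme or a path.
certs_dir_for_registry() {
    reg="$1"
    reg="${reg#*://}"     # drop "https://" if present
    reg="${reg%%/*}"      # drop "/v1/_ping" or any other path
    printf '/etc/docker/certs.d/%s\n' "$reg"
}

# Refuse to copy anything that is not a PEM-encoded certificate.
is_pem_cert() {
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# Copy the CA file to one node, creating the certs.d directory as root.
# The certificate travels over stdin so no temporary file is left on the node.
install_ca_on_node() {
    node_ip="$1"; ca_file="$2"; dir="$3"
    ssh -i private.key -F ssh-bastion.conf "ubuntu@$node_ip" \
        "sudo mkdir -p '$dir' && sudo tee '$dir/ca.crt' >/dev/null" < "$ca_file"
}

# Usage: sh install-registry-ca.sh registry.domain:5500 corp-ca.pem <node IP>...
# (node IPs come from "vkube cluster show <Cluster ID>"; all values are placeholders)
if [ "${1:-}" != "" ]; then
    registry="$1"; ca_file="$2"; shift 2
    is_pem_cert "$ca_file" || { echo "$ca_file is not a PEM certificate" >&2; exit 1; }
    dir="$(certs_dir_for_registry "$registry")"
    for ip in "$@"; do
        echo "installing CA for $registry on $ip as $dir/ca.crt"
        install_ca_on_node "$ip" "$ca_file" "$dir"
    done
fi
```

Docker reads certs.d when it contacts the registry, so the next image pull on each node picks the CA up; verify with a manual `docker pull` on one node before redeploying the pod.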