Solved

Use internal ca certificate chain on Karbon

  • 17 July 2020
  • 6 replies
  • 1886 views
Anibal Ulisses
Userlevel 1
Badge +2

Hi,

My company have a internal CA certificate chain and I need to install the internal ca.crt on Karbon, it’s possible?

Use case, install a pod using kubectl from a internal registry are not possible due they didn’t know the root CA authority installed at the registry server.

Anibal

icon

Best answer by Anibal Ulisses 23 July 2020, 02:01

Hi @AnishWalia20 

 

Problem solved…

On my notebook docker installation I already configured the certificate like you described:

1) On master and worker nodes create $URL directory at /etc/docker/certs.d/ where $URLis replaced with their registry hostname and port:
 

sudo mkdir /etc/docker/certs.d/example.com:5000


Copy (scp or download) registry.crt to /etc/docker/certs.d/example.com:5000/registry.crt

 

But I found two problem that after I understand I have success to configure the certificate chain:

  1. Need to run this command to reload the new settings: 
    systemctl daemon-reload && systemctl restart docker
  2. Need to install the certificate on all Master and Worker nodes, and run step 1 on each one.

Another point that I faced, unfortunately I have a proxy between my server and internet. When the karbon are deployed they didn’t get the “whitelist” configure at Prism Element to include on the NO_PROXY variable, they only get the PROXY_HTTP(S) information. I need to adjust on all nodes. 

 

No my certificate chain are running fine :-)

 

Thank you.

Anibal

 

View original

6 replies

AnishWalia20
Rank
Userlevel 5
Badge +4

Hey @Anibal Ulisses Can you try to follow the Kubernetes documentation for creating a .dockerconfigjson secret as outlined here to achieve the above:

https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

 

 

Anish Singh Walia
AnishWalia20
Rank
Userlevel 5
Badge +4

Hey, @Anibal Ulisses Sorry for the above. I misunderstood the question. The above article I sent is for a different use case.

 

You will need to do the below:

1) On master and worker nodes create $URL directory at /etc/docker/certs.d/ where $URL is replaced with their registry hostname and port:
 

sudo mkdir /etc/docker/certs.d/example.com:5000


Copy (scp or download) registry.crt to /etc/docker/certs.d/example.com:5000/registry.crt

 

 

Anish Singh Walia
Anibal Ulisses
Userlevel 1
Badge +2

Hi @AnishWalia20 

 

Great, I need to restart the cluster or they identify the new certificates and restart automatic?

AnishWalia20
Rank
Userlevel 5
Badge +4

Hey @Anibal Ulisses . Sorry I couldn’t reach out. I am not sure about the restart thing. 

 

Did you try the above? . Let me know if you need help with anything else. :smile:

Anish Singh Walia
Anibal Ulisses
Userlevel 1
Badge +2

Hi @AnishWalia20 

 

Problem solved…

On my notebook docker installation I already configured the certificate like you described:

1) On master and worker nodes create $URL directory at /etc/docker/certs.d/ where $URLis replaced with their registry hostname and port:
 

sudo mkdir /etc/docker/certs.d/example.com:5000


Copy (scp or download) registry.crt to /etc/docker/certs.d/example.com:5000/registry.crt

 

But I found two problem that after I understand I have success to configure the certificate chain:

  1. Need to run this command to reload the new settings: 
    systemctl daemon-reload && systemctl restart docker
  2. Need to install the certificate on all Master and Worker nodes, and run step 1 on each one.

Another point that I faced, unfortunately I have a proxy between my server and internet. When the karbon are deployed they didn’t get the “whitelist” configure at Prism Element to include on the NO_PROXY variable, they only get the PROXY_HTTP(S) information. I need to adjust on all nodes. 

 

No my certificate chain are running fine :-)

 

Thank you.

Anibal

 

AnishWalia20
Rank
Userlevel 5
Badge +4

Ahh, that is amazing @Anibal Ulisses . Glad that it worked out. And also thanks for the side note about restarting docker daemon on all the master and worker nodes to make the settings persistent.:smile:

Anish Singh Walia

Reply