Use internal ca certificate chain on Karbon | Nutanix Community
Solved

Use internal ca certificate chain on Karbon


Anibal Ulisses

Hi,

My company has an internal CA certificate chain and I need to install the internal ca.crt on Karbon. Is it possible?

Use case: installing a pod using kubectl from an internal registry is not possible, because the nodes don't know the root CA authority installed at the registry server.

Anibal


6 replies

AnishWalia20
Nutanix Employee
  • 201 replies
  • July 17, 2020

Hey @Anibal Ulisses, can you try following the Kubernetes documentation for creating a .dockerconfigjson secret, as outlined here, to achieve the above:

https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

 

 


AnishWalia20
Nutanix Employee
  • 201 replies
  • July 17, 2020

Hey @Anibal Ulisses, sorry for the above. I misunderstood the question. The article I sent above is for a different use case.

 

You will need to do the below:

1) On master and worker nodes create $URL directory at /etc/docker/certs.d/ where $URL is replaced with their registry hostname and port:
 

sudo mkdir /etc/docker/certs.d/example.com:5000


Copy (scp or download) registry.crt to /etc/docker/certs.d/example.com:5000/registry.crt

 

 


Anibal Ulisses

Hi @AnishWalia20 

 

Great. Do I need to restart the cluster, or will they identify the new certificates and restart automatically?


AnishWalia20
Nutanix Employee
  • 201 replies
  • July 20, 2020

Hey @Anibal Ulisses . Sorry I couldn’t reach out. I am not sure about the restart thing. 

 

Did you try the above? Let me know if you need help with anything else. :smile:


Anibal Ulisses
  • Author
  • Trailblazer
  • 24 replies
  • Answer
  • July 23, 2020

Hi @AnishWalia20 

 

Problem solved…

On my notebook's docker installation I had already configured the certificate as you described:

1) On master and worker nodes create a $URL directory at /etc/docker/certs.d/ where $URL is replaced with the registry hostname and port:

sudo mkdir /etc/docker/certs.d/example.com:5000

Copy (scp or download) registry.crt to /etc/docker/certs.d/example.com:5000/registry.crt

 

But I found two problems; once I understood them, I succeeded in configuring the certificate chain:

  1. Need to run this command to reload the new settings:
    systemctl daemon-reload && systemctl restart docker
  2. Need to install the certificate on all master and worker nodes, and run step 1 on each one.

Another point that I faced: unfortunately I have a proxy between my server and the internet. When the Karbon nodes are deployed they don't get the "whitelist" configured at Prism Element included in the NO_PROXY variable; they only get the PROXY_HTTP(S) information. I needed to adjust this on all nodes.

 

Now my certificate chain is running fine :-)

 

Thank you.

Anibal

 

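As an added example (not code from this thread, and not a Nutanix or Karbon tool), the procedure from the two posts above, written as a small Bash script: copy the registry's CA chain into the per-registry trust directory dockerd reads (any *.crt file under /etc/docker/certs.d/<host:port>/ is loaded as a trust anchor, so registry.crt and ca.crt are equivalent), restart the daemon, check the chain from the node, and repeat on every master and worker. The registry name example.com:5000, the CA file name, the node IPs and the SSH user "nutanix" are assumptions to replace with your own values; the scratch-directory parameter exists only so the install step can be exercised without touching /etc/docker.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: install an internal registry's CA chain for
# dockerd on Karbon nodes. Registry, file names, node IPs and SSH user are assumed.
set -eu

# install_registry_ca REGISTRY CA_FILE [CERTS_ROOT]
# Copies the CA chain to CERTS_ROOT/REGISTRY/ca.crt, the directory dockerd consults
# when it talks to that host:port. CERTS_ROOT defaults to /etc/docker/certs.d; it is
# a parameter only so the function can be run against a scratch directory.
install_registry_ca() {
  local registry="$1" ca_file="$2" certs_root="${3:-/etc/docker/certs.d}"
  local dest_dir="$certs_root/$registry"

  if [ ! -s "$ca_file" ]; then
    echo "error: CA file '$ca_file' is missing or empty" >&2
    return 1
  fi
  # dockerd expects PEM; a DER file copied by mistake is silently ignored.
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca_file"; then
    echo "error: '$ca_file' is not a PEM certificate" >&2
    return 1
  fi
  # Only the public chain belongs on the nodes, never the CA's private key.
  if grep -q -- 'PRIVATE KEY' "$ca_file"; then
    echo "error: '$ca_file' contains a private key" >&2
    return 1
  fi

  mkdir -p "$dest_dir"
  cp "$ca_file" "$dest_dir/ca.crt"
  chmod 0644 "$dest_dir/ca.crt"
  echo "$dest_dir/ca.crt"
}

# count_certs FILE: number of certificates in a PEM bundle. A bundle with only the
# leaf or only an intermediate will still fail verification against the root.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# reload_docker: the thread found dockerd did not pick up the new directory until
# the daemon was restarted, so restart it explicitly on every node.
reload_docker() {
  sudo systemctl daemon-reload && sudo systemctl restart docker
}

# verify_registry_tls REGISTRY CA_FILE: confirm from the node that the registry's
# certificate chain validates against the installed CA. Needs network access.
verify_registry_tls() {
  local registry="$1" ca_file="$2"
  openssl s_client -connect "$registry" -servername "${registry%%:*}" \
      -CAfile "$ca_file" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# rollout REGISTRY CA_FILE NODE...: repeat the install on every master and worker
# node, the step the thread reports is easy to miss. SSH user "nutanix" is an
# assumption; use whatever account has sudo on your Karbon nodes.
rollout() {
  local registry="$1" ca_file="$2"; shift 2
  local node
  for node in "$@"; do
    scp "$ca_file" "nutanix@$node:/tmp/registry-ca.crt"
    ssh "nutanix@$node" "sudo mkdir -p /etc/docker/certs.d/$registry \
      && sudo cp /tmp/registry-ca.crt /etc/docker/certs.d/$registry/ca.crt \
      && sudo chmod 0644 /etc/docker/certs.d/$registry/ca.crt \
      && sudo systemctl daemon-reload && sudo systemctl restart docker"
  done
}

# Usage with constructed values:
#   rollout example.com:5000 ./registry-ca.pem 10.0.0.11 10.0.0.12 10.0.0.21
# then, on a node:
#   verify_registry_tls example.com:5000 /etc/docker/certs.d/example.com:5000/ca.crt
```

Put the full chain (root plus any intermediates) in the file rather than only the leaf certificate, and keep the CA's private key off the nodes entirely; the checks in install_registry_ca catch both mistakes before the daemon is restarted.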

AnishWalia20
Nutanix Employee
  • 201 replies
  • July 23, 2020

Ahh, that is amazing @Anibal Ulisses. Glad that it worked out. And also thanks for the side note about restarting the docker daemon on all the master and worker nodes to make the settings persistent. :smile: