You've successfully subscribed to Nuvotex Blog
Great! Next, complete checkout for full access to Nuvotex Blog
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info is updated.
Billing info update failed.

Kubernetes Cluster & self-hosted Registry: Trusting the CA

Sebastian Augustin
Sebastian Augustin

You build your OnPremise Kubernetes Cluster and set up your self-hosted private registry. To make it pretty you used your own CA to sign the certificate for the registry. Everything is fine and now you are ready to deploy your own services to your Kubernetes Cluster and develop some awesome apps ... but wait ... I cannot pull the images from my registry because my Kubernetes Cluster does not trust the issued CA of the certificate. That isn't that unexpected but how you can fix this real quick:

Add the CA to the nodes of your Cluster

This step is pretty easy if you are able to access your nodes of your Kubernetes Cluster. Just connect to them via ssh and add the given certificate to the cert store - the only thing: you need to add the Certificate Authority to every node. Otherwise some nodes will be able to pull your images and some not ;)

The procedure would look like the following:
Copy your CA to the target location (e.g. Ubuntu environment):

/usr/local/share/ca-certificates

After that execute the following command with the according rights on the machine:

update-ca-certificates

After adding the CA to the given node you need to restart the docker services or the containerd services. In my example I was using a containerd runtime so just restart the given services via the following command:

systemctl restart containerd

Repeat this given steps for all nodes in the cluster.

Nicely done! But wait I still cannot pull the images...

ImagePullSecrets

For sure I need to add credentials to be able to pull some images from my private registry. This can be easily done by adding 'ImagePullSecrets' to your yaml files in the Kubernetes Cluster.

imagePullSecrets:
  - name: someregistrycreds

In the yaml files you are going to reference the name of the created secrets to access your registry and to be able to pull the images. But how to create them?

Secret for the Registry

It is pretty easy you just need to execute the following command to create the credentials:

kubectl create secret docker-registry regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>

(source: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/)

The command above will create a secret for pulling the images. Just some tips according to this: If you are working on a shared linux environment please ensure that you cleaned up the history of your command after executing it and be aware that secrets in Kubernetes are only base64 encoded. Just saying :)

Yeah, now we are done and I can pull as many images as possible from my registry. What a wonderful day isn't it?! :)

KubernetesContainerLinux