In this article (Déployer Harbor avec type loadBalancer) I explained how to deploy Harbor and how to make Docker trust its self-signed certificate. If you run Kubernetes with Docker as the container runtime, you can follow that same procedure on each worker node. Otherwise you are likely to get the following error:
Unknown desc = failed to pull and unpack image "harbor.cpod-tkg.az-lab.shwrfr.com/memecached/hello-world:latest": failed to resolve reference "harbor.cpod-tkg.az-lab.shwrfr.com/memecached/hello-world:latest": failed to do request: Head https://harbor.cpod-tkg.az-lab.shwrfr.com/v2/memecached/hello-world/manifests/latest: x509: certificate signed by unknown authority
Warning Failed 12s (x2 over 24s) kubelet, tkg-utility-md-0-798c695db5-pjgsk Error: ErrImagePull
If you run Kubernetes with containerd, the procedure is different. My colleague Rob Hardt (https://gist.github.com/rhardt-pivotal/) wrote a script for this: https://gist.githubusercontent.com/rhardt-pivotal/4aa09ced6302194561936717262bb203/raw/623c707748925c969c525ade4bb432f95b61cff0/node-ca-updater-daemonset.yaml
You still need to change the 3 fields (shown in red in the original): the certificate, the Harbor URL, and the ephemeral-storage limit.
apiVersion: v1
data:
  ca.pem: |+
    -----BEGIN CERTIFICATE-----
    <paste your certificate here>
    -----END CERTIFICATE-----
kind: ConfigMap
metadata:
  name: trusted-ca-cm
  namespace: default
---
apiVersion: v1
data:
  build-ca.sh: "#!/usr/bin/env bash \nset -euxo pipefail\ntdnf update \ntdnf install -y ca-certificates\ntdnf install -y openssl-c_rehash\necho \"$TRUSTED_CERT\" > /etc/ssl/certs/my-trusted-cert.pem\n/usr/bin/rehash_ca_certificates.sh\ncurl -vv https://<YOUR HARBOR URL>\n"
kind: ConfigMap
metadata:
  name: rehash-script
  namespace: default
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: trusted-ca-updater
  namespace: default
  labels:
    k8s-app: trusted-ca-updater
spec:
  selector:
    matchLabels:
      name: trusted-ca-updater
  template:
    metadata:
      labels:
        name: trusted-ca-updater
    spec:
      tolerations:
      # this toleration is to have the daemonset runnable on master nodes
      # remove it if your masters can't run pods
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
      initContainers:
      - name: script-runner
        image: photon:3.0
        command: ["/bin/sh", "-c", "/root/build-ca.sh"]
        volumeMounts:
        - name: update-trusted-certs-script
          mountPath: /root/
        - name: certs-dir
          mountPath: /etc/ssl/certs
        - name: agg-certs-dir
          mountPath: /etc/pki/tls/certs/
        env:
        - name: TRUSTED_CERT
          valueFrom:
            configMapKeyRef:
              name: trusted-ca-cm
              key: ca.pem
        resources:
          limits:
            ephemeral-storage: 30G # set a smaller size
      containers:
      - name: sleepy
        image: photon:3.0
        command: ["/bin/sh"]
        args: ["-c", "while true; do sleep 3600;done"]
      volumes:
      - name: update-trusted-certs-script
        configMap:
          name: rehash-script
          defaultMode: 0766
      - name: certs-dir
        hostPath:
          path: /etc/ssl/certs
          type: Directory
      - name: agg-certs-dir
        hostPath:
          path: /etc/pki/tls/certs/
          type: Directory
You then have to log on to each worker node and restart containerd, because the runtime only reads the system trust store at startup. Below is an example for TKG (a Kubernetes-as-a-Service solution for all clouds):
# ssh capv@<ip-YourWorkerNode>
capv@YourWorkerNode$ sudo systemctl restart containerd
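A few helpers for the two places where this procedure usually goes wrong: the certificate pasted into the ConfigMap is not a clean single PEM block (or loses its indentation under `ca.pem: |+`, which gives the init container an empty `TRUSTED_CERT`), and containerd is restarted on a node before the DaemonSet has actually written `/etc/ssl/certs/my-trusted-cert.pem` there. This is an added example and is not part of the original post or of Rob Hardt's gist; the function names, the sample PEM (a constructed placeholder, not a real certificate) and the `demo` entry point are my own. Keep in mind that the DaemonSet writes into every node's trust store through a hostPath mount, so anyone who can edit the `trusted-ca-cm` ConfigMap can make the whole cluster trust a CA of their choosing; restrict write access to that namespace accordingly.

```shell
#!/usr/bin/env bash
# Added example: pre-flight and post-check helpers for the trusted-CA DaemonSet.
# Not from the original post or the referenced gist.
set -u

# validate_ca_pem FILE
# Succeeds only if FILE holds exactly one PEM certificate block with a
# non-empty base64 body. Anything else would be written verbatim into the
# node's /etc/ssl/certs by the init container's echo.
validate_ca_pem() {
  f="$1"
  [ -r "$f" ] || return 1
  [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f")" -eq 1 ] || return 1
  [ "$(grep -c -- '-----END CERTIFICATE-----' "$f")" -eq 1 ] || return 1
  body=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$f" \
         | grep -v -- '-----')
  [ -n "$body" ] || return 1
  # every body line must be base64 text
  ! printf '%s\n' "$body" | grep -qvE '^[A-Za-z0-9+/=]+$'
}

# render_ca_configmap FILE [NAME] [NAMESPACE]
# Prints the trusted-ca ConfigMap with the certificate indented by four spaces
# under "ca.pem: |+", i.e. the field the post says to replace. The "|+" block
# scalar keeps the trailing newline, which is what the init script expects.
render_ca_configmap() {
  f="$1"; name="${2:-trusted-ca-cm}"; ns="${3:-default}"
  validate_ca_pem "$f" || return 1
  printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: %s\n  namespace: %s\n' "$name" "$ns"
  printf 'data:\n  ca.pem: |+\n'
  sed '/./s/^/    /' "$f"
}

# ca_installed_on_node CERTS_DIR EXPECTED_PEM
# Run on a node (CERTS_DIR=/etc/ssl/certs) before restarting containerd:
# succeeds only if my-trusted-cert.pem exists and its certificate block is the
# one you pasted into the ConfigMap. Only the block between the PEM markers is
# compared, because the init container's echo appends an extra newline.
ca_installed_on_node() {
  installed="$1/my-trusted-cert.pem"; expected="$2"
  [ -s "$installed" ] || return 1
  have=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$installed" | cksum)
  want=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$expected" | cksum)
  [ "$have" = "$want" ]
}

# write_sample_ca_pem FILE
# Writes a constructed placeholder PEM (markers plus dummy base64 lines, not a
# real certificate) so the helpers can be exercised offline.
write_sample_ca_pem() {
  printf -- '-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUAAAA\nQUJDREVGR0hJSktMTU5PUA==\n-----END CERTIFICATE-----\n' > "$1"
}

# Usage: ./trusted-ca-check.sh demo      (renders the ConfigMap for the sample PEM)
#        ./trusted-ca-check.sh node FILE (on a node: verify FILE was installed)
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d); write_sample_ca_pem "$tmp/ca.pem"
  render_ca_configmap "$tmp/ca.pem"; rm -rf "$tmp"
elif [ "${1:-}" = "node" ]; then
  ca_installed_on_node /etc/ssl/certs "$2" && echo "CA present, safe to restart containerd"
fi
```

On a real node, `ca_installed_on_node /etc/ssl/certs ca.pem` failing means the DaemonSet's init container has not run there yet (or its ConfigMap was wrong), and a `systemctl restart containerd` at that point would change nothing.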