Container Registry for K8S Cluster #17

Open
haminhcong opened this issue Jun 5, 2021 · 0 comments
haminhcong commented Jun 5, 2021

Goals

  • Create a container registry
  • Auto config k8s cluster node to use registry:
    • Set ssl cert config
    • Or set insecure registry
  • Allow external users to pull from and push to the container registry

Environment

  • Kubespray 2.15
  • containerd 1.4.x
  • Registry storage: S3-like (Ceph, MinIO), provided outside the cluster

Problem 1: Install Container Registry

Tools

Install methods:

  • Install outside the cluster: install Harbor on three VMs outside the K8S cluster, then configure the containerd config before installing the cluster
  • Install inside the cluster: install Harbor on the K8S cluster, then reconfigure the containerd configuration of the running cluster. Recheck whether the container engine needs to be reconfigured after installing Harbor or not.

Problem 2: Configure cluster node registry certificate

To resolve the problem "x509: certificate signed by unknown authority" we have the following options.

Solution 1 - config containerd using registry ca cert before start containerd

[plugins.cri.registry.configs."my.custom.registry".tls]
    ca_file   = "/etc/containerd/my.custom.registry/ca.crt"
    cert_file = "/etc/containerd/my.custom.registry/cert.pem"
    key_file  = "/etc/containerd/my.custom.registry/key.pem"

Solution 2 - insecure registry

[plugins.cri.registry.configs."my.custom.registry".tls]
  insecure_skip_verify = true

Solution 3 - using registry ca cert in system cert

Following issue containerd/containerd#3071, we need to put the CA cert in the folder /usr/local/share/ca-certificates before starting the containerd service, or if we put the CA cert there afterwards we need to restart the containerd service.

https://github.com/containerd/cri/blob/release/1.4/docs/registry.md#configure-registry-tls-communication

References
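An added example, not part of the issue: a small Python audit that parses the containerd 1.4 `[plugins.cri.registry.configs."<host>".tls]` tables shown above and classifies each registry as CA-pinned (Solution 1), insecure (Solution 2) or relying on the system trust store (Solution 3). The sample config is constructed, and the `dev.registry.local` host is a hypothetical name.

```python
import re
from typing import Dict

# Constructed sample config.toml mixing the secure (Solution 1) and
# insecure (Solution 2) registry TLS forms from the issue.
SAMPLE_CONFIG = """
[plugins.cri.registry.configs."my.custom.registry".tls]
    ca_file   = "/etc/containerd/my.custom.registry/ca.crt"
    cert_file = "/etc/containerd/my.custom.registry/cert.pem"
    key_file  = "/etc/containerd/my.custom.registry/key.pem"

[plugins.cri.registry.configs."dev.registry.local".tls]
  insecure_skip_verify = true
"""

# Matches the per-registry TLS table header and capture the registry host.
SECTION_RE = re.compile(r'^\[plugins\.cri\.registry\.configs\."([^"]+)"\.tls\]$')
# Matches a simple `key = value` line inside a table.
KV_RE = re.compile(r'^(\w+)\s*=\s*(.+?)$')


def parse_registry_tls(text: str) -> Dict[str, Dict[str, str]]:
    """Return {registry_host: {key: value}} for every registry TLS table."""
    tables: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            tables[current] = {}
            continue
        if line.startswith("["):
            current = None  # some other table (e.g. .auth); ignore its keys
            continue
        kv = KV_RE.match(line)
        if kv and current is not None:
            tables[current][kv.group(1)] = kv.group(2).strip().strip('"')
    return tables


def audit(text: str) -> Dict[str, str]:
    """Classify each registry's TLS posture from its containerd config."""
    verdicts: Dict[str, str] = {}
    for host, tls in parse_registry_tls(text).items():
        if tls.get("insecure_skip_verify", "false").lower() == "true":
            verdicts[host] = "insecure"      # server cert is never verified
        elif "ca_file" in tls:
            verdicts[host] = "pinned-ca"     # Solution 1: explicit CA file
        else:
            verdicts[host] = "system-trust"  # Solution 3: relies on OS CA store
    return verdicts
```

Registries with no TLS table at all are also verified against the system trust store, so an empty result from `audit` means nothing on the node bypasses verification.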
