This repository has been archived by the owner on Dec 8, 2023. It is now read-only.

Add CA cert -> unknown authority -> pull image from local registry #196

linuxmail opened this issue Sep 26, 2019 · 3 comments

hi,

I created a four node + master cluster with the k3OS v0.2.2-rc2 ISO image build. I installed cert-manager via HelmChart and also created a local registry. Upload works, but if I create a pod:

Failed to pull image "registry.example.local/myapps/my-service-a-app:1.0.0": rpc error: code = Unknown desc = failed to resolve image "registry.example.local/myapps/my-service-a-app:1.0.0": no available registry endpoint: failed to do request: Head https://registry.example.local/v2/myapps/my-service-a-app/manifests/1.0.0: x509: certificate signed by unknown authority

I thought: if I get cert-manager working (with Hashicorp Vault PKI backend), then my local CA is trusted too, but it seems not.
So my question is: what do I have to do so that my local CA is trusted?

I found /etc/ssl/certs/ca-certificates.crt and added my local CA, but maybe it's the wrong way to do it.

Any suggestions?

cu denny


dweomer commented Sep 27, 2019

@linuxmail please see this k3s thread: k3s-io/k3s#145 (comment)


dweomer commented Sep 27, 2019

Additionally, please see https://github.com/containerd/cri/blob/master/docs/registry.md#configure-registry-tls-communication. You may be able to get it to work but formal support for insecure registries (aka ones secured with self-signed certificates) as a feature will be tracked at k3s-io/k3s#145

dweomer closed this as completed Sep 27, 2019


jslay88 commented Nov 22, 2022

For anyone else still running this stuff, I resolved this by adding this to my /k3os/system/config.yaml

```sh
# remount /k3os/system as read-write
sudo mount -o remount,rw /k3os/system
# edit /k3os/system/config.yaml
sudo vi /k3os/system/config.yaml
```

```yaml
# under write_files: (the k3OS config section that writes files to disk at boot)
write_files:
- path: /etc/ssl/certs/ca.pem
  content: |
    -----BEGIN CERTIFICATE-----
    <your-cert-here>
    -----END CERTIFICATE-----
```

Reboot the node for the new config to write the cert and for it to take effect. You should now be able to pull from an HTTPS registry that was issued a certificate by the CA with that CA cert.
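An added illustration, not code from this issue or from k3OS/k3s: a Go program that builds a throwaway CA and a registry leaf certificate in memory, then verifies the leaf the way the pull's TLS handshake does, first against the system roots only (the "x509: certificate signed by unknown authority" failure above) and then with the CA PEM that the config.yaml entry writes out. The host name, CA name and keys are constructed for the example; the PEM parse check also catches a CA file in which the <your-cert-here> placeholder was never replaced.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// makeCert signs tmpl with parent/parentKey, or self-signs it when parent is nil (constructed test PKI).
func makeCert(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildTestPKI returns a throwaway CA as PEM (what /etc/ssl/certs/ca.pem would hold) and a leaf it issued for host.
func BuildTestPKI(host string) (caPEM []byte, leaf *x509.Certificate) {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	ca, caKey := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Local CA"}, NotBefore: nb, NotAfter: na,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	leaf, _ = makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: nb, NotAfter: na, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw}), leaf
}

// VerifyRegistryCert mirrors the pull's TLS check: chain the registry leaf to the roots trusted for host.
func VerifyRegistryCert(leaf *x509.Certificate, caPEM []byte, host string) error {
	var roots *x509.CertPool // nil = system trust store only: the "unknown authority" state for a private CA
	if caPEM != nil {
		if roots = x509.NewCertPool(); !roots.AppendCertsFromPEM(caPEM) { // placeholder never replaced?
			return errors.New("no certificate could be parsed from the CA file")
		}
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```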
