环境说明:
我registry搭建的环境在centos7上,在出现报错之前,已经在将registry的证书放在了/etc/containerd/certs.d/registry.xxxxxxxxx.cn/registry.xxxxxxxxx.cn.crt 目录下,结果在kubernetes集群内部 pull 镜像时,还是出现了下面的报错:
Failed to pull image "registry.xxxxxxxxx.cn/xxxxxxxxx-server:0.0.11": rpc error: code = Unknown desc = failed to pull and unpack image "registry.xxxxxxxxx.cn/xxxxxxxxx-server:0.0.11": failed to resolve reference "registry.xxxxxxxxx.cn/xxxxxxxxx-server:0.0.11": failed to do request: Head "https://registry.xxxxxxxxx.cn/v2/xxxxxxxxx-server/manifests/0.0.11": x509: certificate signed by unknown authority
- 在 kubernetes 集群外部用 nerdctl pull 镜像时没问题的,能读取
/etc/containerd/certs.d/domin/domain.crt证书,并认证成功
这里猜测是kubernetes不会去自动读取镜像私有仓库的证书
解决步骤
cp /etc/containerd/certs.d/registry.xxxxxxxxx.cn/registry.xxxxxxxxx.cn.crt /etc/pki/ca-trust/source/anchors/ ln -s /etc/pki/ca-trust/source/anchors/registry.xxxxxxxxx.cn.crt /etc/ssl/certs/registry.xxxxxxxxx.cn.crt update-ca-trust systemctl restart containerd # 可能只需要这一步就可以了
- 先是按照centos 导入证书的操作,导入 domain.crt
- 再是重启 containerd。(这里我就没有继续细化去验证了,我觉得不导入domain.crt ,直接重启 containerd 也能解决问题。)
OK。
[2022-12-07验证]:确实需要导入 domain.crt,直接重启 containerd 是不行的。ubuntu 证书导入步骤如下:
root@OpenStack:~# cp /etc/containerd/certs.d/registry.xxxxxxxxx.cn/registry.xxxxxxxxx.cn.crt /usr/local/share/ca-certificates/ root@OpenStack:~# update-ca-certificates Updating certificates in /etc/ssl/certs... rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL 1 added, 0 removed; done. Running hooks in /etc/ca-certificates/update.d... done. root@OpenStack:~# systemctl restart containerd.service
