
How to install a CA in Minikube so image pulls are trusted

I want to use Minikube for local development. It needs to access my company's internal docker registry which is signed w/ a 3rd party certificate.

Locally, I would copy the cert and run update-ca-trust extract or update-ca-certificates depending on the OS.

For the Minikube vm, how do I get the cert installed, registered, and the docker daemon restarted so that docker pull will trust the server?

I had to do something similar recently. You should be able to just hop on the machine with minikube ssh and then follow the directions here

https://docs.docker.com/engine/security/certificates/#understanding-the-configuration

to place the CA in the appropriate directory (/etc/docker/certs.d/[registry hostname]/). You shouldn't need to restart the daemon for it to work.

Well, the minikube has a feature to copy all the contents of ~/.minikube/files directory to its VM filesystem. So you can place your certificates under

~/.minikube/files/etc/docker/certs.d/<docker registry host>:<docker registry port> path

and these files will be copied into the proper destination on minikube startup automagically.
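A small helper for the staging step described above, written as an added example for this page (not minikube or Docker project code): it derives the certs.d directory name from a registry reference the way Docker keys its lookup (host and port as written, no scheme or repository path), checks that the file is actually a PEM certificate, and stages it as ca.crt with daemon-readable permissions under a MINIKUBE_HOME that is assumed to default to $HOME/.minikube.

```shell
# Stage a registry CA under ~/.minikube/files so that minikube copies it to
# /etc/docker/certs.d/<host>:<port>/ca.crt inside the VM on the next start.
# Added example for this page; MINIKUBE_HOME defaulting to $HOME/.minikube
# is an assumption, REGISTRY and CA_PEM are supplied by the caller.

# certs_d_dir REF -> "host[:port]" exactly as Docker names the certs.d
# subdirectory: the scheme and any repository path are dropped, and a
# non-default port is kept verbatim (registry:5000 != registry).
certs_d_dir() {
    ref=$1
    ref=${ref#https://}
    ref=${ref#http://}
    ref=${ref%%/*}
    printf '%s\n' "$ref"
}

# is_pem_cert FILE -> 0 when FILE holds at least one PEM certificate block.
# Docker only loads CA files named *.crt, so an empty file or a private key
# staged as ca.crt would leave the registry untrusted without any error.
is_pem_cert() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# stage_registry_ca REGISTRY CA_PEM [MINIKUBE_HOME]
# Prints the staged path on success, returns 1 when CA_PEM is not a cert.
stage_registry_ca() {
    registry=$1
    ca=$2
    mk_home=${3:-${MINIKUBE_HOME:-$HOME/.minikube}}
    is_pem_cert "$ca" || { echo "not a PEM certificate: $ca" >&2; return 1; }
    dir="$mk_home/files/etc/docker/certs.d/$(certs_d_dir "$registry")"
    mkdir -p "$dir"
    cp "$ca" "$dir/ca.crt"
    chmod 644 "$dir/ca.crt"    # the daemon in the VM must be able to read it
    printf '%s\n' "$dir/ca.crt"
}
```

After staging, a plain minikube start (or minikube delete followed by start) copies the tree into the VM; the port in the directory name must match the one used in the image reference.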

Shell into Minikube.

Copy your certificates to:

/etc/docker/certs.d/<docker registry host>:<docker registry port>

Ensure that your permissions are correct on the certificate, they must be at least readable.

Restart Docker (systemctl restart docker)

Don't forget to create a secret if your Docker Registry uses basic authentication:

kubectl create secret docker-registry service-registry --docker-server=<docker registry host>:<docker registry port> --docker-username=<name> --docker-password=<pwd> --docker-email=<email>

Have you checked ImagePullSecrets?

You can create a secret with your cert and let your pod use it.

By starting up the minikube with the following:

minikube start --insecure-registry=internal-site.dev:5244

It will start the docker daemon with the --insecure-registry option:

/usr/local/bin/docker daemon -D -g /var/lib/docker -H unix:// -H tcp://0.0.0.0:2376 --label provider=virtualbox --insecure-registry internal-site.dev:5244 --tlsverify --tlscacert=/var/lib/boot2docker/ca.pem --tlscert=/var/lib/boot2docker/server.pem --tlskey=/var/lib/boot2docker/server-key.pem -s aufs

but this expects the connection to be HTTP. Unlike in the Docker registry documentation, Basic auth does work, but it needs to be placed in an imagePullSecret from the Kubernetes docs.

I would also recommend reading "Adding imagePullSecrets to service account" (link on the page above) to get the secret added to all pods as they are deployed. Note that this will not impact already deployed pods.

One option that works for me is to run a k8s job to copy the cert to the minikube host...

This is what I used to trust the harbor registry I deployed into my minikube

# Run from bash with MINIKUBE_IP set (e.g. from minikube ip): the unquoted
# heredoc expands ${MINIKUBE_IP//./-}, a bash substitution, into the job spec.
cat > update-docker-registry-trust.yaml << END
apiVersion: batch/v1
kind: Job
metadata:
  name: update-docker-registry-trust
  namespace: harbor
spec:
  template:
    spec:
      containers:
      - name: update
        image: centos:7
        command: ["/bin/sh", "-c"]
        # copy the Harbor ingress CA from the secret into the host's certs.d
        args: ["find /etc/harbor-certs; find /minikube; mkdir -p /minikube/etc/docker/certs.d/core.harbor-${MINIKUBE_IP//./-}.nip.io; cp /etc/harbor-certs/ca.crt /minikube/etc/docker/certs.d/core.harbor-${MINIKUBE_IP//./-}.nip.io/ca.crt; find /minikube"]
        volumeMounts:
        - name: harbor-harbor-ingress
          mountPath: "/etc/harbor-certs"
          readOnly: true
        - name: docker-certsd-volume
          mountPath: "/minikube/etc/docker/"
          readOnly: false
      restartPolicy: Never
      volumes:
      - name: harbor-harbor-ingress
        secret:
          secretName: harbor-harbor-ingress
      - name: docker-certsd-volume
        hostPath:
          # directory location on host
          path: /etc/docker/
          # this field is optional
          type: Directory
  backoffLimit: 4
END
kubectl apply -f update-docker-registry-trust.yaml

You should copy your root certificate to $HOME/.minikube/certs and restart the minikube with --embed-certs flag.

For more details please refer to minikube handbook: https://minikube.sigs.k8s.io/docs/handbook/untrusted_certs/

As best as I can tell, there is no way to do this. The next best option is to use the insecure-registry option at startup.

minikube --insecure-registry=foo.com:5000 
