从 cloud-builders/docker 内部登录私有注册表步骤失败 - 由未知授权机构签名的证书
[英]Login to private registry from inside cloud-builders/docker step fails - certificate signed by unknown authority
问题描述
I need to authenticate to a private registry with a self signed certificate during a Cloud Build step.
我需要在云构建步骤中使用自签名证书向私有注册表进行身份验证。 If I directly execute a docker login , for obvious reasons, this fails with an error: x509: certificate signed by unknown authority - all fine.如果我直接执行docker login ,出于显而易见的原因,这将失败并出现error: x509: certificate signed by unknown authority - 一切正常。
Typically, I'm resolving these kind of issues with the following one-liner:通常,我使用以下单行代码解决此类问题:
openssl s_client -showcerts -connect external-registry.io:5000 < /dev/null | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /usr/local/share/ca-certificates/external-registry.io.crt && \
update-ca-certificates
Sadly, it doesn't work in Cloud Build.遗憾的是,它在 Cloud Build 中不起作用。
name: 'gcr.io/cloud-builders/docker'
env:
entrypoint: 'bash'
args:
- '-c'
- |
openssl s_client -showcerts -connect external-registry.io:5000 < /dev/null | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /usr/local/share/ca-certificates/external-registry.io.crt && \
update-ca-certificates
echo password | docker login external-registry.io:5000 --username administrator --password-stdin
...
The above doesn't work, it fails with error: x509: certificate signed by unknown authority .以上不起作用,它失败并error: x509: certificate signed by unknown authority 。
Interestingly, running the cloud-builders docker container locally everything works flawlessly as expected.有趣的是,在本地运行 cloud-builders docker 容器,一切都按预期完美运行。
git clone https://github.com/GoogleCloudPlatform/cloud-builders.git
cd cloud-builders/docker
docker build -f ./Dockerfile-19.03.8 -t cloudbuilder .
docker run -it --entrypoint /bin/bash cloudbuilder
now inside the container:现在在容器内:
openssl s_client -showcerts -connect external-registry.io:5000 < /dev/null | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /usr/local/share/ca-certificates/external-registry.io.crt && \
update-ca-certificates
echo password | docker login external-registry.io:5000 --username administrator --password-stdin
Login Succeeded
Any explanation and / or workaround would be very appreciated.任何解释和/或解决方法将不胜感激。 How is Google running the cloud-builder containers effectively? Google 如何有效地运行 cloud-builder 容器?
Thank you and cheers!谢谢你,干杯!
1 个解决方案
解决方案1
0 2022-10-04 12:53:45
Have the same problem.有同样的问题。 In my case using Worker Pool to Reach a Private Registry added certs into /etc/docker/certs.d/hostname在我的例子中,使用工作池访问私有注册表将证书添加到/etc/docker/certs.d/hostname
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.