解决了

在Karbon上使用内部CA证书链

1年前
2020年7月17日
6个答复
2030次观看

Userlevel 1

Anibal Ulisses
开拓者
24个答复

你好，

我公司有一个内部CA证书链，我需要在Karbon上安装内部CA.CRT，这是可能的吗？

用例，由于不知道注册服务器上安装的根CA权限，因此无法使用内部注册表中的Kubectl安装POD。

Anibal

图标

最好的答案Anibal Ulisses2020年7月23日，02：01

Hi @AnishWalia20<\/user-mention>\u00a0<\/p>

\u00a0<\/p>

Problem solved\u2026<\/p>

On my notebook docker installation I already configured the certificate like you described:<\/p>

1)\u00a0On master and worker nodes create\u00a0$URL<\/strong>\u00a0directory at\u00a0\/etc\/docker\/certs.d\/<\/strong>\u00a0where\u00a0$URL<\/strong>is replaced with their registry hostname and port:
\u00a0<\/p>

sudo mkdir \/etc\/docker\/certs.d\/example.com:5000<\/code><\/pre>  
 Copy (scp or download)\u00a0registry.crt<\/strong>\u00a0to\u00a0\/etc\/docker\/certs.d\/example.com:5000\/registry.crt<\/strong><\/p> <\/blockquote>  
\u00a0<\/p>  
But I found two problem that after I understand I have success to configure the certificate chain:<\/p>  
Need to run this command to reload the new settings: \tsystemctl daemon-reload && systemctl restart docker<\/code><\/pre> \t<\/li> \tNeed to install the certificate on all Master and Worker nodes, and run step 1 on each one.<\/li> <\/ol>Another point that I faced, unfortunately I have a proxy between my server and internet. When the karbon are deployed they didn\u2019t get the \u201cwhitelist\u201d configure at Prism Element to include on the NO_PROXY variable, they only get the PROXY_HTTP(S) information. I need to adjust on all nodes.\u00a0<\/p>  
\u00a0<\/p>  
No my certificate chain are running fine :-)<\/p>  
\u00a0<\/p>  
Thank you.<\/p>  
Anibal<\/p>  
\u00a0<\/p>","className":"post__content__best_answer"}">

查看原件

Kubernetes karbon 证书 Hi,<\/p> My company have a internal CA certificate chain and I need to install the internal ca.crt on Karbon, it\u2019s possible?<\/p> Use case, install a pod using kubectl from a internal registry are not possible due they didn\u2019t know the root CA authority installed at the registry server.<\/p> Anibal<\/p>","quoteUsername":"Anibal Ulisses","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}"> 喜欢引用分享

6个答复最古老的第一新的先来最佳投票 UserLevel 6 +5 Anishwalia20 Nutanix员工 201回复 1年前 2020年7月17日嘿 @Anibal Ulisses您可以尝试按照Kubernetes文档来创建一个.dockerconfigjson如这里概述的秘密以实现上述： https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ 阿尼什·辛格·瓦利亚（Anish Singh Walia） Hey @Anibal Ulisses<\/user-mention>\u00a0Can you try to follow the Kubernetes documentation for creating a .dockerconfigjson<\/strong> secret as outlined here to achieve the above: https:\/\/kubernetes.io\/docs\/tasks\/configure-pod-container\/pull-image-private-registry\/<\/a><\/p> \u00a0<\/p> \u00a0<\/p>","quoteUsername":"AnishWalia20","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}"> 喜欢引用 UserLevel 6 +5 Anishwalia20 Nutanix员工 201回复 1年前 2020年7月17日嘿， @Anibal Ulisses对不起，上述。我误解了这个问题。我发送的上面文章是针对不同的用例。您需要做以下操作： 1）在主节点和工人节点上创建$ URL目录在/etc/docker/certs.d/在哪里$ URL被其注册表主机和端口替换： sudo mkdir /etc/docker/certs.d/example.com:5000 复制（SCP或下载）注册表至/etc/docker/certs.d/example.com:5000/registry.crt 阿尼什·辛格·瓦利亚（Anish Singh Walia） Hey,\u00a0@Anibal Ulisses<\/user-mention>\u00a0Sorry for the above. I misunderstood the question. The above article I sent is for a different use case.<\/p> \u00a0<\/p> You will need to do the below: 1)\u00a0On master and worker nodes create $URL<\/strong> directory at \/etc\/docker\/certs.d\/<\/strong> where $URL<\/strong> is replaced with their registry hostname and port: \u00a0<\/p> sudo mkdir \/etc\/docker\/certs.d\/example.com:5000<\/code><\/pre> Copy (scp or download) registry.crt<\/strong> to \/etc\/docker\/certs.d\/example.com:5000\/registry.crt<\/strong><\/p> \u00a0<\/p> \u00a0<\/p>","quoteUsername":"AnishWalia20","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}"> 喜欢引用 Userlevel 1 +2 Anibal Ulisses 作者开拓者 24个答复 1年前 2020年7月17日你好 @anishwalia20 太好了，我需要重新启动集群，或者他们识别新证书并重新启动自动？ Hi @AnishWalia20<\/user-mention>\u00a0<\/p> \u00a0<\/p> Great, I need to restart the cluster or they identify the new certificates and restart automatic?<\/p>","quoteUsername":"Anibal Ulisses","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}"> 喜欢引用 UserLevel 6 +5 Anishwalia20 Nutanix员工 201回复 1年前 2020年7月20日嘿 @Anibal Ulisses。抱歉，我无法伸出手。我不确定重新开始的事情。您尝试过以上吗？。让我知道您是否需要其他任何帮助。阿尼什·辛格·瓦利亚（Anish Singh Walia） Hey @Anibal Ulisses<\/user-mention>\u00a0. Sorry I couldn\u2019t reach out. I am not sure about the restart thing.\u00a0<\/p> \u00a0<\/p> Did you try the above? . Let me know if you need help with anything else.\u00a0<\/p>","quoteUsername":"AnishWalia20","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}"> 喜欢引用 Userlevel 1 +2 Anibal Ulisses 作者开拓者 24个答复 1年前 2020年7月23日回答你好 @anishwalia20 问题解决了… 在我的笔记本码头安装上，我已经像您描述的那样配置了证书： 1）在主节点和工人节点上创建$ URL目录在/etc/docker/certs.d/在哪里$ URL被其注册表主机和端口替换： sudo mkdir /etc/docker/certs.d/example.com:5000 复制（SCP或下载）注册表至/etc/docker/certs.d/example.com:5000/registry.crt 但是我发现了两个问题，在我理解我成功配置证书链之后：需要运行此命令以重新加载新设置：SystemCtl守护程序 - 雷亚德&& systemctl restart docker 需要在所有主节点和工人节点上安装证书，并在每个主节上运行步骤1。我面对的另一点，不幸的是，我在服务器和互联网之间有一个代理。当部署karbon时，他们没有在prism元素上获得“白名单”配置，即在no_proxy变量上包括在内，他们只能获取proxy_http（s）信息。我需要调整所有节点。没有我的证书链运行正常:-) 谢谢你。 Anibal Hi @AnishWalia20<\/user-mention>\u00a0<\/p> \u00a0<\/p> Problem solved\u2026<\/p> On my notebook docker installation I already configured the certificate like you described:<\/p> 1)\u00a0On master and worker nodes create\u00a0$URL<\/strong>\u00a0directory at\u00a0\/etc\/docker\/certs.d\/<\/strong>\u00a0where\u00a0$URL<\/strong>is replaced with their registry hostname and port: \u00a0<\/p> sudo mkdir \/etc\/docker\/certs.d\/example.com:5000<\/code><\/pre> Copy (scp or download)\u00a0registry.crt<\/strong>\u00a0to\u00a0\/etc\/docker\/certs.d\/example.com:5000\/registry.crt<\/strong><\/p> <\/blockquote> \u00a0<\/p> But I found two problem that after I understand I have success to configure the certificate chain:<\/p> Need to run this command to reload the new settings: \tsystemctl daemon-reload && systemctl restart docker<\/code><\/pre> \t<\/li> \tNeed to install the certificate on all Master and Worker nodes, and run step 1 on each one.<\/li> <\/ol>Another point that I faced, unfortunately I have a proxy between my server and internet. When the karbon are deployed they didn\u2019t get the \u201cwhitelist\u201d configure at Prism Element to include on the NO_PROXY variable, they only get the PROXY_HTTP(S) information. I need to adjust on all nodes.\u00a0<\/p> \u00a0<\/p> No my certificate chain are running fine :-)<\/p> \u00a0<\/p> Thank you.<\/p> Anibal<\/p> \u00a0<\/p>","quoteUsername":"Anibal Ulisses","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}"> 喜欢引用 UserLevel 6 +5 Anishwalia20 Nutanix员工 201回复 1年前 2020年7月23日啊，太神奇了 @Anibal Ulisses。很高兴能解决。还要感谢您在所有主节点和工人节点上重新启动Docker守护程序的旁注，以使设置持续。阿尼什·辛格·瓦利亚（Anish Singh Walia） Ahh, that is amazing @Anibal Ulisses<\/user-mention>\u00a0. Glad that it worked out. And also thanks for the side note about restarting docker daemon on all the master and worker nodes to make the settings persistent.<\/p>","quoteUsername":"AnishWalia20","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}"> 喜欢引用回复


   
    
     
    
   
   
    
     
      
       由内部提供动力
      
      
     
    
   
   
    
     
     注册
     已经有一个帐户？登录
     
      
      使用您的帐户登录
     
    
    
     
     登录社区
     
     使用您的帐户登录
    
    
     输入您的用户名或电子邮件地址。我们将向您发送带有指令的电子邮件以重置您的密码。
     
      
      
       
        用户名或电子邮件
       
       
        
       
      
      
       
       返回概述
      
      
     
    
    
    
     扫描病毒文件。
     抱歉，我们仍在检查该文件的内容，以确保它可以安全下载。请在几分钟后再试一次。
     好的
    
    
     该文件无法下载
     抱歉，我们的病毒扫描仪检测到该文件无法安全下载。
     好的