解决了

使用内部ca证书链的碳

1年前
2020年7月17日
6个回答
2032的浏览量

Userlevel 1

＋２

Anibal Ulisses
开拓者
24日回复

你好,

我的公司有一个内部的CA证书链，我需要在carbon上安装内部的CA .crt，可以吗?

用例，使用kubectl从内部注册表安装pod是不可能的，因为他们不知道在注册表服务器上安装的根CA权威机构。

Anibal

图标

最佳答案Anibal Ulisses2020年7月23日02:01

Hi @AnishWalia20<\/user-mention>\u00a0<\/p>

\u00a0<\/p>

Problem solved\u2026<\/p>

On my notebook docker installation I already configured the certificate like you described:<\/p>

1)\u00a0On master and worker nodes create\u00a0$URL<\/strong>\u00a0directory at\u00a0\/etc\/docker\/certs.d\/<\/strong>\u00a0where\u00a0$URL<\/strong>is replaced with their registry hostname and port:
\u00a0<\/p>

sudo mkdir \/etc\/docker\/certs.d\/example.com:5000<\/code><\/pre>  
 Copy (scp or download)\u00a0registry.crt<\/strong>\u00a0to\u00a0\/etc\/docker\/certs.d\/example.com:5000\/registry.crt<\/strong><\/p> <\/blockquote>  
\u00a0<\/p>  
But I found two problem that after I understand I have success to configure the certificate chain:<\/p>  
Need to run this command to reload the new settings: \tsystemctl daemon-reload && systemctl restart docker<\/code><\/pre> \t<\/li> \tNeed to install the certificate on all Master and Worker nodes, and run step 1 on each one.<\/li> <\/ol>Another point that I faced, unfortunately I have a proxy between my server and internet. When the karbon are deployed they didn\u2019t get the \u201cwhitelist\u201d configure at Prism Element to include on the NO_PROXY variable, they only get the PROXY_HTTP(S) information. I need to adjust on all nodes.\u00a0<\/p>  
\u00a0<\/p>  
No my certificate chain are running fine :-)<\/p>  
\u00a0<\/p>  
Thank you.<\/p>  
Anibal<\/p>  
\u00a0<\/p>","className":"post__content__best_answer"}">

查看原始

Kubernetes Karbon 证书 Hi,<\/p> My company have a internal CA certificate chain and I need to install the internal ca.crt on Karbon, it\u2019s possible?<\/p> Use case, install a pod using kubectl from a internal registry are not possible due they didn\u2019t know the root CA authority installed at the registry server.<\/p> Anibal<\/p>","quoteUsername":"Anibal Ulisses","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}"> 就像报价分享

6个回答古老的第一最新的第一最好的投票 Userlevel 6 ＋5 AnishWalia20 Nutanix员工 201回复 1年前 2020年7月17日嘿 @Anibal Ulisses您可以尝试按照Kubernetes文档创建一个.dockerconfigjson实现上述目标的秘诀如下: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ 西班牙辛格生活 Hey @Anibal Ulisses<\/user-mention>\u00a0Can you try to follow the Kubernetes documentation for creating a .dockerconfigjson<\/strong> secret as outlined here to achieve the above: https:\/\/kubernetes.io\/docs\/tasks\/configure-pod-container\/pull-image-private-registry\/<\/a><\/p> \u00a0<\/p> \u00a0<\/p>","quoteUsername":"AnishWalia20","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}"> 就像报价 Userlevel 6 ＋5 AnishWalia20 Nutanix员工 201回复 1年前 2020年7月17日嘿, @Anibal Ulisses对上面的事情感到抱歉。我误解了这个问题。上面我发送的文章是针对不同的用例。你需要做以下工作: 1)在主节点和工作节点上创建$ URL目录在/etc/docker/certs.d/在哪里$ URL替换为它们的注册表主机名和端口: sudo mkdir /etc/docker/certs.d/example.com: 5000 复制(scp或下载)registry.crt来/etc/docker/certs.d/example.com: 5000 / registry.crt 西班牙辛格生活 Hey,\u00a0@Anibal Ulisses<\/user-mention>\u00a0Sorry for the above. I misunderstood the question. The above article I sent is for a different use case.<\/p> \u00a0<\/p> You will need to do the below: 1)\u00a0On master and worker nodes create $URL<\/strong> directory at \/etc\/docker\/certs.d\/<\/strong> where $URL<\/strong> is replaced with their registry hostname and port: \u00a0<\/p> sudo mkdir \/etc\/docker\/certs.d\/example.com:5000<\/code><\/pre> Copy (scp or download) registry.crt<\/strong> to \/etc\/docker\/certs.d\/example.com:5000\/registry.crt<\/strong><\/p> \u00a0<\/p> \u00a0<\/p>","quoteUsername":"AnishWalia20","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}"> 就像报价 Userlevel 1 ＋２ Anibal Ulisses 作者开拓者 24日回复 1年前 2020年7月17日嗨 @AnishWalia20 很好，我需要重启集群还是他们识别新的证书并自动重启? Hi @AnishWalia20<\/user-mention>\u00a0<\/p> \u00a0<\/p> Great, I need to restart the cluster or they identify the new certificates and restart automatic?<\/p>","quoteUsername":"Anibal Ulisses","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}"> 就像报价 Userlevel 6 ＋5 AnishWalia20 Nutanix员工 201回复 1年前 2020年7月20 嘿 @Anibal Ulisses．抱歉我没能联系到你。我对重新开始的事不太确定。你试过上面的方法吗?．如果你还有其他需要帮助的地方就告诉我。西班牙辛格生活 Hey @Anibal Ulisses<\/user-mention>\u00a0. Sorry I couldn\u2019t reach out. I am not sure about the restart thing.\u00a0<\/p> \u00a0<\/p> Did you try the above? . Let me know if you need help with anything else.\u00a0<\/p>","quoteUsername":"AnishWalia20","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}"> 就像报价 Userlevel 1 ＋２ Anibal Ulisses 作者开拓者 24日回复 1年前 2020年7月23日回答嗨 @AnishWalia20 问题解决了… 在我的笔记本电脑docker安装，我已经配置了证书，如您所描述的: 1)在主节点和工作节点上创建$ URL目录在/etc/docker/certs.d/在哪里$ URL替换为它们的注册表主机名和端口: sudo mkdir /etc/docker/certs.d/example.com: 5000 复制(scp或下载)registry.crt来/etc/docker/certs.d/example.com: 5000 / registry.crt 但是在我理解成功配置证书链后，我发现了两个问题: 需要运行此命令重新加载新的设置:Systemctl daemon-reload && Systemctl restart docker 需要在所有Master和Worker节点上安装证书，并在每个节点上运行步骤1。我面临的另一个问题是，我的服务器和互联网之间有一个代理。当碳部署时，他们没有在Prism Element得到“白名单”配置，包括NO_PROXY变量，他们只得到PROXY_HTTP(S)信息。我需要调整所有节点。不，我的证书链运行良好:-) 谢谢你！ Anibal Hi @AnishWalia20<\/user-mention>\u00a0<\/p> \u00a0<\/p> Problem solved\u2026<\/p> On my notebook docker installation I already configured the certificate like you described:<\/p> 1)\u00a0On master and worker nodes create\u00a0$URL<\/strong>\u00a0directory at\u00a0\/etc\/docker\/certs.d\/<\/strong>\u00a0where\u00a0$URL<\/strong>is replaced with their registry hostname and port: \u00a0<\/p> sudo mkdir \/etc\/docker\/certs.d\/example.com:5000<\/code><\/pre> Copy (scp or download)\u00a0registry.crt<\/strong>\u00a0to\u00a0\/etc\/docker\/certs.d\/example.com:5000\/registry.crt<\/strong><\/p> <\/blockquote> \u00a0<\/p> But I found two problem that after I understand I have success to configure the certificate chain:<\/p> Need to run this command to reload the new settings: \tsystemctl daemon-reload && systemctl restart docker<\/code><\/pre> \t<\/li> \tNeed to install the certificate on all Master and Worker nodes, and run step 1 on each one.<\/li> <\/ol>Another point that I faced, unfortunately I have a proxy between my server and internet. When the karbon are deployed they didn\u2019t get the \u201cwhitelist\u201d configure at Prism Element to include on the NO_PROXY variable, they only get the PROXY_HTTP(S) information. I need to adjust on all nodes.\u00a0<\/p> \u00a0<\/p> No my certificate chain are running fine :-)<\/p> \u00a0<\/p> Thank you.<\/p> Anibal<\/p> \u00a0<\/p>","quoteUsername":"Anibal Ulisses","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}"> 就像报价 Userlevel 6 ＋5 AnishWalia20 Nutanix员工 201回复 1年前 2020年7月23日啊，太神奇了 @Anibal Ulisses．很高兴成功了。同时也感谢关于在所有主节点和工作节点上重启docker守护进程以使设置持久的边注。西班牙辛格生活 Ahh, that is amazing @Anibal Ulisses<\/user-mention>\u00a0. Glad that it worked out. And also thanks for the side note about restarting docker daemon on all the master and worker nodes to make the settings persistent.<\/p>","quoteUsername":"AnishWalia20","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}"> 就像报价回复


   
    
     
    
   
   
    
     
      
       由内
      
      
     
    
   
   
    
     
     报名
     已经有账户了?登录
     
      
      用你的帐户登入
     
    
    
     
     登录社区
     
     用你的帐户登入
    
    
     输入您的用户名或电子邮件地址。我们会给你发一封电子邮件，告诉你如何重置密码。
     
      
      
       
        用户名或电子邮件
       
       
        
       
      
      
       
       回到概述
      
      
     
    
    
    
     扫描文件病毒。
     抱歉，我们仍在检查这个文件的内容，以确保下载是安全的。请几分钟后再试。
     好吧
    
    
     无法下载此文件
     对不起，我们的病毒扫描程序检测到这个文件下载不安全。
     好吧