AKS + on-prem registry + self-signed cert

I have no idea if AKS questions can even be asked on here. If not, my apologies.

Scenario:

I have AKS set up. 3 nodes. I have a private Docker registry running in Artifactory on prem. There is a VPN tunnel between Azure and on prem.

I created a deployment to pull an image out of our private registry. Here is where the fun comes in. Corp policy dictates that internal servers use certificates from our enterprise CA. So the cert on the Artifactory box is trusted by default by internal machines and any machine I can get the CA chain added to as a trust… But the AKS nodes. Is there any way to provide the AKS nodes a custom Docker daemon config to see this as an insecure registry? Or a way to add our CA to the nodes?

So far I am not seeing any way to do anything to the AKS nodes short of getting off AKS and just doing Kubernetes straight on VMs in Azure.

Thanks!

I've been using this pattern to load the CA into the Azure host nodes for our on-prem Harbor registry and it's been working great :slight_smile:

1 Like

I think I have seen something similar to this before. This basically just creates a pod on every node that copies the cert info from a secret to a file on the server, correct?

At this point, I firmly believe I am going to have to try it lol.

Glad to see at least someone else has run into this and came up with something that works.

I'll report back!
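A worked version of the pattern described above (a pod on every node copying a CA from a secret to the host), added here as an illustration and not the linked pattern itself. It assumes the nodes run Docker, which trusts `/etc/docker/certs.d/<registry-host>/ca.crt` at pull time; the registry hostname `artifactory.corp.example` and the secret name `registry-ca` are placeholders.

```yaml
# Added example (not the poster's pattern): DaemonSet that copies an
# enterprise CA onto every AKS node so the Docker daemon trusts the
# on-prem registry. Registry hostname and secret name are assumptions.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: registry-ca-installer
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: registry-ca-installer
  template:
    metadata:
      labels:
        app: registry-ca-installer
    spec:
      containers:
      - name: installer
        image: busybox:1.36
        command: ["/bin/sh", "-c"]
        args:
        - |
          set -e
          # Hostname (and :port, if not 443) the registry is reached by;
          # Docker looks for /etc/docker/certs.d/<host>/ca.crt on pull.
          REG=artifactory.corp.example
          mkdir -p /host-certs/"$REG"
          cp /ca/ca.crt /host-certs/"$REG"/ca.crt
          echo "installed CA for $REG on $(hostname)"
          # Keep the pod alive so the DaemonSet does not restart it.
          while true; do sleep 3600; done
        volumeMounts:
        - name: ca
          mountPath: /ca
          readOnly: true
        - name: certs-d
          mountPath: /host-certs
      volumes:
      - name: ca
        secret:
          secretName: registry-ca   # holds only the public CA chain (ca.crt)
      - name: certs-d
        hostPath:
          path: /etc/docker/certs.d  # mount only this directory, not the whole host
          type: DirectoryOrCreate
```

Create the secret from the public CA chain beforehand with `kubectl -n kube-system create secret generic registry-ca --from-file=ca.crt=enterprise-ca.pem`. Nodes running containerd instead of Docker do not read `/etc/docker/certs.d`; there the CA has to go into the node's system trust store or containerd's own registry configuration.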

It seems a little hacky but it was Azure support who gave me that recommendation :slight_smile:

Hope it works!

1 Like

Oh now that's just fantastic LOL

If it works, I'll take it!

You can add "worked with AKS" to the list!!! lol thanks a ton for that!

Hi Guys,

I am creating a new AKS cluster and trying to pull images from on-prem Artifactory. In the above method, where is the busybox image coming from? Is it from Artifactory or from ACR?

The busybox container would be pulling from here.