Microk8s can't pull image from a private registry with ssl self signed certificate

Hi,
My box is Ubuntu 18.04 and last microk8s version from snap. Box setup today.
I have a Docker private image registry with a self-signed certificate.
I prefer to use the basic Kubernetes “imagePullSecrets” info, set in the deployment yaml file.

However, I can’t manage to solve an issue:
The image pull fails on the kubectl create command due to rpc error: code = Unknown desc = failed to resolve image “”: no available registry endpoint: failed to do request: Head “”: x509: certificate signed by unknown authority

According to the microk8s documentation, which suggests doing this: https://github.com/containerd/cri/blob/master/docs/registry.md
I tried to apply it on my setup, but without any success.

Here are the questions:

  • I suppose that config.toml cited in the documentation is the containerd.toml of microk8s: Is that correct?
  • Shall I configure containerd-template.toml or containerd.toml? What is the difference between these 2 files?
  • Can the self-signed SSL certificate of the Registry be considered as a CA cert?
  • In which directory shall I place the self-signed certificate?
  • Shall I rename the self-signed certificate as ca.crt? Is that mandatory?

Thanks a lot
GB

Hi,
I have found how to do it. Maybe there is a better way, but this one works on my box.

1/ You have to edit containerd-template.toml. Follow the doc explanation, it is ok, no problem. Just add the registry such as
[plugins.cri.registry.mirrors.""]
endpoint = ["https://"]
[plugins.cri.registry.configs."".tls]
ca_file = "/etc/ssl/certs/domain.crt"
2/ What is the difference between the 2 files, I don’t know. Can somebody explain?
3/ Maybe the self-signed certificate acts as a CA cert, anyway it’s taken as-is to validate the SSL connection
4/ This is VERY IMPORTANT: put the self-signed certificate in the /etc/ssl/certs directory. I suppose Kubernetes or the underlying libraries check implicitly in this directory. I have not managed to get it working if the certificate is not in this directory.
5/ ca.crt naming is not mandatory, you can name it as you want
Restart microk8s with stop and start
HTH
GB

Here is the config (some text disappeared in the previous post):
[plugins.cri.registry.mirrors."yourregistryFqdn with port"]
endpoint = ["https://yourregistryFqdn with port"]
[plugins.cri.registry.configs."yourregistryFqdn with port".tls]
ca_file = "/etc/ssl/certs/domain.crt"
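The snippet above is easy to get wrong when copied from a forum: curly quotes and a missing slash in the scheme both produce a config that containerd either rejects or silently ignores. The following is an added example, not code from this thread or from the microk8s project, that renders the two TOML tables from a registry host:port and a CA path with correct syntax, merges them into an existing containerd-template.toml text without duplicating an entry that is already there, and, where Python 3.11+ is available, parses the result back to prove it is valid TOML. The registry name, the CA path and the sample template contents are constructed placeholders.

```python
"""Render and merge the containerd mirror/TLS entries for a private registry
with a self-signed certificate.  Added example; hypothetical inputs."""
import re

# Constructed placeholders, not values from the thread.
REGISTRY = "registry.example.internal:5000"
CA_FILE = "/etc/ssl/certs/domain.crt"

# A minimal stand-in for the real containerd-template.toml (constructed).
SAMPLE_TEMPLATE = """\
[plugins.cri.registry.mirrors."docker.io"]
  endpoint = ["https://registry-1.docker.io"]
"""

# host or host:port, with no scheme, path or whitespace.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")


def render_registry_config(registry: str, ca_file: str) -> str:
    """Return the mirror table and the matching TLS table for one registry.

    The output uses straight ASCII quotes and a full "https://" scheme, which
    are exactly the two details that got mangled in the pasted snippets.
    """
    if not _HOST_RE.match(registry):
        raise ValueError(f"registry must be host[:port] without scheme, got {registry!r}")
    if not ca_file.startswith("/"):
        raise ValueError("ca_file must be an absolute path")
    return (
        f'[plugins.cri.registry.mirrors."{registry}"]\n'
        f'  endpoint = ["https://{registry}"]\n'
        f'[plugins.cri.registry.configs."{registry}".tls]\n'
        f'  ca_file = "{ca_file}"\n'
    )


def merge_into_template(template: str, registry: str, ca_file: str) -> str:
    """Append the registry tables unless a mirror for that host already exists,
    so re-running the script does not produce duplicate TOML tables."""
    marker = f'[plugins.cri.registry.mirrors."{registry}"]'
    if marker in template:
        return template
    if not template.endswith("\n"):
        template += "\n"
    return template + render_registry_config(registry, ca_file)


def looks_like_pem_cert(pem_text: str) -> bool:
    """Cheap sanity check that the file pointed to by ca_file is a PEM
    certificate (containerd expects PEM, not DER/.cer)."""
    return ("-----BEGIN CERTIFICATE-----" in pem_text
            and "-----END CERTIFICATE-----" in pem_text)


def parsed_endpoint(toml_text: str, registry: str):
    """Parse the merged text with the standard-library TOML parser (3.11+)
    and return the endpoint list for the registry; None if tomllib is absent."""
    try:
        import tomllib
    except ImportError:
        return None
    data = tomllib.loads(toml_text)
    return data["plugins"]["cri"]["registry"]["mirrors"][registry]["endpoint"]


if __name__ == "__main__":
    merged = merge_into_template(SAMPLE_TEMPLATE, REGISTRY, CA_FILE)
    print(merged)
    print("parsed endpoint:", parsed_endpoint(merged, REGISTRY))
```

Run it, compare the printed tables with what is in your containerd-template.toml, then restart microk8s as the post above says. If the merged text fails to parse under tomllib, the quoting is wrong and containerd will not pick the registry up either.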

With regards to the difference between containerd-template.toml vs containerd.toml.

It is that microk8s uses containerd-template.toml to apply templating to certain configurations.
