Microk8s can't pull image from a private registry with ssl self signed certificate

My box is Ubuntu 18.04 with the latest microk8s version from snap. The box was set up today.
I have a Docker private image registry with a self-signed certificate.
I prefer to use the basic Kubernetes “imagePullSecrets” info, set in the deployment yaml file.

However, I can’t manage to solve an issue:
The image pull fails on the kubectl create command due to rpc error: code = Unknown desc = failed to resolve image “”: no available registry endpoint: failed to do request: Head “”: x509: certificate signed by unknown authority

The microk8s documentation suggests doing this: https://github.com/containerd/cri/blob/master/docs/registry.md
I tried to apply it on my setup, but without any success.

Here are the questions:

  • I suppose that the config.toml cited in the documentation is the containerd.toml of microk8s. Is that correct?
  • Shall I configure containerd-template.toml or containerd.toml? What is the difference between these 2 files?
  • Can the self-signed SSL certificate of the registry be considered as a CA cert?
  • In which directory shall I place the self-signed certificate?
  • Shall I rename the self-signed certificate as ca.crt? Is that mandatory?

Thanks a lot

I have found how to do it. Maybe there is a better way, but this one works on my box.

1/ You have to edit containerd-template.toml. Follow the doc explanation, it is ok, no problem. Just add the registry such as
endpoint = ["https://"]
ca_file = "/etc/ssl/certs/domain.crt"
2/ What is the difference between the 2 files? I don’t know. Can somebody explain?
3/ Maybe the self-signed certificate acts as a CA cert; anyway, it’s taken as-is to validate the SSL connection.
4/ This is VERY IMPORTANT: put the self-signed certificate in the /etc/ssl/certs directory. I suppose Kubernetes or the underlying libraries check implicitly in this directory. I have not managed to get it working if the certificate is not in this directory.
5/ ca.crt naming is not mandatory, you can name it as you want
Restart microk8s with stop and start

Here is the config (some text disappeared in the previous post)
[plugins.cri.registry.mirrors."yourregistryFqdn with port"]
endpoint = ["https://yourregistryFqdn with port"]
[plugins.cri.registry.configs."yourregistryFqdn with port".tls]
ca_file = "/etc/ssl/certs/domain.crt"

With regard to the difference between containerd-template.toml and containerd.toml:

microk8s uses containerd-template.toml to apply templating to certain configurations.