Channels
academy
amazon
arm
azure
cabpr
chinese
ci-cd
danish
deutsch
developer
elemental
epinio
espanol
events
extensions
fleet
français
gcp
general
harvester
harvester-dev
hobbyfarm
hypper
japanese
k3d
k3os
k3s
k3s-contributor
kim
kubernetes
kubewarden
lima
logging
longhorn-dev
longhorn-storage
masterclass
mesos
mexico
nederlands
neuvector-security
office-hours
one-point-x
onlinemeetup
onlinetraining
opni
os
ozt
phillydotnet
portugues
rancher-desktop
rancher-extensions
rancher-setup
rancher-wrangler
random
rfed_ara
rio
rke
rke2
russian
s3gw
service-mesh
storage
submariner
supermicro-sixsq
swarm
terraform-controller
terraform-provider-rancher2
terraform-provider-rke
theranchcast
training-0110
training-0124
training-0131
training-0207
training-0214
training-1220
ukranian
v16-v21-migration
vsphere
windows
Title
s
stale-painting-80203
03/31/2023, 6:59 PMAnyone know how I can resolve a x509 error when pulling an image into a RKE2 cluster from a private container registry? I tried adding additionalCA to rancher as per https://ranchermanager.docs.rancher.com/v2.6/getting-started/installation-and-upgrade/installation-references/helm-chart-options#addition[…]sted-cas
Warning Failed 20m (x3 over 20m) kubelet Failed to pull image "harbor10165.senode.dev/sgs/webapp:2.0": rpc error: code = Unknown desc = failed to pull and unpack image "harbor10165.senode.dev/sgs/webapp:2.0": failed to resolve reference "harbor10165.senode.dev/sgs/webapp:2.0": failed to do request: Head "<https://harbor10165.senode.dev/v2/sgs/webapp/manifests/2.0>": x509: certificate signed by unknown authorityc
creamy-pencil-82913
03/31/2023, 7:01 PMThose docs are for Rancher, you should be looking at the RKE2 docs.
https://docs.rke2.io/install/containerd_registry_configuration#configs
s
stale-painting-80203
03/31/2023, 7:27 PMThanks @creamy-pencil-82913!
Do you know if I can apply this to already running cluster? Do I just restart the rke2-server?
I am running a downstream cluster with 3 etcd nodes and 2 ctrl nodes and 3 worker nodes. It recommends doing this on each node, but which type of node?
c
creamy-pencil-82913
03/31/2023, 7:47 PMyes you can change that on a running cluster. You need to configure the registries.yaml on all of the nodes in the cluster.
This is just passed through directly to containerd running on that node, so you need to configure it on any node you want to trust that registry. So probably all of them?
If you provisioned the cluster via Rancher there’s actually a spot in the Cluster management UI for configuring registries, and it will push it out to all the nodes for you.
s
stale-painting-80203
03/31/2023, 8:18 PMI just found that I can configure this directly from rancher UI for the cluster config. It seems to write the registries.yaml file to all nodes.
c
creamy-pencil-82913
03/31/2023, 8:20 PMyep thats what I was just referring to
s
stale-painting-80203
03/31/2023, 8:24 PMit still issues, but maybe I am not using the registries.yml correctly.
{
"configs":{
"harbor10165":{
"auth":{
"username":"my-username",
"password":"my-assword",
"auth":"",
"identity_token":""
},
"tls":{
"ca_file":"",
"cert_file":"",
"key_file":"",
"insecure_skip_verify":true
}
}
},
"mirrors":{
"harbor10165":{
"endpoint":[
"<https://harbor10165.senode.dev>"
]
}
}
}
kubectl run webapp --image=harbor10165.senode.dev/sgs/webapp:2.0 --port=8080 --expose=true --labels="app=webapp"The pod fails with x509
corrected the hostname and now the x509 is resolved.
Thanks again!