
stale-painting-80203

03/31/2023, 6:59 PM
Anyone know how I can resolve an x509 error when pulling an image into an RKE2 cluster from a private container registry? I tried adding additionalCA to Rancher as per https://ranchermanager.docs.rancher.com/v2.6/getting-started/installation-and-upgrade/installation-references/helm-chart-options#addition[…]sted-cas
Warning  Failed     20m (x3 over 20m)  kubelet            Failed to pull image "harbor10165.senode.dev/sgs/webapp:2.0": rpc error: code = Unknown desc = failed to pull and unpack image "harbor10165.senode.dev/sgs/webapp:2.0": failed to resolve reference "harbor10165.senode.dev/sgs/webapp:2.0": failed to do request: Head "https://harbor10165.senode.dev/v2/sgs/webapp/manifests/2.0": x509: certificate signed by unknown authority

creamy-pencil-82913

03/31/2023, 7:01 PM
Those docs are for Rancher, you should be looking at the RKE2 docs. https://docs.rke2.io/install/containerd_registry_configuration#configs

stale-painting-80203

03/31/2023, 7:27 PM
Thanks @creamy-pencil-82913! Do you know if I can apply this to an already running cluster? Do I just restart rke2-server?
I am running a downstream cluster with 3 etcd nodes, 2 control plane nodes and 3 worker nodes. It recommends doing this on each node, but which type of node?

creamy-pencil-82913

03/31/2023, 7:47 PM
Yes, you can change that on a running cluster. You need to configure the registries.yaml on all of the nodes in the cluster.
This is just passed through directly to containerd running on that node, so you need to configure it on any node you want to trust that registry. So probably all of them?
If you provisioned the cluster via Rancher, there's actually a spot in the Cluster Management UI for configuring registries, and it will push it out to all the nodes for you.

stale-painting-80203

03/31/2023, 8:18 PM
I just found that I can configure this directly from rancher UI for the cluster config. It seems to write the registries.yaml file to all nodes.

creamy-pencil-82913

03/31/2023, 8:20 PM
Yep, that's what I was just referring to.

stale-painting-80203

03/31/2023, 8:24 PM
It still has issues, but maybe I am not using the registries.yml correctly.
{
   "configs":{
      "harbor10165":{
         "auth":{
            "username":"my-username",
            "password":"my-password",
            "auth":"",
            "identity_token":""
         },
         "tls":{
            "ca_file":"",
            "cert_file":"",
            "key_file":"",
            "insecure_skip_verify":true
         }
      }
   },
   "mirrors":{
      "harbor10165":{
         "endpoint":[
            "https://harbor10165.senode.dev"
         ]
      }
   }
}

kubectl run webapp --image=harbor10165.senode.dev/sgs/webapp:2.0 --port=8080 --expose=true --labels="app=webapp"
The pod fails with x509.
Corrected the hostname and now the x509 is resolved.
Thanks again!