# general
a
c
you don’t have to configure the private registry as the system registry. In the cluster configuration UI in rancher, leave the “system registry” text box at the top blank, and then add your registry and configure the credentials in the area down below.
It should look something like this - note that the “container registry” field at the top is left empty, but I’ve clicked “Show Advanced” and configured registry authentication for registry.example.com
I wish the advanced section wasn’t hidden by default and only available if you check the box to enable cluster-scoped registry, but that’s how it is at the moment.
a
Ah, ok, that makes sense. Yea it's a bit confusing the way that is laid out. Yea, if that "additional registry" section was visible by default with the system registry being hidden unless the box is checked, it might make it easier to digest. Or even just better labels defining "system registry" and "additional registry" so they are more distinct. Thanks for the help, I couldn't find documentation on that anywhere, and the linked documentation is what I was originally trying, but that's messing around with files on the nodes themselves. https://docs.rke2.io/install/containerd_registry_configuration/ For the CA Cert Bundle, is it possible to point that at a secret or is it just copy/paste only?
well. pasting the CA bundle gives me a big long error
c
I think that one just takes inline PEM text? I can’t remember
you definitely don’t want to do a whole giant kitchen sink bundle. Should just be one or two certs for the root/chain
a
yea, even trying just one gives me a big long red "failed calling webhook" error message. Maybe it doesn't like the new lines or something in the text.
c
that should be OK. What’s the full error? The error from the webhook should tell you what it doesn’t like.
huh, I see it too. that’s fun.
a
lol yea.... sorry I was trying to recreate it here since it's happening in the air-gapped network and I can't just copy/paste.
c
it wants it as a base64 encoded string 🙃
brandond@seago:~$ cat cert.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

brandond@seago:~$ base64 cert.pem
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
I know it ends up double-encoded but apparently that’s what it wants
if you look at the logs of the wrancher-webhook pod on the management cluster you can see the actual error
2024-03-26T20:36:34.038747767Z time="2024-03-26T20:36:34Z" level=error msg="failed to unmarshal request object: illegal base64 data at input byte 0"
a
wow, yep. My cluster yaml is ugly, I've got the ca bundle pem in clear text for the helm configmap, then the same thing in base64 for the registry. What is the tlsSecretName? Is it for if we have a client cert to use for authenticating with the private registry? The dropdown doesn't give me an option to select one or create one. I don't need it now but might be useful in the future.
c
if you create a TLS Certificate secret (type: kubernetes.io/tls) you can use that to pass the cert and key to use for client certificate auth
if your registry supports that
a
Ah, cool, so if I already have that secret in there then it will show up in the dropdown? Our registry does support that, but we've been using an access token for so long we're just reusing it for this and it works. It's probably worth doing, the less credentials we have to worry about the better. Thanks for the help, it all works now. Would it be worth me putting in a ticket to improve the documentation on that whole thing? Just a few more obvious labels (base64 encode the CA, distinguish between system registry and additional registry) would make it pretty simple.
c