
Private Registry Auth

Private registry SSL authentication methods by runtime

Tanzu

1. Run the following steps in the management cluster context.
2. Edit the KubeadmConfigTemplate of the worker MachineDeployment:

```shell
kubectl edit kubeadmconfigtemplate CLUSTER-NAME-md-0
```

Add the Harbor CA file and the containerd registry settings (excerpt of spec.template.spec):

```yaml
files:
- content: |
    -----BEGIN CERTIFICATE-----
    MIIDKDCCAhCgAwIBAgIQVoYJg+xQpZzDwO6kqyJxHTANBgkqhkiG9w0BAQsFADAU
    MRIwEAYDVQQDEwlIYXJib3IgQ0EwHhcNMjIxMjA1MDcwMzU1WhcNMzIxMjAyMDcw
    MzU1WjAUMRIwEAYDVQQDEwlIYXJib3IgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
    DwAwggEKAoIBAQDDiY2CXC0w9V8jLCohEf8z841sCMc9eLjqVW7VyDZDH/qaSHHW
    zxR4o9ArDIjjhPzLY1qEjpj6RpOFp5D8KZiKJFw4g8N3cM9cLJF5W4rK0Mslj7vG
    r3ZD8FL82EpJ2qDc6KZ3szL4JkttIzI7Qfx66SsQa3+aOg16haVvj+hL7IISJH5j
    5IUetpKBFLYFc4i5btb/7DEFEFEQ8q4FvBk6/6CM1638K6nH7KFkNnH2YhHWZuMy
    wreF2PXbIeBqZ/bP6MekgYYuBU+NeUiC3Thcv9kyTKMKGEb1IAW8fhpRn82fAAVj
    z9Ei++H7SaiZWGnSyjYqfEjFFK3G2zCvD8uNAgMBAAGjdjB0MA4GA1UdDwEB/wQE
    AwICBDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUw
    AwEB/zAdBgNVHQ4EFgQUtrEPkUoRWwbvrsfwRrpUnYDaHzswEwYDVR0RBAwwCoII
    aGFyYm9yY2EwDQYJKoZIhvcNAQELBQADggEBALHPFEhcK8jCq9EGzVrbsZ8cDg3m
    jJ3c02lDjsHboCe+FhkMRo+GGCkCB0HmC+j2ygD+aIkdGCBXNg3GMmvuDliIXkb4
    M8CJwcVvWgfkU5+cPLmwLe7YTRabyTyt0l1d62dchP2kXLNuD3IsZX7ShdrePA2C
    KMzPOd6vgjfioGuvs9oG0KMmPIyBMGB3ZcgjLa1gUpnMMtQJT9nJEaJX2isKyQPz
    WTqn48tq0oO5Lh0XJdElcwsiXKv+YGayCGMo1djwdiolr1dRA5Rui6INg6yzKLZl
    CpsmMJ9pRmtVY2Ra80ELOwSkkw8hP6ZzSoHXGkUfFK9DA3WAX26Eqc2smv0=
    -----END CERTIFICATE-----
  owner: root:root
  path: /etc/ssl/certs/harbor-internal-ca.pem
  permissions: "0644"
joinConfiguration:
  nodeRegistration:
    kubeletExtraArgs:
      cloud-provider: aws
      tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    name: '{{ ds.meta_data.local_hostname }}'
preKubeadmCommands:
- echo '[plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.aikoo.net".tls]' >> /etc/containerd/config.toml
- echo ' ca_file = "/etc/containerd/harbor.aikoo.net.crt"' >> /etc/containerd/config.toml
- systemctl restart containerd
- sed -i 's|".*/pause|"harbor.aikoo.net/tanzu/pause|' /etc/containerd/config.toml
- systemctl restart containerd
- '! which rehash_ca_certificates.sh 2>/dev/null || rehash_ca_certificates.sh'
- '! which update-ca-certificates 2>/dev/null || (mv /etc/ssl/certs/harbor-internal-ca.pem /usr/local/share/ca-certificates/harbor-internal-ca.crt && update-ca-certificates)'
- systemctl restart containerd
useExperimentalRetryJoin: true
```

4. Trigger a rolling update of the worker nodes so the new template is applied:

```shell
kubectl patch machinedeployments.cluster.x-k8s.io CLUSTER-NAME-md-0 --type merge -p "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"date\":\"`date +'%s'`\"}}}}}"
```

Docker

```shell
cat ~/.docker/config.json
```

```json
{
  "auths": {
    "https://index.docker.io/v1/": {
      "auth": "c3R...zE2"
    }
  }
}
```

Containerd

Certificate registration

```shell
# [All Kubernetes nodes] copy the SSL certificate .crt files to /etc/pki/ca-trust/source/anchors
$ update-ca-trust
# Register the private registry domain in /etc/hosts
$ systemctl restart containerd
$ systemctl restart docker
$ systemctl restart cri-o
```
Account registration

```shell
$ vi /etc/containerd/config.toml
```

```toml
[plugins]
  [plugins."io.containerd.grpc.v1.cri"]
    sandbox_image = "k8s.gcr.io/pause:3.3"
    max_container_log_line_size = -1
    [plugins."io.containerd.grpc.v1.cri".containerd]
      default_runtime_name = "runc"
      snapshotter = "overlayfs"
      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
          runtime_type = "io.containerd.runc.v2"
          runtime_engine = ""
          runtime_root = ""
          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
            SystemdCgroup = true
    [plugins."io.containerd.grpc.v1.cri".registry]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
          endpoint = ["https://registry-1.docker.io"]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."harbor.seoul.paas-ta.co.kr:443"]
          endpoint = ["https://harbor.seoul.paas-ta.co.kr:443"]
      [plugins."io.containerd.grpc.v1.cri".registry.configs]
        [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.seoul.paas-ta.co.kr:443".auth]
          username = "admin"
          password = "Harbor12345"
        [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.seoul.paas-ta.co.kr:443".tls]
          ca_file = "/data/registry/cert.d/ca.crt"
          cert_file = "/data/registry/cert.d/harbor.seoul.paas-ta.co.kr.crt"
          key_file = "/data/registry/cert.d/harbor.seoul.paas-ta.co.kr.key"
```
If the registry has not registered SSL

```shell
# If the engine is Docker: reuse the existing Docker login
kubectl create secret generic regcred \
  --from-file=.dockerconfigjson=/root/.docker/config.json \
  --type=kubernetes.io/dockerconfigjson

# Registry ID/PW authentication method
kubectl create secret docker-registry regcred \
  --docker-username=admin \
  --docker-password=Harbor12345 \
  --docker-server=harbor.seoul.paas-ta.co.kr:443

$ cat deployment.yml
```

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: private-reg
spec:
  containers:
  - name: private-reg-container
    image: <your-private-image>
  imagePullSecrets:
  - name: <your-secret>
```
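As an added example (not code from the original page), the following Python shows what the two `kubectl create secret` commands above actually store: a Docker `config.json` `auth` entry is base64 of `user:password`, and a `kubernetes.io/dockerconfigjson` Secret wraps that JSON in a second base64 layer, so anyone who can read the Secret can read the registry password. The registry host, username and password are placeholders, not values from the page.

```python
"""Build and unwrap the credential formats used by imagePullSecrets.
Added example: REGISTRY, USERNAME and PASSWORD are placeholders."""
import base64
import json

REGISTRY = "harbor.example.internal:443"  # placeholder registry host
USERNAME = "robot$deployer"               # placeholder account
PASSWORD = "example-token"                # placeholder credential


def docker_config(server: str, username: str, password: str) -> dict:
    """Return the config.json structure `docker login` would write."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"auths": {server: {"auth": token}}}


def decode_auth(config: dict, server: str) -> tuple:
    """Recover user and password from an 'auth' entry. Split on the first
    ':' only, because passwords and tokens may themselves contain ':'."""
    raw = base64.b64decode(config["auths"][server]["auth"]).decode()
    user, _, password = raw.partition(":")
    return user, password


def pull_secret(name: str, config: dict) -> dict:
    """Manifest equivalent to `kubectl create secret docker-registry`:
    the whole config.json goes into data[".dockerconfigjson"], base64-encoded."""
    blob = json.dumps(config, separators=(",", ":")).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(blob).decode()},
    }


def secret_credentials(secret: dict) -> dict:
    """Unwrap both base64 layers of a pull secret and return
    {server: (user, password)}; neither layer is encryption."""
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    return {srv: decode_auth(cfg, srv) for srv in cfg["auths"]}


if __name__ == "__main__":
    cfg = docker_config(REGISTRY, USERNAME, PASSWORD)
    secret = pull_secret("regcred", cfg)
    print(json.dumps(secret, indent=2))
    print(secret_credentials(secret))  # plaintext user and password
```

Because the Secret is only encoded, restrict `get`/`list` on Secrets in the namespace with RBAC and prefer a least-privilege robot account over the registry admin user.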