Private registry SSL certificate setup per runtime
Tanzu
1. Work in the management cluster context
2. kubectl edit kubeadmconfigtemplate CLUSTER-NAME-md-0
3. In the editor, add the CA file under files: and the containerd registry commands under preKubeadmCommands:
files:
- content: |
    -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
  owner: root:root
  path: /etc/ssl/certs/harbor-internal-ca.pem
  permissions: "0644"
joinConfiguration:
  nodeRegistration:
    kubeletExtraArgs:
      cloud-provider: aws
      tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    name: '{{ ds.meta_data.local_hostname }}'
preKubeadmCommands:
- echo '[plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.aikoo.net".tls]' >> /etc/containerd/config.toml
- echo ' ca_file = "/etc/containerd/harbor.aikoo.net.crt"' >> /etc/containerd/config.toml
- systemctl restart containerd
- sed -i 's|".*/pause|"harbor.aikoo.net/tanzu/pause|' /etc/containerd/config.toml
- systemctl restart containerd
- '! which rehash_ca_certificates.sh 2>/dev/null || rehash_ca_certificates.sh'
- '! which update-ca-certificates 2>/dev/null || (mv /etc/ssl/certs/harbor-internal-ca.pem /usr/local/share/ca-certificates/harbor-internal-ca.crt && update-ca-certificates)'
- systemctl restart containerd
useExperimentalRetryJoin: true
Check the paths before rolling nodes: the files: entry writes the CA to /etc/ssl/certs/harbor-internal-ca.pem and the update-ca-certificates command moves it to /usr/local/share/ca-certificates/harbor-internal-ca.crt, but the containerd tls block points ca_file at /etc/containerd/harbor.aikoo.net.crt, which nothing above creates. Either add a second files: entry that writes the CA to that path, or point ca_file at the path that is actually written. When ca_file is set for a host, containerd uses that file for the host instead of the node trust store, so a missing file breaks every pull from harbor.aikoo.net.
4. kubectl patch machinedeployments.cluster.x-k8s.io CLUSTER-NAME-md-0 --type merge -p "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"date\":\"`date +'%s'`\"}}}}}"
Changing the template annotation makes the MachineDeployment roll out new worker nodes built from the edited template; existing nodes are not modified in place.
Docker
After docker login, Docker stores the registry credentials in this file:
cat ~/.docker/config.json
{
  "auths": {
    "https://index.docker.io/v1/": {
      "auth": "c3R...zE2"
    }
  }
}
The auth value is base64(username:password), not a hash, so anyone who can read the file has the password; keep it owned by the user and mode 0600, and prefer a pull-only account.
Containerd
•
Register the certificate
[All Kubernetes nodes]
Copy the SSL certificate .crt files into /etc/pki/ca-trust/source/anchors
$ update-ca-trust
Add the private registry domain to /etc/hosts
$ systemctl restart containerd
$ systemctl restart docker
$ systemctl restart cri-o
The anchors directory and update-ca-trust are the RHEL/CentOS trust store; on Debian/Ubuntu the equivalent is copying the .crt into /usr/local/share/ca-certificates/ and running update-ca-certificates (as the Tanzu preKubeadmCommands above do). Restart only the runtime the node actually uses; the runtime reads the trust store at start, so a restart is required for the new CA to take effect.
•
Register the registry credentials
$ vi /etc/containerd/config.toml
[plugins]
  [plugins."io.containerd.grpc.v1.cri"]
    sandbox_image = "k8s.gcr.io/pause:3.3"
    max_container_log_line_size = -1
    [plugins."io.containerd.grpc.v1.cri".containerd]
      default_runtime_name = "runc"
      snapshotter = "overlayfs"
      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
          runtime_type = "io.containerd.runc.v2"
          runtime_engine = ""
          runtime_root = ""
          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
            SystemdCgroup = true   # TOML keys are case-sensitive; "systemdCgroup" is ignored
    [plugins."io.containerd.grpc.v1.cri".registry]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
          endpoint = ["https://registry-1.docker.io"]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."harbor.seoul.paas-ta.co.kr:443"]
          endpoint = ["https://harbor.seoul.paas-ta.co.kr:443"]
      [plugins."io.containerd.grpc.v1.cri".registry.configs]
        [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.seoul.paas-ta.co.kr:443".auth]
          username = "admin"
          password = "Harbor12345"
        [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.seoul.paas-ta.co.kr:443".tls]
          ca_file = "/data/registry/cert.d/ca.crt"
          cert_file = "/data/registry/cert.d/harbor.seoul.paas-ta.co.kr.crt"
          key_file = "/data/registry/cert.d/harbor.seoul.paas-ta.co.kr.key"
The auth block stores the registry password in plaintext on every node: keep config.toml root-only (0600), use a pull-only robot account instead of admin, and never leave Harbor's default password Harbor12345 in place. ca_file alone is enough to trust a private CA; cert_file and key_file are only needed when the registry requires client certificates (mTLS). On containerd 1.5 and later the registry.mirrors and registry.configs.*.tls keys are deprecated in favour of config_path = "/etc/containerd/certs.d" with a per-host hosts.toml, so check the containerd version before copying this block.
•
When the registry credentials were not registered on the nodes: use a Kubernetes image pull secret
# When the engine is Docker: reuse the credentials saved by docker login
kubectl create secret generic regcred \
  --from-file=.dockerconfigjson=/root/.docker/config.json \
  --type=kubernetes.io/dockerconfigjson
# Authenticate with a registry ID/password directly
kubectl create secret docker-registry regcred \
  --docker-username=admin \
  --docker-password=Harbor12345 \
  --docker-server=harbor.seoul.paas-ta.co.kr:443
Both commands produce the same kubernetes.io/dockerconfigjson Secret. The --from-file form copies every registry entry in config.json, so check that the file holds no unrelated credentials first; the second form leaves the password in shell history. A pull secret only supplies authentication: if the registry uses a private CA, the node-level trust setup above is still required, because a certificate error is not fixed by credentials.
$ cat deployment.yml
apiVersion: v1
kind: Pod
metadata:
  name: private-reg
spec:
  containers:
  - name: private-reg-container
    image: <your-private-image>
  imagePullSecrets:
  - name: <your-secret>   # e.g. the regcred Secret created above, in the same namespace
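To see what the pull secret above actually holds, here is an added example (not from the original page or from kubectl): it builds the .dockerconfigjson the same way Docker and kubectl lay it out, wraps it in a Secret manifest, and then reads the password straight back out of the manifest. The registry host harbor.example.internal:443 and the credentials are placeholders; the recovery step is what anyone with get access to Secrets in the namespace can do, which is why the account in the secret should be a pull-only robot account.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: the Secret that
# `kubectl create secret docker-registry` creates is Docker's config.json,
# base64-wrapped. Build one the same way, then decode it to show the password
# comes straight back out. Server name and credentials are placeholders.
set -eu

b64() { base64 | tr -d '\n'; }   # single-line base64 of stdin

# Docker config.json layout: "auth" = base64("username:password"), reversible.
# (kubectl additionally writes username/password/email fields next to it.)
make_dockerconfigjson() {          # $1=server $2=username $3=password
  local auth
  auth="$(printf '%s:%s' "$2" "$3" | b64)"
  printf '{"auths":{"%s":{"auth":"%s"}}}' "$1" "$auth"
}

# What ends up in the cluster: a Secret of type kubernetes.io/dockerconfigjson
# whose data key ".dockerconfigjson" is base64(config.json).
make_pull_secret_manifest() {      # $1=name $2=server $3=username $4=password
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(make_dockerconfigjson "$2" "$3" "$4" | b64)
EOF
}

# Recover "username:password" from a manifest: two base64 layers, no encryption.
credentials_from_manifest() {      # $1=manifest text
  printf '%s\n' "$1" \
    | sed -n 's/^  \.dockerconfigjson: //p' | base64 -d \
    | sed -n 's/.*"auth":"\([^"]*\)".*/\1/p' | base64 -d
}

# Demo with placeholder values.
MANIFEST="$(make_pull_secret_manifest regcred harbor.example.internal:443 admin Harbor12345)"
printf '%s\n' "$MANIFEST"
echo "recovered from the Secret: $(credentials_from_manifest "$MANIFEST")"
```

Treat the Secret with the same care as the password itself: scope RBAC so that only the service accounts that pull images can read it, and rotate the registry credential if the Secret is ever exposed.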