How to install a CA in Minikube so image pulls are trusted

I want to use Minikube for local development. It needs to access my company's internal Docker registry, which is signed with a third-party certificate.

Locally, I would copy the cert and run update-ca-trust extract or update-ca-certificates, depending on the OS.

For the Minikube VM, how do I get the cert installed and registered, and the Docker daemon restarted, so that docker pull will trust the server?

Answers


I had to do something similar recently. You should be able to just hop on the machine with minikube ssh and then follow the directions here

https://docs.docker.com/engine/security/certificates/#understanding-the-configuration

to place the CA in the appropriate directory (/etc/docker/certs.d/[registry hostname]/). You shouldn't need to restart the daemon for it to work.


Have you checked ImagePullSecrets?

You can create a secret with your cert and let your pod use it.


As best as I can tell, there is no way to do this. The next best option is to use the insecure-registry option at startup.

minikube --insecure-registry=foo.com:5000

By starting up Minikube with the following:

minikube start --insecure-registry=internal-site.dev:5244

It will start the Docker daemon with the --insecure-registry option:

/usr/local/bin/docker daemon -D -g /var/lib/docker -H unix:// -H tcp://0.0.0.0:2376 --label provider=virtualbox --insecure-registry internal-site.dev:5244 --tlsverify --tlscacert=/var/lib/boot2docker/ca.pem --tlscert=/var/lib/boot2docker/server.pem --tlskey=/var/lib/boot2docker/server-key.pem -s aufs

but this expects the connection to be HTTP. Unlike in the Docker registry documentation, Basic auth does work, but it needs to be placed in an imagePullSecret from the Kubernetes docs.

I would also recommend reading "Adding imagePullSecrets to service account" (link on the page above) to get the secret added to all pods as they are deployed. Note that this will not impact already deployed pods.
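The imagePullSecret the answer refers to is an opaque Secret of type kubernetes.io/dockerconfigjson whose payload is a Docker config file. The following added example (not from the answer above or from Minikube/Kubernetes) builds that manifest from a username and password so it can be inspected before being applied, and emits the service-account patch that attaches it to newly created pods. The secret name "regcred" and the "default" service account are assumptions for the example; the registry host and credentials are constructed sample values.

```shell
#!/bin/sh
# Added example: generate the Kubernetes registry pull secret that
# "kubectl create secret docker-registry" produces, plus the ServiceAccount
# patch that makes new pods use it. Nothing here talks to a cluster.
# Assumption: usernames/passwords contain no characters that need JSON
# escaping (quotes, backslashes); such values need escaping before use.

# Docker's "auth" field is base64(user:pass). tr strips GNU base64 line wraps.
docker_auth_token() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# The .dockerconfigjson payload: {"auths":{"<server>":{...}}}
docker_config_json() {
    server="$1"; user="$2"; pass="$3"
    printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
        "$server" "$user" "$pass" "$(docker_auth_token "$user" "$pass")"
}

# Secret manifest. The type kubernetes.io/dockerconfigjson is what kubelet
# expects for image pulls; the data value is the config JSON, base64-encoded.
pull_secret_manifest() {
    name="$1"; server="$2"; user="$3"; pass="$4"
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(docker_config_json "$server" "$user" "$pass" | base64 | tr -d '\n')
EOF
}

# Strategic-merge patch for a ServiceAccount: pods created from it afterwards
# inherit the pull secret. As the answer notes, running pods are unaffected.
service_account_patch() {
    printf '{"imagePullSecrets":[{"name":"%s"}]}' "$1"
}

# Usage (not run here; the password comes from the environment, not argv,
# so it does not land in shell history or "ps" output):
#   pull_secret_manifest regcred internal-site.dev:5244 ci "$REGISTRY_PASSWORD" \
#       | kubectl apply -n default -f -
#   kubectl patch serviceaccount default -n default -p "$(service_account_patch regcred)"
```

Because the Secret carries the password in recoverable form, generate it at deploy time and keep the manifest out of version control; only the service-account patch is safe to commit.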


Shell into Minikube.

Copy your certificates to:

/etc/docker/certs.d/<docker registry host>:<docker registry port>

Ensure that your permissions are correct on the certificate; it must be at least readable.

Restart Docker (systemctl restart docker).

Don't forget to create a secret if your Docker Registry uses basic authentication:

kubectl create secret docker-registry service-registry --docker-server=<docker registry host>:<docker registry port> --docker-username=<name> --docker-password=<pwd> --docker-email=<email>

Well, Minikube has a feature to copy all the contents of the ~/.minikube/files directory into its VM filesystem. So you can place your certificates under the

~/.minikube/files/etc/docker/certs.d/<docker registry host>:<docker registry port>

path, and these files will be copied into the proper destination on Minikube startup automagically.
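Both variants of this answer come down to putting a PEM certificate at /etc/docker/certs.d/<host>:<port>/ inside the VM, either over minikube ssh or by staging it under ~/.minikube/files so Minikube copies it in at startup. The following added example (not from the answer or from Minikube) implements the staging variant as a small POSIX shell function: it rejects a malformed registry name, refuses a file that is not a PEM certificate (a private key dropped into certs.d is an easy mistake), and writes the file with the readable permissions the answer asks for. MINIKUBE_HOME, the registry name and the certificate path are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example: stage a registry CA under $MINIKUBE_HOME/files so that
# "minikube start" copies it to /etc/docker/certs.d/<host>:<port>/ca.crt.
# Assumptions: REGISTRY is "host" or "host:port", CA_PEM is a PEM certificate,
# MINIKUBE_HOME defaults to $HOME/.minikube (override it in tests).

# Destination directory for a registry; Docker keys certs.d on the exact
# host[:port] string used in the image reference.
certs_dir_for() {
    registry="$1"
    case "$registry" in
        ""|*/*|*[[:space:]]*)
            echo "invalid registry name: '$registry'" >&2
            return 1 ;;
    esac
    echo "${MINIKUBE_HOME:-$HOME/.minikube}/files/etc/docker/certs.d/$registry"
}

# Sanity check: a PEM certificate block must be present and no private key
# material may be in the file. Docker only needs the CA's public certificate.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    ! grep -q -- 'PRIVATE KEY' "$1"
}

# Copy the CA into place as <dir>/ca.crt with mode 0644 and print the path.
stage_registry_ca() {
    registry="$1"; ca_pem="$2"
    [ -r "$ca_pem" ] || { echo "cannot read $ca_pem" >&2; return 1; }
    is_pem_cert "$ca_pem" || { echo "$ca_pem is not a PEM certificate" >&2; return 1; }
    dest="$(certs_dir_for "$registry")" || return 1
    mkdir -p "$dest"
    # Docker loads every *.crt in the directory as a trusted CA for this host.
    cp "$ca_pem" "$dest/ca.crt"
    chmod 0644 "$dest/ca.crt"
    echo "$dest/ca.crt"
}

# Usage (not run here):
#   stage_registry_ca registry.example.internal:5000 ./internal-ca.pem
#   minikube start
#   minikube ssh -- ls -l /etc/docker/certs.d/registry.example.internal:5000/
```

After the VM is up, a pull from the registry over HTTPS should succeed without --insecure-registry; if it still fails with a certificate error, check that the directory name matches the host:port exactly as written in the image reference.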

