How to install a CA in Minikube so image pulls are trusted

9/15/2016

I want to use Minikube for local development. It needs to access my company's internal Docker registry, which is signed with a 3rd party certificate.

Locally, I would copy the cert and run update-ca-trust extract or update-ca-certificates depending on the OS.

For the Minikube VM, how do I get the cert installed, registered, and the docker daemon restarted so that docker pull will trust the server?

-- Ben Mathews
docker-registry
kubernetes

6 Answers

1/11/2019

Shell into Minikube.

Copy your certificates to:

/etc/docker/certs.d/<docker registry host>:<docker registry port>

Ensure that your permissions are correct on the certificate; they must be at least readable.

Restart Docker (systemctl restart docker)

Don't forget to create a secret if your Docker Registry uses basic authentication:

kubectl create secret docker-registry service-registry --docker-server=<docker registry host>:<docker registry port> --docker-username=<name> --docker-password=<pwd> --docker-email=<email>
-- Gapmeister66
Source: StackOverflow

1/5/2017

By starting up minikube with the following:

minikube start --insecure-registry=internal-site.dev:5244

It will start the docker daemon with the --insecure-registry option:

/usr/local/bin/docker daemon -D -g /var/lib/docker -H unix:// -H tcp://0.0.0.0:2376 --label provider=virtualbox --insecure-registry internal-site.dev:5244 --tlsverify --tlscacert=/var/lib/boot2docker/ca.pem --tlscert=/var/lib/boot2docker/server.pem --tlskey=/var/lib/boot2docker/server-key.pem -s aufs

but this expects the connection to be HTTP. Unlike in the Docker registry documentation, basic auth does work, but it needs to be placed in an imagePullSecret from the Kubernetes docs.

I would also recommend reading "Adding imagePullSecrets to service account" (link on the page above) to get the secret added to all pods as they are deployed. Note that this will not impact already deployed pods.

-- AlainChiasson
Source: StackOverflow

1/12/2019

Well, the minikube has a feature to copy all the contents of ~/.minikube/files directory to its VM filesystem. So you can place your certificates under

~/.minikube/files/etc/docker/certs.d/<docker registry host>:<docker registry port> path 

and these files will be copied into the proper destination on minikube startup automagically.

-- unbeerable
Source: StackOverflow
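
The ~/.minikube/files approach from the answer above, as an added example that is not part of any answer on this page: a POSIX shell helper that checks the registry name and the PEM file before staging it. The function name stage_registry_ca, its arguments and the target file name ca.crt (Docker's convention for a CA root under certs.d) are assumptions, not taken from the answers.

```shell
#!/bin/sh
# Added example (not from any answer): stage a registry CA under
# <minikube dir>/files so that `minikube start` copies it to
# /etc/docker/certs.d/<host>:<port>/ca.crt inside the VM.
# stage_registry_ca and its arguments are hypothetical names.

stage_registry_ca() (
    ca_file=$1                     # PEM file holding the CA certificate
    registry=$2                    # <docker registry host>[:<docker registry port>]
    mk_dir=${3:-$HOME/.minikube}   # assumed default minikube directory

    # The registry string becomes a directory name: allow only host[:port],
    # which also rules out "/" and ".." path tricks.
    case $registry in
        ''|[!A-Za-z0-9]*|*[!A-Za-z0-9.:-]*|*:*:*|*:|*:*[!0-9]*)
            echo "bad registry name: $registry" >&2
            return 2 ;;
    esac

    # Only a certificate belongs in the trust directory.
    if [ ! -r "$ca_file" ] ||
        ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ca_file"; then
        echo "not a readable PEM certificate: $ca_file" >&2
        return 3
    fi
    # Refuse bundles that also carry a private key.
    if grep -q -e 'PRIVATE KEY-----' "$ca_file"; then
        echo "refusing to copy a private key: $ca_file" >&2
        return 4
    fi

    dest=$mk_dir/files/etc/docker/certs.d/$registry
    mkdir -p "$dest" || return 5
    cp "$ca_file" "$dest/ca.crt" || return 5
    chmod 0644 "$dest/ca.crt" || return 5   # "at least readable"
    printf '%s\n' "$dest/ca.crt"
)

# Usage: sh stage-ca.sh corp-ca.pem registry.example.internal:5000
if [ "$#" -ge 2 ]; then
    stage_registry_ca "$@"
fi
```

The file is picked up the next time the VM is started with minikube start.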

9/22/2016

Have you checked ImagePullSecrets?

You can create a secret with your cert and let your pod use it.

-- Lantao Liu
Source: StackOverflow

4/17/2017

I had to do something similar recently. You should be able to just hop on the machine with minikube ssh and then follow the directions here

https://docs.docker.com/engine/security/certificates/#understanding-the-configuration

to place the CA in the appropriate directory (/etc/docker/certs.d/[registry hostname]/). You shouldn't need to restart the daemon for it to work.

-- Justin Ansari
Source: StackOverflow

10/19/2016

As best as I can tell, there is no way to do this. The next best option is to use the insecure-registry option at startup.

minikube start --insecure-registry=foo.com:5000
-- Ben Mathews
Source: StackOverflow