I have an EKS (Kubernetes) setup with this config file:

```yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://E3D13176159D2CA5C51AF0622AFE252C.yl4.us-east-1.eks.amazonaws.com
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: aws
  name: aws
current-context: aws
kind: Config
preferences: {}
users:
- name: aws
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - token
      - -i
      - terraform-eks-demo-green
      command: aws-iam-authenticator
      env: null
```
The certificate-authority-data here is self-signed (it comes with the EKS AMI). I am trying to set up a private Docker registry for Kubernetes (Artifactory) which is HTTPS and uses an internal cert.

So while applying my container I do the following:

```
kubectl apply --certificate-authority='internal-ca.pem' -f echo-service.yaml
```

which fails with:

```
error: certificate-authority-data and certificate-authority are both specified for kubernetes. certificate-authority-data will override.
```

How do I set up a container to use a different CA cert than the one defined in the Docker config?

Currently any applying of a container fails with:

```
x509: certificate signed by unknown authority
```

because it's using the former cert.
The kubectl certificate-authority option is for the client itself. What you want is to set up the CA inside the container. There are a couple of ways I think you can set this up (not limited to):

1. Create a ConfigMap (or k8s Secret) with the CA content and mount it on your pod, and have your application reference it as the CA config (your Docker registry).
2. Bake the config directly into the container, in some /etc/registry directory for example, and have your application reference it.

The more recommended way is 1, due to the fact that it's generally not advisable to hard-code cred stuff in your container image.
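As an added example of option 1 (this is not the answerer's code or anything from the question), the manifests below put the internal CA certificate in a ConfigMap and mount it read-only into a pod, then point the application at it through an environment variable. The names `internal-ca` and `echo-service`, the image reference, the mount path and the use of `SSL_CERT_FILE` are assumptions; the PEM body is a placeholder to be replaced with the real internal CA certificate.

```yaml
# Added example, not from the original question or answer.
# Assumed names: ConfigMap "internal-ca", Deployment "echo-service".
apiVersion: v1
kind: ConfigMap
metadata:
  name: internal-ca
  namespace: default
data:
  # A CA certificate is public material, so a ConfigMap is the right home;
  # a Secret is only needed when a private key has to be distributed.
  internal-ca.pem: |
    -----BEGIN CERTIFICATE-----
    PLACEHOLDER: paste the internal CA certificate (PEM) here
    -----END CERTIFICATE-----
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: echo-service
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: echo-service
  template:
    metadata:
      labels:
        app: echo-service
    spec:
      containers:
      - name: echo
        # Assumed image reference; replace with the real registry/image.
        image: registry.internal.example/echo:1.0
        env:
        # OpenSSL-based clients and Go's crypto/x509 on Linux read this
        # variable; whether it applies depends on the application's TLS
        # library (assumption: the app uses one of those).
        - name: SSL_CERT_FILE
          value: /etc/ssl/internal/internal-ca.pem
        volumeMounts:
        # Read-only mount so the application cannot alter its own trust anchor.
        - name: internal-ca
          mountPath: /etc/ssl/internal
          readOnly: true
      volumes:
      - name: internal-ca
        configMap:
          name: internal-ca
```

The ConfigMap can also be generated from the PEM file on disk with `kubectl create configmap internal-ca --from-file=internal-ca.pem`, which avoids pasting certificate text into a manifest. Note that this only affects TLS connections made by the application running inside the pod; image pulls performed by the node's container runtime use the node's own trust store and are not changed by a pod-level mount.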