How to configure Konvoy cluster nodes to trust custom certificates?

Overview/Background 

If you are using private container registry with custom certificates to pull images in your konvoy cluster you could need to add the custom certificates to the chain of trust. If the certificates are not added to the chain of trust you will observe image pull failure with the "x509: certificate signed by unknown authority" error message. This article walks you through the steps of adding custom certificates to the chain of trust.

 Add custom certs

Konvoy uses containerd as its container-runtime which in turn relies on the OS's chain of trust so the instruction are going to be distro specific. Regardless of the distro, after updating the chain of trust containerd would needed to be restarted to pick up the changes. this is a known issue with containerd.

RHEL 7 / Centos 7

Copy certificate to CA trust path. Replace the ca.crt in the following command with your custom cert file

sudo cp ca.crt /etc/pki/ca-trust/source/anchors/ 

Update chain of trust

sudo update-ca-trust 

Restart containerd for it to pick up changes

sudo systemctl restart containerd 

Ubuntu/Debian

Copy certificate to CA trust path. Replace the ca.crt in the following command with your custom cert file

sudo cp ca.crt /usr/local/share/ca-certificates 

Update chain of trust

sudo update-ca-certificates 

Restart containerd for it to pick up changes

sudo systemctl restart containerd