How to configure Konvoy cluster nodes to trust custom certificates?
Overview/Background
If you are using a private container registry whose certificates were issued by a custom CA to pull images in your Konvoy cluster, you may need to add the custom certificates to the nodes' chain of trust. If the certificates are not added to the chain of trust, image pulls will fail with the error message "x509: certificate signed by unknown authority". This article walks you through the steps of adding custom certificates to the chain of trust.
Add custom certs
Konvoy uses containerd as its container runtime, which in turn relies on the OS's chain of trust, so the instructions are distro specific. Regardless of the distro, after updating the chain of trust containerd needs to be restarted to pick up the changes; this is a known issue with containerd.
RHEL 7 / CentOS 7
Copy the certificate to the CA trust path. Replace ca.crt in the following command with your custom certificate file.
sudo cp ca.crt /etc/pki/ca-trust/source/anchors/
Update chain of trust
sudo update-ca-trust
Restart containerd for it to pick up changes
sudo systemctl restart containerd
Ubuntu/Debian
Copy the certificate to the CA trust path. Replace ca.crt in the following command with your custom certificate file.
sudo cp ca.crt /usr/local/share/ca-certificates
Update chain of trust
sudo update-ca-certificates
Restart containerd for it to pick up changes
sudo systemctl restart containerd
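The two procedures above differ only in the anchor directory and the update command. The following script is an added example, not part of the original article or of Konvoy itself: it reads the distro ID from /etc/os-release, applies the matching steps from the article, and then checks from the node that the registry's TLS chain validates. The os-release parsing, the .crt suffix check (update-ca-certificates only picks up files ending in .crt) and the curl-based verification are additions; the paths and commands are the ones given above.

```shell
#!/usr/bin/env sh
# Added example (not from the original article): install a custom CA on a
# Konvoy node the distro-appropriate way, restart containerd, and verify
# that the private registry is now trusted.

# Print the CA anchor directory for an os-release ID (rhel, centos, ubuntu, debian).
ca_anchor_dir() {
  case "$1" in
    rhel|centos)   echo /etc/pki/ca-trust/source/anchors ;;
    ubuntu|debian) echo /usr/local/share/ca-certificates ;;
    *)             return 1 ;;
  esac
}

# Print the command that rebuilds the system trust store for that ID.
ca_update_cmd() {
  case "$1" in
    rhel|centos)   echo update-ca-trust ;;
    ubuntu|debian) echo update-ca-certificates ;;
    *)             return 1 ;;
  esac
}

# Read the ID field from /etc/os-release ($1 overrides the path, e.g. for testing).
os_id() {
  sed -n 's/^ID=//p' "${1:-/etc/os-release}" | tr -d '"'
}

# Copy the cert, refresh the trust store and restart containerd.
# $1: path to the custom CA certificate (PEM, must end in .crt).
install_custom_ca() {
  cert="$1"
  case "$cert" in
    *.crt) ;;
    *) echo "certificate file must end in .crt (update-ca-certificates ignores other names)" >&2; return 1 ;;
  esac
  id="$(os_id)"
  dir="$(ca_anchor_dir "$id")" || { echo "unsupported distro: $id" >&2; return 1; }
  sudo cp "$cert" "$dir/"
  sudo "$(ca_update_cmd "$id")"
  # containerd only reads the trust store at start-up, hence the restart.
  sudo systemctl restart containerd
}

# Confirm the node trusts the registry: curl exit code 60 means the chain
# still does not validate against the system store. $1 is host[:port].
verify_registry_trust() {
  curl -sS -o /dev/null "https://$1/v2/"
  rc=$?
  if [ "$rc" -eq 60 ]; then
    echo "registry $1: certificate still not trusted" >&2
    return 1
  fi
  echo "registry $1: TLS chain validates (curl exit $rc)"
}

# Usage: ./install-ca.sh ca.crt registry.example.internal:5000
if [ "$#" -eq 2 ]; then
  install_custom_ca "$1" && verify_registry_trust "$2"
fi
```

Run it once per node with the certificate file and the registry address. A 401 from /v2/ is expected on an authenticated registry and still counts as success here, because only the TLS handshake is being checked; an exit code of 60 means the CA was not picked up (wrong directory, missing .crt suffix, or the update command was not run).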