I generated a CA certificate, then issued a certificate based on it for a private registry that is located in the same GKE cluster. I put the server certificates in the private registry and the CA certificate on all GKE nodes and ran:
update-ca-certificates && systemctl restart docker
Images are built and put into the private registry without problems. When a pod tries to pull an image from the repository I get an error:
x509: certificate signed by unknown authority
I also tried putting the CA certificate in the docker certs.d directory (10.3.240.100:3000 is the IP address of the private registry) and restarting docker on each node of the GKE cluster, but that doesn't help either:
/etc/docker/certs.d/10.3.240.100:3000/ca.cert
How can I solve this problem? Do I understand correctly that the GKE nodes' docker is responsible for pulling images when creating a pod?
Best Answer
Install the Root CA certificates on the server. That's it – now the error should be gone. If you don't know the root CA, open the URL that gives you the error in a browser (e.g. Chrome). Click the lock next to the URL and select Certificate (Valid).
Reference links:
https://docs.docker.com/registry/insecure/
https://writeabout.net/2020/03/25/x509-certificate-signed-by-unknown-authority/