Trusting self-signed CA certificates for private docker registries
To enable Cloudera AI workloads to pull images from a private docker registry, the cluster container runtime must be configured to trust the registry certificate.
Manually pulling a Docker image from a private registry is particularly useful when the registry requires authentication and uses a self-signed certificate. To manually pull a Docker image from a private registry using the ctr command (a client for containerd), perform the following steps:

1. Obtain the certificate and the credentials.
   - Obtain a copy of the registry self-signed certificate and place it in a designated path on the Cloudera Embedded Container Service nodes. Ensure the certificate file is in .pem or .crt format.
   - Retrieve the username and password for a user with pull access to the private registry.
2. Manually pull the image on each node within the Cloudera Embedded Container Service cluster.
   - Run the ctr command with the necessary flags to provide the certificate, credentials, and image details. Ensure this command is executed on each node where the image needs to be pulled.

     /opt/cloudera/parcels/ECS/docker/ctr --namespace=k8s.io -a /run/k3s/containerd/containerd.sock image pull --tlscacert <path/to/cert.pem> -u <username>:<password> <registry_url>/<image_name>:<tag>
OpenShift handles trusted certificates for private registries through the cluster-wide image configuration settings:

- Create a ConfigMap in the openshift-config namespace to store the trusted certificates.
- Update the cluster image.config.openshift.io resource to reference this ConfigMap.
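The following script is an added example covering both procedures above (the ECS ctr pull and the OpenShift ConfigMap); it is not part of the Cloudera or OpenShift documentation. It checks that the certificate file is PEM before it is handed to ctr, repeats the documented pull on a list of ECS nodes over ssh, and derives the ConfigMap key OpenShift expects; the node names, the image, the ssh access and the ConfigMap name registry-cas are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Cloudera documentation. Checks the CA file is PEM,
# assembles the documented ctr pull for each ECS node, and derives the OpenShift
# ConfigMap key. Node names, the image and the ConfigMap name are placeholders.
set -eu

CTR=/opt/cloudera/parcels/ECS/docker/ctr       # binary named on the page
SOCK=/run/k3s/containerd/containerd.sock       # containerd socket named on the page

# True when the file has a .pem/.crt name and carries PEM certificate markers.
is_pem_cert() {
  [ -f "$1" ] || return 1
  case "$1" in *.pem|*.crt) ;; *) return 1 ;; esac
  grep -q 'BEGIN CERTIFICATE' "$1" && grep -q 'END CERTIFICATE' "$1"
}

# registry.example.com:5000/team/app:1.0 -> registry.example.com:5000
registry_host() { printf '%s\n' "${1%%/*}"; }

# OpenShift keys each CA in the openshift-config ConfigMap by registry host, with
# ':' written as '..' (registry.example.com:5000 -> registry.example.com..5000).
ocp_ca_key() { registry_host "$1" | sed 's/:/../'; }

# The ctr invocation from the page with cert path, user:password and image filled in.
ctr_pull_cmd() {
  printf '%s --namespace=k8s.io -a %s image pull --tlscacert %s -u %s %s\n' \
    "$CTR" "$SOCK" "$1" "$2" "$3"
}

# Run the pull on every ECS node over ssh; DRY_RUN=1 prints the targets only.
pull_on_nodes() {
  cert=$1; creds=$2; image=$3; shift 3
  is_pem_cert "$cert" || { echo "not a PEM certificate: $cert" >&2; return 1; }
  for node in "$@"; do
    echo "pulling $image on $node"          # credentials deliberately not echoed
    [ "${DRY_RUN:-0}" = 1 ] || ssh "$node" "$(ctr_pull_cmd "$cert" "$creds" "$image")"
  done
}

# OpenShift side: ConfigMap in openshift-config, then point the cluster image
# config at it (ConfigMap name registry-cas is an assumption).
ocp_trust_cmds() {
  printf 'oc create configmap registry-cas -n openshift-config --from-file=%s=%s\n' \
    "$(ocp_ca_key "$1")" "$2"
  printf '%s\n' "oc patch image.config.openshift.io/cluster --type=merge -p '{\"spec\":{\"additionalTrustedCA\":{\"name\":\"registry-cas\"}}}'"
}
```

Run with DRY_RUN=1 first to confirm the certificate check passes and the node list is right before the real pull is issued.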
