Offline K3s deployment with registries.yaml configured, but pulling images from Harbor still fails with x509: certificate signed by unknown authority

Because the company network is an isolated intranet, we deployed offline. After K3s was deployed we needed to install cert-manager and Rancher, but during installation we found that images could not be pulled from Harbor; the error suggests a certificate problem. The exact error:

Apr 21 19:46:59 node1 k3s: E0421 19:46:59.263681    4200 remote_image.go:113] PullImage "192.168.60.117/quay.io/jetstack/cert-manager-controller:v0.12.0" from image service failed: rpc error: code = Unknown desc = failed to pull and unpack image "192.168.60.117/quay.io/jetstack/cert-manager-controller:v0.12.0": failed to resolve reference "192.168.60.117/quay.io/jetstack/cert-manager-controller:v0.12.0": failed to do request: Head "https://192.168.60.117/v2/quay.io/jetstack/cert-manager-controller/manifests/v0.12.0": x509: certificate signed by unknown authority


Apr 21 19:46:59 node1 k3s: E0421 19:46:59.263747    4200 kuberuntime_image.go:51] Pull image "192.168.60.117/quay.io/jetstack/cert-manager-controller:v0.12.0" failed: rpc error: code = Unknown desc = failed to pull and unpack image "192.168.60.117/quay.io/jetstack/cert-manager-controller:v0.12.0": failed to resolve reference "192.168.60.117/quay.io/jetstack/cert-manager-controller:v0.12.0": failed to do request: Head "https://192.168.60.117/v2/quay.io/jetstack/cert-manager-controller/manifests/v0.12.0": x509: certificate signed by unknown authority


Apr 21 19:46:59 node1 k3s: E0421 19:46:59.263950    4200 kuberuntime_manager.go:815] container &Container{Name:cert-manager,Image:192.168.60.117/quay.io/jetstack/cert-manager-controller:v0.12.0,Command:[],Args:[--v=2 --cluster-resource-namespace=$(POD_NAMESPACE) --leader-election-namespace=kube-system --webhook-namespace=$(POD_NAMESPACE) --webhook-ca-secret=cert-manager-webhook-ca --webhook-serving-secret=cert-manager-webhook-tls --webhook-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc],WorkingDir:,Ports:[]ContainerPort{ContainerPort{Name:,HostPort:0,ContainerPort:9402,Protocol:TCP,HostIP:,},},Env:[]EnvVar{EnvVar{Name:POD_NAMESPACE,Value:,ValueFrom:&EnvVarSource{FieldRef:&ObjectFieldSelector{APIVersion:v1,FieldPath:metadata.namespace,},ResourceFieldRef:nil,ConfigMapKeyRef:nil,SecretKeyRef:nil,},},},Resources:ResourceRequirements{Limits:ResourceList{},Requests:ResourceList{},},VolumeMounts:[]VolumeMount{VolumeMount{Name:cert-manager-token-hn4cl,ReadOnly:true,MountPath:/var/run/secrets/kubernetes.io/serviceaccount,SubPath:,MountPropagation:nil,SubPathExpr:,},},LivenessProbe:nil,ReadinessProbe:nil,Lifecycle:nil,TerminationMessagePath:/dev/termination-log,ImagePullPolicy:IfNotPresent,SecurityContext:nil,Stdin:false,StdinOnce:false,TTY:false,EnvFrom:[]EnvFromSource{},TerminationMessagePolicy:File,VolumeDevices:[]VolumeDevice{},StartupProbe:nil,} start failed in pod cert-manager-7dd557457c-h62lp_cert-manager(5f8b973f-451b-4711-8f8d-126b97a51cba): ErrImagePull: rpc error: code = Unknown desc = failed to pull and unpack image "192.168.60.117/quay.io/jetstack/cert-manager-controller:v0.12.0": failed to resolve reference "192.168.60.117/quay.io/jetstack/cert-manager-controller:v0.12.0": failed to do request: Head "https://192.168.60.117/v2/quay.io/jetstack/cert-manager-controller/manifests/v0.12.0": x509: certificate signed by unknown authority


Apr 21 19:46:59 node1 k3s: E0421 19:46:59.264022    4200 pod_workers.go:191] Error syncing pod 5f8b973f-451b-4711-8f8d-126b97a51cba ("cert-manager-7dd557457c-h62lp_cert-manager(5f8b973f-451b-4711-8f8d-126b97a51cba)"), skipping: failed to "StartContainer" for "cert-manager" with ErrImagePull: "rpc error: code = Unknown desc = failed to pull and unpack image \"192.168.60.117/quay.io/jetstack/cert-manager-controller:v0.12.0\": failed to resolve reference \"192.168.60.117/quay.io/jetstack/cert-manager-controller:v0.12.0\": failed to do request: Head \"https://192.168.60.117/v2/quay.io/jetstack/cert-manager-controller/manifests/v0.12.0\": x509: certificate signed by unknown authority"

But I have already configured the relevant certificate in registries.yaml. My registries.yaml is as follows:

mirrors:
  customreg:
    endpoint:
      - "https://192.168.60.117"
configs:
  customreg:
    auth:
      username: admin # default username
      password: Harbor12345 # default registry password
    tls:
      cert_file: /apps/rancher/cert/192.168.60.117.cert
      key_file: /apps/rancher/cert/192.168.60.117.key
      ca_file: /apps/rancher/cert/ca.crt

Harbor uses ports 80 and 443. On another intranet machine, I put the ca.crt above under /etc/docker/certs.d/192.168.60.117/ and docker pull of these images works fine. I don't know whether I have missed some other configuration or got something wrong somewhere; this problem has been bothering me for over a day, so I can only come and ask the experts here. Impotent rage from a newbie...


netsion - BUG Hunter

Does anyone know of a community chat group or something like that? I added the official assistant but haven't had a reply yet.

First, in an intranet environment, https access is not recommended unless it is required.

Because you are using a self-signed SSL certificate, docker cannot access Harbor without the CA to verify it.

In the docker config /etc/docker/daemon.json, add "insecure-registries": ["0.0.0.0/0"],
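Added example for the question above (not the poster's config and not taken from the K3s project): a registries.yaml whose keys are the registry host exactly as it appears in the pulled image reference (192.168.60.117/quay.io/...), since containerd looks up the configs entry by that host and never by a free-form name such as customreg. Paths, username and password are the ones from the question; the skip-verify line is shown commented out as the weak equivalent of docker's insecure-registries.

```yaml
# Added example, not from the original post or the K3s project.
# File: /etc/rancher/k3s/registries.yaml
mirrors:
  "192.168.60.117":            # host as written in the image reference
    endpoint:
      - "https://192.168.60.117"
configs:
  "192.168.60.117":            # must match the host above, not "customreg"
    auth:
      username: admin          # values from the question
      password: Harbor12345
    tls:
      # Trust the self-signed Harbor CA; certificate verification stays enabled.
      ca_file: /apps/rancher/cert/ca.crt
      # cert_file / key_file are only needed if Harbor demands client certificates.
      # Weak alternative (what "insecure-registries" does for docker): disables
      # verification, so a host spoofing 192.168.60.117 could serve tampered images.
      # insecure_skip_verify: true
```

K3s only reads this file at startup, so restart the service (k3s or k3s-agent) on every node after editing it. The rendered result can be checked in /var/lib/rancher/k3s/agent/etc/containerd/config.toml, which should contain a registry.configs."192.168.60.117".tls section pointing at ca.crt.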
