Author: Li Xiaohui

WeChat: Lxh_Chat

Email: xiaohui_li@foxmail.com

Environment used in this post:

OpenShift version            4.12
Node name                    master01
Quay version                 3.8.14
Quay (self-signed) address   registry.ocp4.example.com:8443

While deploying an application on OpenShift v4.12 today, I found that oc new-app could not deploy it. The logs showed the cause: my container image registry uses a self-signed certificate, so OpenShift does not trust it at all when pulling, the image cannot be pulled, and the application cannot be deployed. That is why I wrote this post. It addresses the problem of OpenShift 4 being unable to pull images from an external, third-party container image registry that uses a self-signed certificate. As noted above, the pull fails because Quay uses a self-signed certificate, so it is normal for OpenShift not to trust it. My certificate signing approach is:

  1. Generate a CA (root certificate authority)
  2. Generate a certificate signing request for the service
  3. Sign the service certificate with my own CA

The advantage of this approach is that once a system trusts my CA, every certificate issued by that CA is automatically trusted as well. If you want to know how to do this, see my post: How to generate and use self-signed certificates

Back to the topic: my CA is not trusted by OpenShift, so the service deployment cannot complete. Here is the approach and the steps:

  1. Make the operating system trust the self-signed CA certificate

My self-signed CA certificate is named: xiaohuiroot.crt

First copy the self-signed CA certificate to the OpenShift node. On my client host the certificate lives in /etc/pki/ca-trust/source/anchors/, because the client also needs to trust the self-signed CA certificate.

scp /etc/pki/ca-trust/source/anchors/xiaohuiroot.crt core@master01:/tmp/

Log in to the OpenShift node, set up trust for the CA certificate, then log out of the node and return to the client

ssh core@master01
sudo -i
mv /tmp/xiaohuiroot.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust
exit
  2. Log in to OpenShift

On the client, log in to OpenShift as the admin user

oc login -u admin -p redhatocp https://api.ocp4.example.com:6443
  3. Create a ConfigMap

This ConfigMap is what OpenShift will reference later for the CA content. From step 1, my CA certificate is located at: /etc/pki/ca-trust/source/anchors/xiaohuiroot.crt

If your image registry uses the default HTTPS port 443, use the following command

oc create configmap registry-config --from-file=registry.ocp4.example.com=/etc/pki/ca-trust/source/anchors/xiaohuiroot.crt -n openshift-config

If your image registry does not use the default HTTPS port 443, use the following command instead. In my case the registry port is 8443

Note: the port here must be written as ..8443, with two dots in place of the colon

oc create configmap registry-config --from-file=registry.ocp4.example.com..8443=/etc/pki/ca-trust/source/anchors/xiaohuiroot.crt -n openshift-config
  4. Confirm the ConfigMap looks as expected

oc describe configmaps -n openshift-config registry-config
Name:         registry-config
Namespace: openshift-config
Labels: <none>
Annotations: <none>

Data
====
registry.ocp4.example.com..8443:
----
-----BEGIN CERTIFICATE-----
MIIFrzCCA5egAwIBAgIUdvbmpaLMXoTKklC9iIJTn8uQf0swDQYJKoZIhvcNAQEN
BQAwZzELMAkGA1UEBhMCQ04xETAPBgNVBAgMCFNoYW5naGFpMREwDwYDVQQHDAhT
aGFuZ2hhaTEQMA4GA1UECgwHQ29tcGFueTELMAkGA1UECwwCU0gxEzARBgNVBAMM
CnhpYW9odWkuY24wHhcNMjQwMjI4MDgzNzIyWhcNMzQwMjI1MDgzNzIyWjBnMQsw
CQYDVQQGEwJDTjERMA8GA1UECAwIU2hhbmdoYWkxETAPBgNVBAcMCFNoYW5naGFp
MRAwDgYDVQQKDAdDb21wYW55MQswCQYDVQQLDAJTSDETMBEGA1UEAwwKeGlhb2h1
aS5jbjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALauxPD3q4JoehR6
/B5jxN2kVdpNC7XcKQZu4BoQnQHcCMQLRgEsMIwk2FzbMmgfMpZmIrBwAAl67auB
G9lKAvWW1vxJTghyRMY8B2yEgTNu35Spa/XEKqyW776jYWaEmiOMzyX0zqcNa0jN
O3Dy5R+JaUAOOEtkPXsfSphDDX98/N6XqGh+OnCa2ZoPiVnp0FxbVJk2u24Kc5Bk
D50OdjYFFndTrFrAIGsBl3lyR8GBB9Qw9d0SL8girG0aifLP2dpyeqlNvuesbAQe
xU6tOt+cPB3vVx8GRffDDG8wLaFkCaFeVCyU6ytHPvk2iltchPMmOGPQCdQX7sAa
5Lny9wSCWnl9QSC3uxbGaE5uE2u/oHAbpW7tNvF7gGk34gDKMydoPbatyxMocKJQ
2XHytt1K7yZx6EsREwpVTV5WG1l56RTxyAHeXzItt1znom0kiOOL4tJmaUpOETqM
IQH034GQK1LjboH71Q9WwdHJilRqnnU8LWgHKtuib0a+zjSQUwuE3y26XmslWS35
isO+7htn7n1bgTLwC7om6EsocAPfhOlbILH2QXjsoWC+g0YYFNAUN4KDjPsHdCT1
gUjod60WBU6zuiQvOEBBnpIaEDdKmbk2GZSF2yVkGUhnyezKxPmVZo7q8jHlT9F/
TVnaqhiS7FeQ20IqiVkons4v4rZnAgMBAAGjUzBRMB0GA1UdDgQWBBSVeiXlJH36
1GBbrsWC8J/Iel5wqzAfBgNVHSMEGDAWgBSVeiXlJH361GBbrsWC8J/Iel5wqzAP
BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQAq3mzc84ptBvdik9GT
+LS7At99Kaeox4jMJxvArwWddbwZPedqISMC0UcgHQ8kCZZW7BbJ95pC15SPP6E0
GULimBFFSFMnM4MQGzze4bPTBdcLCGTGWJ2vMrihZ1SV1nhb/S79MryL6VEWS39G
mi71CepNT/Oa2qIbUE6sXL760YhrIHq/3Qk3rfIQkqzRObGuchE/atRU66tDwKJs
TllUYOMgJExgajy3U/2BiL7wfsPTGun9K1JziNy7Q3iYru1Z/H2+eDH4mI+QxJDB
bL+iGygevlA85i/6gJMVXQNBY/Yxnfqj+kT14/UXzuW+BAroWO7CExW4tm3XFvi7
73JRFFaz6M3/80CVEc2yxM0M8KR8EO2NZ9nAhqXMT1JmM7QI4J7G30JqVuZ80S5Q
F9Q2QrEW55VpGaJ/5Ikxh5ZPLpuMYXSTONA5+Giam+opt3xS+jeAFcIuOAa5UhLW
0HbxIlntm7jdbfl2pdPTvpsLwXxS4bu7DVJkgtjsp4KCTON4mTvq79D+Ra7QLOlV
SWyLrKRODNwKu/tiIz4d/qQANha2jHD3D1ipjdfVJIuqsNwt9FxBiaCHXkSSuskf
aDzEzp+ZjJLUwaFflB+AuTlRUFSKbTg480F1Ftgb2lVTsZBerGnoAtyYV/XrgQFD
35YDAHb/q0tk5ghFo5paAGvwFg==
-----END CERTIFICATE-----


BinaryData
====

Events: <none>
  5. Trust the additional CA root certificate authority

oc edit image.config.openshift.io cluster

Only two lines were added under spec

# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: config.openshift.io/v1
kind: Image
...
spec:
  additionalTrustedCA:
    name: registry-config
  6. Verify the trust result

This takes a few minutes to take effect; in the meantime you can run the following command to watch for changes

oc get co

Test deploying an application from our self-signed image registry

oc new-app --name hello --image registry.ocp4.example.com:8443/redhattraining/hello-world-nginx:v1.0
--> Found container image 44eaa13 (4 years old) from registry.ocp4.example.com:8443 for "registry.ocp4.example.com:8443/redhattraining/hello-world-nginx:v1.0"

Red Hat Universal Base Image 8
------------------------------
The Universal Base Image is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly.

Tags: base rhel8

* An image stream tag will be created as "hello:v1.0" that will track this image

--> Creating resources ...
imagestream.image.openshift.io "hello" created
deployment.apps "hello" created
service "hello" created
--> Success
WARNING: No container image registry has been configured with the server. Automatic builds and deployments may not function.
Application is not exposed. You can expose services to the outside world by executing one or more of the commands below:
'oc expose service/hello'
Run 'oc status' to view your app.

The result shows that our application was built successfully. At this point OpenShift trusts our CA root certificate authority, and our container image registry's certificate is trusted as well.
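The cluster-side part of steps 3 to 6 above, collected into one script. This is an added example and not code from the original post; it assumes oc is installed and you are already logged in as a cluster administrator, and the script name trust-registry-ca.sh is hypothetical. The registry address, CA path and ConfigMap name are the post's own values and can be replaced by arguments. The key derivation reproduces the ..8443 rule the post points out (a ConfigMap key cannot contain a colon), and oc patch is used as the scriptable equivalent of the oc edit step.

```shell
#!/bin/sh
# Added example (not from the original post): cluster-side CA trust for an
# external registry. Assumes `oc` is installed and you are logged in as a
# cluster admin. Values below are the post's; pass your own as arguments.
set -eu

# Derive the ConfigMap key OpenShift expects for a registry address:
# "host:port" becomes "host..port" (a colon is not a valid key character),
# while a registry on the default port 443 keeps just its host name.
registry_cm_key() {
  case "$1" in
    *:*) printf '%s..%s\n' "${1%%:*}" "${1##*:}" ;;
    *)   printf '%s\n' "$1" ;;
  esac
}

# Sanity-check the CA file before handing it to the cluster: it must be a
# readable PEM certificate, otherwise the ConfigMap is created but image
# pulls keep failing with a certificate error.
check_pem_cert() {
  [ -r "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Run a command, or only print it when DRY_RUN=1 (review the exact oc calls
# before touching the cluster).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# trust_registry_ca <registry[:port]> <ca.crt> [configmap-name]
# 1. creates the ConfigMap in openshift-config with the host..port key
# 2. points spec.additionalTrustedCA of the cluster Image config at it
trust_registry_ca() {
  registry="$1"
  ca_file="$2"
  cm_name="${3:-registry-config}"

  if ! check_pem_cert "$ca_file"; then
    echo "error: $ca_file is not a readable PEM certificate" >&2
    return 1
  fi

  key="$(registry_cm_key "$registry")"
  run oc create configmap "$cm_name" \
    --from-file="$key=$ca_file" -n openshift-config
  run oc patch image.config.openshift.io/cluster --type=merge \
    -p "{\"spec\":{\"additionalTrustedCA\":{\"name\":\"$cm_name\"}}}"
  echo "Trust configured; watch 'oc get co' until the operators settle, then try:" >&2
  echo "  oc new-app --name hello --image $registry/redhattraining/hello-world-nginx:v1.0" >&2
}

# Usage: ./trust-registry-ca.sh registry.ocp4.example.com:8443 \
#          /etc/pki/ca-trust/source/anchors/xiaohuiroot.crt
if [ "$#" -ge 2 ]; then
  trust_registry_ca "$@"
fi
```

The script deliberately covers only the cluster-level configuration (the ConfigMap and the Image config), which the platform distributes to every node; the per-node scp and update-ca-trust step from step 1 is not repeated here. oc create configmap fails if the ConfigMap already exists, so delete the old one (or switch to oc apply) before re-running with a rotated CA.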