The CA certificate bundle is automatically mounted into pods using the default service account at the path /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
Test Commands
> curl -vs --user test:testpw https://registry:5000/v2/_catalog
* Trying 10.100.117.234...
* TCP_NODELAY set
* Connected to registry (10.100.117.234) port 5000 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* stopped the pause stream!
* Closing connection 0
> curl -vs --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt --user test:testpw https://registry:5000/v2/_catalog
* Trying 10.100.117.234...
* TCP_NODELAY set
* Connected to registry (10.100.117.234) port 5000 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=registry
* start date: Apr 11 14:17:00 2019 GMT
* expire date: Apr 10 14:17:00 2020 GMT
* common name: registry (matched)
* issuer: CN=kubernetes
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Server auth using Basic with user 'test'
* Using Stream ID: 1 (easy handle 0x55f9ad4398e0)
> GET /v2/_catalog HTTP/2
> Host: registry:5000
> Authorization: Basic dGVzdDp0ZXN0cHc=
> User-Agent: curl/7.58.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
< content-type: application/json; charset=utf-8
< docker-distribution-api-version: registry/2.0
< x-content-type-options: nosniff
< content-length: 34
< date: Thu, 11 Apr 2019 20:37:58 GMT
<
{"repositories":["nginx-jmehan"]}
* Connection #0 to host registry left intact
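The two curl runs above differ only in which CA bundle is trusted: the system bundle in /etc/ssl/certs does not contain the cluster CA (CN=kubernetes) that signed the registry certificate, so verification fails, while the service-account ca.crt does. The script below is an added example, not part of the original page, that wraps that check so it can be run inside a pod and reports separately whether the failure is a trust problem, a connectivity problem, or an authentication problem. It assumes curl is available in the pod, that the registry is reachable under the URL given in REGISTRY_URL (an assumed environment variable), and it reuses the test:testpw credentials from the page as defaults; the exit-code meanings are curl's documented ones (0 success, 6 DNS, 7 connect, 28 timeout, 35 handshake, 60 untrusted peer certificate).

```shell
#!/bin/sh
# Added example (not from the original page): check whether a registry's TLS
# certificate chains to the CA that Kubernetes mounts for the service account.
# REGISTRY_URL, REGISTRY_USER and REGISTRY_PASS are assumed environment variables.
SA_CA=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

# Map curl's exit status to a diagnosis. Exit 60 is the status behind the
# "unable to get local issuer certificate" failure shown on the page.
classify_curl_exit() {
    case "$1" in
        0)  echo "ok: certificate verified and request succeeded" ;;
        6)  echo "dns: could not resolve registry host" ;;
        7)  echo "connect: TCP connection refused" ;;
        28) echo "timeout: no response within time limit" ;;
        35) echo "handshake: TLS handshake failed (protocol/cipher mismatch)" ;;
        60) echo "trust: peer certificate not signed by the supplied CA" ;;
        *)  echo "other: curl exit code $1" ;;
    esac
}

# Interpret the registry's HTTP status (meaningful only when curl exited 0).
classify_http_status() {
    case "$1" in
        200) echo "authorized" ;;
        401) echo "unauthorized: credentials rejected or required" ;;
        403) echo "forbidden" ;;
        *)   echo "http $1" ;;
    esac
}

# Run the check against $url/v2/_catalog with the given CA file (default: the
# service-account CA). Prints the diagnosis and returns curl's exit status, or
# 2 if the CA file itself cannot be read (e.g. no service account mounted).
# Usage: check_registry_tls https://registry:5000 test testpw [ca-file]
check_registry_tls() {
    url="$1"; user="$2"; pass="$3"; ca="${4:-$SA_CA}"
    if [ ! -r "$ca" ]; then
        echo "trust: CA file $ca not readable (no service account token mounted?)"
        return 2
    fi
    # -w '%{http_code}' captures the status; the body is discarded.
    status=$(curl -s -o /dev/null -w '%{http_code}' \
        --connect-timeout 5 --max-time 15 \
        --cacert "$ca" --user "$user:$pass" "$url/v2/_catalog") && rc=0 || rc=$?
    echo "curl: $(classify_curl_exit "$rc")"
    if [ "$rc" -eq 0 ]; then
        echo "http: $(classify_http_status "$status")"
    fi
    return "$rc"
}

# Only touch the network when explicitly asked, e.g.
#   REGISTRY_URL=https://registry:5000 REGISTRY_USER=test REGISTRY_PASS=testpw sh check.sh
if [ -n "${REGISTRY_URL:-}" ]; then
    check_registry_tls "$REGISTRY_URL" "${REGISTRY_USER:-test}" "${REGISTRY_PASS:-testpw}"
fi
```

Running it once with the default CA and once with a fourth argument of /etc/ssl/certs/ca-certificates.crt reproduces the page's two results: "trust" with the system bundle, "ok" plus "authorized" with the service-account CA. Keeping the CA check separate from the HTTP status check matters because a 401 after a successful handshake means trust is already fine and only the credentials need attention.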
> echo | openssl s_client -connect registry:5000
...