随着containerd应用越来越广泛,我们必须紧跟官网的节奏。
之前配置https私有镜像仓库的方法比较繁琐,并且不易梳理,下边介绍一下目前最新的配置方法。
我假设你现在已经有私有仓库并且是https
再假设你的harbor域名是harbor.example.cn
你只需要在/etc/containerd/config.toml中配置一下证书的路径:
...
[plugins."io.containerd.grpc.v1.cri".registry]
config_path = "/etc/containerd/certs.d"
...
然后创建对应的目录及文件
mkdir -p /etc/containerd/certs.d/harbor.example.cn
cat > hosts.toml << EOF
server = "https://harbor.example.cn"
[host."https://harbor.example.cn"]
capabilities = ["pull", "resolve", "push"]
skip_verify = true
EOF
skip_verify = true 表示跳过TLS的验证,如果想要更安全一些就将它修改为false,上传证书并指定路径
[root@anilis-k8s-03 harbor.example.cn]# ls
ca.crt harbor.example.cn.crt harbor.example.cn.key
修改配置:
cat > hosts.toml << EOF
server = "https://harbor.example.cn"
[host."https://harbor.example.cn"]
capabilities = ["pull", "resolve", "push"]
skip_verify = false
ca = "ca.crt"
EOF
最后重启containerd
systemctl restart containerd.service
再次拉取镜像,都可以正常访问了!
如果你还有其他域名需要加,那就创建对应的目录就可以了!
containerd:
https://github.com/containerd/containerd/blob/main/docs/cri/config.md
https://github.com/containerd/containerd/blob/main/docs/hosts.md
harbor自签证书:
https://goharbor.io/docs/2.11.0/install-config/configure-https/