You have a private Docker registry secured with a self-signed certificate and
you want to run deis pull https://docker-registry.example.com/myapp. Deis
won't be able to pull this image because it doesn't trust your self-signed
cert.
To get the CoreOS nodes in a Deis cluster to trust a self-signed cert, you
have to customize the deis/contrib/coreos/user-data file before provisioning
the cluster. You need to add the following (a systemd unit and a certificate
file), shown here in patch format:
--- a/contrib/coreos/user-data.example
+++ b/contrib/coreos/user-data.example
@@ -95,6 +95,17 @@ coreos:
ExecStart=/bin/bash -c "lsmod | grep overlay || modprobe overlay"
- name: fleet.service
command: start
+ - name: updatecertificates.service
+ command: start
+ content: |
+ [Unit]
+ Description=Update the certificates w/ self-signed root CAs
+ Before=etcd.service
+
+ [Service]
+ ExecStart=/usr/sbin/update-ca-certificates
+ RemainAfterExit=yes
+ Type=oneshot
write_files:
- path: /etc/deis-release
content: |
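Review bot: Before=etcd.service in the [Unit] section orders the CA refresh against etcd, but the process that actually has to trust the registry is the Docker daemon doing the pull, so add Before=docker.service as well (Before= only orders, it does not pull the unit in; that is fine here because command: start starts it). Type=oneshot with RemainAfterExit=yes is the right shape for a run-once update; a one-line comment in the unit saying why it must run before Docker would save the next reader a guess.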
@@ -193,3 +204,41 @@ write_files:
[Service]
ExecStart=
ExecStart=/opt/bin/fleetd-0.9.2
+ - path: /etc/ssl/certs/counsyl-root-ca.pem
+ owner: root
+ permissions: '0644'
+ content: |
+ -----BEGIN CERTIFICATE-----
+ YOUR CERT HERE
+ -----END CERTIFICATE-----
That first addition is under coreos.units, and the latter is just in write_files.
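Review bot: under content: | every line of the pasted PEM, the BEGIN and END markers included, has to sit at the same indentation as the YOUR CERT HERE placeholder; a body pasted with its original column-0 lines ends the literal block early and writes a truncated file that is not a valid certificate. It is also worth stating (in the path or a comment) that the file must be the root CA that issued the registry's certificate, not the registry's leaf certificate, since the file name counsyl-root-ca.pem is the only hint.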
Turns out this won't work because the cert has to be passed into the
controller container. This only allows the host CoreOS machines to talk to the registry.
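As an added example (not from the original post or from Deis), here is a small Python helper that renders the write_files entry shown above from a PEM string and checks the paste first: exactly one BEGIN/END block, a valid base64 body that decodes to a DER SEQUENCE, and uniform indentation under content: |, which is where a hand-edited user-data usually goes wrong. The path and the tiny certificate body are constructed placeholders, not a real CA.

```python
import base64
import re
import textwrap

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed stand-in for the root CA body: the shortest DER SEQUENCE that
# passes the structural checks below. A real root CA is many base64 lines.
SAMPLE_PEM = f"{PEM_BEGIN}\nMAMCAQA=\n{PEM_END}\n"
SAMPLE_PATH = "/etc/ssl/certs/example-root-ca.pem"  # placeholder path


def check_pem(pem: str) -> bytes:
    """Return the DER bytes of one PEM certificate or raise ValueError.
    Catches the usual paste errors: missing markers, a truncated or
    non-base64 body, and a body that is not a DER SEQUENCE at all."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError("expected exactly one BEGIN/END CERTIFICATE block")
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("certificate body is not base64")
    der = base64.b64decode(body, validate=True)  # raises on bad length/padding
    if der[:1] != b"\x30":
        raise ValueError("decoded body is not a DER SEQUENCE")
    return der


def write_files_entry(path: str, pem: str, indent: int = 2) -> str:
    """Render the cloud-config write_files item for the CA file. Every PEM
    line, markers included, goes at the same column under 'content: |' so
    the YAML literal block reproduces the file exactly."""
    check_pem(pem)
    pad = " " * indent
    out = [
        f"{pad}- path: {path}",
        f"{pad}  owner: root",
        f"{pad}  permissions: '0644'",
        f"{pad}  content: |",
    ]
    out += [f"{pad}    {line.strip()}" for line in pem.strip().splitlines()]
    return "\n".join(out) + "\n"


def content_of(entry: str) -> str:
    """Recover the file body the way a YAML literal block would: take the
    lines after 'content: |' and strip their common indentation."""
    lines = entry.splitlines()
    start = next(i for i, l in enumerate(lines) if l.strip() == "content: |") + 1
    return textwrap.dedent("\n".join(lines[start:])) + "\n"
```

Paste the output under write_files in user-data (at the indentation of the existing path entries) and confirm after boot that the node's bundle contains the CA, e.g. by checking update-ca-certificates ran without errors.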