End-to-End Kubernetes with Rancher, RKE2, K3s, Fleet, Longhorn, and NeuVector

The full journey from nothing to production

Deploying and Managing Workloads Using Rancher Manager - Part II

Registry Secrets, Self-Signed Certificates, and Insecure Registries

As a reminder, this is what we did in the previous section:

  • We created a private registry on the workspace machine.
  • The registry is protected by a username and password.
  • We pushed the todo-app image to the private registry using harbor.$WORKSPACE_PUBLIC_IP.sslip.io/todo-app/todo-app:latest, where $WORKSPACE_PUBLIC_IP is the IP address of the workspace machine.

To pull the todo-app image, we need to create a secret in the Kubernetes cluster. This secret will contain the username and password of the private registry. These are the steps to create the secret:

  • Navigate to the Rancher UI and select Cluster Management.
  • Click on the Explore button next to the rke2-cluster cluster.
  • Click on Storage and then Secrets.
  • Click on the Create button to create a new secret.
  • Choose Registry as the type of secret.
  • Select todo-app-namespace as the namespace.
  • Choose a name for the secret, for example, todo-app-registry.
  • Choose Custom since our registry is not one of the predefined ones (DockerHub, Quay, Artifactory, etc.).
  • Fill the Registry Domain Name with harbor.$WORKSPACE_PUBLIC_IP.sslip.io and make sure to replace $WORKSPACE_PUBLIC_IP with the actual IP address of the workspace machine.

    Example: harbor.157.230.120.237.sslip.io

  • Since the registry is protected by a username and password, we need to provide the credentials. Fill in the Username and Password fields with the username and password of the private registry (admin and p@ssword in our case).
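What the UI steps above produce is an ordinary Secret of type kubernetes.io/dockerconfigjson. The following is an added example, not part of the course material: it builds that manifest by hand so the stored format is visible, and includes a small reverse helper for reviewing which registry a given secret grants access to. The host, user, password, namespace and secret name are the page's values; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the course: the manifest behind Rancher's "Registry"
# secret type, built by hand. Function names are this example's own.

# JSON for one registry entry in the docker config format. The "auth" field is
# base64(user:pass): an encoding, not encryption, so anyone who can read the
# Secret object (RBAC "get secrets" in the namespace) can read the password.
docker_config_json() {
  local registry="$1" user="$2" pass="$3" auth
  auth=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$registry" "$user" "$pass" "$auth"
}

# Full Secret manifest of type kubernetes.io/dockerconfigjson, ready for
# `kubectl apply -f -`. The data value is the JSON above, base64-encoded once more.
registry_secret_manifest() {
  local name="$1" namespace="$2" registry="$3" user="$4" pass="$5" encoded
  encoded=$(docker_config_json "$registry" "$user" "$pass" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $namespace
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $encoded
EOF
}

# Reverse direction, useful when reviewing a namespace: read a manifest (or
# `kubectl get secret <name> -o yaml` output) on stdin and print the registry
# host whose credentials it carries.
registry_in_secret() {
  sed -n 's/^ *\.dockerconfigjson: *//p' | base64 -d \
    | sed -n 's/.*"auths":{"\([^"]*\)".*/\1/p'
}

# Constructed usage with the page's values; pipe into `kubectl apply -f -`.
registry_secret_manifest todo-app-registry todo-app-namespace \
  "harbor.${WORKSPACE_PUBLIC_IP:-157.230.120.237}.sslip.io" admin 'p@ssword'
```

The equivalent one-liner is `kubectl create secret docker-registry todo-app-registry --docker-server=harbor.$WORKSPACE_PUBLIC_IP.sslip.io --docker-username=admin --docker-password='p@ssword' -n todo-app-namespace`, which also takes care of JSON-escaping the password (the hand-built version above does not). Either way, the workload references the secret through imagePullSecrets in its pod spec, and because the credential is only base64-encoded, access to secrets in todo-app-namespace should be limited to the service accounts and users that actually need it.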

Since our registry uses a self-signed certificate, the cluster nodes do not trust it yet, so we need to add the CA certificate to the trust store of the nodes that will pull images from it.

  • If you plan to run workloads on all nodes (control plane and worker nodes), you should add the CA certificate to all nodes.
  • If you plan to run workloads only on the worker nodes, you can add the CA certificate to these nodes only.

By default, our control plane accepts workloads since we don't have any taints on it (rke2-controlplane-01). Therefore, at this stage, we will add the CA certificate to all nodes.

To do this, we will run the following commands from the RKE2 master node (control plane node):

# SSH into the control plane node
ssh root@$WORKLOAD_CONTROLPLANE_01_PUBLIC_IP

# Define the Harbor host
# Note: WORKSPACE_PUBLIC_IP is not inherited over SSH; set it on this node first
# (export WORKSPACE_PUBLIC_IP=<IP of the workspace machine>)
HARBOR_HOST="harbor.${WORKSPACE_PUBLIC_IP}.sslip.io"

# Define the certificate path (a per-registry directory under the system CA location)
CERT_PATH="/usr/local/share/ca-certificates/$HARBOR_HOST"

Create a function to add the certificate and restart the service on all nodes:

# Function to add certificate and restart service
add_certificate() {
  local node=
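As an added example that is not the course's own add_certificate function, here is a complete version of the same procedure: generate the script a node must run to trust the CA, validate the file before it leaves the control plane, and push it over SSH to each node. It reuses the page's HARBOR_HOST and CERT_PATH names. Assumptions not taken from the page: the Harbor CA has already been saved locally as ./harbor-ca.crt, the nodes use the Debian/Ubuntu trust store tooling (update-ca-certificates), root SSH works as on the page, and the RKE2 service is rke2-server on control plane nodes and rke2-agent on workers, passed here as a role argument.

```shell
#!/bin/sh
# Added example, not the course's add_certificate function. Assumptions (not from
# the page): ./harbor-ca.crt holds the registry CA, nodes run update-ca-certificates,
# and the RKE2 unit is rke2-server (control plane) or rke2-agent (worker).

HARBOR_HOST="${HARBOR_HOST:-harbor.${WORKSPACE_PUBLIC_IP:-157.230.120.237}.sslip.io}"
CERT_PATH="${CERT_PATH:-/usr/local/share/ca-certificates/$HARBOR_HOST}"

# Print the script a node must run to trust the CA. The PEM is embedded in a
# quoted heredoc, so nothing is expanded on the remote side.
trust_script() {
  local cert_file="$1" service="$2"
  # Only a PEM certificate may go into a node's trust store: refuse empty files
  # and anything that carries a private key.
  grep -q 'BEGIN CERTIFICATE' "$cert_file" \
    || { echo "$cert_file: not a PEM certificate" >&2; return 1; }
  if grep -q 'PRIVATE KEY' "$cert_file"; then
    echo "$cert_file: contains a private key, refusing" >&2
    return 1
  fi
  printf 'set -eu\n'
  printf 'mkdir -p "%s"\n' "$CERT_PATH"
  printf "cat > '%s/ca.crt' <<'PEM'\n" "$CERT_PATH"
  cat "$cert_file"
  printf 'PEM\n'
  # Rebuild /etc/ssl/certs from the per-registry directory created above.
  printf 'update-ca-certificates\n'
  # containerd loads the trust store at start, so the RKE2 unit must restart.
  printf 'systemctl restart %s\n' "$service"
}

# Push the script to one node over SSH. role is "server" or "agent".
add_certificate() {
  local node="$1" role="${2:-agent}" cert_file="${3:-./harbor-ca.crt}"
  trust_script "$cert_file" "rke2-$role" | ssh "root@$node" sh -s
}

# Constructed usage: RKE2_NODES="10.0.0.11=server 10.0.0.21=agent" (addresses
# are placeholders). Left unset here, so the block only defines the functions.
for pair in ${RKE2_NODES:-}; do
  add_certificate "${pair%%=*}" "${pair##*=}"
done
```

Restarting rke2-server or rke2-agent is what makes containerd pick up the new trust store; pulls will keep failing with a certificate error until that happens. A narrower alternative that RKE2 supports is to point containerd at the CA for this one registry through /etc/rancher/rke2/registries.yaml (configs.<host>.tls.ca_file), which avoids changing the node-wide trust store; the CA still has to be copied to every node that pulls from the registry.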
