This topic describes how to configure VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) Kubernetes clusters that run the Containerd runtime with insecure container registries.

Overview

You can store images in an insecure container registry. You can:

  • Enable your TKGI Kubernetes clusters, which run the Containerd runtime, to authenticate to an insecure Containerd registry.

  • Configure both new and existing TKGI clusters that run the Containerd runtime to authenticate to an insecure registry.

Note: You can connect multiple hosts to an insecure registry.

To create a new cluster that is configured to access an insecure Containerd registry, complete the following procedures:

  1. Set up Your API Access Token
  2. Create a Containerd Runtime Cluster with Access to Insecure Registries
  3. Verify the Configuration

To update an existing cluster configured to access insecure Containerd registries, complete the following procedures:

  1. Set up Your API Access Token
  2. Update a Containerd Runtime Cluster with Access to Insecure Registries
  3. Verify the Configuration

Prerequisites

Before configuring TKGI Kubernetes clusters to have access to an insecure Containerd registry, you must have the following:

  • The FQDN of your TKGI API endpoint. For example, api.tkgi.example.com.
  • Your Tanzu Kubernetes Grid Integrated Edition User ID and Password.
  • The names of the insecure registry servers and the hosts that you want to connect to them.

Warning: The FQDN for the registry cannot contain a hyphen, dash, or semi-colon. If such a character is included in the registry name, the TKGI API rejects it as not a valid character.

Set up Your API Access Token

The curl commands in this topic use an access token environment variable to authenticate to the TKGI API endpoints.

  1. To export your access token into an environment variable, run the following command:

    tkgi login -a TKGI-API -u USER-ID -p 'PASSWORD' -k; \
    export YOUR-ACCESS-TOKEN=$(bosh int ~/.pks/creds.yml --path /access_token)
    

    Where:

    • TKGI-API is the FQDN of your TKGI API endpoint. For example, api.tkgi.example.com.
    • USER-ID is your Tanzu Kubernetes Grid Integrated Edition user ID.
    • PASSWORD is your Tanzu Kubernetes Grid Integrated Edition password.
    • YOUR-ACCESS-TOKEN is the name of your access token environment variable.

    For example:

    $ tkgi login -a tkgi.my.lab -u alana -p 'psswrdabc123...!' -k; \
    export access_token=$(bosh int ~/.pks/creds.yml --path /access_token)
    

    Note: If your operator has configured Tanzu Kubernetes Grid Integrated Edition to use a SAML identity provider, you must include an additional SSO flag to use the above command. For information about the SSO flags, see the section for the above command in TKGI CLI. For information about configuring SAML, see Connecting Tanzu Kubernetes Grid Integrated Edition to a SAML Identity Provider.

Create a Containerd Runtime Cluster with Access to Insecure Registries

You can create a new cluster configured to use an insecure registry by using the TKGI API create-cluster endpoint.

  1. Create a cluster.json file as shown in the following example:

    {
      "name": "cluster-1",
      "plan_name": "small",
      "parameters": {
        "kubernetes_master_host": "cluster-1.pks.local",
        "kubernetes_master_port": 8443,
        "kubernetes_worker_instances": 1,
        "k8s_customization_parameters": {
          "insecure_registries": ["REGISTRY_SERVER_1", "REGISTRY_SERVER_1_HOST_1,REGISTRY_SERVER_1_HOST_2", "REGISTRY_SERVER_2", "REGISTRY_SERVER_2_HOST_1,REGISTRY_SERVER_2_HOST_2"]
        }
      }
    }

    For example, the "insecure_registries" value can be:

    "insecure_registries": ["registry.tkgi.local", "http://registry-1.tkgi.local:80,http://registry-2.tkgi.local:80"]

    Note: In the "insecure_registries" array, specify one insecure registry server name followed by one entry that lists one or more registry host names, separated by commas.

  2. On the command line, run the following command to log in:

    tkgi login -a TKGI-API -u USERNAME -k
    

    Where:

    • TKGI-API is the domain name for the TKGI API that you entered in Ops Manager > Tanzu Kubernetes Grid Integrated Edition > TKGI API > API Hostname (FQDN). For example, api.tkgi.example.com.
    • USERNAME is your user name.

      See Logging in to Tanzu Kubernetes Grid Integrated Edition for more information about the tkgi login command.

      Note: If your operator has configured Tanzu Kubernetes Grid Integrated Edition to use a SAML identity provider, you must include an additional SSO flag to use the above command. For information about the SSO flags, see the section for the above command in TKGI CLI. For information about configuring SAML, see Connecting Tanzu Kubernetes Grid Integrated Edition to a SAML Identity Provider.

  3. Run the following command on the API interface:

    curl -k -H "Authorization: Bearer $access_token" -H "Content-Type: application/json" -d @./cluster.json -X POST https://api.pks.local:9021/v1/clusters
    
    

Update a Containerd Runtime Cluster with Access to Insecure Registries

You can update an existing Containerd cluster with access to insecure registries by using the TKGI API update-cluster endpoint.

  1. Create a cluster.json file as shown in the following example:

    {
      "insecure_registries": ["REGISTRY_SERVER_1", "REGISTRY_SERVER_1_HOST_1,REGISTRY_SERVER_1_HOST_2", "REGISTRY_SERVER_2", "REGISTRY_SERVER_2_HOST_1,REGISTRY_SERVER_2_HOST_2"]
    }

    For example:

    {
      "insecure_registries": ["registry.tkgi.local", "http://registry-1.tkgi.local:80,http://registry-2.tkgi.local:80"]
    }

    Note: In the "insecure_registries" array, specify one insecure registry server name followed by one entry that lists one or more registry host names, separated by commas.

  2. On the command line, run the following command to log in:

    tkgi login -a TKGI-API -u USERNAME -k
    

    Where:

    • TKGI-API is the domain name for the TKGI API that you entered in Ops Manager > Tanzu Kubernetes Grid Integrated Edition > TKGI API > API Hostname (FQDN). For example, api.tkgi.example.com.
    • USERNAME is your user name.

      See Logging in to Tanzu Kubernetes Grid Integrated Edition for more information about the tkgi login command.

      Note: If your operator has configured Tanzu Kubernetes Grid Integrated Edition to use a SAML identity provider, you must include an additional SSO flag to use the above command. For information about the SSO flags, see the section for the above command in TKGI CLI. For information about configuring SAML, see Connecting Tanzu Kubernetes Grid Integrated Edition to a SAML Identity Provider.

  3. Run the following command on the API interface:

    curl -k -H "Authorization: Bearer $access_token" -H "Content-Type: application/json" -d @./cluster.json -X PATCH https://api.pks.local:9021/v1/clusters/CLUSTER-NAME


    Where CLUSTER-NAME is the name of the Containerd cluster that you want to update.

Verify the Configuration

  1. To verify that the configuration is successful, run the following command:

    cat /etc/containerd/certs.d/REGISTRY/hosts.toml
    server = "REGISTRY"


    Where REGISTRY is the FQDN of the insecure registry, for example, registry.tkgi.local.

    In the output, verify that the names of the hosts that are configured on the registry are displayed.

    The following is an example:

    cat /etc/containerd/certs.d/registry.tkgi.local/hosts.toml
    server = "https://registry.tkgi.local"
    
    [host."http://registry-1.tkgi.local:80"]
      capabilities = ["pull", "resolve"]
      skip_verify = true
    
    [host."http://registry-2.tkgi.local:80"]
      capabilities = ["pull", "resolve"]
      skip_verify = true
    
    