Chapter 14. Setting up additional trusted certificate authorities for builds
Use the following sections to set up additional certificate authorities (CA) to be trusted by builds when pulling images from an image registry.
The procedure requires a cluster administrator to create a ConfigMap and add additional CAs as keys in the ConfigMap.
-
The
ConfigMapmust be created in theopenshift-confignamespace. domainis the key in theConfigMapandvalueis the PEM-encoded certificate.-
Each CA must be associated with a domain. The domain format is
hostname[..port].
-
Each CA must be associated with a domain. The domain format is
-
The
ConfigMapname must be set in theimage.config.openshift.io/clustercluster scoped configuration resource’sspec.additionalTrustedCAfield.
14.1. Adding certificate authorities to the cluster
You can add certificate authorities (CA) to the cluster for use when pushing and pulling images with the following procedure.
Prerequisites
-
You must have access to the public certificates of the registry, usually a
hostname/ca.crtfile located in the/etc/docker/certs.d/directory.
Procedure
Create a
ConfigMapin theopenshift-confignamespace containing the trusted certificates for the registries that use self-signed certificates. For each CA file, ensure the key in theConfigMapis the hostname of the registry in thehostname[..port]format:$ oc create configmap registry-cas -n openshift-config \ --from-file=myregistry.corp.com..5000=/etc/docker/certs.d/myregistry.corp.com:5000/ca.crt \ --from-file=otherregistry.com=/etc/docker/certs.d/otherregistry.com/ca.crt
Update the cluster image configuration:
$ oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-cas"}}}' --type=merge
