// Module included in the following assemblies:
//
// * builds/setting-up-trusted-ca
// * virt/virtual_machines/importing_vms/virt-importing-vmware-vm.adoc
[id="configmap-adding-ca_{context}"]
= Adding certificate authorities to the cluster
ifdef::openshift-enterprise,openshift-webscale,openshift-origin[]
Use the following procedure to add certificate authorities (CAs) that the cluster trusts when pushing and pulling images.
.Prerequisites
* You must have cluster administrator privileges.
* You must have access to the registry's public certificates, usually a `hostname/ca.crt` file located in the `/etc/docker/certs.d/` directory.
.Procedure
. Create a ConfigMap in the `openshift-config` namespace containing the trusted certificates for the registries that use self-signed certificates. For each CA file, ensure the key in the ConfigMap is the registry's hostname in the `hostname[..port]` format:
+
[source,terminal]
----
$ oc create configmap registry-cas -n openshift-config \
--from-file=myregistry.corp.com..5000=/etc/docker/certs.d/myregistry.corp.com:5000/ca.crt \
--from-file=otherregistry.com=/etc/docker/certs.d/otherregistry.com/ca.crt
----
. Update the cluster image configuration:
+
[source,terminal]
----
$ oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-cas"}}}' --type=merge
----
endif::[]
ifdef::openshift-dedicated[]
Use the following procedure to add certificate authorities (CAs) that the cluster trusts when pushing and pulling images.
.Prerequisites
* You must have cluster administrator privileges.
* You must have access to the registry's public certificates, usually a
`hostname/ca.crt` file located in the `/etc/docker/certs.d/` directory.
.Procedure
. Create a ConfigMap in the `openshift-config` namespace containing the trusted certificates for the registries that use self-signed certificates. For each CA file, ensure the key in the ConfigMap is the registry's hostname in the `hostname[..port]` format:
+
[source,terminal]
----
$ oc create configmap registry-cas -n openshift-config \
--from-file=myregistry.corp.com..5000=/etc/docker/certs.d/myregistry.corp.com:5000/ca.crt \
--from-file=otherregistry.com=/etc/docker/certs.d/otherregistry.com/ca.crt
----
. Update the cluster image configuration:
+
[source,terminal]
----
$ oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-cas"}}}' --type=merge
----
endif::[]
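
The following script is an added example, not part of the original module: it derives the `hostname[..port]` ConfigMap keys from a certificate directory and prints the matching `--from-file` arguments, rejecting names that cannot be mapped unambiguously. The function names and the `<certs_dir>/<host>[:<port>]/ca.crt` layout are assumptions based on the `/etc/docker/certs.d/` paths used in the procedure.

```sh
#!/bin/sh
# Added example (not from the original module). Assumed layout:
#   <certs_dir>/<host>[:<port>]/ca.crt   e.g. /etc/docker/certs.d/

# Map a registry "host[:port]" to the ConfigMap key form "host[..port]".
# ConfigMap keys allow only alphanumerics, '-', '_' and '.', so ':' is
# written as '..'. Names already containing '..' are rejected as ambiguous.
registry_cm_key() {
  case $1 in
    '' | *[!A-Za-z0-9._:-]* | *:*:* | :* | *: | *..*)
      echo "invalid registry name: '$1'" >&2; return 1 ;;
    *:*[!0-9]*)
      echo "non-numeric port in: '$1'" >&2; return 1 ;;
    *:*) printf '%s..%s\n' "${1%%:*}" "${1#*:}" ;;
    *)   printf '%s\n' "$1" ;;
  esac
}

# Print one --from-file=<key>=<path> argument per registry directory that
# contains a ca.crt. Runs in a subshell so its variables stay local.
ca_from_file_args() (
  for crt in "$1"/*/ca.crt; do
    [ -f "$crt" ] || continue            # unmatched glob or missing file
    dir=${crt%/ca.crt}
    key=$(registry_cm_key "${dir##*/}") || exit 1
    printf '%s%s=%s\n' '--from-file=' "$key" "$crt"
  done
)

# When run with a directory argument, list the arguments for review.
if [ "$#" -gt 0 ]; then
  ca_from_file_args "$1"
fi
```

Review the printed arguments before passing them to `oc create configmap registry-cas -n openshift-config`, because every CA listed becomes trusted for image pushes and pulls.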