#生成证书
#/etc/pki/tls/openssl.cnf [ v3_ca ]下添加serviceIP
subjectAltName = 169.169.0.11
#创建证书169.169.0.11为service集群ip
openssl req -newkey rsa:2048 -nodes -keyout domain.key -subj "/CN=169.169.0.11:5000" -x509 -days 365 -out domain.crt
#证书添加到Kubernetes
kubectl --namespace=kube-system create secret generic registry-tls-secret --from-file=domain.crt=domain.crt --from-file=domain.key=domain.key
#所有node都执行,将自建证书添加到信任,操作后重启docker生效
cat domain.crt >> /etc/pki/tls/certs/ca-bundle.crt
service docker restart
#修改./kubernetes/cluster/addons/registry/tls/registry-tls-rc.yaml
#创建pv与pvc用于仓库存储
#创建后修改volumeMounts与volumes
#修改后如下,我这里只修改了volumeMounts.name 与 volumes.name 一致和 volumes.persistentVolumeClaim.claimName 是创建的pvc的名字
#secretName的名字要与上面证书添加的名字一致registry-tls-secret
volumeMounts:
- name: registry-disk-1
mountPath: /var/lib/registry
- name: cert-dir
mountPath: /certs
volumes:
- name: registry-disk-1
persistentVolumeClaim:
claimName: glusterfs-registry-disk-1
- name: cert-dir
secret:
secretName: registry-tls-secret
#修改./kubernetes/cluster/addons/registry/tls/registry-tls-svc.yaml
#指定clusterIP
spec:
selector:
k8s-app: kube-registry
clusterIP: 169.169.0.11
#都修改完后开始搭建
kubectl create ./kubernetes/cluster/addons/registry/tls/
#测试,只能在node上操作因为只有node节点才能访问,控制节点无法访问
#下载镜像
docker pull centos
#修改标签
docker tag centos169.169.0.11:5000/centos
#上传镜像到本地仓库
docker push 169.169.0.11:5000/centos