Comments (6)
Hello @pulberg, thank you for submitting the issue. Does your corp environment have access to https://public.ecr.aws?
from eks-anywhere.
Yes, these pulled correctly -
public.ecr.aws/eks-anywhere/cli-tools:v0.1.0-eks-a-1
public.ecr.aws/eks-anywhere/kubernetes-sigs/kind/node:v1.21.2-eks-d-1-21-4-eks-a-1
I also tested pulling the cert-manager images manually and that works, so there is something happening in the setup of the cluster that is not happy with the corp CA. Even after pulling the images manually the x509 errors persist.
from eks-anywhere.
The cert manager image, along with a number of others, are pulled inside the bootstrap kind cluster whereas those other two you mentioned are pulled on the host machine. The host must have the trusted certs/CA whereas the kind cluster does not.
Not sure the best way to handle this but we can do some looking around. One option would be to do all pulling on the host and use kind's load image ability to load them into the running bootstrap container.
from eks-anywhere.
> The cert manager image, along with a number of others, are pulled inside the bootstrap kind cluster whereas those other two you mentioned are pulled on the host machine. The host must have the trusted certs/CA whereas the kind cluster does not.

kubernetes-sigs/kind#941 documents this error and provides a workaround to add the trusted cert/CA to the kind cluster. Kind also offers the ability to mount volumes with extraMounts in the config, kubernetes-sigs/kind#1010.

> Not sure the best way to handle this but we can do some looking around. One option would be to do all pulling on the host and use kind's load image ability to load them into the running bootstrap container.

All images needed by the kind cluster could be pulled from the workstation and archived. Then it would be a simple load of the archive into the kind cluster. Ref: https://kind.sigs.k8s.io/docs/user/quick-start/#loading-an-image-into-your-cluster.
from eks-anywhere.
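The two kind-side mitigations raised above (trusting the corp CA inside the bootstrap node via extraMounts plus a containerd patch, and pulling on the host then loading an archive) as an added illustration; this is not EKS Anywhere's own code or a supported CLI option. It assumes the corp CA bundle is a PEM file named ca.crt in a host directory, and the bootstrap cluster name is a placeholder to be replaced.

```shell
#!/bin/sh
# Added illustration of the two kind-side mitigations discussed above; not
# EKS Anywhere code. Assumptions: the corp CA bundle sits in a host directory
# as ca.crt, and the bootstrap cluster name is a placeholder to be replaced.
set -eu

# Render a kind config that mounts the corp CA into the node and tells
# containerd's CRI plugin to trust it for TLS to the intercepted registry.
# Without this patch the node only trusts the image's default CA bundle,
# which is why pulls that work on the host fail inside the bootstrap cluster.
render_kind_config() {
  ca_dir="$1"      # host directory containing ca.crt (corp CA, PEM)
  registry="$2"    # registry host whose TLS the corp proxy re-signs
  cat <<EOF
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  extraMounts:
  - hostPath: ${ca_dir}
    containerPath: /etc/docker/certs.d/${registry}
    readOnly: true
containerdConfigPatches:
- |-
  [plugins."io.containerd.grpc.v1.cri".registry.configs."${registry}".tls]
    ca_file = "/etc/docker/certs.d/${registry}/ca.crt"
EOF
}

# Alternative: pull every image the bootstrap node needs on the host (which
# already trusts the corp CA), archive them, and load the archive into the
# node so containerd never has to reach the registry. The plan is printed
# rather than executed so it can be reviewed first; pipe it to sh to run it.
image_archive_plan() {
  archive="$1"; shift
  cluster="${KIND_CLUSTER_NAME:-bootstrap-cluster-PLACEHOLDER}"
  for img in "$@"; do
    printf 'docker pull %s\n' "${img}"
  done
  printf 'docker save -o %s %s\n' "${archive}" "$*"
  printf 'kind load image-archive %s --name %s\n' "${archive}" "${cluster}"
}
```

The mount path under /etc/docker/certs.d/<registry> and the CRI registry tls patch follow kind's private-registry certificate guidance; the archive route avoids the CA question entirely for image pulls but, as the next comment notes, not for other TLS calls the bootstrap node may make.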
Thanks @antoniordz96!
The more I think about it the more I'm not sure about the pulling images on the host approach. That would def solve this exact problem, but if you were creating a vsphere cluster the kind cluster would need to be able to make calls to the vcenter api; would those also be intercepted like this and need the CA? Technically for vcenter we can ignore cert failures by providing the thumbprint or just ignoring tls, but I wonder if in a general sense we would just be kicking the problem down the line in the process. If you were standing up a vsphere cluster, would this custom CA be something you would want to exist in your cluster in case services are making calls to other internal services using this CA?
from eks-anywhere.
There has been no activity on this issue for 60 days. Labeling as stale and closing in 7 days if no further activity.
from eks-anywhere.