I have deployed a private registry with Harbor, using self-signed certificates. Importing images to Harbor works, and pulling images works. On the worker nodes I have added the certificates into the OS as trusted, and I can pull images successfully from the worker nodes on the CLI by running ctr images pull harbor.mylab.com:9091/mylab/acid1
The problem is that when I create a pod and it tries to pull an image from the private registry, I see a certificate error: x509: certificate signed by unknown authority
After googling and reading more documentation on Rancher RKE2, I found out that you have to add a registries.yml file. In my case the file exists, but I am not sure how to edit it, because once the rke2 agent is restarted on the node the file is overwritten.
I want to have something like this, as I understand it from the docs (https://docs.rke2.io/install/containerd_registry_configuration/):
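mirrors:
  docker.io:
    endpoint:
      # endpoint entries are URLs, so the scheme is included
      - "https://harbor.mylab.com:9091"
configs:
  "harbor.mylab.com:9091":
    tls:
      cert_file: /opt/harbor/certs/harbor_registry.crt
      key_file: /opt/harbor/certs/harbor_registry.key
      # ca_file has to be a CA certificate in PEM form; a .csr is a signing request
      ca_file: /opt/harbor/certs/harbor_registry.csr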
OK, for me personally (and this may not work for others), the solution was to add the certs in /usr/local/share/ca-certificates and in /etc/ssl/certs/, then run update-ca-certificates and restart the relevant Rancher services. If the service restart does not help, try rebooting a node.
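In a registries.yaml `tls:` block, `ca_file` is what containerd uses to verify the registry's server certificate, while `cert_file` and `key_file` are an optional client pair, so a CSR or key in the `ca_file` slot cannot act as a trust anchor. The script below is an added example, not part of the original post or of RKE2: it classifies each referenced file by its PEM label and flags mismatches. The function names and the sample files are hypothetical.

```shell
#!/bin/sh
# Added example: lint the files named under tls: in registries.yaml by PEM label.

# Print the kind of PEM object a file holds, judged by its first BEGIN line.
pem_kind() {
    _label=$(sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1" 2>/dev/null | head -n 1)
    case "$_label" in
        "CERTIFICATE") echo certificate ;;
        "CERTIFICATE REQUEST"|"NEW CERTIFICATE REQUEST") echo csr ;;
        *"PRIVATE KEY") echo private-key ;;
        "") echo unknown ;;   # missing file, DER encoding, or not PEM at all
        *) echo other ;;
    esac
}

# expect_kind FIELD FILE WANTED: return 1 and explain when FILE is the wrong kind.
expect_kind() {
    _found=$(pem_kind "$2")
    [ "$_found" = "$3" ] && return 0
    echo "$1 $2: expected $3, found $_found" >&2
    return 1
}

# check_registry_tls CA_FILE [CERT_FILE KEY_FILE]
# Returns 0 only when every file given holds the kind of object its field needs.
check_registry_tls() {
    _rc=0
    expect_kind ca_file "$1" certificate || _rc=1
    if [ -n "${2:-}" ]; then expect_kind cert_file "$2" certificate || _rc=1; fi
    if [ -n "${3:-}" ]; then expect_kind key_file "$3" private-key || _rc=1; fi
    return "$_rc"
}

# Constructed sample files: real PEM labels, placeholder bodies (no real key material).
make_samples() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$1/ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' 'PLACEHOLDER' \
        '-----END CERTIFICATE REQUEST-----' > "$1/harbor.csr"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END PRIVATE KEY-----' > "$1/harbor.key"
}

# When run with arguments, check them: ./lint.sh CA_FILE [CERT_FILE KEY_FILE]
if [ "$#" -gt 0 ]; then
    check_registry_tls "$@"
fi
```

This only inspects PEM labels; it does not prove that the CA actually signed the certificate Harbor presents.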