@albal
Created January 22, 2025 23:02
Gist to create a DaemonSet suitable for CentOS/RedHat targets
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: registry-ca
  namespace: kube-system
  labels:
    k8s-app: registry-ca
spec:
  selector:
    matchLabels:
      name: registry-ca
  template:
    metadata:
      labels:
        name: registry-ca
    spec:
      # hostPID makes /proc/1 refer to the node's PID 1, which nsenter targets below
      hostPID: true
      hostNetwork: true
      initContainers:
      - name: registry-ca
        image: registry.access.redhat.com/ubi8/ubi:latest
        securityContext:
          # privileged is required for nsenter to join the host mount namespace
          privileged: true
        command: [ 'sh' ]
        args:
        - -c
        - |
          # Copy the CA from the mounted secret into the host's trust anchors (hostPath)
          cp /home/core/registry-ca /etc/pki/ca-trust/source/anchors/registry-ca.crt
          # Rebuild the host trust store and restart k3s from the host's mount namespace
          nsenter --mount=/proc/1/ns/mnt -- sh -c "update-ca-trust && systemctl restart k3s"
        volumeMounts:
        - name: etc-pki-ca-trust
          mountPath: /etc/pki/ca-trust/source/anchors
        - name: ca-cert
          mountPath: /home/core
      terminationGracePeriodSeconds: 30
      volumes:
      - name: etc-pki-ca-trust
        hostPath:
          path: /etc/pki/ca-trust/source/anchors
      # The registry-ca Secret in kube-system, with the CA under the key "registry-ca"
      - name: ca-cert
        secret:
          secretName: registry-ca
      containers:
      # Pause container keeps the pod running after the init container completes
      - name: wait
        image: registry.access.redhat.com/ubi8/pause:latest

kubectl create secret generic registry-ca --namespace kube-system --from-file=registry-ca=./ca.crt