Spinnaker + private docker registry with self-signed certificates

#1

Hi, I’m using OpenShift Kubernetes and have installed Spinnaker on top of it. I’m using a private Docker registry with self-signed certificates. I installed Spinnaker using Helm charts, since the environment doesn’t allow public internet access.
However, clouddriver, when trying to fetch image tags from the registry, gives the following error:

2018-07-12 09:13:26.695 ERROR 1 --- [ecutionAction-4] .d.r.p.a.DockerRegistryImageCachingAgent : Could not load tags for pdeep/sample-java-app
retrofit.RetrofitError: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I have tried adding the Docker certificate at /etc/ssl/certs/ca-certificates.crt in the clouddriver pod, but it didn’t work.

Please let me know how to allow clouddriver to access a private Docker registry with a self-signed certificate. Is there any specific path where it looks for the certificate? Do I need to add a Bearer token?

Thanks

#2

Got a solution for the aforementioned problem. Enable okHttpClient in clouddriver.yaml and add the certificate to the keystore and truststore.

#3

okHttpClient client does not seem to work for me even after updating the clouddriver.yaml. Is it working for anyone else?

Tried both clouddriver.yaml & clouddriver-local.yml. This is the config for clouddriver.yml

host: 0.0.0.0
artifactId: docker.com/spinnaker-marketplace/clouddriver:4.0.1-20181024113115
env:
  JAVA_OPTS: "-Xms512m -Xmx1g -Dlogging.file=/var/log/clouddriver.log"
okHttpClient:
  enabled: true
  keyStore: ~/opensource/spinnaker/spinnaker-config/ca-certs/cacert
  keyStorePassword: changeit
  trustStore: ~/opensource/spinnaker/spinnaker-config/ca-certs/cacert
  trustStorePassword: changeit
  propagateSpinnakerHeaders: true
  connectTimeoutMs: 60000
  readTimeoutMs: 60000

Error Details:

2019-05-09 20:11:41.976 ERROR 1 --- [ool-15-thread-1] c.n.s.c.core.AlwaysUpHealthIndicator : Unhealthy
retrofit.RetrofitError: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at retrofit.RetrofitError.networkError(RetrofitError.java:27) ~[retrofit-1.9.0.jar:na]