search

snowdrop / k8s-infra

Information to bootstrap vms using dedicated server, local machine and setup using Ansible Playbooks
Apache License 2.0
29 stars 14 forks source link

pull fails using kind + TLS secured registry #218

Closed cmoulliard closed 3 years ago

cmoulliard commented 3 years ago

Issue

The following push fails against a localhost:5000 registry running as container

docker pull gcr.io/google-samples/hello-app:1.0
docker tag gcr.io/google-samples/hello-app:1.0 localhost:5000/hello-app:1.0
docker push localhost:5000/hello-app:1.0
Get "http://localhost:5000/v2/": dial tcp [::1]:5000: connect: connection refused

Bash script used

#!/bin/sh

set -o errexit

reg_name='kind-registry'
reg_port='5000'
reg_image_version='2.6.2'

current_dir=$(pwd)
temp_cert_dir=$(mktemp -d 2>/dev/null || mktemp -d -t 'temp_cert_dir')

read -p "Do you want to delete the kind cluster (y|n) - Default: n ? " cluster_delete
cluster_delete=${cluster_delete:-no}
read -p "Which kubernetes version should we install (1.14 .. 1.22) - Default: 1.21 ? " version
k8s_minor_version=${version:-1.21}
read -p "What logging verbosity do you want (0..9) - A verbosity setting of 0 logs only critical events - Default: 0 ? " logging_verbosity
logging_verbosity=${logging_verbosity:-0}

kindCmd="kind -v ${logging_verbosity} create cluster"

generate_certificate() {
  echo "==== Generate a self-signed certificate and user/pwd to secure the local registry"
  mkdir -p certs/localhost

  cat <<EOF > req.cnf
  [req]
  distinguished_name = req_distinguished_name
  x509_extensions = v3_req
  prompt = no
  [req_distinguished_name]
  C = BE
  ST = Namur
  L = Florennes
  O = Red Hat
  OU = Snowdrop
  CN = localhost
  [v3_req]
  keyUsage = critical, digitalSignature, keyAgreement
  extendedKeyUsage = serverAuth
  subjectAltName = @alt_names
  [alt_names]
  DNS.1 = localhost
  DNS.2 = kind-registry
  DNS.3 = localhost:5000
  DNS.4 = kind-registry:5000
EOF

  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
      -keyout certs/localhost/localhost.key \
      -out certs/localhost/localhost.crt \
      -config req.cnf \
      -sha256
  echo "==== Copy the localhost.crt and key files to the dir: $current_dir"
  mkdir -p $current_dir/localhost
  cp certs/localhost/localhost.* $current_dir/localhost
}

populate_htpasswd() {
  echo "==== Create the htpasswd file where user: admin and password: snowdrop"
  mkdir auth
  docker run --entrypoint htpasswd registry:2.7.0 -Bbn admin snowdrop > auth/htpasswd
  echo "==== Copy the generated htpasswd to the dir: $current_dir"
  cp auth/htpasswd $current_dir/
}

if [ "$cluster_delete" == "y" ]; then
  echo "==== Deleting kind cluster ..."
  kind delete cluster
  echo "==== Deleting local registry ..."
  docker stop ${reg_name} || true && docker rm ${reg_name} || true
fi

pushd $temp_cert_dir

populate_htpasswd
generate_certificate

# Start a local Docker registry (unless it already exists)
running="$(docker inspect -f '{{.State.Running}}' "${reg_name}" 2>/dev/null || true)"
if [ "${running}" != 'true' ]; then
  echo "==== Launch the container registry ps"
  docker run -d \
    -v `pwd`/auth:/auth \
    -v `pwd`/certs:/certs \
    -e REGISTRY_AUTH=htpasswd \
    -e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" \
    -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/localhost.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/localhost.key \
    --restart=always \
    -p "${reg_port}:5000" \
    --name "${reg_name}" \
    registry:${reg_image_version}
fi

echo "==== Connect the local Docker registry with the kind network"
docker network connect "kind" "${reg_name}" > /dev/null 2>&1 &

# Create a kind cluster
if [ "$k8s_minor_version" != "default" ]; then
  patch_version=$(wget -q https://registry.hub.docker.com/v1/repositories/kindest/node/tags -O - | \
  jq -r '.[].name' | grep -E "^v${k8s_minor_version}.[0-9]+$" | \
  cut -d. -f3 | sort -rn | head -1)
  k8s_version="v${k8s_minor_version}.${patch_version}"
  kindCmd+=" --image kindest/node:${k8s_version}"
else
  k8s_version=$k8s_minor_version
fi

# Kind cluster config template
kindCfg=$(cat <<EOF
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
containerdConfigPatches:
- |-
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:${reg_port}"]
    endpoint = ["https://localhost:${reg_port}"]
  [plugins."io.containerd.grpc.v1.cri".registry.configs."localhost:${reg_port}".tls]
    cert_file = "/etc/docker/certs.d/localhost/localhost.crt"
    key_file  = "/etc/docker/certs.d/localhost/localhost.key"
nodes:
- role: control-plane
  extraMounts:
    - containerPath: /etc/docker/certs.d/localhost
      hostPath: ${current_dir}/localhost
  kubeadmConfigPatches:
  - |
    kind: InitConfiguration
    nodeRegistration:
      kubeletExtraArgs:
        node-labels: "ingress-ready=true"
  extraPortMappings:
  - containerPort: 80
    hostPort: 80
    protocol: TCP
  - containerPort: 443
    hostPort: 443
    protocol: TCP
EOF
)

echo "==== Creating a Kind cluster with Kubernetes version : ${k8s_version} and logging verbosity: ${logging_verbosity}"
echo "${kindCfg}" | ${kindCmd} --config=-

# Document the local registry
# https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/generic/1755-communicating-a-local-registry
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
  name: local-registry-hosting
  namespace: kube-public
data:
  localRegistryHosting.v1: |
    host: "localhost:${reg_port}"
    help: "https://kind.sigs.k8s.io/docs/user/local-registry/"
EOF

popd
cmoulliard commented 3 years ago

Here is more information abut the problem

How can I fix such an issue which occurs when I try to pull an image (or when a pod tries to pull the image) from a TLS local container registry

root@kind-control-plane:/# crictl pull localhost:5000/hello-app
FATA[0000] pulling image: rpc error: code = Unknown desc = failed to pull and unpack image "localhost:5000/hello-app:latest": failed to resolve reference "localhost:5000/hello-app:latest": failed to do request: Head "http://kind-registry:5000/v2/hello-app/manifests/latest?ns=localhost%3A5000": net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02"

Log of the registry reports such an error

2021/09/28 08:22:05 http: TLS handshake error from 172.19.0.2:52546: tls: first record does not look like a TLS handshake

I can of course curl the docker registry from a container

curl -vk -u admin:snowdrop https://kind-registry:5000/v2/hello-app/manifests/latest?ns=localhost%3A5000
*   Trying fc00:f853:ccd:e793::3:5000...
* Connected to kind-registry (fc00:f853:ccd:e793::3) port 5000 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=BE; ST=Namur; L=Florennes; O=Red Hat; OU=Snowdrop; CN=localhost
*  start date: Sep 28 07:01:23 2021 GMT
*  expire date: Sep 28 07:01:23 2022 GMT
*  issuer: C=BE; ST=Namur; L=Florennes; O=Red Hat; OU=Snowdrop; CN=localhost
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Server auth using Basic with user 'admin'
* Using Stream ID: 1 (easy handle 0x55f8e6e0b890)
> GET /v2/hello-app/manifests/latest?ns=localhost%3A5000 HTTP/2
> Host: kind-registry:5000
> authorization: Basic YWRtaW46c25vd2Ryb3A=
> user-agent: curl/7.74.0
> accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 404 
< content-type: application/json; charset=utf-8
< docker-distribution-api-version: registry/2.0
< x-content-type-options: nosniff
< content-length: 96
< date: Tue, 28 Sep 2021 07:27:25 GMT
< 
{"errors":[{"code":"MANIFEST_UNKNOWN","message":"manifest unknown","detail":{"Tag":"latest"}}]}
* Connection #0 to host kind-registry left intact

containerd config is

root@kind-control-plane:/# cat /etc/containerd/config.toml
version = 2

[plugins]
  [plugins."io.containerd.grpc.v1.cri"]
    restrict_oom_score_adj = false
    sandbox_image = "k8s.gcr.io/pause:3.5"
    tolerate_missing_hugepages_controller = true
    [plugins."io.containerd.grpc.v1.cri".containerd]
      default_runtime_name = "runc"
      discard_unpacked_layers = true
      snapshotter = "overlayfs"
      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
          runtime_type = "io.containerd.runc.v2"
        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.test-handler]
          runtime_type = "io.containerd.runc.v2"
    [plugins."io.containerd.grpc.v1.cri".registry]
      [plugins."io.containerd.grpc.v1.cri".registry.configs]
        [plugins."io.containerd.grpc.v1.cri".registry.configs."localhost:5000"]
          [plugins."io.containerd.grpc.v1.cri".registry.configs."localhost:5000".tls]
            cert_file = "/etc/docker/certs.d/localhost/localhost.crt"
            key_file = "/etc/docker/certs.d/localhost/localhost.key"
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:5000"]
          endpoint = ["http://kind-registry:5000"]

Here is what crictl info reports

    "registry": {
      "configPath": "",
      "mirrors": {
        "localhost:5000": {
          "endpoint": [
            "https://kind-registry:5000"
          ]
        }
      },
      "configs": {
        "localhost:5000": {
          "auth": null,
          "tls": {
            "insecure_skip_verify": true,
            "caFile": "",
            "certFile": "",
            "keyFile": ""
          }
        }
      },
      "auths": null,
      "headers": null
    },
cmoulliard commented 3 years ago

Here is the latest version of the bash script I'm using - https://gist.github.com/cmoulliard/6de2fa393ec45bd181fa7d5d73c6960c

Error that I must fix now is 

FATA[0000] pulling image: rpc error: code = Unknown desc = 
failed to pull and unpack image "kind-registry:5000/hello-app:1.0"
failed to resolve reference "kind-registry:5000/hello-app:1.0"
failed to do request: Head "https://kind-registry:5000/v2/hello-app/manifests/1.0"
x509: certificate signed by unknown authority

@jacobdotcosta @BarDweller

cmoulliard commented 3 years ago

To prove you that curl + self signed CA cert works, see -->

root@kind-control-plane:/# curl -u admin:snowdrop --cacert /etc/docker/certs.d/kind-registry/localhost.cert -v https://kind-registry:5000/v2/_catalog
*   Trying fc00:f853:ccd:e793::3:5000...
* Connected to kind-registry (fc00:f853:ccd:e793::3) port 5000 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/docker/certs.d/kind-registry/localhost.cert
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=BE; ST=Namur; L=Florennes; O=Red Hat; OU=Snowdrop; CN=kind-registry
*  start date: Sep 28 12:50:50 2021 GMT
*  expire date: Sep 28 12:50:50 2022 GMT
*  subjectAltName: host "kind-registry" matched cert's "kind-registry"
*  issuer: C=BE; ST=Namur; L=Florennes; O=Red Hat; OU=Snowdrop; CN=kind-registry
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Server auth using Basic with user 'admin'
* Using Stream ID: 1 (easy handle 0x55cfedcdd890)
> GET /v2/_catalog HTTP/2
> Host: kind-registry:5000
> authorization: Basic YWRtaW46c25vd2Ryb3A=
> user-agent: curl/7.74.0
> accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 200 
< content-type: application/json; charset=utf-8
< docker-distribution-api-version: registry/2.0
< x-content-type-options: nosniff
< content-length: 31
< date: Tue, 28 Sep 2021 13:20:25 GMT
< 
{"repositories":["hello-app"]}
* Connection #0 to host kind-registry left intact

X509 info

root@kind-control-plane:/# cat /etc/docker/certs.d/kind-registry/localhost.cert
-----BEGIN CERTIFICATE-----
MIIGpjCCBI6gAwIBAgIJAJ5BvpKLF6wMMA0GCSqGSIb3DQEBCwUAMG4xCzAJBgNV
BAYTAkJFMQ4wDAYDVQQIDAVOYW11cjESMBAGA1UEBwwJRmxvcmVubmVzMRAwDgYD
VQQKDAdSZWQgSGF0MREwDwYDVQQLDAhTbm93ZHJvcDEWMBQGA1UEAwwNa2luZC1y
ZWdpc3RyeTAeFw0yMTA5MjgxNDAwMTNaFw0yMjA5MjgxNDAwMTNaMG4xCzAJBgNV
BAYTAkJFMQ4wDAYDVQQIDAVOYW11cjESMBAGA1UEBwwJRmxvcmVubmVzMRAwDgYD
VQQKDAdSZWQgSGF0MREwDwYDVQQLDAhTbm93ZHJvcDEWMBQGA1UEAwwNa2luZC1y
ZWdpc3RyeTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJXJw3q4Crb8
mD0D4IrG4wzeqoY7c8MyxpIbF4bwjYnSnwGHdMmwIGW76uHI+m0UMI0wgT6lKeoR
WRHCOTwsWUNvDw0YyL+YdHmF8Q3OrVK5wkE11ZqUz+aVwYHhweOH+lra8j+3kz3T
8eqonmpXJ8HWvKYP2wgx3CULRs1cx+23WjO+ncmW/2d8D4JJLFkZSoAQdOCAHdBi
vGJltuVdA0kmKXC2D4GdAk8If4Z0+38/QslLVVXRNLT9MUP9lPgWfo9ZJuwAUFTP
9H3/aQlD+iUoSpopBeZaViEcuCrbRhOEB3MUBDOjOCWgh+t37SmMbP2+Qwg9gjPO
hZJeMPolBYYZ8mzdGy/VU49ehVF9g57hkLrTkX8JE034lmTvaPLJ54Yh7KZYR4Dx
97BcyHH+dADZwh1rrs5C9dLmfxgd8678RP7ksNCzXDxkb5QEuF+6MD2oKWKMsmnn
m6WFZbts3FOKJr/zhp8NruNKR4llvA5qsTCXYhzX1FviB3WBb5g5thN17evqI6qb
0PuT7/31o3NmMOEhcmO82N8z+3hLkxfqOdkmHsFuROtVK2VAE0KcZ7LLvBhHLDL4
EClSSk3zI9MU8d4gIY7wz3tlIhLPPJo34On2QsrpK++9CTl2Tmn6PfOY3rvrEShS
KUNzRtvzmLKPKK3EiKiG7Bmomk/PnBwXAgMBAAGjggFFMIIBQTAPBgNVHRMBAf8E
BTADAQH/MB0GA1UdDgQWBBSt8LZ5oKf6bmPemKcJcDw4H9CC8TCBoAYDVR0jBIGY
MIGVgBSt8LZ5oKf6bmPemKcJcDw4H9CC8aFypHAwbjELMAkGA1UEBhMCQkUxDjAM
BgNVBAgMBU5hbXVyMRIwEAYDVQQHDAlGbG9yZW5uZXMxEDAOBgNVBAoMB1JlZCBI
YXQxETAPBgNVBAsMCFNub3dkcm9wMRYwFAYDVQQDDA1raW5kLXJlZ2lzdHJ5ggkA
nkG+kosXrAwwDgYDVR0PAQH/BAQDAgGGMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NM
IEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAuBgNVHREEJzAlgg1raW5kLXJlZ2lzdHJ5
gglsb2NhbGhvc3SCCTEyNy4wLjAuMTANBgkqhkiG9w0BAQsFAAOCAgEABlf4fm3/
+p98TsntujwJd3d0B5pR8tpTKHGrQV2M78wqFy1eLuvuXBWqrcvkyjwPewIbKNn9
IYB2QRmAyC/E9VudMC3QuVnJz5jQ8DX1KZjpdGTXwYMpen4olMXsCCOFTNAZeVXk
iRtLyivJR9j7QOyungSJTG8PO7J+4DQJrGfbxBFO+e/M6wFX7bwSR8S7vxth6jo1
fk2/7s54WpGp/qkrbb1n83NeRkAgwp++o2PJjodJcKx4NMaQiAK5Zftvyc8XmZFs
DUaSnpQWKpJmFImeGLQCWcse7HXGujw+20VqfBTvPsZ9LucJGsOPfcs7wNllUGbs
nwYx2bNGR3C/+qFN18D3mCEv8ICjtcqipD27D1kj4GAi4UpkWi30VzC7KZfj6woD
yw4VU9LegqKnplrzo0YL0ZQlL4ZHQ2WALgcb6H6UDAszit5nbMDpPcl34Zz28KrL
3h7wdpfsw+Si+1wjwOc5ZhcdMJk0Z8SXLe0bhgkKSpeNMAHZvBlyjIq9FW7nepKc
GTC+UrVnd+WaQRSwHE0Kw951HpSxirPGK+RiAok2LGfR6QSq2uzckQjy+nYjEEF+
HHq6fEwhUvN1h+UZoS1AzQK8n7dda3EMpG3WJgRfd2cNcBbFYpzHXAEzCjpFEFcF
DW6fsncUe7wbCd2dZkDD/eM5ByV3zS7UwAk=
-----END CERTIFICATE-----
root@kind-control-plane:/# openssl x509 -text -noout -in /etc/docker/certs.d/kind-registry/localhost.cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            9e:41:be:92:8b:17:ac:0c
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = BE, ST = Namur, L = Florennes, O = Red Hat, OU = Snowdrop, CN = kind-registry
        Validity
            Not Before: Sep 28 14:00:13 2021 GMT
            Not After : Sep 28 14:00:13 2022 GMT
        Subject: C = BE, ST = Namur, L = Florennes, O = Red Hat, OU = Snowdrop, CN = kind-registry
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:95:c9:c3:7a:b8:0a:b6:fc:98:3d:03:e0:8a:c6:
                    e3:0c:de:aa:86:3b:73:c3:32:c6:92:1b:17:86:f0:
                    8d:89:d2:9f:01:87:74:c9:b0:20:65:bb:ea:e1:c8:
                    fa:6d:14:30:8d:30:81:3e:a5:29:ea:11:59:11:c2:
                    39:3c:2c:59:43:6f:0f:0d:18:c8:bf:98:74:79:85:
                    f1:0d:ce:ad:52:b9:c2:41:35:d5:9a:94:cf:e6:95:
                    c1:81:e1:c1:e3:87:fa:5a:da:f2:3f:b7:93:3d:d3:
                    f1:ea:a8:9e:6a:57:27:c1:d6:bc:a6:0f:db:08:31:
                    dc:25:0b:46:cd:5c:c7:ed:b7:5a:33:be:9d:c9:96:
                    ff:67:7c:0f:82:49:2c:59:19:4a:80:10:74:e0:80:
                    1d:d0:62:bc:62:65:b6:e5:5d:03:49:26:29:70:b6:
                    0f:81:9d:02:4f:08:7f:86:74:fb:7f:3f:42:c9:4b:
                    55:55:d1:34:b4:fd:31:43:fd:94:f8:16:7e:8f:59:
                    26:ec:00:50:54:cf:f4:7d:ff:69:09:43:fa:25:28:
                    4a:9a:29:05:e6:5a:56:21:1c:b8:2a:db:46:13:84:
                    07:73:14:04:33:a3:38:25:a0:87:eb:77:ed:29:8c:
                    6c:fd:be:43:08:3d:82:33:ce:85:92:5e:30:fa:25:
                    05:86:19:f2:6c:dd:1b:2f:d5:53:8f:5e:85:51:7d:
                    83:9e:e1:90:ba:d3:91:7f:09:13:4d:f8:96:64:ef:
                    68:f2:c9:e7:86:21:ec:a6:58:47:80:f1:f7:b0:5c:
                    c8:71:fe:74:00:d9:c2:1d:6b:ae:ce:42:f5:d2:e6:
                    7f:18:1d:f3:ae:fc:44:fe:e4:b0:d0:b3:5c:3c:64:
                    6f:94:04:b8:5f:ba:30:3d:a8:29:62:8c:b2:69:e7:
                    9b:a5:85:65:bb:6c:dc:53:8a:26:bf:f3:86:9f:0d:
                    ae:e3:4a:47:89:65:bc:0e:6a:b1:30:97:62:1c:d7:
                    d4:5b:e2:07:75:81:6f:98:39:b6:13:75:ed:eb:ea:
                    23:aa:9b:d0:fb:93:ef:fd:f5:a3:73:66:30:e1:21:
                    72:63:bc:d8:df:33:fb:78:4b:93:17:ea:39:d9:26:
                    1e:c1:6e:44:eb:55:2b:65:40:13:42:9c:67:b2:cb:
                    bc:18:47:2c:32:f8:10:29:52:4a:4d:f3:23:d3:14:
                    f1:de:20:21:8e:f0:cf:7b:65:22:12:cf:3c:9a:37:
                    e0:e9:f6:42:ca:e9:2b:ef:bd:09:39:76:4e:69:fa:
                    3d:f3:98:de:bb:eb:11:28:52:29:43:73:46:db:f3:
                    98:b2:8f:28:ad:c4:88:a8:86:ec:19:a8:9a:4f:cf:
                    9c:1c:17
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                AD:F0:B6:79:A0:A7:FA:6E:63:DE:98:A7:09:70:3C:38:1F:D0:82:F1
            X509v3 Authority Key Identifier: 
                keyid:AD:F0:B6:79:A0:A7:FA:6E:63:DE:98:A7:09:70:3C:38:1F:D0:82:F1
                DirName:/C=BE/ST=Namur/L=Florennes/O=Red Hat/OU=Snowdrop/CN=kind-registry
                serial:9E:41:BE:92:8B:17:AC:0C

            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Alternative Name: 
                DNS:kind-registry, DNS:localhost, DNS:127.0.0.1
cmoulliard commented 3 years ago

I was able to fix the issue after uploading the Self signed CA certificate to the kind container using the following instructions https://gist.github.com/superbrothers/9bb1b7e00007395dc312e6e35f40931e

Remark. the extension of the certificate to be uploaded should be .crt and not .cert