minikube: GCR connectivity check fails when custom SSL certs are used

Steps to reproduce the issue:

  1. copy company .pem to ~/.minikube/files/etc/ssl/certs/mycacert.pem, chmod 644
  2. minikube delete
  3. minikube start --alsologtostderr -v=7

Full output of failed command:

From

I0724 20:06:48.783373 22631 ssh_runner.go:148] Run: sudo mkdir -p /etc/ssl/certs
I0724 20:06:48.791445 22631 ssh_runner.go:148] Run: stat -c "%s %y" /etc/ssl/certs/mycacert.pem
I0724 20:06:48.794930 22631 ssh_runner.go:205] existence check for /etc/ssl/certs/mycacert.pem: stat -c "%s %y" /etc/ssl/certs/mycacert.pem: Process exited with status 1

Full output of minikube start command used, if not already included:

😄 minikube v1.12.1 on Centos 7.8.2003
✨ Using the docker driver based on existing profile

❗ 'docker' driver reported a issue that could affect the performance.
💡 Suggestion: enable overlayfs kernel module on your Linux

👍 Starting control plane node minikube in cluster minikube
🏃 Updating the running docker "minikube" container …
❗ This container is having trouble accessing https://k8s.gcr.io

💡 To pull new external images, you may need to configure a proxy: https://minikube.sigs.k8s.io/docs/reference/networking/proxy/
🐳 Preparing Kubernetes v1.18.3 on Docker 19.03.2 …
E0724 20:43:31.472886 11654 start.go:97] Unable to get host IP: inspect IP bridge network "b96c74d6bc1b\nb092f4daf24a\nbe45ff17cbde".: docker network inspect --format "{{(index .IPAM.Config 0).Gateway}}" b96c74d6bc1b b092f4daf24a be45ff17cbde: exit status 1
stdout:

stderr:
Error: No such network: b96c74d6bc1b b092f4daf24a be45ff17cbde

💣 failed to start node: startup failed: Failed to setup kubeconfig: inspect IP bridge network "b96c74d6bc1b\nb092f4daf24a\nbe45ff17cbde".: docker network inspect --format "{{(index .IPAM.Config 0).Gateway}}" b96c74d6bc1b b092f4daf24a be45ff17cbde: exit status 1
stdout:

stderr:
Error: No such network: b96c74d6bc1b b092f4daf24a be45ff17cbde

😿 minikube is exiting due to an error. If the above message is not useful, open an issue:
👉 https://github.com/kubernetes/minikube/issues/new/choose

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 22 (9 by maintainers)

Most upvoted comments

No, I am not in China. The trouble is that https is proxied with a custom CA certificate. I am trying to let minikube trust this certificate authority (https://minikube.sigs.k8s.io/docs/handbook/vpn_and_proxy/).

Even if I change minikube to point to Artifactory, I will still have to trust the same CA certificate as my Artifactory server is also using https with a custom CA certificate.

I do not agree with your recent title change of this ticket. Should still be:

“Minikube fails to copy PEM root CA certificate to /etc/ssl/certs/. So Minikube won’t connect to https://k8s.gcr.io”

The issue is that these certificates I am placing in the correct location are NOT being copied into the container, and thus Minikube scripts are reporting this. The fact that the ca certs are not being imported means Minikube won’t trust the connection.

Thanks for waiting on this. We have integration tests that verify we copy the cert inside minikube, so I would be surprised if it doesn’t do that for you.

I still think your company has a different registry mirror (similar to China) that blocked access to gcr.io.

I believe you can fix this problem by getting the approved mirror your company/corp/network uses and pass it to

      --image-repository='': Alternative image repository to pull docker images from. This can be used when you have limited access to gcr.io. Set it to "auto" to let minikube decide one for you. For Chinese mainland users, you may use local gcr.io mirrors such as registry.cn-hangzhou.aliyuncs.com/google_containers

Do you mind please sharing with me the full output of

docker pull k8s.gcr.io/kube-apiserver:v1.18.3

on your system?
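
The trust decision this thread argues about, as an added Go example that is not part of the issue or of minikube's code: a certificate for k8s.gcr.io issued by an intercepting proxy only verifies once the proxy's CA is in the root pool. The CA, the certificate and the names `issue`, `verifyProxied` and "Constructed Corp CA" are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue creates a constructed certificate for cn; a nil parent yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if parent == nil { // self-signed root standing in for the company CA
		t.IsCA, t.DNSNames, t.KeyUsage = true, nil, x509.KeyUsageCertSign
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyProxied validates a proxy-issued k8s.gcr.io certificate against a root pool
// and reports whether the failure, if any, is an unknown-authority error.
func verifyProxied(caInstalled bool) (unknownCA bool, err error) {
	ca, caKey := issue("Constructed Corp CA", nil, nil)
	leaf, _ := issue("k8s.gcr.io", ca, caKey)
	roots := x509.NewCertPool() // stands in for the trust store inside the node
	if caInstalled {
		roots.AddCert(ca)
	}
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: "k8s.gcr.io", Roots: roots})
	return errors.As(err, new(x509.UnknownAuthorityError)), err
}

func main() {
	fmt.Println(verifyProxied(false)) // CA missing: x509 unknown-authority error
	fmt.Println(verifyProxied(true))  // CA present: chain verifies
}
```

An unknown-authority error in a client's output points at a missing CA in the trust store, while a timeout or refused connection points at blocked network access, which is the distinction the two commenters disagree on.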