Assigned
Comments
ot...@google.com <ot...@google.com> #2
This feature request has been forwarded to the product management team so that they may evaluate it. There is no timeline or implementation guarantee for feature requests. All communication regarding this feature request is to be done here.
al...@gmail.com <al...@gmail.com> #3
Any update on this? It also affects GKE Autopilot, which cannot pull images from private registries using certificates from an enterprise CA.
At the moment, I'm using a DaemonSet to install the certificate into the worker nodes, but only on GKE Standard. We have been waiting for a solution for Autopilot.
Description
Please describe your requested enhancement. Good feature requests will solve common problems or enable new use cases.
What you would like to accomplish:
Using a 3rd-party repository (Nexus) for GKE, and being able to manage certificates in GKE
How this might work: Allow the user to use a 3rd-party repository for GKE. Right now we get an x509 error saying the certificate is signed by an unknown authority, meaning Nexus cannot trust a self-signed certificate from GKE. To overcome that, we need to import the root CA certificate into GKE so both parties have the same root of trust, but we are stuck because we can't import a root CA into the GKE master.
Steps to Reproduce the Issue:
1. Install Nexus on Ubuntu 20.04 [1]
2. Try to use a Debian VM with Docker installed to log in to Nexus: docker login <nexus's URL>:<port>, but it turns out Nexus does not accept insecure simple authentication (user/pw), so I need to set up HTTPS
3. Got a certificate from ZeroSSL (free for 3 months) and set up HTTPS [2] [3]
4. Still not able to log in, with the error: x509: certificate signed by unknown authority
5. This means the Docker VM can't trust the certificate I got from ZeroSSL, so I need to install the root CA in the Docker VM.
6. I upload the root CA to /usr/local/share/ca-certificates and then run sudo update-ca-certificates.
7. With both the Docker VM and Nexus having the same root of trust, I can now use docker login to Nexus and push/pull.
8. Then I move on to GKE [4]
9. Got the same error and found this [5]
10. The default node pool is running COS, which has a read-only file system, so I can't import the root CA.
11. I tried to create a new node pool with an Ubuntu-based image, which would allow me to import the root CA cert.
12. I import the root CA cert to each node and confirm by running docker login to Nexus and pulling an image, but GKE still can't pull the image [4].
13. I suspect the master node doesn't have the root CA cert. I can upload the root CA to each node, but can't do that for the master.
Research done:
[1]
[2]
[3]
[4]
[5]
If applicable, reasons why alternative solutions are not sufficient: There is no other way, since the master node is hidden from the user.
Other information (workarounds you have tried, documentation consulted, etc):
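The DaemonSet workaround mentioned in comment #3, written out as an added example; it is not from the issue reporter, the commenter or Google. It targets the Ubuntu node pool the reporter created in step 11 (COS's root file system is read-only, step 10), and puts the enterprise root CA where the node's container runtime reads it: image pulls for Pods are performed by kubelet through containerd on the node, so containerd's trust store is the one that has to contain the CA, and containerd has to be restarted afterwards because a Go process loads system roots once. Everything named here is an assumption: the ConfigMap key and PEM body are placeholders for the CA that signed the Nexus certificate, the node-pool name `ubuntu-pool` in the `nodeSelector` is invented, and the node image is assumed to be `ubuntu_containerd` with a systemd unit called `containerd`. Because it needs `privileged`, `hostPID` and a `hostPath` mount, this only runs on GKE Standard, consistent with comment #3.

```yaml
# Added example (not from the issue thread or from Google): install an enterprise
# root CA into the trust store of GKE Standard nodes running the Ubuntu node image,
# then restart containerd so the running runtime trusts the private registry.
# Assumptions: ubuntu_containerd node image, systemd unit "containerd", node-pool
# label value "ubuntu-pool", placeholder PEM below replaced with the real CA.
apiVersion: v1
kind: ConfigMap
metadata:
  name: enterprise-root-ca
  namespace: kube-system
data:
  # Constructed placeholder; replace with the PEM of the CA that signed the Nexus cert.
  enterprise-root-ca.crt: |
    -----BEGIN CERTIFICATE-----
    MIIB...placeholder...
    -----END CERTIFICATE-----
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: install-root-ca
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: install-root-ca
  template:
    metadata:
      labels:
        app: install-root-ca
    spec:
      # Assumed pool name: only the Ubuntu pool has a writable trust store.
      nodeSelector:
        cloud.google.com/gke-nodepool: ubuntu-pool
      tolerations:
        - operator: Exists
      # hostPID lets us nsenter into PID 1 (the host's systemd) and run the
      # host's own update-ca-certificates and systemctl.
      hostPID: true
      initContainers:
        - name: install-ca
          image: ubuntu:22.04
          securityContext:
            privileged: true
          volumeMounts:
            - name: ca
              mountPath: /ca
              readOnly: true
            - name: host-local-ca
              mountPath: /host/usr/local/share/ca-certificates
          command: ["/bin/bash", "-c"]
          args:
            - |
              set -euo pipefail
              src=/ca/enterprise-root-ca.crt
              dst=/host/usr/local/share/ca-certificates/enterprise-root-ca.crt
              # Idempotent: only touch the trust store and restart containerd when
              # the CA actually changed, so a Pod restart does not bounce every node.
              if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
                echo "CA already installed on this node; nothing to do"
                exit 0
              fi
              cp "$src" "$dst"
              # Rebuild /etc/ssl/certs on the host and reload the runtime.
              nsenter --target 1 --mount --uts --ipc --net --pid -- update-ca-certificates
              nsenter --target 1 --mount --uts --ipc --net --pid -- systemctl restart containerd
      containers:
        # Keeps the DaemonSet Pod alive; all work happens in the init container.
        - name: pause
          image: registry.k8s.io/pause:3.9
      volumes:
        - name: ca
          configMap:
            name: enterprise-root-ca
        - name: host-local-ca
          hostPath:
            path: /usr/local/share/ca-certificates
            type: DirectoryOrCreate
```

Before applying it, check the PEM actually chains to the registry's certificate with `openssl verify -CAfile enterprise-root-ca.crt nexus-server.crt`, otherwise the nodes will install a CA that does not help. After `kubectl apply`, `kubectl -n kube-system logs ds/install-root-ca -c install-ca` shows which nodes were updated, and a Pod whose image is `<nexus host>:<port>/<image>` (with an `imagePullSecrets` entry for the Nexus credentials) is the end-to-end test. Restarting containerd leaves running containers in place, but it does interrupt pulls in flight, which is why the script skips the restart when the CA is unchanged. Nodes added later by autoscaling are covered automatically because the DaemonSet schedules onto them.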