How to configure riff to run kservices with images from a registry signed by a custom CA #1098
The cert added according to the PKS-Harbor installation guidelines document works for allowing k8s to pull images. It does not seem to be included in
These are the steps that will show the cert error "x509: certificate signed by unknown authority"
The --image flag references a repository that is hosted in a registry with a self-signed certificate. This certificate has been added to the PKS configuration so Kubernetes nodes can pull images, but the Knative serving controller can't access the registry.
Summary of where we are at the moment. The CA certificate needs to be available for:
Re: 1, for knative digest resolution, we have an open issue to follow the same pattern as docker/minikube, linking here as a breadcrumb: google/go-containerregistry#211

Re: 2, we should already be picking up

Re: 3, if buildpacks are using google/go-containerregistry, we can probably address that in the same way. I think we'd want to follow the pattern that docker/containerd do for providing custom certs.

Thanks for the feedback. Re: 2, it does seem to work but I'm not sure how to add my self-signed cert to the For buildpacks we'll just have to wait for this issue to be addressed in the buildpack project before moving further along here.

Oh 🤦♂️ I didn't read correctly
Hi, this is how I managed to inject a custom CA in deployment/controller of the knative-serving namespace:

create a generic secret under the knative-serving ns:

```shell
kubectl --namespace knative-serving create secret generic customca --from-file=customca.crt=CA_FILE_PATH
```

configure knative-serving:

```shell
kubectl edit deployment controller --namespace knative-serving
```

add the customca secret and mount point:

```yaml
# under spec.template.spec of the controller Deployment
containers:
  - env:
      - name: CONFIG_LOGGING_NAME
        value: config-logging
      - name: SSL_CERT_DIR
        value: /etc/customca
    volumeMounts:
      - mountPath: /etc/customca
        name: customca
volumes:
  - name: customca
    secret:
      defaultMode: 420
      secretName: customca
```

with those configurations knative-serving/controller can successfully pull an image from a private docker repository.

p.s. I noticed that, installing knative following the guide, a controller service account is created and the controller pod mounts /var/run/secrets/kubernetes.io/serviceaccount/ca.crt from the controller's serviceaccount secret. This is why I configured the SSL_CERT_DIR env var.
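The manual secret-plus-`kubectl edit` procedure in the comment above, scripted as an added example (not code from the riff project or from the comment author): it refuses a file that is not PEM, creates the secret idempotently, applies the same env/volume change as a strategic-merge patch, and reads the resulting env var back instead of exec'ing into the (shell-less) controller image. It assumes `kubectl` is pointed at the cluster, that the controller Deployment's container is named `controller`, and that the mount is made read-only (an addition to the original YAML).

```shell
#!/bin/sh
# Added example: install a custom CA into the knative-serving controller.
set -eu

NS="${NS:-knative-serving}"      # namespace of the controller Deployment
SECRET="${SECRET:-customca}"     # secret name, as in the comment above
MOUNT="${MOUNT:-/etc/customca}"  # directory Go's crypto/x509 reads via SSL_CERT_DIR

# Only accept a PEM-encoded certificate; a DER or PKCS#12 file would be
# mounted silently and the controller would keep failing with the x509 error.
is_pem_cert() {
  grep -q 'BEGIN CERTIFICATE-----' "$1" && grep -q 'END CERTIFICATE-----' "$1"
}

# Strategic-merge patch equivalent to the YAML edits in the comment above.
# Containers and env entries merge by "name", so the container name
# ("controller", assumed) is required for the patch to target the right one.
controller_patch() {
  cat <<EOF
{"spec":{"template":{"spec":{
  "containers":[{"name":"controller",
    "env":[{"name":"SSL_CERT_DIR","value":"$MOUNT"}],
    "volumeMounts":[{"name":"$SECRET","mountPath":"$MOUNT","readOnly":true}]}],
  "volumes":[{"name":"$SECRET","secret":{"secretName":"$SECRET","defaultMode":420}}]
}}}}
EOF
}

install_ca() {
  ca_file="$1"
  is_pem_cert "$ca_file" || { echo "$ca_file is not a PEM certificate" >&2; return 1; }
  # --dry-run + apply makes re-running the script safe when the secret exists.
  kubectl -n "$NS" create secret generic "$SECRET" \
    --from-file="customca.crt=$ca_file" --dry-run=client -o yaml | kubectl apply -f -
  kubectl -n "$NS" patch deployment controller --type strategic -p "$(controller_patch)"
  kubectl -n "$NS" rollout status deployment/controller
  # Verify the change landed without needing a shell inside the pod.
  kubectl -n "$NS" get deployment controller -o \
    jsonpath='{.spec.template.spec.containers[?(@.name=="controller")].env[?(@.name=="SSL_CERT_DIR")].value}'
  echo
}

if [ -n "${1:-}" ]; then
  install_ca "$1"
fi
```

Run it as `./install-ca.sh /path/to/harbor-ca.crt`; after the rollout, a kservice whose image digest previously failed with "x509: certificate signed by unknown authority" should resolve.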
According to knative/serving#2136, it should be possible to configure Knative serving to trust custom CA certificates to work with an on-prem registry like Harbor.
It would be helpful if riff made it simpler for users to perform this additional configuration. This could either take the form of documentation, or extensions to the riff cli.
The PKS-Harbor installation guidelines document how to automate the installation of a certificate from Harbor into the PKS kubernetes environment.
Initial testing appears to confirm that the PKS Harbor cert is sufficient for pulling images to install and run "normal" kubernetes deployments, but does not meet the requirements to run Knative services.
knative/serving#1996 has more details regarding why Knative services are different in how they pull images.