Introduce global.containerRegistryCACertSecret
#1967
Conversation
This is not properly tested yet. I have modified
I am getting the following error, which I don't really understand:

```
{"level":"info","ts":"2022-12-06T17:10:28.183923454Z","logger":"http-logger","msg":"request","correlation-id":"99ad93da-b47b-471f-aac4-73fbc6cf3492","url":"/v3/packages/b10204ab-f3eb-46bf-994f-bf357f4b1f4c/upload","method":"POST","remoteAddr":"10.244.0.17:39738","contentLength":921}
{"level":"info","ts":"2022-12-06T17:10:28.265822007Z","logger":"PackageHandler","msg":"Error calling UploadSourceImage","correlation-id":"99ad93da-b47b-471f-aac4-73fbc6cf3492","err":"pushing image ref 'localregistry-docker-registry.default.svc:30050/packages' failed: failed to upload image: HEAD https://localregistry-docker-registry.default.svc:30050/v2/packages/blobs/sha256:6ea850dc4998e09d838430999d44ef93f17a1f15d6db372894b49f01e4e2f487: unexpected status code 401 Unauthorized (HEAD responses have no body, use GET for details)"}
{"level":"info","ts":"2022-12-06T17:10:28.265962198Z","logger":"PackageHandler","msg":"handler returned error","correlation-id":"99ad93da-b47b-471f-aac4-73fbc6cf3492","error":"pushing image ref 'localregistry-docker-registry.default.svc:30050/packages' failed: failed to upload image: HEAD https://localregistry-docker-registry.default.svc:30050/v2/packages/blobs/sha256:6ea850dc4998e09d838430999d44ef93f17a1f15d6db372894b49f01e4e2f487: unexpected status code 401 Unauthorized (HEAD responses have no body, use GET for details)"}
{"level":"info","ts":"2022-12-06T17:10:28.266005943Z","logger":"http-logger","msg":"response","correlation-id":"99ad93da-b47b-471f-aac4-73fbc6cf3492","status":502,"size":131,"durationMillis":82}
```
I was able to test this locally all the way to a Kpack
This allows users to specify a CA cert for the container registry. It also gets rid of the `REGISTRY_CA_FILE` environment variable and of the custom transport construction we had in place: instead we just mount the cert under `/etc/ssl/certs`, which is one of the dirs automatically scanned by Golang when building its system CAs pool.

Co-authored-by: Giuseppe Capizzi <gcapizzi@vmware.com>
LGTM
Is there a related GitHub Issue?
#1920
What is this change about?
This introduces a way to set a custom CA certificate to be used when contacting the container registry. It does so by accepting a `Secret` containing a `ca.crt` key and mounting that key as a file under `/etc/ssl/certs`. Given `/etc/ssl/certs` is one of the default locations used by Golang to build its system certificates pool, there's no more need to accept the `REGISTRY_CA_FILE` environment variable and set a dedicated `http.Transport`, so this PR removes that code.
Does this PR introduce a breaking change?
Yes, as `REGISTRY_CA_FILE` won't have any effect after this gets merged.
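The mechanism the commit message and the description both rely on, as an added example that is not code from this PR or from the project: a Go program that generates a throwaway CA standing in for the Secret's `ca.crt`, drops its PEM into a directory, tells Go's root loader about that directory, and then reaches a TLS server issued by that CA using the unmodified default `http` client, with no custom `http.Transport` and no `RootCAs` in client code. Assumptions of my own: it runs on Linux (the only platform on which Go assembles its system pool by scanning `/etc/ssl/certs` and friends), it uses the `SSL_CERT_DIR` environment variable instead of writing into `/etc/ssl/certs` because that needs root, the CA and leaf certificates are constructed in-process, and the `Result` type, the `issue` helper and `TrustViaCertDir` are names I chose, not anything in Korifi.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"time"
)

// Result records what the demonstration observed; field and function names are this example's own.
type Result struct {
	SystemPoolTrusts bool // the registry leaf chains against x509.SystemCertPool()
	Status           int  // HTTP status from http.Get through the untouched default transport
}

// issue signs tmpl under parentKey (self-signed when nil) and returns cert, DER and the new key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, []byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, der, key, err
}

// TrustViaCertDir writes a constructed CA (standing in for the Secret's ca.crt) into dir,
// points Go's root loader at dir through SSL_CERT_DIR (the env-var twin of mounting the file
// under /etc/ssl/certs on Linux) and reaches a TLS server issued by that CA with the plain default client.
func TrustViaCertDir(dir string) (Result, error) {
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example registry CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca, caDER, caKey, err := issue(caTmpl, caTmpl, nil)
	if err != nil {
		return Result{}, err
	}
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	if err := os.WriteFile(filepath.Join(dir, "registry-ca.crt"), caPEM, 0o644); err != nil {
		return Result{}, err
	}
	// Must precede the first use of the system pool: Go loads the roots once per process
	// and caches them, so a certificate that shows up in the directory later is never seen.
	os.Setenv("SSL_CERT_DIR", dir)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "localregistry"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
	}
	leaf, leafDER, leafKey, err := issue(leafTmpl, ca, caKey)
	if err != nil {
		return Result{}, err
	}
	// Chain check against the pool Go assembled from the directory (plus the distro bundle, if any).
	pool, err := x509.SystemCertPool()
	if err != nil {
		return Result{}, err
	}
	_, verr := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: "127.0.0.1"})
	// End to end: http.Get uses http.DefaultTransport, whose nil TLSClientConfig means the same system roots.
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leafDER}, PrivateKey: leafKey}}}
	srv.StartTLS()
	defer srv.Close()
	resp, err := http.Get(srv.URL)
	if err != nil {
		return Result{SystemPoolTrusts: verr == nil}, err
	}
	resp.Body.Close()
	return Result{SystemPoolTrusts: verr == nil, Status: resp.StatusCode}, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "registry-ca")
	defer os.RemoveAll(dir)
	fmt.Println(TrustViaCertDir(dir))
}
```

Two caveats follow from what the program does. Go reads the system roots once per process and caches them, so the Secret has to be mounted before the process starts and a rotated `ca.crt` only takes effect after a restart. And a Kubernetes volume hides whatever was in the directory it is mounted on, so the `ca.crt` key should land as a single file (a `subPath` mount) inside `/etc/ssl/certs`, or in a directory of its own named via `SSL_CERT_DIR`; mounting the whole Secret volume over `/etc/ssl/certs` would remove the distro bundle at `/etc/ssl/certs/ca-certificates.crt` and break pushes to any registry that uses a public CA.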