Accessing private registries with self-signed certificates

Modified on Mon, 22 May 2023 at 11:19 PM

Direktiv uses Knative to execute functions in flows. Knative uses tag resolution (resolving an image tag to its digest) for deployment consistency. This works well with public registries such as Docker Hub, Azure and AWS, but causes issues when a private registry with a self-signed certificate is accessed: for both namespace and workflow services a TLS error occurs.

Revision "namespace-9082938211990388312-00001" failed with message: Unable to fetch image "direktiv.registry:5443/bash": failed to resolve image to digest: Get "https://direktiv.registry:5443/v2/": x509: certificate signed by unknown authority.

To allow the Knative controller to trust this self-signed registry, the registry's CA certificate has to be provided to it as a custom certificate. Direktiv's Knative Helm chart has a dedicated field that takes this certificate in the form of a Kubernetes secret.

First the secret needs to be created in the knative-serving namespace with a command similar to the following (the CA certificate is read from /tmp/ca.pem and stored under the key ca.crt):

kubectl create secret generic self-signed-registry -n knative-serving --from-file=ca.crt=/tmp/ca.pem

The second step depends on the installation.


Enterprise Edition:

The Enterprise Edition stores the installation scripts and settings for Knative in the directory install/05_knative. The name of the secret has to be added to the file knative.yaml. After adding the name of the secret, e.g. self-signed-registry, to the value certificate, the upgrade script upgrade.sh configures the Knative controller to use the certificate.

Open Source:

The Knative Helm chart requires a Helm values file knative.yaml whose certificate value is the name of the secret created above:

certificate: "self-signed-registry"

The upgrade can be executed with a simple helm command:

helm upgrade -n knative-serving -f knative.yaml knative direktiv/knative-instance

Alternative:

An alternative to the above solution is to skip tag resolution for the registry altogether, so the controller never contacts the registry to resolve the image digest. The knative.yaml file has to be changed for this as well: the registry has to be added to the skip-digest entry in this file:


skip-digest: kind.local,ko.local,dev.local,localhost:5000,localhost:31212,myregistry5443

After this change a Helm upgrade has to be performed as well. Note that skipping tag resolution gives up the deployment consistency it provides, so the CA-based approach above is the preferable one.
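The Open Source procedure above (CA secret, values file, Helm upgrade) and the skip-digest alternative, combined into one script as an added example. This is not code from the Direktiv documentation; it assumes kubectl and helm are on PATH, the chart release is named knative as on this page, and the CA file and secret name are passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the Direktiv docs): prepare and apply the Knative
# registry-CA configuration. Assumes kubectl/helm on PATH and the Direktiv
# Knative chart installed as release "knative" in knative-serving.
set -eu

# Sanity-check the CA file before turning it into a secret: a PEM certificate
# block must be present, otherwise Knative keeps failing with x509 errors.
check_ca_pem() {
  ca="$1"
  [ -r "$ca" ] || { echo "CA file not readable: $ca" >&2; return 1; }
  grep -q 'BEGIN CERTIFICATE' "$ca" || { echo "no PEM certificate in $ca" >&2; return 1; }
  return 0
}

# Render the Helm values file. The secret name written here must be exactly
# the name used with 'kubectl create secret', otherwise the controller
# references a secret that does not exist and the TLS error persists.
render_values() {
  secret="$1"; out="$2"
  printf 'certificate: "%s"\n' "$secret" > "$out"
}

# Alternative from the page: skip tag resolution for the registry instead of
# trusting its CA. Appends the registry to the chart's default skip list.
render_skip_values() {
  registry="$1"; out="$2"
  printf 'skip-digest: kind.local,ko.local,dev.local,localhost:5000,localhost:31212,%s\n' \
    "$registry" > "$out"
}

# Idempotent secret creation: create --dry-run piped into apply, so re-running
# the script updates the CA instead of failing with AlreadyExists.
create_ca_secret() {
  secret="$1"; ca="$2"
  check_ca_pem "$ca"
  kubectl create secret generic "$secret" -n knative-serving \
    --from-file=ca.crt="$ca" --dry-run=client -o yaml | kubectl apply -f -
}

upgrade_knative() {
  helm upgrade -n knative-serving -f "$1" knative direktiv/knative-instance
}

# Usage: SECRET=self-signed-registry CA=/tmp/ca.pem ./knative-ca.sh run
if [ "${1:-}" = "run" ]; then
  create_ca_secret "${SECRET:-self-signed-registry}" "${CA:-/tmp/ca.pem}"
  render_values "${SECRET:-self-signed-registry}" knative.yaml
  upgrade_knative knative.yaml
fi
```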

