
Knative - Configuring private docker registry certificates

by 여행을 떠나자! 2021. 10. 13.

1. Test environment

- knative v0.14.3, istio 1.3, Kubernetes 1.16.15, Harbor 2.1.3

- The knative and istio bundled with Kubeflow 1.2 are used

2. Problem

- Deploying a Knative Serving service fails with the error "certificate signed by unknown authority".

   The image to deploy is "repo.acp.kt.co.kr/agp/helloworld-python:1.0".

   This image is served from a private docker registry (Harbor) that uses a self-signed certificate.

$ vi knative-svc.yaml
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: helloworld-python
  namespace: yoosung-jeon
spec:
  template:
    metadata:
      annotations:
        autoscaling.knative.dev/minScale: "1"
        autoscaling.knative.dev/target: "3"
    spec:
      containers:
      - image: repo.acp.kt.co.kr/agp/helloworld-python:1.0
        env:
        - name: TARGET
          value: "Python Sample v1"
$ k apply -f knative-svc.yaml
service.serving.knative.dev/helloworld-python created
$ k get ksvc helloworld-python -n yoosung-jeon
NAME                URL                                                          LATESTCREATED             LATESTREADY   READY   REASON
helloworld-python   http://helloworld-python.yoosung-jeon.kf-serv.acp.kt.co.kr   helloworld-python-tgm8h                 False   RevisionMissing
$ k describe rev helloworld-python-tgm8h -n yoosung-jeon | grep Events -A10
Events:
  Type     Reason         Age                         From                 Message
  ----     ------         ----                        ----                 -------
  Warning  InternalError  <invalid> (x17 over 2m45s)  revision-controller  failed to resolve image to digest: failed to fetch image information: Get https://repo.acp.kt.co.kr/v2/: x509: certificate signed by unknown authority
$

3. Solution

If you are using a registry that has a self-signed certificate, you must configure the Knative Serving controller to trust that certificate.

   https://knative.dev/docs/developer/serving/tag-resolution/#custom-certificates

- Modify the controller deployment

   Add the environment variable SSL_CERT_DIR and configure volumeMounts so that the controller references the custom CA certificate for repo.acp.kt.co.kr.

   Because the file '/etc/docker/certs.d/repo.acp.kt.co.kr/ca.crt' is already distributed on the nodes where the controller will be scheduled, a hostPath volume was used.

$ k edit deployments.apps controller -n knative-serving
...
    spec:
      containers:
      - name: controller
        env:
        - name: SSL_CERT_DIR
          value: /etc/docker/certs
        volumeMounts:
        - mountPath: /etc/docker/certs
          name: custom-certs
...
      volumes:
      - name: custom-certs
        hostPath:
          path: /etc/docker/certs.d/repo.acp.kt.co.kr
          type: ""
...
$
[iap@iap01 ~]$ k get nodes
NAME    STATUS   ROLES    AGE    VERSION
iap01   Ready    master   434d   v1.16.15
iap02   Ready    master   20d    v1.16.15
iap03   Ready    master   434d   v1.16.15
iap10   Ready    <none>   152d   v1.16.15
iap11   Ready    <none>   156d   v1.16.15
iap12   Ready    <none>   19d    v1.16.15
iap13   Ready    <none>   19d    v1.16.15
[iap@iap01 ~]$ iap10
Last login: Wed Oct 13 16:36:23 2021 from iap01
[root@iap10 ~]# ls /etc/docker/certs.d/repo.acp.kt.co.kr/
ca.crt
[root@iap10 ~]#
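As an added example, not part of the original post: the same change applied with kubectl patch instead of an interactive k edit, carrying the CA in a Secret rather than a hostPath so the controller no longer depends on the file being present on whichever node schedules it. The Secret name registry-ca and the mount path /etc/custom-certs are assumptions.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): make the Knative Serving
# controller trust a private registry's self-signed CA without relying on
# /etc/docker/certs.d being present on every node. Assumed names: Secret
# "registry-ca", mount path /etc/custom-certs.

REGISTRY_HOST="repo.acp.kt.co.kr"
CA_FILE="/etc/docker/certs.d/${REGISTRY_HOST}/ca.crt"
NS="knative-serving"
SECRET="registry-ca"

# Strategic merge patch for the controller Deployment. SSL_CERT_DIR makes the
# Go runtime inside the controller load every PEM file in that directory as
# a trusted root; the Secret is mounted there read-only.
render_patch() {
  cat <<EOF
spec:
  template:
    spec:
      containers:
      - name: controller
        env:
        - name: SSL_CERT_DIR
          value: /etc/custom-certs
        volumeMounts:
        - name: custom-certs
          mountPath: /etc/custom-certs
          readOnly: true
      volumes:
      - name: custom-certs
        secret:
          secretName: ${SECRET}
EOF
}

# Create the Secret from the CA file on the current node, patch the
# controller, and wait for the rollout; afterwards "k describe rev" should
# no longer report the x509 error. Usage: apply_registry_ca
apply_registry_ca() {
  kubectl -n "$NS" create secret generic "$SECRET" --from-file=ca.crt="$CA_FILE"
  kubectl -n "$NS" patch deployment controller --type strategic -p "$(render_patch)"
  kubectl -n "$NS" rollout status deployment/controller
}
```

Only the CA certificate is placed in the Secret, never the registry's private key; rotating the CA means updating the Secret and restarting the controller.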
