Enabling tag to digest resolution

Knative Serving resolves image tags to a digest when you create a revision. This gives Knative revisions some very nice properties, e.g. your deployments will be consistent, you don’t have to worry about “immutable tags”, etc. For more info, see “Why we resolve tags in Knative”.

Unfortunately, this means that the Knative Serving controller needs to be configured to access your container registry.

Custom Certificates

If you’re using a registry that has a self-signed certificate, you’ll need to configure the serving controller to trust that certificate. We respect the SSL_CERT_FILE and SSL_CERT_DIR environment variables, so you can trust your certificates by mounting them into the controller’s deployment and setting the environment variable to the mount path. Assuming you have a custom-certs secret containing your CA certs:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: controller
      namespace: knative-serving
    spec:
      template:
        spec:
          containers:
            - name: controller
              volumeMounts:
                - name: custom-certs
                  mountPath: /path/to/custom/certs
              env:
                - name: SSL_CERT_DIR
                  value: /path/to/custom/certs
          volumes:
            - name: custom-certs
              secret:
                secretName: custom-certs

Corporate Proxy

If you’re behind a corporate proxy, you’ll need to proxy the tag resolution requests between the controller and your registry. We respect the HTTP_PROXY and HTTPS_PROXY environment variables, so you can configure the controller’s deployment via:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: controller
      namespace: knative-serving
    spec:
      template:
        spec:
          containers:
            - name: controller
              env:
                - name: HTTP_PROXY
                  value: http://proxy.example.com
                - name: HTTPS_PROXY
                  value: https://proxy.example.com

Skipping tag resolution

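If this all seems like too much trouble, you can configure serving to skip tag resolution via the registriesSkippingTagResolving configmap field. Revisions whose images come from a skipped registry keep their tag reference, so they give up the consistency that digest resolution provides: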

    kubectl -n knative-serving edit configmap config-deployment

E.g., to disable tag resolution for registry.example.com (note: this is not a complete configmap; it is a snippet showing registriesSkippingTagResolving):

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: config-deployment
      namespace: knative-serving
    data:
      # List of repositories for which tag to digest resolving should be skipped
      registriesSkippingTagResolving: registry.example.com
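
Before adding a registry to the skip list, it helps to know which images would then run by mutable tag. The following is an added example, not Knative's own code: it takes a registriesSkippingTagResolving value and a list of image references and returns those that would not be pinned to a digest. The function names are hypothetical, and it assumes the field is a comma-separated list of registry hosts matched exactly (port included) and that the default registry is named index.docker.io.

```go
package main

import (
	"fmt"
	"strings"
)

// registryOf returns the registry host of an image reference using the usual
// Docker convention: the first path component names a registry only if it
// contains '.' or ':' or is "localhost"; otherwise the default registry applies.
func registryOf(image string) string {
	if i := strings.Index(image, "/"); i > 0 {
		if first := image[:i]; strings.ContainsAny(first, ".:") || first == "localhost" {
			return first
		}
	}
	return "index.docker.io" // assumed name for the default registry
}

// Unpinned returns the images that keep a mutable tag: not already referenced
// by digest, and hosted on a registry in the comma-separated skip list.
// Exact host matching (port included) is an assumption of this example.
func Unpinned(skip string, images []string) []string {
	skipped := map[string]bool{}
	for _, r := range strings.Split(skip, ",") {
		if r = strings.TrimSpace(r); r != "" {
			skipped[r] = true
		}
	}
	var out []string
	for _, img := range images {
		if !strings.Contains(img, "@sha256:") && skipped[registryOf(img)] {
			out = append(out, img)
		}
	}
	return out
}

func main() {
	// Constructed sample references, not taken from a real cluster.
	images := []string{
		"registry.example.com/team/app:v1",
		"registry.example.com/team/app@sha256:" + strings.Repeat("a", 64),
		"registry.example.com:5000/team/app:v1",
		"gcr.io/project/app:latest",
		"app:v1",
	}
	for _, img := range Unpinned("registry.example.com", images) {
		fmt.Println("deployed by tag, not digest:", img)
	}
}
```

Images reported here can be referenced by digest in the service spec, which keeps them pinned without the controller needing registry access.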