This repository has been archived by the owner on Nov 1, 2022. It is now read-only.

Allow specifying registry certificate authority #1682

Closed
michaelfig opened this issue Jan 23, 2019 · 3 comments

Comments

@michaelfig

michaelfig commented Jan 23, 2019

My internal Docker registry uses https only, and its certificate is signed by an internal CA. When I run fluxd installed with the helm chart, I get:

ts=2019-01-22T20:26:18.820968558Z caller=warming.go:155 component=warmer canonical_name=registry.example.com/image-name auth="{map[registry.example.com:<registry creds for [email protected], from user:secret/cluster-registry>]}" err="Get https://registry.example.com/v2/: x509: certificate signed by unknown authority"

and the images are never detected.

This configuration works for Docker because I have installed the appropriate CA in the host OS's credential store.

I expect the same error to happen with self-signed certificates.

I am preparing a PR for this issue, to use an approach similar to the flux helm operator's --tiller-tls-ca-cert-path option, and will post it when I have something workable.

Thanks,
Michael.

@squaremo
Member

#1526 will be of interest.

@michaelfig
Author

Thanks @squaremo.

I adapted 096bd47 always to use basic authentication (not just for HTTPS), and I'm pleased to report that it works in my environment.

I've created a pull request, #1685, to summarize the changes I used: not for merging as you already have #1526.

@kennethredler

@squaremo / @michaelfig What if I want to use a private CA and not consider it insecure? How do I get flux to (only) trust my own private CA(s)?

The above-mentioned idea of:

an approach similar to the flux helm operator's --tiller-tls-ca-cert-path option

seems appealing.
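As an added example (not code from the Flux project or any participant), the Go program below shows the approach the thread converges on: an HTTP client whose root store is replaced by a private CA PEM instead of having verification switched off, so the "x509: certificate signed by unknown authority" error above goes away only for certificates issued by that CA. The CA and the TLS registry stub are constructed locally; NewRegistryClient and StartPrivateRegistry are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// NewRegistryClient trusts only the CA(s) in caPEM (hypothetical helper for the
// --...-ca-cert-path idea): the trust store is replaced, verification stays on.
func NewRegistryClient(caPEM []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no CA certificate found in PEM data")
	}
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}, nil
}

// StartPrivateRegistry serves /v2/ over TLS with a certificate issued by a constructed
// private CA (like the internal registry in the issue); returns the server and CA PEM.
func StartPrivateRegistry() (*httptest.Server, []byte) {
	now := time.Now()
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Internal CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	srvPub, srvKey, _ := ed25519.GenerateKey(rand.Reader)
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "registry"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	srvDER, _ := x509.CreateCertificate(rand.Reader, srvTmpl, ca, srvPub, caKey)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(200) }))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{srvDER}, PrivateKey: srvKey}}}
	srv.StartTLS()
	return srv, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
}
```

A GET of srv.URL + "/v2/" (the same request fluxd's warmer makes) fails with the default client and succeeds with the client returned by NewRegistryClient; a client built from a different private CA's PEM still fails, which is the "only trust my own CA" behaviour asked for above.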


3 participants