Tanzu Platform 10.0

Configure trust for your image registry certificate authority

Last Updated March 03, 2025

This topic tells you how to configure Tanzu Platform to trust a custom certificate authority (CA) for your container image registry.

If the registry where you store application images uses a custom CA, the following components must trust that CA before you can build and deploy an application:

  • tanzu build (pushing images to the registry). For the daemon build engine, see Configure trusted CAs for daemon builds later in this topic.

  • tanzu deploy:

    • If you deploy an application from an existing build by using tanzu deploy --from-build dir, tanzu deploy needs no further configuration.
    • If you use tanzu deploy to both build and deploy the application, supply the same configuration as for tanzu build. With the daemon build engine, set the TANZU_BUILD_CA_CERTS environment variable to the certificates directory as described in Configure trusted CAs for daemon builds later in this topic.
  • The Kubernetes clusters where the application is deployed:

    The clusters where the Tanzu Platform Space is scheduled require you to:

    1. Configure the container runtime of each cluster node to trust the certificate.
    2. Configure the kapp controller for the cluster to trust the certificate. For instructions, see Configure trusted CAs for kapp controller later in this topic.

    If you use Tanzu Kubernetes Grid for cluster management, a single cluster configuration covers both steps. You can set it in the Tanzu Platform UI or in a cluster YAML configuration.

    To configure this when creating a new Tanzu Kubernetes Grid cluster in the Tanzu Platform UI, configure the settings under Additional cluster settings. You must base64-encode the value you set in the data field. For the YAML configuration and information about the supported fields, see the vSphere documentation.

Configure trusted CAs for daemon builds

To configure daemon builds to trust custom CA certificates for your registry:

  1. Authenticate to the registry using docker login.

  2. Ensure that the configured containerapp-registry value does not include the https:// prefix, for example:

    tanzu build config --containerapp-registry my-registry.io/{contact.businessunit}/app-{name}
    
  3. Enable daemon build by running:

    tanzu build config --build-engine daemon
    
  4. Create a directory to store certificates, for example:

    mkdir path/to/certs/dir
    
  5. Save the certificate that the registry presents to a file in that directory, for example:

    openssl s_client -connect my-registry.io:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM >path/to/certs/dir/registrycert.pem
    
    This pipeline keeps only the first certificate in the chain, which is the registry's own server certificate rather than the CA that signed it. Trusting the server certificate works, but builds break when that certificate is renewed; if the registry operator can give you the issuing CA certificate, store that file instead. Either way, verify the certificate's fingerprint out of band before trusting it, because s_client fetches it without validation.
    
  6. Enable experimental features by running:

    tanzu build config --enable-experimental-features
    
  7. Build the application with the CA certificates by doing one of the following:

    • Run tanzu build with the --ca-certs flag pointing to the directory storing certificates, for example:

      tanzu build --ca-certs path/to/certs/dir
      
    • Alternatively, set the TANZU_BUILD_CA_CERTS environment variable before you run tanzu build, for example:

      export TANZU_BUILD_CA_CERTS=path/to/certs/dir
      

Configure trusted CAs for kapp controller

If you use a provider other than Tanzu Kubernetes Grid for cluster life cycle management, you must configure the kapp controller on the clusters to trust custom CA certificates for your image registries.

You configure this through a dedicated Secret or ConfigMap resource in each cluster called kapp-controller-config, in the same namespace as the kapp-controller deployment. For more information about configuring the kapp controller, see the Carvel documentation.

If you use Tanzu Kubernetes Grid for cluster life cycle management, this procedure is not required: configuring the CAs on the Tanzu Kubernetes Grid cluster, as described at the beginning of this topic, also configures the kapp controller.

Follow the steps in this section if you see an error message for your application similar to the following:

vendir: Error: Syncing directory '0':
        Syncing directory '.' with imgpkgBundle contents:
          Fetching image:
            Error while preparing a transport to talk with the registry:
              Unable to create round tripper:
                Get "https://my-registry.io": tls: failed to verify certificate: x509: certificate signed by unknown authority
      (hint: The CA Certificate from URL is unknown/invalid. Add valid CA certificate to the kapp-controller configuration to reconcile successfully)

To configure the kapp controller to trust custom CA certificates for your registry:

  1. Retrieve the certificate that your registry presents and save it as a PEM file, for example:

    openssl s_client -connect my-registry.io:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM >/path/to/registrycert.pem
    
    This keeps only the first certificate in the chain, the registry's server certificate. If you have the issuing CA certificate, use that instead so that trust survives a server certificate renewal, and verify the fingerprint out of band before trusting a certificate fetched this way.
    

    Where the /path/to/registrycert.pem is the location to save the new certificate.

  2. Store the new certificate in a variable, for example:

    NEW_CERTS=$(cat /path/to/registrycert.pem)
    

    Where the /path/to/registrycert.pem contains the new certificate.

  3. Retrieve the namespace where the kapp-controller deployment is located by running:

    kubectl get deploy -A | grep kapp-controller
    
  4. Find out if the cluster already has a Secret or ConfigMap resource for the kapp controller by running:

    kubectl get secret -n NAMESPACE kapp-controller-config
    
    kubectl get configmap -n NAMESPACE kapp-controller-config
    

    Where NAMESPACE is the namespace of the kapp-controller you retrieved.

  5. If a Secret or ConfigMap resource does not exist, create a Secret resource in the namespace for the kapp-controller by running:

    kubectl create secret generic kapp-controller-config -n NAMESPACE
    

    Where NAMESPACE is the namespace of the kapp-controller you retrieved.

  6. Add the new certificate, depending on whether you need to update a ConfigMap or a Secret resource:

    ConfigMap
    To add the certificate to a ConfigMap resource:
    1. Append the new certificate for your registry to the current contents of the caCerts key of your ConfigMap resource:

      kubectl edit configmap -n NAMESPACE kapp-controller-config
      

      Where NAMESPACE is the namespace of the kapp-controller you retrieved.

    Secret
    To add the certificate to a Secret resource:
    1. If a value already exists in the caCerts key:

      1. Store the value in a variable, for example:

        CURRENT_CERTS=$(kubectl get secret -n NAMESPACE kapp-controller-config -o jsonpath="{.data.caCerts}" | base64 --decode)
        

        Where NAMESPACE is the namespace of the kapp-controller you retrieved.

      2. Combine the existing certificates with the new registry certificate, separated by a newline, for example:

        NEW_CERTS=$(printf '%s\n%s\n' "$CURRENT_CERTS" "$NEW_CERTS")
        
        printf, unlike echo, handles the newline escape the same way in every shell.

    2. Encode the bundle as a single line of base64 and copy the result:

      printf '%s\n' "$NEW_CERTS" | base64 | tr -d '\n'
      
      Quote the variable: an unquoted echo $NEW_CERTS collapses the PEM line breaks into spaces and the kapp controller can no longer parse the bundle. The tr command removes the line wrapping that some base64 implementations add.
      
    3. Update the caCerts key of your Secret resource with the copied value:

      kubectl edit secret -n NAMESPACE kapp-controller-config
      

      Where NAMESPACE is the namespace of the kapp-controller you retrieved.

After this, Tanzu Platform will trust the new certificates so that you can deploy applications on this cluster from your registry.
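The following shell script is an added example, not part of the Tanzu Platform documentation or the tanzu CLI. It assembles the caCerts value for the kapp-controller-config Secret from the procedure above and avoids the two pitfalls in the openssl and base64 steps of both procedures on this page: the openssl x509 pipeline keeps only the leaf certificate, and unquoted variables destroy PEM line breaks. It splits an openssl s_client -showcerts transcript into certificate blocks, picks the last one (the highest CA the server sent), merges it with the existing caCerts contents without duplicates, base64-encodes the bundle on one line, and prints a Secret manifest for kubectl apply. The s_client transcript, the existing caCerts value and every certificate body are constructed placeholders, not real certificates, and NAMESPACE is a stand-in you must replace.

```shell
#!/bin/sh
# Added example, not from the Tanzu Platform docs: build the caCerts value for
# the kapp-controller-config Secret. Every PEM body below is a constructed
# placeholder, not a real certificate; NAMESPACE is an assumed stand-in.
set -eu

# Keep only well-formed CERTIFICATE blocks from stdin, dropping the
# "Certificate chain", s:/i: and session lines that openssl s_client prints.
pem_blocks() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { inblock = 1 }
         inblock { print }
         /^-----END CERTIFICATE-----$/ { inblock = 0 }'
}

# Print only the last block. In s_client -showcerts output that is the highest
# CA the server sent (often the root, sometimes an intermediate). The docs'
# "openssl x509" pipeline keeps the FIRST block instead, the leaf certificate.
last_block() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { block = "" }
         { block = block $0 "\n" }
         END { printf "%s", block }'
}

# Keep the first copy of each block so repeated runs never append duplicates.
dedupe_blocks() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { block = "" }
         { block = block $0 "\n" }
         /^-----END CERTIFICATE-----$/ {
             if (!(block in seen)) { seen[block] = 1; printf "%s", block }
         }'
}

# merge_ca_bundle CURRENT_PEM NEW_PEM -> deduplicated bundle on stdout.
merge_ca_bundle() {
    printf '%s\n%s\n' "$1" "$2" | pem_blocks | dedupe_blocks
}

# Number of certificates in a PEM bundle read from stdin.
count_certs() {
    grep -c '^-----END CERTIFICATE-----$' || true
}

# Single-line base64, as .data values in a Secret must be. The caller must
# feed the bundle with printf '%s\n' "$VAR": an unquoted echo $VAR collapses
# the PEM newlines into spaces and the controller cannot parse the result.
b64_oneline() {
    base64 | tr -d '\n'
}

# Manifest for kubectl apply; caCerts is the only key this example sets.
secret_manifest() {
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: kapp-controller-config
  namespace: $1
type: Opaque
data:
  caCerts: $2
EOF
}

# Constructed stand-in for: openssl s_client -connect my-registry.io:443 -showcerts
SERVER_CHAIN='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = my-registry.io
   i:CN = Example Registry CA
-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
 1 s:CN = Example Registry CA
   i:CN = Example Registry CA
-----BEGIN CERTIFICATE-----
REGISTRY-CA-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
---'

# Constructed stand-in for the decoded caCerts value already in the Secret.
CURRENT_CERTS='-----BEGIN CERTIFICATE-----
EXISTING-CA-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----'

NEW_CA=$(printf '%s\n' "$SERVER_CHAIN" | pem_blocks | last_block)
BUNDLE=$(merge_ca_bundle "$CURRENT_CERTS" "$NEW_CA")
CA_CERTS_B64=$(printf '%s\n' "$BUNDLE" | b64_oneline)

# Pipe this into "kubectl apply -f -" once NAMESPACE is the real namespace.
secret_manifest NAMESPACE "$CA_CERTS_B64"
```

To use it against a real registry, set SERVER_CHAIN to the output of openssl s_client -connect my-registry.io:443 -showcerts </dev/null 2>/dev/null and CURRENT_CERTS to the decoded caCerts value from the Secret, then pipe the script's output to kubectl apply -f -. Whether the last certificate in the chain is the root or an intermediate depends on what the server is configured to send, so compare its fingerprint with what the registry operator published before trusting it.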