halkyonio / tap

Scripts and documentation about Tanzu Application Platform (TAP): how to (un)install and demo it

Convention controller and PodIntent cannot pull an image from a private registry #15

Closed cmoulliard closed 2 years ago

cmoulliard commented 2 years ago

Issue

The Convention controller, which creates the PodIntent CR, cannot pull an image from a private registry when the pod runs:

k get podintent.conventions.apps.tanzu.vmware.com/spring-tap-petclinic -n tap-demo-1 -o yaml
apiVersion: conventions.apps.tanzu.vmware.com/v1alpha1
kind: PodIntent
metadata:
  creationTimestamp: "2022-06-07T13:36:53Z"
  generation: 1
  labels:
    app.kubernetes.io/component: intent
    app.kubernetes.io/part-of: spring-tap-petclinic
    apps.tanzu.vmware.com/workload-type: web
    carto.run/cluster-template-name: convention-template
    carto.run/resource-name: config-provider
    carto.run/supply-chain-name: source-to-url
    carto.run/template-kind: ClusterConfigTemplate
    carto.run/workload-name: spring-tap-petclinic
    carto.run/workload-namespace: tap-demo-1
  name: spring-tap-petclinic
  namespace: tap-demo-1
  ownerReferences:
  - apiVersion: carto.run/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: Workload
    name: spring-tap-petclinic
    uid: fe3429e4-87eb-4ac9-9a5a-a4bafca0d8b3
  resourceVersion: "19889692"
  uid: 54772144-262d-47d8-843f-956db7d6ca4d
spec:
  serviceAccountName: default
  template:
    metadata:
      annotations:
        autoscaling.knative.dev/minScale: "1"
        autoscaling.knative.dev/scaleDownDelay: 15m
        developer.conventions/target-containers: workload
        serviceclaims.supplychain.apps.x-tanzu.vmware.com/extensions: '{"kind":"ServiceClaimsExtension","apiVersion":"supplychain.apps.x-tanzu.vmware.com/v1alpha1","spec":{"serviceClaims":{"db":{"namespace":"tap-demo-1"}}}}'
      labels:
        app.kubernetes.io/component: run
        app.kubernetes.io/part-of: spring-tap-petclinic
        apps.tanzu.vmware.com/workload-type: web
        carto.run/workload-name: spring-tap-petclinic
    spec:
      containers:
      - env:
        - name: SPRING_PROFILES_ACTIVE
          value: postgres
        image: registry.harbor.10.0.77.176.nip.io:32443/tap/spring-tap-petclinic-tap-demo-1@sha256:449adc9413e0369692f336ab029d75f18be63512e07230f0db8c88b7e6998145
        name: workload
        resources: {}
        securityContext:
          runAsUser: 1000
      serviceAccountName: default
status:
  conditions:
  - lastTransitionTime: "2022-06-07T13:36:57Z"
    message: 'fetching metadata for Images failed: image: "registry.harbor.10.0.77.176.nip.io:32443/tap/spring-tap-petclinic-tap-demo-1@sha256:449adc9413e0369692f336ab029d75f18be63512e07230f0db8c88b7e6998145"
      error: Get "https://registry.harbor.10.0.77.176.nip.io:32443/v2/": x509: certificate
      signed by unknown authority'
    reason: ConventionsApplied
    status: "False"
    type: ConventionsApplied
cmoulliard commented 2 years ago

The workaround is to pass the CA certificate to the config of the Convention package:

tanzu package available get controller.conventions.apps.tanzu.vmware.com/0.6.3 -n tap-install --values-schema

  KEY           DEFAULT  TYPE    DESCRIPTION
  ca_cert_data           string  Optional: PEM Encoded certificate data for image registries with private CA.

or to re-create the secret with the CA certificate file:

k create secret generic conventions-ca-certificates -n conventions-system --from-file=conventions-ca-certificates=tmp/harbor/ca.crt
cmoulliard commented 2 years ago

Good to know. According to the 1.1.1 documentation, it is possible to define such a ca_cert_data field using a TAP shared key, as defined here.

During the installation, TAP collects it as follows:

#@ def collect_values():
#@  values = {
#@    "ca_cert_data": ""
#@  }
#@  if hasattr(data.values, "convention_controller"):
#@    values.update(data.values.convention_controller)
#@  end
#@  if data.values.shared.ca_cert_data :
#@    # append shared ca_cert_data to component specific ca_cert_data
#@    values["ca_cert_data"] = values["ca_cert_data"] + data.values.shared.ca_cert_data
#@  end
#@  return values
#@ end
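The two comments above describe the same fix from two sides: a PEM bundle has to reach the convention controller, either through the package's own `ca_cert_data` value (read from `data.values.convention_controller` in the ytt above) or through the TAP-wide `shared.ca_cert_data` key that the template appends to it. The script below is an added example, not code from the halkyonio/tap repository or from the issue's author: it checks that a given file is a complete PEM certificate bundle (a truncated paste or a private key copied by mistake is rejected before it lands in tap-values.yaml) and renders it as a YAML block scalar under either key, concatenating several CA files into one bundle the way the ytt template concatenates the component and shared values. The file names and the certificate bodies are constructed for the demonstration; the `shared:` / `ca_cert_data: |` layout is the one the TAP values file expects.

```shell
#!/bin/sh
# Added example (not part of halkyonio/tap): validate a private registry CA
# file and render it into the tap-values.yaml fragment consumed by the
# convention controller package. Sample certificate bodies are constructed
# placeholders, not real certificates.

# pem_is_valid FILE
# Returns 0 when FILE holds one or more complete, balanced
# -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- blocks and nothing
# else in PEM framing (a private key or a truncated paste is rejected).
pem_is_valid() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { if (open) bad = 1; open = 1; next }
        /^-----END CERTIFICATE-----$/   { if (!open) bad = 1; open = 0; blocks++; next }
        /^-----BEGIN / || /^-----END /  { bad = 1 }   # any other PEM type
        END { if (bad || open || blocks == 0) exit 1; exit 0 }
    ' "$1"
}

# render_ca_values SCOPE FILE...
# SCOPE is "shared" (TAP-wide key) or "convention_controller" (package key),
# the two places the ytt template reads ca_cert_data from. All FILEs are
# concatenated into one bundle and indented under a YAML "|" block scalar.
render_ca_values() {
    scope=$1
    shift
    case "$scope" in
        shared|convention_controller) ;;
        *) echo "unknown scope '$scope' (use shared or convention_controller)" >&2; return 1 ;;
    esac
    [ "$#" -gt 0 ] || { echo "no CA file given" >&2; return 1; }
    for f in "$@"; do
        pem_is_valid "$f" || { echo "refusing $f: not a complete PEM certificate bundle" >&2; return 1; }
    done
    printf '%s:\n  ca_cert_data: |\n' "$scope"
    # awk rather than cat|sed so a file without a trailing newline does not
    # glue its END line onto the next file's BEGIN line.
    awk '{ print "    " $0 }' "$@"
}

# --- demo with constructed files (not real certificates) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/harbor-ca.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBc29uc3RydWN0ZWRIYXJib3JDQUV4YW1wbGU=
-----END CERTIFICATE-----
EOF
printf -- '-----BEGIN CERTIFICATE-----\nMIIBdHJ1bmNhdGVk\n' > "$demo_dir/truncated.crt"

render_ca_values shared "$demo_dir/harbor-ca.crt"
render_ca_values shared "$demo_dir/truncated.crt" || echo "truncated file rejected, as intended"
rm -rf "$demo_dir"
```

Paste the rendered fragment into tap-values.yaml and re-run the `tanzu package installed update` for TAP; using the `shared` scope means the same bundle also reaches the other components that honour the shared key, whereas `convention_controller` limits it to this package.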