When I define a custom registry certificate in a ConfigMap and reference the ConfigMap in KnativeServing.spec.controller-custom-certs (described here), the contents of the ConfigMap get overwritten with the certificates of other CAs.
This behavior is not present when using the upstream Knative operator.
If a secret is not included in the KnativeServing CR, this setting defaults to using public key infrastructure (PKI). When using PKI, the cluster-wide certificates are automatically injected into the Knative Serving controller by using the config-service-sa config map.
For the OCP PKI stuff there is more here. Right now the way to manually set certs is done via a secret only. This needs more work to be aligned with the upstream.
Thank you for the link, Stavros. I see that the docs you linked to talk about putting the certificate in a Secret. However, it does not define what happens when you put the certificate in a ConfigMap. Should the docs include a paragraph warning users against using ConfigMaps for the certificate then?
This is especially important since the Knative docs use ConfigMaps as an example.
When I define a custom registry certificate in a ConfigMap and reference the ConfigMap in KnativeServing.spec.controller-custom-certs (described here), the contents of the ConfigMap get overwritten with the certificates of other CAs.
This behavior is not present when using the upstream Knative operator.
This looks like it may be due to this line.
However, when the custom registry certificate is defined in a Secret, the contents of the Secret are not overwritten.
If the objective is to merge the service CAs and the trusted CAs with the contents of the ConfigMap, then shouldn't the original contents of the ConfigMap be copied into combinedContents?
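The merge the issue asks about, as an added example that is not the operator's code: the user's original ConfigMap value is placed into the combined bundle first, then the service CA and trusted CA bundles are appended, with exact duplicates written once. `MergeCABundles` and `constructedPEM` are hypothetical names, and the PEM blocks are constructed sample data rather than real certificates.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/pem"
	"fmt"
)

// MergeCABundles returns a single PEM bundle and the number of certificates in it.
// The user's original ConfigMap value is read first, so a custom registry CA is
// kept ahead of the injected bundles instead of being overwritten by them.
func MergeCABundles(original string, injected ...string) (string, int) {
	seen := map[[sha256.Size]byte]bool{}
	var combined bytes.Buffer
	for _, bundle := range append([]string{original}, injected...) {
		for block, rest := pem.Decode([]byte(bundle)); block != nil; block, rest = pem.Decode(rest) {
			sum := sha256.Sum256(block.Bytes)
			if block.Type != "CERTIFICATE" || seen[sum] {
				continue // skip non-certificate blocks and exact duplicates
			}
			seen[sum] = true
			pem.Encode(&combined, &pem.Block{Type: "CERTIFICATE", Bytes: block.Bytes})
		}
	}
	return combined.String(), len(seen)
}

// constructedPEM wraps arbitrary bytes as a CERTIFICATE block (sample data only).
func constructedPEM(der string) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte(der)}))
}

func main() {
	registryCA := constructedPEM("constructed-registry-ca") // user's ConfigMap value
	serviceCA := constructedPEM("constructed-service-ca")   // injected service CA
	trustedCA := constructedPEM("constructed-trusted-ca")   // injected trusted CA bundle
	// The trusted bundle also carries the registry CA to show deduplication.
	out, n := MergeCABundles(registryCA, serviceCA, trustedCA+registryCA)
	fmt.Printf("%d certificates in combined bundle\n%s", n, out)
}
```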