How to provide a certificate authority bundle for a private mirror?
A private mirror may serve a certificate issued by a private certificate authority, or a self-signed certificate, that the Shoot nodes do not trust by default. To support such a mirror, the certificate authority bundle that validates the mirror's certificate chain must be provided for the mirror host.
Procedure
1. Create an immutable Secret with the certificate authority bundle in the Garden cluster, in the project namespace of the Shoot (here `garden-dev`). The bundle is stored under the `bundle.crt` key. Because the Secret is immutable, its data cannot be changed afterwards; to rotate the bundle later, create a new Secret (for example `private-mirror-ca-bundle-v2`) and repoint the resource reference from the next step at it.

   ```bash
   kubectl create -f - <<EOF
   apiVersion: v1
   kind: Secret
   metadata:
     name: private-mirror-ca-bundle-v1
     namespace: garden-dev
   type: Opaque
   immutable: true
   data:
     bundle.crt: <base64-encoded-ca-bundle>
   EOF
   ```

2. Add the newly created Secret as a resource reference to the Shoot spec, and then reference it from the registry-mirror extension configuration.

   In the registry-mirror configuration, set the `caBundleSecretReferenceName` field on the host entry. It must name a resource reference under `spec.resources`; that resource reference in turn points to the Secret in the project namespace.

   ```yaml
   apiVersion: core.gardener.cloud/v1beta1
   kind: Shoot
   # ...
   spec:
     extensions:
     - type: registry-mirror
       providerConfig:
         apiVersion: mirror.extensions.gardener.cloud/v1alpha3
         kind: MirrorConfig
         mirrors:
         - upstream: quay.io
           hosts:
           - host: "https://private-mirror.internal"
             caBundleSecretReferenceName: private-mirror-ca-bundle
     # ...
     resources:
     - name: private-mirror-ca-bundle
       resourceRef:
         apiVersion: v1
         kind: Secret
         name: private-mirror-ca-bundle-v1
   # ...
   ```
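The procedure above leaves two things to the operator: producing a correctly encoded `bundle.crt` value from a PEM file, and confirming that the bundle actually validates the chain the mirror presents before the nodes are pointed at it. The following shell script is an added example, not part of the registry-mirror extension or its documentation. It renders the immutable Secret manifest from a PEM bundle, refuses empty bundles, and offers an optional online check with `openssl s_client`. The Secret name, namespace, mirror host and the placeholder PEM content are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the registry-mirror extension): build the immutable
# CA-bundle Secret manifest from a PEM file and sanity-check the bundle.
# Names, paths and the constructed placeholder PEM below are assumptions.
set -eu

# count_certs FILE: number of PEM certificate blocks in FILE (0 if none).
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# b64_oneline FILE: base64 of FILE without line wraps. Avoids the GNU/BSD
# difference in wrap flags (-w0 vs -b0) by stripping newlines afterwards.
b64_oneline() {
  base64 < "$1" | tr -d '\n'
}

# render_ca_bundle_secret NAME NAMESPACE FILE: print an immutable Opaque
# Secret manifest carrying FILE under the bundle.crt key, ready for
# `kubectl create -f -`. Refuses a bundle with no certificate blocks, which
# would otherwise be applied silently and leave the mirror untrusted.
render_ca_bundle_secret() {
  secret_name=$1; secret_ns=$2; bundle_file=$3
  if [ "$(count_certs "$bundle_file")" -eq 0 ]; then
    echo "error: $bundle_file contains no PEM certificate blocks" >&2
    return 1
  fi
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $secret_name
  namespace: $secret_ns
type: Opaque
immutable: true
data:
  bundle.crt: $(b64_oneline "$bundle_file")
EOF
}

# mirror_chain_ok HOST:PORT FILE: verify that the certificate chain served
# by the mirror validates against FILE, the same bundle the nodes will get.
# Needs openssl and network access, so the offline demo below does not call it.
mirror_chain_ok() {
  openssl s_client -connect "$1" -servername "${1%%:*}" -CAfile "$2" \
    </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# Offline demo with a constructed placeholder bundle. In practice set BUNDLE
# to the PEM file of the CA that issued the mirror certificate.
BUNDLE=${BUNDLE:-$(mktemp)}
if [ ! -s "$BUNDLE" ]; then
  printf -- '-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQtcGxhY2Vob2xkZXI=\n-----END CERTIFICATE-----\n' > "$BUNDLE"
fi
render_ca_bundle_secret private-mirror-ca-bundle-v1 garden-dev "$BUNDLE"
```

Typical use is `BUNDLE=/path/to/ca.pem sh render-bundle.sh | kubectl create -f -`, after running `mirror_chain_ok private-mirror.internal:443 /path/to/ca.pem` from a machine that can reach the mirror; a chain that does not verify locally against the bundle will not verify on the nodes either.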