Labels: enhancement (New feature or request)
Instead of passing `insecure: true` to our own private registries, we might want to do something better, like injecting our own baked CA Bundle into the Pod. Using Helm, we might just add something like below to the values (I am using Ansible to invoke Helm btw):

`cert_manager__org__root_ca__bundle` in my case would be the secret containing my generated bundle, which is configured by cert-manager's `Bundle` CRD, which for me looks like this:
```yaml
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: "{{ cert_manager__org__root_ca__bundle }}"
spec:
  sources:
    - useDefaultCAs: true # include default trusted CAs
    # include our own root
    - secret:
        name: "{{ cert_manager__org__root_ca }}"
        key: ca.crt
  target:
    secret:
      key: ca.crt
    # make it available to namespaces with said labels
    namespaceSelector:
      matchLabels:
        trust: enabled
```
As a side note, I require my argocd namespace to look like this for cert-manager to automagically copy the Bundle into its namespace:
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: argocd
  labels:
    # makes the default Org Root CA available within this namespace's Secrets
    trust: enabled
```
My guess is that, looking at a few tickets here regarding verification issues of certificates, guidelines along those lines would be beneficial to some folks.
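The following is an added example, not code from the issue author, trust-manager, cert-manager or Argo CD. It models the two semantics the Bundle above relies on: the `sources` list is concatenated in order into one PEM (default CAs first, then the org root), and the resulting Secret is only written into namespaces whose labels satisfy `target.namespaceSelector.matchLabels`, which is why the `argocd` namespace needs `trust: enabled`. The Bundle spec is the issue's YAML with its Ansible variables replaced by the made-up names `org-root-ca-bundle` and `org-root-ca`; the PEM strings are constructed placeholders, not real certificates, and the assumption that the target Secret is named after the Bundle is a modelling choice, not a claim about the controller's internals.

```python
"""Simplified model of how a trust-manager Bundle fans a CA bundle out to namespaces.

Added example; it mirrors only the fields used in the issue's Bundle spec.
"""
from dataclasses import dataclass, field

# Constructed placeholder PEM blocks; not real certificates.
DEFAULT_CAS_PEM = "-----BEGIN CERTIFICATE-----\nDEFAULT-CA-PLACEHOLDER\n-----END CERTIFICATE-----\n"
ORG_ROOT_PEM = "-----BEGIN CERTIFICATE-----\nORG-ROOT-PLACEHOLDER\n-----END CERTIFICATE-----\n"


@dataclass
class Namespace:
    name: str
    labels: dict = field(default_factory=dict)


# The issue's Bundle with the Ansible variables resolved to made-up names.
BUNDLE = {
    "metadata": {"name": "org-root-ca-bundle"},
    "spec": {
        "sources": [
            {"useDefaultCAs": True},                                  # default trusted CAs
            {"secret": {"name": "org-root-ca", "key": "ca.crt"}},     # our own root
        ],
        "target": {
            "secret": {"key": "ca.crt"},
            "namespaceSelector": {"matchLabels": {"trust": "enabled"}},
        },
    },
}

# Source secrets, keyed by secret name -> {key: PEM data} (constructed).
SOURCE_SECRETS = {"org-root-ca": {"ca.crt": ORG_ROOT_PEM}}

# Only the argocd namespace carries the label from the issue's Namespace manifest.
NAMESPACES = [
    Namespace("argocd", {"trust": "enabled"}),
    Namespace("kube-system"),
]


def build_bundle_pem(spec, source_secrets, default_cas=DEFAULT_CAS_PEM):
    """Concatenate the Bundle's sources, in order, into a single PEM string."""
    parts = []
    for src in spec["sources"]:
        if src.get("useDefaultCAs"):
            parts.append(default_cas)
        elif "secret" in src:
            ref = src["secret"]
            secret = source_secrets.get(ref["name"])
            if secret is None or ref["key"] not in secret:
                # A missing source is an error, not a silently shorter bundle.
                raise KeyError(f"source secret {ref['name']}/{ref['key']} not found")
            parts.append(secret[ref["key"]])
        else:
            raise ValueError(f"unsupported source entry: {src}")
    return "".join(parts)


def selector_matches(selector, labels):
    """True when every matchLabels pair is present on the namespace.

    An empty selector matches every namespace.
    """
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def reconcile(bundle, namespaces, source_secrets):
    """Return {namespace: {secret_name: {key: pem}}} for the namespaces that match."""
    spec = bundle["spec"]
    pem = build_bundle_pem(spec, source_secrets)
    target = spec["target"]
    selector = target.get("namespaceSelector", {})
    out = {}
    for ns in namespaces:
        if not selector_matches(selector, ns.labels):
            continue  # unlabeled namespaces never receive the bundle
        out[ns.name] = {bundle["metadata"]["name"]: {target["secret"]["key"]: pem}}
    return out


if __name__ == "__main__":
    for ns_name, secrets in reconcile(BUNDLE, NAMESPACES, SOURCE_SECRETS).items():
        print(ns_name, "->", list(secrets))
```

Running it lists only `argocd`, with a Secret holding both PEM blocks under `ca.crt`; removing the `trust: enabled` label from the `argocd` namespace makes the bundle disappear from it, which is the failure mode behind the side note in the issue.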