Anchore can be configured to use a custom certificate authority (CA) to allow access to external resources such as private registries. The CA certificate must be added to two places: the trust store provided by the operating system and the Certifi trust store.
The skopeo application uses the operating system trust store located at /etc/pki/ca-trust/source/anchors when accessing image registries to read manifests and pull image layers.
The Python Requests library uses Certifi as its curated list of trusted CAs. Anchore uses the Requests library for all HTTP interactions, including communication with the Anchore Feed Service, sending webhooks to a TLS-enabled endpoint, and communication between Anchore services (if TLS has been configured). The Certifi trust store is located at /usr/local/lib/python3.8/site-packages/certifi/.
Adding the Custom Certificate Authority
The new CA is added to the Anchore container image by rebuilding the image with a custom Dockerfile which specifies where the CA certificates should be stored.
Note that if you are an Iron Bank customer, you should specify the URL for the Anchore Enterprise image in Iron Bank in your FROM directive.
1. Create the Dockerfile:
2. Build the image:
$ sudo docker build -t anchore/enterprise:v3.3.0custom .
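The following Dockerfile is an added example of the two-step procedure above; it is not the Dockerfile from the Anchore documentation. It assumes the base image tag v3.3.0 (matching the v3.3.0custom tag used in the build command), a PEM-encoded CA certificate named custom-ca.crt in the build context, and that the upstream image runs as the unprivileged anchore user; adjust those to your deployment.

```dockerfile
# Added example: install a custom CA into both trust stores Anchore uses.
# Assumptions (not taken from the Anchore project): base image tag v3.3.0,
# a PEM file ./custom-ca.crt in the build context, and an unprivileged
# user named "anchore" in the upstream image.
FROM docker.io/anchore/enterprise:v3.3.0

# The trust stores are only writable as root during the build.
USER root:root

# 1. Operating system trust store, used by skopeo when talking to registries.
#    update-ca-trust regenerates the consolidated bundles from the anchors dir.
COPY ./custom-ca.crt /etc/pki/ca-trust/source/anchors/custom-ca.crt
RUN update-ca-trust

# 2. Certifi trust store, used by the Python Requests library.
#    Append rather than overwrite so the public CAs Certifi ships stay trusted.
RUN cat /etc/pki/ca-trust/source/anchors/custom-ca.crt \
      >> /usr/local/lib/python3.8/site-packages/certifi/cacert.pem

# Build-time check: fail the build if the CA did not land in the bundle
# that certifi.where() actually points Requests at.
RUN python3 -c "import certifi; \
bundle = open(certifi.where()).read(); \
ca = open('/etc/pki/ca-trust/source/anchors/custom-ca.crt').read().strip(); \
assert ca in bundle, 'custom CA missing from certifi bundle at ' + certifi.where()"

# Return to the unprivileged user the upstream image runs as.
USER anchore:anchore
```

Build it from the directory containing both files with the command in step 2. Two points worth keeping in mind: only the CA's public certificate belongs in the build context, never its private key; and because the Certifi bundle lives inside the Python package, any rebase onto an image that upgrades certifi silently discards the appended certificate, so the assertion above is what tells you the step needs to be repeated.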
Updating Your Anchore Deployment
After building an Anchore Enterprise image with your custom CA, you will need to update your Anchore deployment to use the new image. Most production Anchore deployments use Kubernetes; in this case you will need to modify your Helm chart so that it refers to the new image.
A simple Helm chart using a custom image might look like this:
helm upgrade \
Adding Custom Certificate Authority (official documentation)