Epic
Resolution: Unresolved
Digest resolution for Disconnected clusters
To Do
Especially for disconnected clusters, it may be useful to work with custom registries, either directly, or using them as mirrors for "outside" images.
Knative Serving "tag to digest" resolution currently doesn't work with these.
The custom registry may:
- be using TLS with a custom certificate authority
- require authentication
- be used as a mirror
For ordinary OpenShift deployments, the following mechanisms would be used:
- additionalTrustedCA on "cluster" Image.config.openshift.io https://docs.openshift.com/container-platform/4.3/openshift_images/image-configuration.html
- cluster-wide pull secret to set credentials https://docs.openshift.com/container-platform/4.3/openshift_images/managing_images/using-image-pull-secrets.html#images-update-global-pull-secret_using-image-pull-secrets
- ImageContentSourcePolicy to set the registry as a mirror, https://docs.openshift.com/container-platform/4.3/openshift_images/image-configuration.html#images-configuration-registry-mirror_image-configuration
Currently, Knative only (partially) supports specifying a custom CA via the KnativeServing CR:
    controller-custom-certs:
      name: custom-configmap
      type: ConfigMap
(but that would break integration with the internal registry)
Ideally, the Serverless operator would consume the existing OpenShift mechanisms (see above) and reconfigure the Knative Serving controller automagically, so that digest resolution works whenever an image pull would work for the same image on an OpenShift node.
User story:
As a developer,
having application images on an enterprise registry internal.acme.com, which uses a custom corporate certificate authority (CA) and requires authentication,
I want to deploy a Knative service from an image "internal.acme.com/foo/bar:42".
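
Added example (not part of the original issue and not Serverless operator code): a sketch of how the three OpenShift inputs listed above could be combined into a per-registry plan for tag-to-digest lookups. The function names, the sample data and the choice to try mirrors before the source are assumptions made for illustration.

```python
import base64
import json

def split_ref(image):
    """Split 'host[:port]/path[:tag]' into (host, path, tag)."""
    host, _, rest = image.partition("/")
    path, sep, tag = rest.rpartition(":")
    if not sep:                      # no tag given
        path, tag = rest, "latest"
    return host, path, tag

def resolution_plan(image, pull_secret, trusted_ca, mirrors):
    """Build the ordered list of manifest lookups for one image tag.

    pull_secret: .dockerconfigjson content of the cluster-wide pull secret
    trusted_ca:  data of the additionalTrustedCA ConfigMap (hostname -> PEM)
    mirrors:     source repo -> mirror repos, as in ImageContentSourcePolicy
    """
    host, path, tag = split_ref(image)
    auths = json.loads(pull_secret).get("auths", {})
    source = f"{host}/{path}"
    plan = []
    # Assumption: mirrors are tried first, then the source repository.
    for repo in mirrors.get(source, []) + [source]:
        rhost, _, rpath = repo.partition("/")
        user = password = None
        auth = auths.get(rhost, {}).get("auth")
        if auth:
            # Credentials are attached only to the host they were issued for.
            user, _, password = base64.b64decode(auth).decode().partition(":")
        plan.append({
            # Registry v2 API: the digest is returned for this manifest request.
            "manifest_url": f"https://{rhost}/v2/{rpath}/manifests/{tag}",
            "username": user,
            "password": password,
            # ConfigMap keys write 'host:port' as 'host..port'. A missing entry
            # means "use the system trust store", never "skip verification".
            "ca_pem": trusted_ca.get(rhost.replace(":", "..")),
        })
    return plan

# Constructed sample inputs for the user story's registry.
SAMPLE_PULL_SECRET = json.dumps({"auths": {"internal.acme.com": {
    "auth": base64.b64encode(b"dev:s3cret").decode()}}})
SAMPLE_CA = {"internal.acme.com": "-----BEGIN CERTIFICATE-----\n(placeholder)\n"}
SAMPLE_MIRRORS = {"quay.io/foo/bar": ["internal.acme.com/mirror/bar"]}

if __name__ == "__main__":
    for step in resolution_plan("quay.io/foo/bar:42", SAMPLE_PULL_SECRET,
                                SAMPLE_CA, SAMPLE_MIRRORS):
        print(step["manifest_url"], step["username"], bool(step["ca_pem"]))
```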