WIP: Add REGISTRY_INSECURE option for mirror registry w/o certificate validation

02_configure_host.sh

@@ -371,7 +371,12 @@ if use_registry "podman"; then
     # blank authfile with a "assignment to entry in nil map" error
     rm -f ${REGISTRY_CREDS}
     # create authfile for local registry
+    TLS_VERIFY_FLAG=""
+    if [[ ! -z "${REGISTRY_INSECURE}" && "${REGISTRY_INSECURE,,}" == "true" ]]; then
+        TLS_VERIFY_FLAG="--tls-verify=false"
+    fi
     sudo podman login --authfile ${REGISTRY_CREDS} \
+        ${TLS_VERIFY_FLAG} \
         -u ${REGISTRY_USER} -p ${REGISTRY_PASS} \
         ${LOCAL_REGISTRY_DNS_NAME}:${LOCAL_REGISTRY_PORT}
 elif ! use_registry "quay"; then

agent/05_agent_configure.sh

@@ -309,11 +309,13 @@ function generate_cluster_manifests() {
   fi
 
   if [[ ! -z "${MIRROR_IMAGES}" && "${MIRROR_IMAGES,,}" != "false" ]]; then
-    # Store the certs for registry
-    if [[ "${REGISTRY_BACKEND}" = "podman" ]]; then
-       cp $REGISTRY_DIR/certs/$REGISTRY_CRT ${MIRROR_PATH}/ca-bundle.crt
-    else
-       cp ${WORKING_DIR}/quay-install/quay-rootCA/rootCA.pem ${MIRROR_PATH}/ca-bundle.crt
+    # Store the certs for registry (skip if using insecure mode)
+    if [[ -z "${REGISTRY_INSECURE}" || "${REGISTRY_INSECURE,,}" == "false" ]]; then
+      if [[ "${REGISTRY_BACKEND}" = "podman" ]]; then
+         cp $REGISTRY_DIR/certs/$REGISTRY_CRT ${MIRROR_PATH}/ca-bundle.crt
+      else
+         cp ${WORKING_DIR}/quay-install/quay-rootCA/rootCA.pem ${MIRROR_PATH}/ca-bundle.crt
+      fi
     fi
 
     get_mirror_info

agent/roles/manifests/tasks/main.yml

@@ -1,12 +1,12 @@
 - name: Get additional trust bundle
   set_fact:
     ca_bundle_crt: "{{ lookup('file', mirror_path + '/ca-bundle.crt') | to_json }}"
-  when: mirror_images 
-  
+  when: mirror_images and not registry_insecure
+
 - name: Get local registry certificate
   set_fact:
     registry_certificate: "{{ lookup('file', registry_dir + '/certs/' + registry_crt) | to_json }}"
-  when: enable_local_registry
+  when: enable_local_registry and not registry_insecure
 
 - name: Set GoCPUArchitecture
   set_fact:

agent/roles/manifests/tasks/ztp.yml

@@ -51,3 +51,8 @@
     src: "registries_conf.j2"
     dest: "{{ mirror_path }}/registries.conf"
   when: mirror_images
+
+- name: Add insecure flag to registry mirrors
+  shell: |
+    sed -i '/^\[\[registry\.mirror\]\]/a insecure = true' "{{ mirror_path }}/registries.conf"
+  when: mirror_images and registry_insecure

agent/roles/manifests/templates/install-config_baremetal_yaml.j2

@@ -146,8 +146,10 @@ imageContentSources:
     - "{{ local_registry_dns_name }}:{{ local_registry_port }}/redhat"
   source: "registry.redhat.io/redhat"
 {% endif %}
+{% if not registry_insecure %}
 additionalTrustBundle: {{ ca_bundle_crt }}
 {% endif %}
+{% endif %}
 {% if http_proxy or https_proxy or no_proxy %}
 proxy:
 {% if http_proxy %}

agent/roles/manifests/templates/install-config_vsphere_yaml.j2

@@ -103,10 +103,14 @@ imageContentSources:
     - "{{ local_registry_dns_name }}:{{ local_registry_port }}/redhat"
   source: "registry.redhat.io/redhat"
 {% endif %}
+{% if not registry_insecure %}
 additionalTrustBundle: {{ ca_bundle_crt }}
+{% endif %}
 {% elif enable_local_registry %}
+{% if not registry_insecure %}
 additionalTrustBundle: {{ registry_certificate }}
 {% endif %}
+{% endif %}
 {% if http_proxy or https_proxy or no_proxy %}
 proxy:
 {% if http_proxy %}

agent/roles/manifests/templates/install-config_yaml.j2

@@ -97,10 +97,14 @@ imageContentSources:
     - "{{ local_registry_dns_name }}:{{ local_registry_port }}/redhat"
   source: "registry.redhat.io/redhat"
 {% endif %}
+{% if not registry_insecure %}
 additionalTrustBundle: {{ ca_bundle_crt }}
+{% endif %}
 {% elif enable_local_registry %}
+{% if not registry_insecure %}
 additionalTrustBundle: {{ registry_certificate }}
 {% endif %}
+{% endif %}
 {% if http_proxy or https_proxy or no_proxy %}
 proxy:
 {% if http_proxy %}

agent/roles/manifests/templates/registries_conf.j2

@@ -10,6 +10,9 @@ mirror-by-digest-only = false
 
 [[registry.mirror]]
 location = "{{ local_registry_dns_name }}:{{ local_registry_port }}/multicluster-engine"
+{% if registry_insecure %}
+insecure = true
+{% endif %}
 
 [[registry]]
 prefix = ""
@@ -18,6 +21,9 @@ mirror-by-digest-only = false
 
 [[registry.mirror]]
 location = "{{ local_registry_dns_name }}:{{ local_registry_port }}/rhel8"
+{% if registry_insecure %}
+insecure = true
+{% endif %}
 
 [[registry]]
 prefix = ""
@@ -26,5 +32,8 @@ mirror-by-digest-only = false
 
 [[registry.mirror]]
 location = "{{ local_registry_dns_name }}:{{ local_registry_port }}/redhat"
+{% if registry_insecure %}
+insecure = true
+{% endif %}
 {% endif %}
 {% endif %}

agent/roles/manifests/vars/main.yml

@@ -66,6 +66,7 @@ pull_secret: "{{ lookup('env', 'PULL_SECRET_FILE') }}"
 pull_secret_contents: "{{ lookup('file', pull_secret) | to_json }}"
 registry_crt: "{{ lookup('env', 'REGISTRY_CRT')}}"
 registry_dir: "{{ lookup('env', 'REGISTRY_DIR')}}"
+registry_insecure: "{{ lookup('env', 'REGISTRY_INSECURE') | bool }}"
 ssh_pub_key: "{{ lookup('env', 'SSH_PUB_KEY') }}"
 service_subnet_v4: "{{ lookup('env', 'SERVICE_SUBNET_V4') }}"
 service_subnet_v6: "{{ lookup('env', 'SERVICE_SUBNET_V6') }}"

config_example.sh

@@ -705,6 +705,16 @@ set -x
 # "virthost.ostest.test.metalkube.org:LOCAL_REGISTRY_PORT=": { "auth": "<auth string>" },
 #export DOCKER_CONFIG_FILE=$HOME/.docker/config.json
 
+# REGISTRY_INSECURE -
+# When set to true, configures the mirrored registry backend to not require
+# certificate validation. This skips adding certificates to the system trust store,
+# omits additionalTrustBundle from install-config.yaml, and adds insecure=true
+# to all registry mirror configurations.
+# Note: The registry backend still uses HTTPS with self-signed certificates,
+# but clients will skip certificate verification.
+# Default: false
+#export REGISTRY_INSECURE=true
+
 # MIRROR_OLM -
 # Comma-separated list of OLM operators to mirror into the local registry. This
 # has no effect if MIRROR_IMAGES is false. This will not work for releases that

oc_mirror.sh

@@ -72,18 +72,51 @@ function mirror_to_file() {
    config=${1}
 
    pushd ${WORKING_DIR}
-   oc-mirror --v2 --config ${config} file://${WORKING_DIR}
+   oc-mirror --v2 --config ${config} file://${WORKING_DIR} --ignore-release-signature
    popd
 }
 
 function publish_image() {
 
    config=${1}
 
+   # Workaround: oc-mirror v2 doesn't respect registries.conf insecure setting
+   # Temporarily add cert to system trust store for oc-mirror, then remove it
+   cert_temporarily_added=false
+   if [[ ! -z "${REGISTRY_INSECURE}" && "${REGISTRY_INSECURE,,}" == "true" ]]; then
+      echo "WORKAROUND: Temporarily adding certificate to system trust for oc-mirror v2"
+
+      if [[ "${REGISTRY_BACKEND}" = "podman" ]]; then
+         if [[ -f "${REGISTRY_DIR}/certs/${REGISTRY_CRT}" ]]; then
+            sudo cp ${REGISTRY_DIR}/certs/${REGISTRY_CRT} /etc/pki/ca-trust/source/anchors/
+            sudo update-ca-trust
+            cert_temporarily_added=true
+         fi
+      else
+         # quay backend
+         if [[ -f "${WORKING_DIR}/quay-install/quay-rootCA/rootCA.pem" ]]; then
+            sudo cp ${WORKING_DIR}/quay-install/quay-rootCA/rootCA.pem /etc/pki/ca-trust/source/anchors/
+            sudo update-ca-trust
+            cert_temporarily_added=true
+         fi
+      fi
+   fi
+
    pushd ${WORKING_DIR}
-   oc-mirror --v2 --config ${config} --from file://${WORKING_DIR} docker://${LOCAL_REGISTRY_DNS_NAME}:${LOCAL_REGISTRY_PORT}
+   oc-mirror --v2 --config ${config} --from file://${WORKING_DIR} docker://${LOCAL_REGISTRY_DNS_NAME}:${LOCAL_REGISTRY_PORT} --ignore-release-signature
    popd
 
+   # Remove the temporarily added certificate
+   if [[ "${cert_temporarily_added}" == "true" ]]; then
+      echo "WORKAROUND: Removing temporarily added certificate from system trust"
+      if [[ "${REGISTRY_BACKEND}" = "podman" ]]; then
+         sudo rm -f /etc/pki/ca-trust/source/anchors/${REGISTRY_CRT}
+      else
+         sudo rm -f /etc/pki/ca-trust/source/anchors/rootCA.pem
+      fi
+      sudo update-ca-trust
+   fi
+
 }
 
 # Set up a mirror using the 'oc mirror' command

ocp_install_env.sh

@@ -30,7 +30,12 @@ function extract_command() {
     for attempt in $(seq 1 $MAX_RETRIES); do
         extract_dir=$(mktemp --tmpdir -d "installer--XXXXXXXXXX")
 
-        if oc adm release extract --registry-config "${PULL_SECRET_FILE}" --command="$cmd" --to "${extract_dir}" "${release_image}"; then
+        INSECURE_FLAG=""
+        if [[ ! -z "${REGISTRY_INSECURE}" && "${REGISTRY_INSECURE,,}" == "true" ]]; then
+            INSECURE_FLAG="--insecure"
+        fi
+
+        if oc adm release extract --registry-config "${PULL_SECRET_FILE}" ${INSECURE_FLAG} --command="$cmd" --to "${extract_dir}" "${release_image}"; then
             echo "Successfully extracted $cmd"
             break
         fi

release_info.sh

@@ -6,7 +6,12 @@ function save_release_info() {
     release_image="$1"
     outdir="$2"
 
-    oc adm release info --registry-config "$PULL_SECRET_FILE" "$release_image" -o json > ${outdir}/release_info.json
+    INSECURE_FLAG=""
+    if [[ ! -z "${REGISTRY_INSECURE}" && "${REGISTRY_INSECURE,,}" == "true" ]]; then
+        INSECURE_FLAG="--insecure"
+    fi
+
+    oc adm release info --registry-config "$PULL_SECRET_FILE" ${INSECURE_FLAG} "$release_image" -o json > ${outdir}/release_info.json
 }
 
 # Gives us e.g 4.7 because although OPENSHIFT_VERSION is set by users,

utils.sh

@@ -541,7 +541,13 @@ function setup_legacy_release_mirror {
       EXTRACT_DIR=$(mktemp --tmpdir -d "mirror-installer--XXXXXXXXXX")
       _tmpfiles="$_tmpfiles $EXTRACT_DIR"
 
+      INSECURE_FLAG=""
+      if [[ ! -z "${REGISTRY_INSECURE}" && "${REGISTRY_INSECURE,,}" == "true" ]]; then
+          INSECURE_FLAG="--insecure"
+      fi
+
       oc adm release extract --registry-config "${PULL_SECRET_FILE}" \
+        ${INSECURE_FLAG} \
         --command=$installer --to "${EXTRACT_DIR}" \
         "${LOCAL_REGISTRY_DNS_NAME}:${LOCAL_REGISTRY_PORT}/${LOCAL_IMAGE_URL_SUFFIX}:${OPENSHIFT_RELEASE_TAG}"
 
@@ -611,8 +617,11 @@ EOF
 
     htpasswd -bBc ${REGISTRY_DIR}/auth/htpasswd ${REGISTRY_USER} ${REGISTRY_PASS}
 
-    sudo cp ${REGISTRY_DIR}/certs/${REGISTRY_CRT} /etc/pki/ca-trust/source/anchors/
-    sudo update-ca-trust
+    # Add certificate to system trust store (skip if using insecure mode)
+    if [[ -z "${REGISTRY_INSECURE}" || "${REGISTRY_INSECURE,,}" == "false" ]]; then
+        sudo cp ${REGISTRY_DIR}/certs/${REGISTRY_CRT} /etc/pki/ca-trust/source/anchors/
+        sudo update-ca-trust
+    fi
 
     reg_state=$(sudo podman inspect registry --format  "{{.State.Status}}" || echo "error")