[BZ1810461] ShiftStack - Add procedure to allow Image Registry Operator to trust Swift

[maxwelldb]

Re: self-signed certs

Context: https://bugzilla.redhat.com/show_bug.cgi?id=1810461

Preview: https://deploy-preview-39641--osdocs.netlify.app/openshift-enterprise/latest/registry/configuring_registry_storage/configuring-registry-storage-openstack-user-infrastructure.html

[netlify]

✔️ Deploy Preview for osdocs ready!

🔨 Explore the source changes: fbc46fe

🔍 Inspect the deploy log: https://app.netlify.com/sites/osdocs/deploys/622250d04799be00087ca33b

😎 Browse the preview: https://deploy-preview-39641--osdocs.netlify.app

[dmage]

Is it a necessary step?

[dmage]

disableRedirect is in config.imageregistry, not image.config.

[mandre]

According to https://bugzilla.redhat.com/show_bug.cgi?id=1810461#c13, the following should be all that is needed:

$ oc patch configs.imageregistry.operator.openshift.io cluster --type merge --patch '{"spec":{"disableRedirect":"true"}}'

[maxwelldb]

@mandre As in that command should be almost the entirety of this PR? Easy enough, if so.

Any thoughts on the second part of this comment? https://bugzilla.redhat.com/show_bug.cgi?id=1810461#c14

[mandre]

@mandre As in that command should be almost the entirety of this PR? Easy enough, if so.

Any thoughts on the second part of this comment? https://bugzilla.redhat.com/show_bug.cgi?id=1810461#c14

If I understand comment 14 correctly what we're doing here (disable redirect) is what the customer has confirmed fixes the issue. I do not think we want to document the other suggested solution as it's a lot more complex and forces the nodes to trust the CA ultimately (while we trust it only when initiating connections to OpenStack otherwise).

[maxwelldb]

Made a few suggestions for syntax

[maxwelldb]

@mandre Could you confirm this command given this comment? https://github.com/openshift/openshift-docs/pull/39641/files#r765059344

[mandre]

This is redundant with what you're doing on line 23.

[maxwelldb]

TY!

[maxwelldb]

@mandre So, just this? 3c855ce

[mandre]

Yup, perfect 👍

[mandre]

LGTM

[xiuwang]

LGTM

[kalexand-rh]

This is looking good!

[kalexand-rh]

Does this procedure have prereqs? It looks like there's nothing to change in the command itself, so I suspect there might be. You might want to add them at some point.

[maxwelldb]

/cherry-pick enterprise-4.10

[openshift-cherrypick-robot]

@maxwelldb: new pull request created: #42840

Details

In response to this:

/cherry-pick enterprise-4.10

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[maxwelldb]

@xiuwang Can you confirm that this procedure is valid for 4.6-4.10? This PR has a 4.10 label on it, though I'm not sure if I made a mistake at some point.

[maxwelldb]

/cherry-pick enterprise-4.10

[openshift-cherrypick-robot]

@maxwelldb: new pull request could not be created: failed to create pull request against openshift/openshift-docs#enterprise-4.10 from head openshift-cherrypick-robot:cherry-pick-39641-to-enterprise-4.10: status code 422 not one of [201], body: {"message":"Validation Failed","errors":[{"resource":"PullRequest","code":"custom","message":"A pull request already exists for openshift-cherrypick-robot:cherry-pick-39641-to-enterprise-4.10."}],"documentation_url":"https://docs.github.com/rest/reference/pulls#create-a-pull-request"}

Details

In response to this:

/cherry-pick enterprise-4.10

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.