operator-sdk: run bundle{-upgrade} support insecure registry server

Supporting insecure registry is useful for testing operator installation
from bundle image stored at local registry.

changelog/fragments/run-bundle-from-insecure-registry.yaml

@@ -0,0 +1,4 @@
+entries:
+  - description: >
+       Add new optional flag `--allow-insecure` to the commands `operator-sdk run bundle` and `operator-sdk run bundle-upgrade`. This option allow to install the operator from a bundle image stored at an insecure docker registry. (e.g. `operator-sdk run bundle localhost:5000/my-operator-bundle:latest --allow-insecure`)
+    kind: "addition"

internal/cmd/operator-sdk/scorecard/cmd.go

@@ -211,5 +211,5 @@ func extractBundleImage(bundleImage string) (string, error) {
 		logger = log.WithFields(log.Fields{"bundle": bundleImage})
 	}
 	// FEAT: enable explicit local image extraction.
-	return registryutil.ExtractBundleImage(context.TODO(), logger, bundleImage, false)
+	return registryutil.ExtractBundleImage(context.TODO(), logger, bundleImage, false, false)
 }

internal/olm/operator/bundle/install.go

@@ -51,6 +51,7 @@ func (i *Install) BindFlags(fs *pflag.FlagSet) {
 
 	// --mode is hidden so only users who know what they're doing can alter add mode.
 	fs.StringVar((*string)(&i.BundleAddMode), "mode", "", "mode to use for adding bundle to index")
+	fs.BoolVar(&i.IndexImageCatalogCreator.AllowInsecure, "allow-insecure", false, "allows pulling bundle image from an insecure registry server")
 	_ = fs.MarkHidden("mode")
 
 	i.IndexImageCatalogCreator.BindFlags(fs)
@@ -72,7 +73,7 @@ func (i *Install) setup(ctx context.Context) error {
 	}
 
 	// Load bundle labels and set label-dependent values.
-	labels, bundle, err := operator.LoadBundle(ctx, i.BundleImage)
+	labels, bundle, err := operator.LoadBundle(ctx, i.BundleImage, i.AllowInsecure)
 	if err != nil {
 		return err
 	}

internal/olm/operator/bundleupgrade/upgrade.go

@@ -48,6 +48,7 @@ func NewUpgrade(cfg *operator.Configuration) Upgrade {
 func (u *Upgrade) BindFlags(fs *pflag.FlagSet) {
 	// --mode is hidden so only users who know what they're doing can alter add mode.
 	fs.StringVar((*string)(&u.BundleAddMode), "mode", "", "mode to use for adding new bundle version to index")
+	fs.BoolVar(&u.IndexImageCatalogCreator.AllowInsecure, "allow-insecure", false, "allows pulling bundle image from an insecure registry server")
 	_ = fs.MarkHidden("mode")
 
 	u.IndexImageCatalogCreator.BindFlags(fs)
@@ -69,7 +70,7 @@ func (u *Upgrade) setup(ctx context.Context) error {
 		}
 	}
 
-	labels, bundle, err := operator.LoadBundle(ctx, u.BundleImage)
+	labels, bundle, err := operator.LoadBundle(ctx, u.BundleImage, u.AllowInsecure)
 	if err != nil {
 		return err
 	}

internal/olm/operator/helpers.go

@@ -34,8 +34,8 @@ func CatalogNameForPackage(pkg string) string {
 }
 
 // LoadBundle returns metadata and manifests from within bundleImage.
-func LoadBundle(ctx context.Context, bundleImage string) (registryutil.Labels, *apimanifests.Bundle, error) {
-	bundlePath, err := registryutil.ExtractBundleImage(ctx, nil, bundleImage, false)
+func LoadBundle(ctx context.Context, bundleImage string, allowInsecure bool) (registryutil.Labels, *apimanifests.Bundle, error) {
+	bundlePath, err := registryutil.ExtractBundleImage(ctx, nil, bundleImage, false, allowInsecure)
 	if err != nil {
 		return nil, nil, fmt.Errorf("pull bundle image: %v", err)
 	}

internal/olm/operator/registry/index/registry_pod.go

@@ -50,6 +50,8 @@ type BundleItem struct {
 	ImageTag string `json:"imageTag"`
 	// AddMode describes how the bundle should be added to an index image.
 	AddMode BundleAddMode `json:"mode"`
+	// AllowInsecure controls wether to ignore SSL errors while pulling bundle image from registry server.
+	AllowInsecure bool `json:"AllowInsecure"`
 }
 
 // RegistryPod holds resources necessary for creation of a registry server
@@ -302,7 +304,7 @@ func newBool(b bool) *bool {
 
 const cmdTemplate = `/bin/mkdir -p {{ dirname .DBPath }} && \
 {{- range $i, $item := .BundleItems }}
-/bin/opm registry add -d {{ $.DBPath }} -b {{ $item.ImageTag }} --mode={{ $item.AddMode }}{{ if $.CASecretName }} --ca-file=/certs/cert.pem{{ end }} && \
+/bin/opm registry add -d {{ $.DBPath }} -b {{ $item.ImageTag }} --mode={{ $item.AddMode }}{{ if $.CASecretName }} --ca-file=/certs/cert.pem{{ end }} --skip-tls={{ $item.AllowInsecure }} && \
 {{- end }}
 /bin/opm registry serve -d {{ .DBPath }} -p {{ .GRPCPort }}
 `

internal/olm/operator/registry/index/registry_pod_test.go

@@ -104,6 +104,15 @@ var _ = Describe("RegistryPod", func() {
 				Expect(output).Should(Equal(containerCommandFor(defaultDBPath, defaultBundleItems, true)))
 			})
 
+			It("should return a container command for image with --skip-tls", func() {
+				bundles := []BundleItem{defaultBundleItems[0]}
+				bundles[0].AllowInsecure = true
+				rp.BundleItems = bundles
+				output, err := rp.getContainerCmd()
+				Expect(err).To(BeNil())
+				Expect(output).Should(Equal(containerCommandFor(defaultDBPath, bundles, false)))
+			})
+
 			It("should return a valid container command for three images", func() {
 				bundleItems := append(defaultBundleItems,
 					BundleItem{
@@ -114,6 +123,11 @@ var _ = Describe("RegistryPod", func() {
 						ImageTag: "quay.io/example/example-operator-bundle:1.0.1",
 						AddMode:  SemverBundleAddMode,
 					},
+					BundleItem{
+						ImageTag:      "localhost/example-operator-bundle:1.0.1",
+						AddMode:       SemverBundleAddMode,
+						AllowInsecure: true,
+					},
 				)
 				rp2 := RegistryPod{
 					DBPath:      defaultDBPath,
@@ -224,7 +238,7 @@ func containerCommandFor(dbPath string, items []BundleItem, hasCA bool) string {
 	}
 	additions := &strings.Builder{}
 	for _, item := range items {
-		additions.WriteString(fmt.Sprintf("/bin/opm registry add -d %s -b %s --mode=%s%s && \\\n", dbPath, item.ImageTag, item.AddMode, caFlag))
+		additions.WriteString(fmt.Sprintf("/bin/opm registry add -d %s -b %s --mode=%s%s --skip-tls=%v && \\\n", dbPath, item.ImageTag, item.AddMode, caFlag, item.AllowInsecure))
 	}
 	return fmt.Sprintf("/bin/mkdir -p /database && \\\n%s/bin/opm registry serve -d /database/index.db -p 50051\n", additions.String())
 }

internal/olm/operator/registry/index_image.go

@@ -62,6 +62,7 @@ type IndexImageCatalogCreator struct {
 	PackageName   string
 	IndexImage    string
 	BundleImage   string
+	AllowInsecure bool
 	BundleAddMode index.BundleAddMode
 	SecretName    string
 	CASecretName  string
@@ -101,7 +102,7 @@ func (c IndexImageCatalogCreator) CreateCatalog(ctx context.Context, name string
 
 	c.setAddMode()
 
-	newItems := []index.BundleItem{{ImageTag: c.BundleImage, AddMode: c.BundleAddMode}}
+	newItems := []index.BundleItem{{ImageTag: c.BundleImage, AddMode: c.BundleAddMode, AllowInsecure: c.AllowInsecure}}
 	if err := c.createAnnotatedRegistry(ctx, cs, newItems); err != nil {
 		return nil, fmt.Errorf("error creating registry pod: %v", err)
 	}
@@ -137,7 +138,7 @@ func (c IndexImageCatalogCreator) UpdateCatalog(ctx context.Context, cs *v1alpha
 
 	c.setAddMode()
 
-	newItem := index.BundleItem{ImageTag: c.BundleImage, AddMode: c.BundleAddMode}
+	newItem := index.BundleItem{ImageTag: c.BundleImage, AddMode: c.BundleAddMode, AllowInsecure: c.AllowInsecure}
 	existingItems = append(existingItems, newItem)
 
 	opts := []func(*v1alpha1.CatalogSource){

internal/registry/image.go

@@ -28,7 +28,7 @@ import (
 
 // ExtractBundleImage returns a bundle directory containing files extracted
 // from image. If local is true, the image will not be pulled.
-func ExtractBundleImage(ctx context.Context, logger *log.Entry, image string, local bool) (string, error) {
+func ExtractBundleImage(ctx context.Context, logger *log.Entry, image string, local bool, skipTLS bool) (string, error) {
 	if logger == nil {
 		logger = DiscardLogger()
 	}
@@ -51,7 +51,7 @@ func ExtractBundleImage(ctx context.Context, logger *log.Entry, image string, lo
 	logger = logger.WithFields(log.Fields{"dir": bundleDir})
 
 	// Use a containerd registry instead of shelling out to a container tool.
-	reg, err := containerdregistry.NewRegistry(containerdregistry.WithLog(logger))
+	reg, err := containerdregistry.NewRegistry(containerdregistry.WithLog(logger), containerdregistry.SkipTLS(skipTLS))
 	if err != nil {
 		return "", err
 	}

website/content/en/docs/cli/operator-sdk_run_bundle-upgrade.md

@@ -24,6 +24,7 @@ operator-sdk run bundle-upgrade <bundle-image> [flags]
       --pull-secret-name string   Name of image pull secret ("type: kubernetes.io/dockerconfigjson") required to pull bundle images. This secret *must* be both in the namespace and an imagePullSecret of the service account that this command is configured to run in
       --service-account string    Service account name to bind registry objects to. If unset, the default service account is used. This value does not override the operator's service account
       --timeout duration          Duration to wait for the command to complete before failing (default 2m0s)
+      --allow-insecure            allows pulling bundle image from an insecure registry server
 ```
 
 ### Options inherited from parent commands

website/content/en/docs/cli/operator-sdk_run_bundle.md

@@ -21,6 +21,7 @@ operator-sdk run bundle <bundle-image> [flags]
   -h, --help                            help for bundle
       --index-image string              index image in which to inject bundle (default "quay.io/operator-framework/upstream-opm-builder:latest")
       --install-mode InstallModeValue   install mode
+      --allow-insecure                  allows pulling bundle image from an insecure registry server
       --kubeconfig string               Path to the kubeconfig file to use for CLI requests.
   -n, --namespace string                If present, namespace scope for this CLI request
       --pull-secret-name string         Name of image pull secret ("type: kubernetes.io/dockerconfigjson") required to pull bundle images. This secret *must* be both in the namespace and an imagePullSecret of the service account that this command is configured to run in