@bfournie bfournie commented Dec 2, 2025

This is a POC for using an insecure local registry.

This commit adds a new REGISTRY_INSECURE environment variable that allows the mirrored registry backend to operate without requiring certificate validation. When enabled, this simplifies testing and development workflows by avoiding certificate management overhead.

Changes:

  • Add REGISTRY_INSECURE variable documentation in config_example.sh
  • Skip adding registry certificate to system trust store when insecure mode is enabled (utils.sh)
  • Skip copying ca-bundle.crt to mirror path when insecure mode is enabled (agent/05_agent_configure.sh)
  • Skip loading certificate files in Ansible when insecure mode is enabled (agent/roles/manifests/tasks/main.yml)
  • Add conditional --tls-verify=false to podman login (02_configure_host.sh)
  • Add conditional --insecure flag to oc adm release extract commands (ocp_install_env.sh, utils.sh)
  • Add conditional --insecure flag to oc adm release info commands (release_info.sh)
  • Add --ignore-release-signature flag to oc-mirror commands (oc_mirror.sh)
  • Implement workaround for oc-mirror v2 TLS verification issue by temporarily adding cert to system trust during oc-mirror operation (oc_mirror.sh)
  • Omit additionalTrustBundle from install-config when insecure mode is enabled (install-config_yaml.j2, install-config_baremetal_yaml.j2, install-config_vsphere_yaml.j2)
  • Add insecure=true to registry mirror configurations in registries.conf (registries_conf.j2, ztp.yml)
  • Add registry_insecure variable to Ansible vars (vars/main.yml)

Implementation details:

  • Registry backend still generates and uses self-signed HTTPS certificates
  • Clients skip certificate verification when REGISTRY_INSECURE=true
  • The certificate is temporarily trusted only during oc-mirror operations (workaround for oc-mirror v2 bug) then immediately removed
  • Installation proceeds with insecure registry configuration in registries.conf

Default: REGISTRY_INSECURE is false (secure mode with certificate validation)

…validation

This commit adds a new REGISTRY_INSECURE environment variable that allows
the mirrored registry backend to operate without requiring certificate
validation. When enabled, this simplifies testing and development workflows
by avoiding certificate management overhead.

Changes:
- Add REGISTRY_INSECURE variable documentation in config_example.sh
- Skip adding registry certificate to system trust store when insecure mode is enabled (utils.sh)
- Skip copying ca-bundle.crt to mirror path when insecure mode is enabled (agent/05_agent_configure.sh)
- Skip loading certificate files in Ansible when insecure mode is enabled (agent/roles/manifests/tasks/main.yml)
- Add conditional --tls-verify=false to podman login (02_configure_host.sh)
- Add conditional --insecure flag to oc adm release extract commands (ocp_install_env.sh, utils.sh)
- Add conditional --insecure flag to oc adm release info commands (release_info.sh)
- Add --ignore-release-signature flag to oc-mirror commands (oc_mirror.sh)
- Implement workaround for oc-mirror v2 TLS verification issue by temporarily
  adding cert to system trust during oc-mirror operation (oc_mirror.sh)
- Omit additionalTrustBundle from install-config when insecure mode is enabled
  (install-config_yaml.j2, install-config_baremetal_yaml.j2, install-config_vsphere_yaml.j2)
- Add insecure=true to registry mirror configurations in registries.conf
  (registries_conf.j2, ztp.yml)
- Add registry_insecure variable to Ansible vars (vars/main.yml)

Implementation details:
- Registry backend still generates and uses self-signed HTTPS certificates
- Clients skip certificate verification when REGISTRY_INSECURE=true
- The certificate is temporarily trusted only during oc-mirror operations
  (workaround for oc-mirror v2 bug) then immediately removed
- Installation proceeds with insecure registry configuration in registries.conf

Default: REGISTRY_INSECURE is false (secure mode with certificate validation)
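The switch described above is a configuration toggle, so the security-relevant property is that it fails closed: certificate validation stays on unless `REGISTRY_INSECURE` is set to exactly `true`, and the `--tls-verify=false` / `--insecure` flags and the `insecure = true` mirror setting are only ever emitted in that case. The following is an added illustration of that pattern, not code from this PR or from the dev-scripts repository; the function names (`registry_insecure_enabled`, `registry_tls_flags`, `render_registries_conf`) and the registry hostnames are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helpers, not the project's own scripts):
# gate TLS-verification flags and the registries.conf "insecure" setting
# on REGISTRY_INSECURE with a secure default.

# True only when REGISTRY_INSECURE is exactly the string "true".
# Unset, empty, "yes", "1", "TRUE" all keep certificate validation on.
registry_insecure_enabled() {
    [ "${REGISTRY_INSECURE:-false}" = "true" ]
}

# Emit the extra CLI flag for a given client, or nothing in secure mode.
# podman login uses --tls-verify=false; oc adm release uses --insecure.
registry_tls_flags() {
    client="$1"
    if registry_insecure_enabled; then
        case "$client" in
            podman) printf '%s' '--tls-verify=false' ;;
            oc)     printf '%s' '--insecure' ;;
            *)      printf '%s' '' ;;
        esac
    fi
}

# Render a registries.conf mirror stanza (containers-registries.conf TOML).
# "insecure = true" is written under the mirror entry only in insecure
# mode, so the default rendering still requires a trusted certificate.
render_registries_conf() {
    mirror="$1"   # constructed value, e.g. mirror.example.test:5000
    source="$2"   # constructed value, e.g. quay.io/openshift-release-dev/ocp-release
    printf '[[registry]]\n'
    printf 'location = "%s"\n' "$source"
    printf '\n[[registry.mirror]]\n'
    printf 'location = "%s"\n' "$mirror"
    if registry_insecure_enabled; then
        printf 'insecure = true\n'
    fi
}

# Stand-alone demo: render both modes for a constructed mirror.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    echo "# secure (default):"
    render_registries_conf mirror.example.test:5000 quay.io/openshift-release-dev/ocp-release
    echo
    echo "# REGISTRY_INSECURE=true:"
    REGISTRY_INSECURE=true render_registries_conf mirror.example.test:5000 quay.io/openshift-release-dev/ocp-release
fi
```

A reviewer checking a change like this would want the exact-string comparison kept (so a stray `REGISTRY_INSECURE=1` in someone's environment does not silently disable verification) and would grep the rendered `registries.conf` and `install-config.yaml` in the secure path to confirm neither `insecure = true` nor the dropped `additionalTrustBundle` appears there.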
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 2, 2025
@openshift-ci openshift-ci bot requested review from lranjbar and sadasu December 2, 2025 18:11
openshift-ci bot commented Dec 2, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign elfosardo for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci bot commented Dec 2, 2025

@bfournie: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-metal-ipi-serial-ovn-ipv6 faa38e2 link false /test e2e-metal-ipi-serial-ovn-ipv6
ci/prow/e2e-agent-5control-ipv4 faa38e2 link false /test e2e-agent-5control-ipv4
ci/prow/e2e-metal-ipi-serial-ipv4-2of2 faa38e2 link true /test e2e-metal-ipi-serial-ipv4-2of2
ci/prow/e2e-agent-sno-ipv6 faa38e2 link false /test e2e-agent-sno-ipv6
ci/prow/e2e-agent-compact-ipv4 faa38e2 link true /test e2e-agent-compact-ipv4
ci/prow/e2e-metal-ipi-ovn-dualstack faa38e2 link false /test e2e-metal-ipi-ovn-dualstack
ci/prow/e2e-metal-ovn-arbiter faa38e2 link false /test e2e-metal-ovn-arbiter
ci/prow/e2e-agent-bad-dns faa38e2 link false /test e2e-agent-bad-dns
ci/prow/e2e-agent-4control-ipv4 faa38e2 link false /test e2e-agent-4control-ipv4
ci/prow/e2e-agent-ha-dualstack faa38e2 link false /test e2e-agent-ha-dualstack
ci/prow/e2e-metal-ipi-serial-ipv4-1of2 faa38e2 link true /test e2e-metal-ipi-serial-ipv4-1of2
ci/prow/e2e-metal-ipi-virtualmedia faa38e2 link false /test e2e-metal-ipi-virtualmedia
ci/prow/e2e-agent-compact-ipv4-iso-no-registry faa38e2 link false /test e2e-agent-compact-ipv4-iso-no-registry
ci/prow/e2e-metal-ipi-bm faa38e2 link true /test e2e-metal-ipi-bm
ci/prow/e2e-metal-ipi-ovn-ipv6 faa38e2 link true /test e2e-metal-ipi-ovn-ipv6
ci/prow/e2e-metal-ipi-bm-bond faa38e2 link false /test e2e-metal-ipi-bm-bond

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
