diff --git a/02_configure_host.sh b/02_configure_host.sh index 312c06790..6be783bae 100755 --- a/02_configure_host.sh +++ b/02_configure_host.sh @@ -371,7 +371,12 @@ if use_registry "podman"; then # blank authfile with a "assignment to entry in nil map" error rm -f ${REGISTRY_CREDS} # create authfile for local registry + TLS_VERIFY_FLAG="" + if [[ ! -z "${REGISTRY_INSECURE}" && "${REGISTRY_INSECURE,,}" == "true" ]]; then + TLS_VERIFY_FLAG="--tls-verify=false" + fi sudo podman login --authfile ${REGISTRY_CREDS} \ + ${TLS_VERIFY_FLAG} \ -u ${REGISTRY_USER} -p ${REGISTRY_PASS} \ ${LOCAL_REGISTRY_DNS_NAME}:${LOCAL_REGISTRY_PORT} elif ! use_registry "quay"; then diff --git a/agent/05_agent_configure.sh b/agent/05_agent_configure.sh index 50a0a52c7..f00c23d3e 100755 --- a/agent/05_agent_configure.sh +++ b/agent/05_agent_configure.sh @@ -309,11 +309,13 @@ function generate_cluster_manifests() { fi if [[ ! -z "${MIRROR_IMAGES}" && "${MIRROR_IMAGES,,}" != "false" ]]; then - # Store the certs for registry - if [[ "${REGISTRY_BACKEND}" = "podman" ]]; then - cp $REGISTRY_DIR/certs/$REGISTRY_CRT ${MIRROR_PATH}/ca-bundle.crt - else - cp ${WORKING_DIR}/quay-install/quay-rootCA/rootCA.pem ${MIRROR_PATH}/ca-bundle.crt + # Store the certs for registry (skip if using insecure mode) + if [[ -z "${REGISTRY_INSECURE}" || "${REGISTRY_INSECURE,,}" == "false" ]]; then + if [[ "${REGISTRY_BACKEND}" = "podman" ]]; then + cp $REGISTRY_DIR/certs/$REGISTRY_CRT ${MIRROR_PATH}/ca-bundle.crt + else + cp ${WORKING_DIR}/quay-install/quay-rootCA/rootCA.pem ${MIRROR_PATH}/ca-bundle.crt + fi fi get_mirror_info diff --git a/agent/roles/manifests/tasks/main.yml b/agent/roles/manifests/tasks/main.yml index a6e9edc02..6cea63c31 100644 --- a/agent/roles/manifests/tasks/main.yml +++ b/agent/roles/manifests/tasks/main.yml 
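Review bot: `--tls-verify=false` on the podman login turns off server authentication for the one request that carries `${REGISTRY_PASS}`, even though the registry's own certificate is available at `${REGISTRY_DIR}/certs/${REGISTRY_CRT}` (see the utils.sh hunk in this commit). Pointing the login at that directory with `--cert-dir ${REGISTRY_DIR}/certs` instead of disabling verification should keep the credential exchange authenticated without depending on the system trust store. The `[[ ! -z "${REGISTRY_INSECURE}" && "${REGISTRY_INSECURE,,}" == "true" ]]` predicate is repeated in oc_mirror.sh, ocp_install_env.sh, release_info.sh and utils.sh, while vars/main.yml parses the same variable with Ansible's `| bool`, which also accepts values such as `yes` and `1`; a single helper in utils.sh, `registry_insecure() { local v=${REGISTRY_INSECURE:-false}; [[ "${v,,}" == "true" ]]; }`, called from each of them would keep the shell side consistent and make the mismatch with the Ansible side visible. The enclosing `if use_registry "podman"` block starts outside the hunk.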
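Review bot: The new guard `[[ -z "${REGISTRY_INSECURE}" || "${REGISTRY_INSECURE,,}" == "false" ]]` is not the complement of the enabling check used in 02_configure_host.sh (`-n … && … == "true"`): for a value such as `REGISTRY_INSECURE=yes` the CA bundle is not written here, yet podman login still verifies TLS, and Ansible's `| bool` in vars/main.yml treats the value as true. Negating the same predicate, `if ! [[ -n "${REGISTRY_INSECURE}" && "${REGISTRY_INSECURE,,}" == "true" ]]; then`, closes that gap. The same inverted form is used in the utils.sh hunk that gates the system-trust-store copy. generate_cluster_manifests continues outside the hunk on both sides.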
@@ -1,12 +1,12 @@ - name: Get additional trust bundle set_fact: ca_bundle_crt: "{{ lookup('file', mirror_path + '/ca-bundle.crt') | to_json }}" - when: mirror_images - + when: mirror_images and not registry_insecure + - name: Get local registry certificate set_fact: registry_certificate: "{{ lookup('file', registry_dir + '/certs/' + registry_crt) | to_json }}" - when: enable_local_registry + when: enable_local_registry and not registry_insecure - name: Set GoCPUArchitecture set_fact: diff --git a/agent/roles/manifests/tasks/ztp.yml b/agent/roles/manifests/tasks/ztp.yml index 225953a88..aa609c3db 100644 --- a/agent/roles/manifests/tasks/ztp.yml +++ b/agent/roles/manifests/tasks/ztp.yml @@ -51,3 +51,8 @@ src: "registries_conf.j2" dest: "{{ mirror_path }}/registries.conf" when: mirror_images + +- name: Add insecure flag to registry mirrors + shell: | + sed -i '/^\[\[registry\.mirror\]\]/a insecure = true' "{{ mirror_path }}/registries.conf" + when: mirror_images and registry_insecure diff --git a/agent/roles/manifests/templates/install-config_baremetal_yaml.j2 b/agent/roles/manifests/templates/install-config_baremetal_yaml.j2 index e6d4edaf6..947198990 100644 --- a/agent/roles/manifests/templates/install-config_baremetal_yaml.j2 +++ b/agent/roles/manifests/templates/install-config_baremetal_yaml.j2 @@ -146,8 +146,10 @@ imageContentSources: - "{{ local_registry_dns_name }}:{{ local_registry_port }}/redhat" source: "registry.redhat.io/redhat" {% endif %} +{% if not registry_insecure %} additionalTrustBundle: {{ ca_bundle_crt }} {% endif %} +{% endif %} {% if http_proxy or https_proxy or no_proxy %} proxy: {% if http_proxy %} diff --git a/agent/roles/manifests/templates/install-config_vsphere_yaml.j2 b/agent/roles/manifests/templates/install-config_vsphere_yaml.j2 index 3b0a67c26..42db2bf38 100644 --- a/agent/roles/manifests/templates/install-config_vsphere_yaml.j2 +++ b/agent/roles/manifests/templates/install-config_vsphere_yaml.j2 
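Review bot: The sed task appends `insecure = true` after every `[[registry.mirror]]` header of a registries.conf that the preceding task renders from `registries_conf.j2`, and that template now emits `insecure = true` under the same headers when `registry_insecure` is set (registries_conf.j2 hunks in this commit). The likely result is a duplicated key in each mirror table, which TOML parsers reject, and `shell: sed -i` adds another line on every re-run. Since the template already covers the case, the task can be dropped; if it must stay, `lineinfile` with `insertafter` and a `regexp` matching `^insecure = true` would be idempotent and avoid the shell escaping.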
@@ -103,10 +103,14 @@ imageContentSources: - "{{ local_registry_dns_name }}:{{ local_registry_port }}/redhat" source: "registry.redhat.io/redhat" {% endif %} +{% if not registry_insecure %} additionalTrustBundle: {{ ca_bundle_crt }} +{% endif %} {% elif enable_local_registry %} +{% if not registry_insecure %} additionalTrustBundle: {{ registry_certificate }} {% endif %} +{% endif %} {% if http_proxy or https_proxy or no_proxy %} proxy: {% if http_proxy %} diff --git a/agent/roles/manifests/templates/install-config_yaml.j2 b/agent/roles/manifests/templates/install-config_yaml.j2 index a9855802c..7bb82346b 100644 --- a/agent/roles/manifests/templates/install-config_yaml.j2 +++ b/agent/roles/manifests/templates/install-config_yaml.j2 @@ -97,10 +97,14 @@ imageContentSources: - "{{ local_registry_dns_name }}:{{ local_registry_port }}/redhat" source: "registry.redhat.io/redhat" {% endif %} +{% if not registry_insecure %} additionalTrustBundle: {{ ca_bundle_crt }} +{% endif %} {% elif enable_local_registry %} +{% if not registry_insecure %} additionalTrustBundle: {{ registry_certificate }} {% endif %} +{% endif %} {% if http_proxy or https_proxy or no_proxy %} proxy: {% if http_proxy %} diff --git a/agent/roles/manifests/templates/registries_conf.j2 b/agent/roles/manifests/templates/registries_conf.j2 index 0ee2dbefc..a46344ad7 100644 --- a/agent/roles/manifests/templates/registries_conf.j2 +++ b/agent/roles/manifests/templates/registries_conf.j2 @@ -10,6 +10,9 @@ mirror-by-digest-only = false [[registry.mirror]] location = "{{ local_registry_dns_name }}:{{ local_registry_port }}/multicluster-engine" +{% if registry_insecure %} +insecure = true +{% endif %} [[registry]] prefix = "" @@ -18,6 +21,9 @@ mirror-by-digest-only = false [[registry.mirror]] location = "{{ local_registry_dns_name }}:{{ local_registry_port }}/rhel8" +{% if registry_insecure %} +insecure = true +{% endif %} [[registry]] prefix = "" 
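Review bot: With `insecure = true` added under each `[[registry.mirror]]`, the mirror's identity is no longer verified, and the surrounding context keeps `mirror-by-digest-only = false`, so tag-based pulls from the mirror have neither transport authentication nor a digest to check against. Whether that is acceptable for this setup is a judgement call, but it should be recorded where the flag is emitted, e.g. `{# insecure mode: mirror is not TLS-verified; tag pulls rely on the registry alone for integrity #}` above the first block, or `mirror-by-digest-only = true` could be emitted alongside `insecure = true` if callers can pull by digest. The same three-line block is repeated for the rhel8 and redhat mirrors in the following two hunks; a `{% set %}`'d snippet or a macro would leave one copy to maintain.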
@@ -26,5 +32,8 @@ mirror-by-digest-only = false [[registry.mirror]] location = "{{ local_registry_dns_name }}:{{ local_registry_port }}/redhat" +{% if registry_insecure %} +insecure = true +{% endif %} {% endif %} {% endif %} diff --git a/agent/roles/manifests/vars/main.yml b/agent/roles/manifests/vars/main.yml index 9e5a73c18..49f5c1fad 100644 --- a/agent/roles/manifests/vars/main.yml +++ b/agent/roles/manifests/vars/main.yml @@ -66,6 +66,7 @@ pull_secret: "{{ lookup('env', 'PULL_SECRET_FILE') }}" pull_secret_contents: "{{ lookup('file', pull_secret) | to_json }}" registry_crt: "{{ lookup('env', 'REGISTRY_CRT')}}" registry_dir: "{{ lookup('env', 'REGISTRY_DIR')}}" +registry_insecure: "{{ lookup('env', 'REGISTRY_INSECURE') | bool }}" ssh_pub_key: "{{ lookup('env', 'SSH_PUB_KEY') }}" service_subnet_v4: "{{ lookup('env', 'SERVICE_SUBNET_V4') }}" service_subnet_v6: "{{ lookup('env', 'SERVICE_SUBNET_V6') }}" diff --git a/config_example.sh b/config_example.sh index 6297d8857..00542b637 100755 --- a/config_example.sh +++ b/config_example.sh @@ -705,6 +705,16 @@ set -x # "virthost.ostest.test.metalkube.org:LOCAL_REGISTRY_PORT=": { "auth": "" }, #export DOCKER_CONFIG_FILE=$HOME/.docker/config.json +# REGISTRY_INSECURE - +# When set to true, configures the mirrored registry backend to not require +# certificate validation. This skips adding certificates to the system trust store, +# omits additionalTrustBundle from install-config.yaml, and adds insecure=true +# to all registry mirror configurations. +# Note: The registry backend still uses HTTPS with self-signed certificates, +# but clients will skip certificate verification. +# Default: false +#export REGISTRY_INSECURE=true + # MIRROR_OLM - # Comma-separated list of OLM operators to mirror into the local registry. This # has no effect if MIRROR_IMAGES is false. This will not work for releases that diff --git a/oc_mirror.sh b/oc_mirror.sh index 89b766ca5..fe6efc3d3 100755 --- a/oc_mirror.sh +++ b/oc_mirror.sh 
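Review bot: The new REGISTRY_INSECURE description says the mode "skips adding certificates to the system trust store", but oc_mirror.sh in this commit still copies the registry CA into `/etc/pki/ca-trust/source/anchors/` and runs `update-ca-trust` around the oc-mirror publish step, and both oc-mirror invocations now pass `--ignore-release-signature`. A user deciding whether to enable the flag should see both effects; suggest adding `# Note: oc_mirror.sh temporarily adds the CA to the system trust store for oc-mirror v2,` and `# and release signature verification is skipped when mirroring.` to the comment block.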
@@ -72,7 +72,7 @@ function mirror_to_file() { config=${1} pushd ${WORKING_DIR} - oc-mirror --v2 --config ${config} file://${WORKING_DIR} + oc-mirror --v2 --config ${config} file://${WORKING_DIR} --ignore-release-signature popd } @@ -80,10 +80,43 @@ function publish_image() { config=${1} + # Workaround: oc-mirror v2 doesn't respect registries.conf insecure setting + # Temporarily add cert to system trust store for oc-mirror, then remove it + cert_temporarily_added=false + if [[ ! -z "${REGISTRY_INSECURE}" && "${REGISTRY_INSECURE,,}" == "true" ]]; then + echo "WORKAROUND: Temporarily adding certificate to system trust for oc-mirror v2" + + if [[ "${REGISTRY_BACKEND}" = "podman" ]]; then + if [[ -f "${REGISTRY_DIR}/certs/${REGISTRY_CRT}" ]]; then + sudo cp ${REGISTRY_DIR}/certs/${REGISTRY_CRT} /etc/pki/ca-trust/source/anchors/ + sudo update-ca-trust + cert_temporarily_added=true + fi + else + # quay backend + if [[ -f "${WORKING_DIR}/quay-install/quay-rootCA/rootCA.pem" ]]; then + sudo cp ${WORKING_DIR}/quay-install/quay-rootCA/rootCA.pem /etc/pki/ca-trust/source/anchors/ + sudo update-ca-trust + cert_temporarily_added=true + fi + fi + fi + pushd ${WORKING_DIR} - oc-mirror --v2 --config ${config} --from file://${WORKING_DIR} docker://${LOCAL_REGISTRY_DNS_NAME}:${LOCAL_REGISTRY_PORT} + oc-mirror --v2 --config ${config} --from file://${WORKING_DIR} docker://${LOCAL_REGISTRY_DNS_NAME}:${LOCAL_REGISTRY_PORT} --ignore-release-signature popd + # Remove the temporarily added certificate + if [[ "${cert_temporarily_added}" == "true" ]]; then + echo "WORKAROUND: Removing temporarily added certificate from system trust" + if [[ "${REGISTRY_BACKEND}" = "podman" ]]; then + sudo rm -f /etc/pki/ca-trust/source/anchors/${REGISTRY_CRT} + else + sudo rm -f /etc/pki/ca-trust/source/anchors/rootCA.pem + fi + sudo update-ca-trust + fi + } # Set up a mirror using the 'oc mirror' command diff --git a/ocp_install_env.sh b/ocp_install_env.sh index 521ca000d..0bd06b5b2 100644 
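Review bot: `--ignore-release-signature` is appended unconditionally in mirror_to_file, and the same happens in publish_image in the next hunk, so release payload signature verification is disabled even when REGISTRY_INSECURE is unset and the rest of this commit leaves TLS verification on. If the flag is only needed for the insecure mirror flow, compute an `IGNORE_SIG_FLAG` with the same guard the commit uses for `INSECURE_FLAG` elsewhere and pass `${IGNORE_SIG_FLAG}` in place of the literal; if it is needed regardless, a comment on the line stating why signature checks are skipped is the minimum. mirror_to_file starts outside the hunk.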
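Review bot: The certificate copied into `/etc/pki/ca-trust/source/anchors/` is only removed when `oc-mirror` returns successfully: if the script runs under `set -e`, a failing publish exits before the removal block and leaves the registry CA in the host's system trust permanently, which is exactly what the insecure mode promises not to do. Capture the status with `rc=0`, `oc-mirror … || rc=$?`, run the removal unconditionally and finish with `return ${rc}`. The copy also overwrites any pre-existing anchor named `${REGISTRY_CRT}` or `rootCA.pem` and the cleanup then deletes it, so the workaround is only safe while no such anchor exists; that assumption deserves a comment next to the `WORKAROUND` echo. The unquoted `${REGISTRY_DIR}`/`${WORKING_DIR}` in the `sudo cp` lines should be quoted like the neighbouring `-f` tests.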
--- a/ocp_install_env.sh +++ b/ocp_install_env.sh @@ -30,7 +30,12 @@ function extract_command() { for attempt in $(seq 1 $MAX_RETRIES); do extract_dir=$(mktemp --tmpdir -d "installer--XXXXXXXXXX") - if oc adm release extract --registry-config "${PULL_SECRET_FILE}" --command="$cmd" --to "${extract_dir}" "${release_image}"; then + INSECURE_FLAG="" + if [[ ! -z "${REGISTRY_INSECURE}" && "${REGISTRY_INSECURE,,}" == "true" ]]; then + INSECURE_FLAG="--insecure" + fi + + if oc adm release extract --registry-config "${PULL_SECRET_FILE}" ${INSECURE_FLAG} --command="$cmd" --to "${extract_dir}" "${release_image}"; then echo "Successfully extracted $cmd" break fi diff --git a/release_info.sh b/release_info.sh index c25f20e38..a8f20fc90 100644 --- a/release_info.sh +++ b/release_info.sh @@ -6,7 +6,12 @@ function save_release_info() { release_image="$1" outdir="$2" - oc adm release info --registry-config "$PULL_SECRET_FILE" "$release_image" -o json > ${outdir}/release_info.json + INSECURE_FLAG="" + if [[ ! -z "${REGISTRY_INSECURE}" && "${REGISTRY_INSECURE,,}" == "true" ]]; then + INSECURE_FLAG="--insecure" + fi + + oc adm release info --registry-config "$PULL_SECRET_FILE" ${INSECURE_FLAG} "$release_image" -o json > ${outdir}/release_info.json } # Gives us e.g 4.7 because although OPENSHIFT_VERSION is set by users, diff --git a/utils.sh b/utils.sh index 5e4c4f75c..e5ecc8ba7 100755 --- a/utils.sh +++ b/utils.sh @@ -541,7 +541,13 @@ function setup_legacy_release_mirror { EXTRACT_DIR=$(mktemp --tmpdir -d "mirror-installer--XXXXXXXXXX") _tmpfiles="$_tmpfiles $EXTRACT_DIR" + INSECURE_FLAG="" + if [[ ! -z "${REGISTRY_INSECURE}" && "${REGISTRY_INSECURE,,}" == "true" ]]; then + INSECURE_FLAG="--insecure" + fi + oc adm release extract --registry-config "${PULL_SECRET_FILE}" \ + ${INSECURE_FLAG} \ --command=$installer --to "${EXTRACT_DIR}" \ "${LOCAL_REGISTRY_DNS_NAME}:${LOCAL_REGISTRY_PORT}/${LOCAL_IMAGE_URL_SUFFIX}:${OPENSHIFT_RELEASE_TAG}" 
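Review bot: `--insecure` is added to `oc adm release extract` whenever REGISTRY_INSECURE is true, but extract_command takes an arbitrary `release_image`; when that image lives on a public registry rather than `${LOCAL_REGISTRY_DNS_NAME}`, TLS verification is switched off for that registry as well. Consider passing the flag only when `[[ "${release_image}" == "${LOCAL_REGISTRY_DNS_NAME}:"* ]]`; the same applies to save_release_info in the release_info.sh hunk below, whereas the utils.sh hunk targets the local mirror explicitly and is fine. Independently, the `INSECURE_FLAG` computation sits inside the `for attempt` retry loop and is redone on every attempt; it can move above the loop, and `local INSECURE_FLAG` would stop it leaking into the caller's namespace. extract_command begins outside the hunk.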
@@ -611,8 +617,11 @@ EOF htpasswd -bBc ${REGISTRY_DIR}/auth/htpasswd ${REGISTRY_USER} ${REGISTRY_PASS} - sudo cp ${REGISTRY_DIR}/certs/${REGISTRY_CRT} /etc/pki/ca-trust/source/anchors/ - sudo update-ca-trust + # Add certificate to system trust store (skip if using insecure mode) + if [[ -z "${REGISTRY_INSECURE}" || "${REGISTRY_INSECURE,,}" == "false" ]]; then + sudo cp ${REGISTRY_DIR}/certs/${REGISTRY_CRT} /etc/pki/ca-trust/source/anchors/ + sudo update-ca-trust + fi reg_state=$(sudo podman inspect registry --format "{{.State.Status}}" || echo "error")