[WIP] AGENT-1375: Configure local registry to run without TLS certificates
Removed TLS certificate generation and configuration from the local registry setup.
Changes:
- Remove certificate generation from setup-local-registry.sh and setup-local-registry-upgrade.sh scripts
- Remove TLS certificate environment variables and volume mounts from start-local-registry.service and [email protected]
- Configure registry containers to listen on HTTP (port 5000)
- Mark registry mirrors as insecure in registries.conf to allow HTTP connections from container runtimes
- Preserve DNS configuration for registry.appliance.openshift.com
This change requires clients to use HTTP instead of HTTPS when connecting to the appliance's local registry. The registries.conf file now includes 'insecure = true' for all registry mirrors to ensure podman/skopeo/CRI-O accept HTTP connections.
🤖 Generated with Claude Code
Assisted-by: Claude [email protected]
@rwsu: This pull request references AGENT-1375 which is a valid jira issue.
Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.21.0" version, but no target version was set.
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: rwsu.
Once this PR has been reviewed and has the lgtm label, please assign danielerez for approval. For more information see the Code Review Process.
@rwsu: all tests passed!
/hold
Just to avoid getting merged until the approach is verified via https://github.com/openshift/assisted-service/pull/8455
Closing. The updated plan is to use TLS certificates.