openshift / machine-config-operator

Apache License 2.0

Add `insecure` option to ImageContentSourcePolicy #2115

Closed rtsisyk closed 3 years ago

rtsisyk commented 3 years ago

ImageContentSourcePolicy is a nice abstraction to manipulate the contents of /etc/containers/registries.conf on OpenShift/OKD clusters.

Unfortunately, ImageContentSourcePolicy doesn't support so-called "insecure" HTTP registries. I can only specify mirrors and source, but not insecure. The original registries.conf has support for HTTP registries. See man 5 containers-registries.conf:

   Per-namespace settings
       insecure
              true  or false.  By default, container runtimes require TLS when retrieving images from a registry.  If
              insecure is set to true, unencrypted HTTP as well as TLS connections with  untrusted  certificates  are
              allowed.

Insecure registries are especially important when you bootstrap an OpenShift/OKD cluster on bare metal. Currently you need to set up your own CA, issue an HTTP certificate for your registries, and configure the installer to use your own CA. Too many operations. All these things can be done later.

My current workaround is to patch bootstrap.ign to overwrite the entire /etc/containers/registries.conf. I have a special Python script which patches bootstrap.ign to insert registries.conf in the appropriate place. My ignition files look like this:

variant: fcos
version: 1.0.0
storage:
  files:
    - path: /etc/containers/registries.conf
      overwrite: true
      contents:
        inline: |
          unqualified-search-registries = ["registry.local"]

          [[registry]]
          prefix = "registry.local"
          location = "registry.local"
          insecure = true

          [[registry]]
          prefix = "docker.io"
          location = "registry.local"
          insecure = true

          [[registry]]
          prefix = "quay.io"
          location = "registry.local"
          insecure = true

          [[registry]]
          prefix = "registry.connect.redhat.com"
          location = "registry.local"
          insecure = true

          [[registry]]
          prefix = "registry.redhat.io"
          location = "registry.local"
          insecure = true

          [[registry]]
          prefix = "quay.io/openshift/okd"
          location = "registry.local/openshift/okd"
          insecure = true

          [[registry]]
          prefix = "quay.io/openshift/okd-content"
          location = "registry.local/openshift/okd"
          insecure = true

Yes, I understand that HTTP is "not secure" and HTTPS is the preferred way. But let's add an option to use HTTP registries. I don't think that my current approach with Ignition hacking is better than an option in the ImageContentSourcePolicy object.

What do you think?

I'm available in #olm-dev Slack to discuss.
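
The following is an added example, not code from the issue author or from machine-config-operator. It audits a registries.conf like the one above and reports which image prefixes (and which unqualified-search registries) would be pulled through a mirror with `insecure = true`, i.e. over plain HTTP or to a TLS endpoint whose certificate is not verified. It understands only the subset of the TOML format used in the issue (top-level `key = value` lines, `[[registry]]` tables, strings, booleans and string arrays); the parser and the function names are this example's own, and the sample config is constructed from the issue's Butane file.

```python
"""Audit a containers-registries.conf for mirrors that disable TLS verification.

Added example: parses the subset of registries.conf used in the issue and
lists every prefix whose mirror is marked ``insecure = true``. Helper names
(parse_registries_conf, insecure_mirrors, insecure_search_registries) are
this example's own, not part of MCO or OpenShift.
"""
import re
from typing import Dict, List, Tuple

# Constructed input, derived from the issue's Butane file. The last table
# deliberately omits ``insecure`` so the audit shows it is not reported.
SAMPLE_CONF = """\
unqualified-search-registries = ["registry.local"]

[[registry]]
prefix = "registry.local"
location = "registry.local"
insecure = true

[[registry]]
prefix = "docker.io"
location = "registry.local"
insecure = true

[[registry]]
prefix = "quay.io/openshift/okd"
location = "registry.local/openshift/okd"
insecure = true

[[registry]]
prefix = "registry.redhat.io"
location = "mirror.example.com"
"""

_KV = re.compile(r'^\s*([A-Za-z0-9_-]+)\s*=\s*(.+?)\s*$')


def _parse_value(raw: str):
    """Decode a TOML boolean, quoted string or array of quoted strings."""
    raw = raw.strip()
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith("[") and raw.endswith("]"):
        return re.findall(r'"([^"]*)"', raw)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    raise ValueError(f"unsupported value: {raw!r}")


def parse_registries_conf(text: str) -> Tuple[Dict[str, object], List[Dict[str, object]]]:
    """Return (top-level settings, list of [[registry]] tables).

    Comments are stripped naively at the first '#', which is fine for the
    registry names this file contains.
    """
    top: Dict[str, object] = {}
    registries: List[Dict[str, object]] = []
    current = top
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.split("#", 1)[0].strip()
        if not stripped:
            continue
        if stripped == "[[registry]]":
            current = {}
            registries.append(current)
            continue
        m = _KV.match(stripped)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        current[m.group(1)] = _parse_value(m.group(2))
    return top, registries


def insecure_mirrors(text: str) -> List[Tuple[str, str]]:
    """(prefix, location) pairs whose pulls skip TLS or certificate checks.

    Per containers-registries.conf(5), a table without ``prefix`` matches
    on its ``location``, so that is used as the fallback.
    """
    _, registries = parse_registries_conf(text)
    return [(str(r.get("prefix", r.get("location"))), str(r.get("location")))
            for r in registries if r.get("insecure") is True]


def insecure_search_registries(text: str) -> List[str]:
    """Unqualified-search registries that resolve to an insecure table.

    A short image name such as ``foo`` becomes ``<search-registry>/foo`` and
    therefore matches the table whose prefix is that search registry.
    """
    top, registries = parse_registries_conf(text)
    insecure_prefixes = {str(r.get("prefix", r.get("location")))
                         for r in registries if r.get("insecure") is True}
    search = top.get("unqualified-search-registries", [])
    return [h for h in search if h in insecure_prefixes]


if __name__ == "__main__":
    for prefix, location in insecure_mirrors(SAMPLE_CONF):
        print(f"INSECURE mirror: {prefix} -> {location}")
    for host in insecure_search_registries(SAMPLE_CONF):
        print(f"INSECURE unqualified-search registry: {host}")
```

Run it against a rendered /etc/containers/registries.conf (or the inline contents of a Butane/Ignition file before applying it) to see, at a glance, which upstream names such as `docker.io` or `quay.io/openshift/okd` would be served by a mirror that does not require verified TLS; a clean file returns empty lists from both functions.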

rtsisyk commented 3 years ago

Any comments?

jds2001 commented 3 years ago

Just another end-user here trolling for an entirely different issue, but my $0.02. This is for a disconnected install at home.

My personal setup for this use case is to put the self signed cert of the registry into additionalTrustBundle in install-config.yaml. Takes almost no effort to do, certainly not setting up a CA, issuing certs, etc - just trust the cert that you already have that's self-signed.

kikisdeliveryservice commented 3 years ago

The MCO doesn't own this - it can be found here: https://github.com/openshift/api/blob/db52bc4ef99f768473a20eba33fca8bf1a4b314d/operator/v1alpha1/types_image_content_source_policy.go#L55

Closing this issue but please open discussion in https://github.com/openshift/api