Bug 1502028

Summary: Updating Docker registry reverts HTTPS/TLS to HTTP
Product: OpenShift Container Platform
Reporter: Josh Foots <jfoots>
Component: Cluster Version Operator
Assignee: Scott Dodson <sdodson>
Status: CLOSED ERRATA
QA Contact: Dongbo Yan <dyan>
Severity: low
Docs Contact:
Priority: low
Version: 3.6.0
CC: aos-bugs, jokerman, mmccomas, yinzhou
Target Milestone: ---
Target Release: 3.9.z
Hardware: All
OS: All
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previous releases of OCP would improperly reconfigure docker to mark the internal registry as insecure when it shouldn't have. This has been fixed in OCP 3.9 and should no longer happen.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-05-17 06:42:42 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Josh Foots 2017-10-13 18:45:03 UTC
Description of problem:

Whenever we update docker registry the DC that gets deployed changes all HTTPS to HTTP and removes any TLS and secrets references

Version-Release number of selected component (if applicable):


This commit in 1.5 added a new function "get_hosted_registry_insecure()" : https://github.com/openshift/openshift-ansible/commit/33da79e7389a3fceeaf735663fd8051a0a2fe057#diff-8c83287a125220bc46f58c79f26c6670R1140

This function looks at the /etc/sysconfig/docker file and inspects the OPTIONS looking for any --insecure-registry entry.  If an entry is found it sets hosted_registry_insecure=true.  When that variable is set to true the registry playbook will configure the internal registry to be HTTP and not HTTPS.  This occurs even if the registry is already set up as HTTPS.  This logic is flawed as that --insecure-registry entry may be for another Docker registry within the corporation.




Additional info:

https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_facts/library/openshift_facts.py#L1197-L1213

This is a very minor bug as it will set "hosted_registry_insecure = True" if insecure-registries is seen in the OPTIONS variable.

However it should be noted, we have switched to configuring the registries in the following file: 
  /etc/containers/registries.conf

To work around the issue the following in the hosts file before upgrades.

Comment 1 Peter 2017-10-14 19:35:38 UTC
Switching to the Upgrade component. This isn't something the registry console can affect.

Comment 2 Scott Dodson 2018-03-23 14:38:38 UTC
Reviewing the current code we no longer do the parsing of /etc/sysconfig/docker to set this value in the 3.9 code base so this should no longer happen.
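
The check described in this report, sketched next to a scoped alternative. This is an added example, not code from openshift-ansible or from anyone on this bug; the function names, the sample file contents, the hostname and the registry address 172.30.1.1:5000 are all constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample of /etc/sysconfig/docker: the only insecure registry
# listed is an unrelated corporate one (hypothetical hostname).
SAMPLE = (
    "# /etc/sysconfig/docker\n"
    "OPTIONS='--selinux-enabled --log-driver=journald "
    "--insecure-registry=legacy.corp.example:5000'\n"
)

def insecure_registries(sysconfig_text):
    """Return the value of every --insecure-registry flag found in OPTIONS."""
    found = []
    for line in sysconfig_text.splitlines():
        line = line.strip()
        if not line.startswith("OPTIONS="):
            continue
        # First split removes the shell quoting, second splits the flags.
        args = shlex.split(" ".join(shlex.split(line.split("=", 1)[1])))
        for i, arg in enumerate(args):
            if arg.startswith("--insecure-registry="):
                found.append(arg.split("=", 1)[1])
            elif arg == "--insecure-registry" and i + 1 < len(args):
                found.append(args[i + 1])
    return found

def any_insecure_flag(sysconfig_text):
    """Behaviour the report describes: any entry at all yields True."""
    return bool(insecure_registries(sysconfig_text))

def registry_is_insecure(sysconfig_text, registry_addr):
    """Scoped check: True only if an entry names this registry or covers its IP."""
    host = registry_addr.rsplit(":", 1)[0]
    for entry in insecure_registries(sysconfig_text):
        if entry in (registry_addr, host):
            return True
        try:
            # --insecure-registry also accepts CIDR ranges.
            if ipaddress.ip_address(host) in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # entry or host is a name, not an IP address or CIDR
    return False

if __name__ == "__main__":
    print(any_insecure_flag(SAMPLE), registry_is_insecure(SAMPLE, "172.30.1.1:5000"))
```

On the sample, the broad check reports True because of the unrelated corporate registry, while the scoped check reports False for the internal registry address.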

Comment 3 Dongbo Yan 2018-03-30 07:41:08 UTC
Verified
openshift-ansible-3.9.15-1.git.0.4858ebc.el7.noarch

Upgraded an OpenShift cluster from 3.7 to 3.9 with inventory option "hosted_registry_insecure = True"; the secured integrated registry is still secured and does not remove any TLS and secrets references.

Comment 7 errata-xmlrpc 2018-05-17 06:42:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1566