Bug 1664423

Summary: TLS Configuration for Undercloud should make docker-distribution (registry) serve its registry over HTTPS
Product: Red Hat OpenStack
Reporter: Nathan Kinder <nkinder>
Component: python-tripleoclient
Assignee: RHOS Maint <rhos-maint>
Status: CLOSED EOL
QA Contact: Gurenko Alex <agurenko>
Severity: high
Priority: high
Version: 14.0 (Rocky)
CC: hbrock, hrybacki, jslagle, mburns, rmascena
Keywords: Triaged, ZStream
Clone Of: 1547826
: 1664424
Last Closed: 2020-08-06 16:28:20 UTC
Bug Depends On: 1547826    
Bug Blocks: 1664424    

Description Nathan Kinder 2019-01-08 17:59:40 UTC
+++ This bug was initially created as a clone of Bug #1547826 +++

Description of problem:
If I configure OSP12 for TLS, or TLS everywhere, docker-distribution serves the docker registry over an unencrypted port by default on the provisioning network.  This network is (mostly) routable in production instances.

Version-Release number of selected component (if applicable):
python-tripleoclient-7.3.3-7.el7ost.noarch

How reproducible:
100%

Steps to Reproduce:
1. Deploy OSP12 with TLS enabled, or do TLS everywhere config and add TLS after deployment
2. Create a local container registry
3. The registry is served on a (usually) routable network over HTTP

Actual results:
registry is served over https

Expected results:
encrypted registry as there is transit across wires between nodes on encrypted protocol

Additional info:
Adding these lines to /etc/docker-distribution/registry would fix the issue (assuming your ssl cert is in /etc/pki/instack-certs/undercloud.pem):
---
    tls:
        certificate: /etc/pki/instack-certs/undercloud.pem
        key: /etc/pki/instack-certs/undercloud.pem
---
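
One way to check a registry config for the TLS block proposed above, as an added example that is not part of the original report or of TripleO. It assumes the tls block sits under the http: section, as in the Distribution registry configuration layout. The sample configs and the addr value are constructed, and the parser handles only nested "key: value" mappings.

```python
# Added example: checks a docker-distribution config for an http.tls block.
# Assumption: the config uses only nested "key: value" mappings; this is a
# minimal indentation parser for that subset, not a general YAML parser.

def parse_mappings(text):
    """Parse indentation-nested 'key: value' lines into nested dicts."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open nesting level
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key.strip()] = value.strip()
        else:
            parent[key.strip()] = child = {}
            stack.append((indent, child))
    return root

def audit_registry_tls(config_text):
    """Return a list of findings; an empty list means http.tls is configured."""
    http = parse_mappings(config_text).get("http")
    if not isinstance(http, dict):
        return ["no http section found"]
    tls = http.get("tls")
    if not isinstance(tls, dict):
        addr = http.get("addr", "(unset)")
        return [f"http.tls missing: registry on {addr} is served over plain HTTP"]
    return [f"http.tls.{field} is not set"
            for field in ("certificate", "key") if not tls.get(field)]

# Constructed sample config (not taken from a real undercloud).
BEFORE = ("version: 0.1\n"
          "storage:\n    filesystem:\n        rootdirectory: /var/lib/registry\n"
          "http:\n    addr: :8787\n")
# The same config with the lines from the report added under http:.
AFTER = BEFORE + ("    tls:\n"
                  "        certificate: /etc/pki/instack-certs/undercloud.pem\n"
                  "        key: /etc/pki/instack-certs/undercloud.pem\n")

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_registry_tls(cfg) or "TLS configured")
```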