Description of problem: Whenever we update docker registry the DC that gets deployed changes all HTTPS to HTTP and removes any TLS and secrets references Version-Release number of selected component (if applicable): This commit in 1.5 added a new function "get_hosted_registry_insecure()" : https://github.com/openshift/openshift-ansible/commit/33da79e7389a3fceeaf735663fd8051a0a2fe057#diff-8c83287a125220bc46f58c79f26c6670R1140 This function looks at the /etc/sysconfig/docker file and inspects the OPTIONS looking for any --insecure-registry entry. If an entry is found it sets hosted_registry_insecure=true. When that variable is set to true the registry playbook will configure the internal registry to be HTTP and not HTTPS. This occurs even if the registry is already set up as HTTPS. This logic is flawed as that --insecure-registry entry maybe for another Docker registry within the corporation. Additional info: https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_facts/library/openshift_facts.py#L1197-L1213 This as a very minor bug as it will set "hosted_registry_insecure = True" if insecure-registries is seen in the OPTIONS variable. However it should be noted, we have switched to configuring the registries in the following file: /etc/containers/registries.conf To work around the issue the following in the hosts file before upgrades.
Switching to the Upgrade component. This isn't something the registry console can effect.
Reviewing the current code we no longer do the parsing of /etc/sysconfig/docker to set this value in the 3.9 code base so this should no longer happen.
Verified openshift-ansible-3.9.15-1.git.0.4858ebc.el7.noarch upgrade an openshift cluster from 3.7 to 3.9 with inventory option "hosted_registry_insecure = True", the secured integrated registry still be secured, does not remove any TLS and secrets references.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:1566