Bug 1502028 - Updating Docker registry reverts HTTPS/TLS to HTTP
Summary: Updating Docker registry reverts HTTPS/TLS to HTTP
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cluster Version Operator
Version: 3.6.0
Hardware: All
OS: All
Priority: low
Severity: low
Target Milestone: ---
Target Release: 3.9.z
Assignee: Scott Dodson
QA Contact: Dongbo Yan
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-10-13 18:45 UTC by Josh Foots
Modified: 2021-01-18 05:24 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previous releases of OCP would improperly reconfigure docker to mark the internal registry as insecure when it shouldn't have. This has been fixed in OCP 3.9 and should no longer happen.
Clone Of:
Environment:
Last Closed: 2018-05-17 06:42:42 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:1566 0 None None None 2018-05-17 06:43:24 UTC

Description Josh Foots 2017-10-13 18:45:03 UTC
Description of problem:

Whenever we update docker registry the DC that gets deployed changes all HTTPS to HTTP and removes any TLS and secrets references

Version-Release number of selected component (if applicable):


This commit in 1.5 added a new function "get_hosted_registry_insecure()" : https://github.com/openshift/openshift-ansible/commit/33da79e7389a3fceeaf735663fd8051a0a2fe057#diff-8c83287a125220bc46f58c79f26c6670R1140

This function looks at the /etc/sysconfig/docker file and inspects the OPTIONS looking for any --insecure-registry entry.  If an entry is found it sets hosted_registry_insecure=true.  When that variable is set to true the registry playbook will configure the internal registry to be HTTP and not HTTPS.  This occurs even if the registry is already set up as HTTPS.  This logic is flawed as that --insecure-registry entry may be for another Docker registry within the corporation.




Additional info:

https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_facts/library/openshift_facts.py#L1197-L1213

This is a very minor bug as it will set "hosted_registry_insecure = True" if insecure-registries is seen in the OPTIONS variable.

However it should be noted, we have switched to configuring the registries in the following file: 
  /etc/containers/registries.conf

To work around the issue the following in the hosts file before upgrades.

Comment 1 Peter 2017-10-14 19:35:38 UTC
Switching to the Upgrade component. This isn't something the registry console can affect.

Comment 2 Scott Dodson 2018-03-23 14:38:38 UTC
Reviewing the current code we no longer do the parsing of /etc/sysconfig/docker to set this value in the 3.9 code base so this should no longer happen.
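
The check described in the report, modelled beside a narrower one, as an added example (not code from openshift-ansible; per comment 2 the 3.9 code base dropped the parsing rather than narrowing it). The sample file contents, the registry hostname `docker-registry.default.svc` and the address `172.30.1.1` are assumptions made for illustration.

```python
import ipaddress
import re
import shlex

# Constructed sample of /etc/sysconfig/docker; the hostname is made up.
SAMPLE = """\
# /etc/sysconfig/docker
OPTIONS='--selinux-enabled --log-driver=journald --insecure-registry registry.corp.example.com:5000'
"""

def docker_options(text):
    """Return the tokens of the OPTIONS= value, or [] when the line is absent."""
    for line in text.splitlines():
        m = re.match(r"\s*OPTIONS=(.*)$", line)
        if m:
            # shlex removes the shell quoting that wraps the value
            return " ".join(shlex.split(m.group(1))).split()
    return []

def insecure_registries(tokens):
    """Collect --insecure-registry values in 'flag value' and 'flag=value' form."""
    found = []
    for i, tok in enumerate(tokens):
        if tok.startswith("--insecure-registry="):
            found.append(tok.split("=", 1)[1])
        elif tok == "--insecure-registry" and i + 1 < len(tokens):
            found.append(tokens[i + 1])
    return found

def any_entry_check(text):
    """Behaviour described in the report: any entry marks the hosted registry insecure."""
    return bool(insecure_registries(docker_options(text)))

def scoped_check(text, registry_host, registry_ip):
    """True only when an entry names the internal registry itself (IPv4 only)."""
    # Accepted forms: host, host:port, ip, ip:port, or a CIDR containing the IP.
    for entry in insecure_registries(docker_options(text)):
        if entry.split(":")[0] in (registry_host, registry_ip):
            return True
        try:
            if ipaddress.ip_address(registry_ip) in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            pass  # entry is a hostname, not an IP address or CIDR
    return False

if __name__ == "__main__":
    print(any_entry_check(SAMPLE))
    print(scoped_check(SAMPLE, "docker-registry.default.svc", "172.30.1.1"))
```

With the sample above, the any-entry check reports the hosted registry as insecure because of the unrelated corporate registry, while the scoped check does not.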

Comment 3 Dongbo Yan 2018-03-30 07:41:08 UTC
Verified
openshift-ansible-3.9.15-1.git.0.4858ebc.el7.noarch

Upgraded an OpenShift cluster from 3.7 to 3.9 with inventory option "hosted_registry_insecure = True"; the secured integrated registry is still secured and does not remove any TLS and secrets references.

Comment 7 errata-xmlrpc 2018-05-17 06:42:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1566

