Skip to content

AGENT-1375: Configure local registry to run without TLS certificates #616

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
rwsu wants to merge 2 commits into from
Closed

AGENT-1375: Configure local registry to run without TLS certificates #616

rwsu wants to merge 2 commits into from

Conversation

@rwsu
Copy link

@rwsu rwsu commented Nov 20, 2025

Removed TLS certificate generation and configuration from the local registry setup.

Changes:

  • Remove certificate generation from setup-local-registry.sh and setup-local-registry-upgrade.sh scripts
  • Remove TLS certificate environment variables and volume mounts from start-local-registry.service and [email protected]
  • Configure registry containers to listen on HTTP (port 5000)
  • Mark registry mirrors as insecure in registries.conf to allow HTTP connections from container runtimes
  • Preserve DNS configuration for registry.appliance.openshift.com

This change requires clients to use HTTP instead of HTTPS when connecting to the appliance's local registry. The registries.conf file now includes 'insecure = true' for all registry mirrors to ensure podman/skopeo/CRI-O accept HTTP connections.

🤖 Generated with Claude Code

Assisted-by: Claude [email protected]

@rwsu
AGENT-1375: Configure local registry to run without TLS certificates
47fcdb6 
Removed TLS certificate generation and configuration from the local
registry setup.

Changes:
- Remove certificate generation from setup-local-registry.sh and
  setup-local-registry-upgrade.sh scripts
- Remove TLS certificate environment variables and volume mounts from
  start-local-registry.service and [email protected]
- Configure registry containers to listen on HTTP (port 5000)
- Mark registry mirrors as insecure in registries.conf to allow HTTP
  connections from container runtimes
- Preserve DNS configuration for registry.appliance.openshift.com

This change requires clients to use HTTP instead of HTTPS when
connecting to the appliance's local registry. The registries.conf
file now includes 'insecure = true' for all registry mirrors to
ensure podman/skopeo/CRI-O accept HTTP connections.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Assisted-by: Claude <[email protected]>
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Nov 20, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented Nov 20, 2025
edited by openshift-ci bot
Loading

@rwsu: This pull request references AGENT-1375 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.21.0" version, but no target version was set.

In response to this:

Removed TLS certificate generation and configuration from the local registry setup.

Changes:

  • Remove certificate generation from setup-local-registry.sh and setup-local-registry-upgrade.sh scripts
  • Remove TLS certificate environment variables and volume mounts from start-local-registry.service and [email protected]
  • Configure registry containers to listen on HTTP (port 5000)
  • Mark registry mirrors as insecure in registries.conf to allow HTTP connections from container runtimes
  • Preserve DNS configuration for registry.appliance.openshift.com

This change requires clients to use HTTP instead of HTTPS when connecting to the appliance's local registry. The registries.conf file now includes 'insecure = true' for all registry mirrors to ensure podman/skopeo/CRI-O accept HTTP connections.

🤖 Generated with Claude Code

Assisted-by: Claude [email protected]

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 20, 2025
@openshift-ci openshift-ci bot requested review from jhernand and oourfali November 20, 2025 04:08
@openshift-ci
Copy link

openshift-ci bot commented Nov 20, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rwsu
Once this PR has been reviewed and has the lgtm label, please assign danielerez for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@rwsu
Update registry tests to expect insecure flag
4b72ac0 
Update test expectations to include 'insecure = true' in the
registries.conf output, reflecting the changes made to configure
the local registry to run without TLS certificates.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Assisted-by: Claude <[email protected]>
@rwsu rwsu changed the title [WIP] AGENT-1375: Configure local registry to run without TLS certificates AGENT-1375: Configure local registry to run without TLS certificates Dec 2, 2025
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 2, 2025
@openshift-ci
Copy link

openshift-ci bot commented Dec 2, 2025

@rwsu: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@andfasano
Copy link
Contributor

andfasano commented Dec 3, 2025

/hold

just to avoid getting merged until the approach will be verified via openshift/assisted-service#8455

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 3, 2025
@rwsu
Copy link
Author

rwsu commented Dec 4, 2025

Closing. The updated plan is to use TLS certificates.

@rwsu rwsu closed this Dec 4, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jhernand jhernand Awaiting requested review from jhernand

@oourfali oourfali Awaiting requested review from oourfali

Assignees

No one assigned

Labels

do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@rwsu @openshift-ci-robot @andfasano