Adding RegistryTLS to the MIC image spec

api/v1beta1/moduleimagesconfig_types.go

@@ -49,6 +49,10 @@ type ModuleImageSpec struct {
 	// Sign contains sign instructions, in case image needs signing
 	// +optional
 	Sign *Sign `json:"sign,omitempty"`
+
+	// +optional
+	// RegistryTLS set the TLS configs for accessing the registry of the image.
+	RegistryTLS *TLSOptions `json:"registryTLS,omitempty"`
 }
 
 // ModuleImagesConfigSpec describes the images of the Module whose status needs to be verified

config/crd/bases/kmm.sigs.x-k8s.io_modulebuildsignconfigs.yaml

@@ -164,6 +164,19 @@ spec:
                     kernelVersion:
                       description: kernel version for which this image is targeted
                       type: string
+                    registryTLS:
+                      description: RegistryTLS set the TLS configs for accessing the
+                        registry of the image.
+                      properties:
+                        insecure:
+                          description: If Insecure is true, the operator will be able
+                            to access a registry in an insecure (plain HTTP) protocol.
+                          type: boolean
+                        insecureSkipTLSVerify:
+                          description: If InsecureSkipTLSVerify, the operator will
+                            accept any certificate provided by the registry.
+                          type: boolean
+                      type: object
                     sign:
                       description: Sign contains sign instructions, in case image
                         needs signing

config/crd/bases/kmm.sigs.x-k8s.io_moduleimagesconfigs.yaml

@@ -159,6 +159,19 @@ spec:
                     kernelVersion:
                       description: kernel version for which this image is targeted
                       type: string
+                    registryTLS:
+                      description: RegistryTLS set the TLS configs for accessing the
+                        registry of the image.
+                      properties:
+                        insecure:
+                          description: If Insecure is true, the operator will be able
+                            to access a registry in an insecure (plain HTTP) protocol.
+                          type: boolean
+                        insecureSkipTLSVerify:
+                          description: If InsecureSkipTLSVerify, the operator will
+                            accept any certificate provided by the registry.
+                          type: boolean
+                      type: object
                     sign:
                       description: Sign contains sign instructions, in case image
                         needs signing

internal/controllers/module_reconciler.go

@@ -353,6 +353,7 @@ func (mrh *moduleReconcilerHelper) handleMIC(ctx context.Context, mod *kmmv1beta
 			KernelVersion: mld.KernelVersion,
 			Build:         mld.Build,
 			Sign:          mld.Sign,
+			RegistryTLS:   mld.RegistryTLS,
 		}
 		images = append(images, mis)
 	}

internal/controllers/module_reconciler_test.go

@@ -475,12 +475,14 @@ var _ = Describe("handleMIC", func() {
 			Build:          &kmmv1beta1.Build{},
 			Sign:           &kmmv1beta1.Sign{},
 			KernelVersion:  "some version",
+			RegistryTLS:    &kmmv1beta1.TLSOptions{},
 		}
 		expectedSpec := kmmv1beta1.ModuleImageSpec{
 			Image:         img,
 			KernelVersion: "some version",
 			Build:         mld.Build,
 			Sign:          mld.Sign,
+			RegistryTLS:   mld.RegistryTLS,
 		}
 		mockKernelMapper.EXPECT().GetModuleLoaderDataForKernel(mod, gomock.Any()).Return(mld, nil)
 		mockMICAPI.EXPECT().CreateOrPatch(ctx, mod.Name, mod.Namespace, []kmmv1beta1.ModuleImageSpec{expectedSpec}, mod.Spec.ImageRepoSecret, mod).Return(nil)