Buildah can use registry self-signed certificate

Signed-off-by: Martin Vala <[email protected]>

Author: mvalarh

README.md

@@ -53,6 +53,27 @@ tkn pipeline start operator-ci-pipeline \
   --showlog
 ```
 
+If using an kind cluster with registry, the CI pipeline can be triggered using the tkn CLI like so:
+> Warning: This mode is currently in development and it might not work yet.
+
+> Note: kind cluster with registry setup is documented [here](docs/kind-cluster.md#kind-cluster-setup)
+```bash
+tkn pipeline start operator-ci-pipeline \
+  --use-param-defaults \
+  --param git_repo_url=https://github.com/redhat-openshift-ecosystem/operator-pipelines-test.git \
+  --param git_branch=main \
+  --param bundle_path=operators/kogito-operator/1.6.0-ok \
+  --param env=prod \
+  --param gitInitImage=quay.io/operator_testing/pipelines-git-init-rhel8:latest \
+  --param builder_image=quay.io/operator_testing/buildah:latest \
+  --param registry=$(hostname):5000 \
+  --workspace name=pipeline,volumeClaimTemplateFile=templates/workspace-template.yml \
+  --workspace name=registry-cacert,config=registry-ca-cert
+  --showlog
+```
+
+
+
 To enable opening the PR and uploading the pipeline logs (visible to the certification project
 owner in Red Hat Connect), pass the following argument:
 

ansible/roles/install-kind-cluster/defaults/main.yml

@@ -9,6 +9,7 @@ kind_binary: kind
 kind_version: v0.12.0
 kind_kube_version: v1.23.4
 kind_cluster_name: "operator-test"
+kind_cluster_apiServerAddress: "127.0.0.1"
 kund_cluster_install_retries: 1
 kind_config_path: "{{ ikc_tmp_dir }}/kind_config.yaml"
 kind_config_map_registry_path: "{{ ikc_tmp_dir }}/kind_config_map_registry.yaml"
@@ -21,6 +22,9 @@ registry_name: kind-registry
 registry_port: 5000
 registry_ssl: false
 registry_cert_dir: "{{ op_work_dir }}/certs"
+registry_ca_cert_name: "registry-ca-cert"
+registry_ca_cert_namespace: "default"
+
 kubectl_binary: kubectl
 kubectl_version: v1.23.5
 oc_binary: oc

ansible/roles/install-kind-cluster/tasks/install.yml

@@ -9,6 +9,20 @@
         - clean
         - install
 
+    - name: "Create secret 'kubeconfig'"
+      kubernetes.core.k8s:
+        state: present
+        definition:
+          apiVersion: v1
+          kind: Secret
+          metadata:
+            name: "kubeconfig"
+            namespace: "default"
+          data:
+            kubeconfig: "{{ lookup('file', ansible_env.HOME + '/.kube/config') | b64encode }}"
+      tags:
+        - install
+
     - name: "Install registry"
       ansible.builtin.include_tasks:
         file: install_registry.yml

ansible/roles/install-kind-cluster/tasks/install_registry.yml

@@ -90,5 +90,17 @@
       kubernetes.core.k8s:
         state: present
         src: "{{ kind_config_map_registry_path }}"
+
+    - name: "Create configMap '{{ registry_ca_cert_name }}' in namespace '{{ registry_ca_cert_namespace }}' from file '{{ registry_cert_dir }}/domain.crt'"
+      kubernetes.core.k8s:
+        state: present
+        definition:
+          apiVersion: v1
+          kind: ConfigMap
+          metadata:
+            name: "{{ registry_ca_cert_name }}"
+            namespace: "{{ registry_ca_cert_namespace }}"
+          data:
+            registry-ca.crt: "{{ lookup('file', registry_cert_dir + '/domain.crt') }}"
   tags:
     - install

ansible/roles/install-kind-cluster/templates/kind_config.yaml.j2

@@ -1,5 +1,10 @@
 kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
+networking:
+  # WARNING: It is _strongly_ recommended that you keep this the default
+  # (127.0.0.1) for security reasons. However it is possible to change this.
+  apiServerAddress: "{{ kind_cluster_apiServerAddress }}"
+  apiServerPort: 6443
 {% if registry_enable|bool == true %}
 containerdConfigPatches:
 - |-

ansible/roles/operator-pipeline/templates/openshift/pipelines/operator-ci-pipeline.yml

@@ -27,6 +27,9 @@ spec:
       default: "registry.redhat.io/rhel8/buildah@sha256:a1e5cc0fb334e333e5eab69689223e8bd1f0c060810d260603b26cf8c0da2023"
     - name: registry
       default: image-registry.openshift-image-registry.svc:5000
+    - name: podman_image
+      description: Podman image
+      default: "registry.redhat.io/rhel8/podman:8.5-13"
     - name: env
       description: Which environment to run in. Can be one of [dev, qa, stage, prod]
       default: "prod"
@@ -72,6 +75,8 @@ spec:
       optional: true
     - name: registry-credentials
       optional: true
+    - name: registry-cacert
+      optional: true
   tasks:
     - name: set-env
       taskRef:
@@ -313,6 +318,8 @@ spec:
           subPath: src
         - name: credentials
           workspace: registry-credentials
+        - name: cacert
+          workspace: registry-cacert
 
     # Index image contains a record of bundle images from which
     # manifests could be extract in order to install an operator.
@@ -327,6 +334,8 @@ spec:
           value: "$(params.pipeline_image)"
         - name: bundle_image
           value: *bundleImage
+        - name: podman_image
+          value: "$(params.podman_image)"
         - name: from_index
           value: "$(tasks.get-supported-versions.results.max_supported_index)"
       workspaces:

ansible/roles/operator-pipeline/templates/openshift/tasks/buildah.yml

@@ -28,7 +28,8 @@ spec:
       name: CONTEXT
       type: string
     - default: "true"
-      description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS
+      description: >-
+        Verify the TLS on the registry endpoint (for push/pull to a non-TLS
         registry)
       name: TLSVERIFY
       type: string
@@ -88,6 +89,10 @@ spec:
           EXTRA_ARGS+=" --authfile $(workspaces.credentials.path)/.dockerconfigjson"
         fi
 
+        if [[ "$(workspaces.cacert.bound)" == "true" ]]; then
+          export SSL_CERT_FILE=$(workspaces.cacert.path)/registry-ca.crt
+        fi
+
         echo "Pushing $(params.IMAGE)"
         buildah --storage-driver=$(params.STORAGE_DRIVER) push \
           $(params.PUSH_EXTRA_ARGS) $EXTRA_ARGS --tls-verify=$(params.TLSVERIFY) \
@@ -115,3 +120,5 @@ spec:
     - name: source
     - name: credentials
       optional: true
+    - name: cacert
+      optional: true