pkg/oc/cli/admin/release: Add --insecure

[wking]

Matching oc image mirror --insecure. This lets callers avoid:

$ podman run -d -p 5000:5000 --name registry docker.io/library/registry
$ oc adm release mirror --from=registry.svc.ci.openshift.org/openshift/origin-release:v4.0 --to localhost:5000/openshift-v4.0
info: Mirroring 79 images to localhost:5000/openshift-v4.0 ...

error: unable to connect to localhost:5000/openshift-v4.0: Get https://localhost:5000/v2/: http: server gave HTTP response to HTTPS client
...
error: unable to connect to localhost:5000/openshift-v4.0: Get https://localhost:5000/v2/: http: server gave HTTP response to HTTPS client
error: an error occurred during planning

when the local registry only speaks HTTP.

Ideally we could turn this off only for pushes, allowing us to pull from a remote registry over HTTPS but push to the local registry over HTTP. But oc image mirror doesn't seem to support that level of granularity. And even though the coarse --insecure allows access over HTTP, we should still be using HTTPS where possible, so the risk of leaking secrets from a properly-configured registry is small. Although maybe there are increased man-in-the-middle risks? I'm not entirely clear on whether --insecure weakens our "acceptable" HTTPS quality as well (like curl --insecure), or if it's just limited to the documented "allow HTTPS too".

CC @smarterclayton.

[wking]

On the other hand, this may not be much use unless we can talk the cluster into pulling over HTTP. Launching a cluster based on an image mirrored to an insecure registry is giving me errors like:

[core@wking-bootstrap ~]$ journalctl -f
...
Oct 16 05:26:40 wking-bootstrap bootkube.sh[1350]: Trying to pull 192.168.122.1:5000/openshift-v4.0:release...Failed
Oct 16 05:26:40 wking-bootstrap bootkube.sh[1350]: unable to pull 192.168.122.1:5000/openshift-v4.0:release: unable to pull image: Error determining manifest MIME type for docker://192.168.122.1:5000/openshift-v4.0:release: pinging docker registry returned: Get https://192.168.122.1:5000/v2/: http: server gave HTTP response to HTTPS client
...

[wking]

On the other hand, this may not be much use unless we can talk the cluster into pulling over HTTP.

CRI-O's docs have:

Enabling --insecure-registry is useful when running a local registry. However, because its use creates security vulnerabilities, it should ONLY be enabled for testing purposes. For increased security, users should add their CA to their system's list of trusted CAs instead of using --insecure-registry.

So while this PR may be useful for consistency with oc image mirror, it's probably not very useful for the local-registry case. I've opened a very-WIP openshift/installer#472 as part of supporting a local registry with a self-signed cert.

[smarterclayton]

The intention is that all "docker registry" modifier security related flags would be on all oc image and all relevant oc adm release commands.

[smarterclayton]

You need to run hack/update-generated-completions.sh

[wking]

You need to run hack/update-generated-completions.sh

Done with 2bb9c08 -> 7524633.

[wking]

Unit (and basically everyone I checked) died with:

E1016 20:44:24.147738      11 event.go:209] Unable to write event: 'Post https://172.30.0.1:443/api/v1/namespaces/ci-op-n4ibmm3g/events: dial tcp 172.30.0.1:443: connect: connection refused' (may retry after sleeping)
2018/10/16 20:44:25 Ran for 3m23s
error: could not run steps: could not wait for build: could not list builds: Get https://172.30.0.1:443/apis/build.openshift.io/v1/namespaces/ci-op-n4ibmm3g/builds?fieldSelector=metadata.name%3Dsrc: dial tcp 172.30.0.1:443: connect: connection refused

Looking at the unit history, I'm just very unlucky ;).

/retest

[wking]

/retest

[wking]

/retest

[flaper87]

@wking can we do this for the new subcommand too? When creating a new release, the command fails to talk to a registry that has a self-signed certificate.

[wking]

can we do this for the new subcommand too?

Done (and rebased onto master) with 7524633 -> 4fd4121.

[flaper87]

/lgtm

[flaper87]

/approve

[soltysh]

/approve

[flaper87]

/test ci/prow/cmd

[flaper87]

/retest

[flaper87]

I don't know why the ci/prow/cmd job is stuck

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[soltysh]

I don't know why the ci/prow/cmd job is stuck

Stuff has changed in the mean time, re-testing should solve the problem 😉

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[flaper87]

The oc adm release new --insecure works when pushing new images but it fails when I try to overwrite some of the images in the release:

This command fails with: Unable to connect to the server: x509: certificate signed by unknown authority

oc adm release new --insecure -n openshift machine-config-operator=10.1.8.88:8787/openshift/machine-config-operator:latest --from-image-stream=origin-v4.0 --to-image=10.1.8.88:8787/shiftstack/origin-release:v4.0

Whereas this one works:

oc adm release new --insecure -n openshift --from-image-stream=origin-v4.0 --to-image=10.1.8.88:8787/shiftstack/origin-release:v4.0

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[flaper87]

I found the issue. We should pass the Insecure flag to the extract options too. It should be enough to add opts.Insecure = o.Insecure to https://github.com/openshift/origin/pull/21266/files#diff-e7e7595e7ee6718351c88cf2e07449acR639

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[wking]

/hold

[cgwalters]

I didn't know this PR existed and started on it in openshift/machine-config-operator#496 (comment) too

One higher level question though; how hard/hacky would it be to use the cluster CA from the active KUBECONFIG?

[openshift-ci-robot]

New changes are detected. LGTM label has been removed.

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: soltysh, wking

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• contrib/completions/OWNERS [soltysh]
• pkg/oc/OWNERS [soltysh]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[wking]

One higher level question though; how hard/hacky would it be to use the cluster CA from the active KUBECONFIG?

For the registry access? I'd have expected that was already happening for registries that belong to the cluster (e.g. via this). Is it not?

I've pushed 4fd4121 -> 1607ad7, rebasing onto master and addressing (I think) @flaper87's ExtractOptions.Insecure suggestion.

[cgwalters]

I still need this PR for openshift/machine-config-operator#496

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[openshift-bot]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

[flaper87]

/unassign @flaper87

[openshift-bot]

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

[openshift-ci-robot]

@openshift-bot: Closed this PR.

Details

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.