fix: Configure cluster nodes to accept insecure bastion registry

butler54 · butler54 · commit 44bd809ff384 · 2025-11-13T15:57:17.000+09:00
- Change oc-mirror flag from --dest-skip-tls to --dest-tls-verify=false (correct v2 syntax)
- Add MachineConfig manifests to configure insecure registry on all cluster nodes
- Update deploy-cluster.sh to copy MachineConfig before generating ignition
- Add imageContentSources to install-config for bastion registry
- Ensures cluster nodes can pull images from HTTP registry at 10.0.1.4:5000
diff --git a/rhdp-isolated/bastion/deploy-cluster.sh b/rhdp-isolated/bastion/deploy-cluster.sh
@@ -129,6 +129,16 @@ fi
 cp openshift-install-upi/install-config.yaml openshift-install-upi/install-config.yaml.backup
 log_success "Install config generated"
 
+# Copy insecure registry MachineConfig to manifests
+log_info "Adding insecure registry configuration for cluster nodes..."
+mkdir -p openshift-install-upi/openshift
+if [ -f rhdp-isolated/bastion/manifests/99-insecure-registry.yaml ]; then
+    cp rhdp-isolated/bastion/manifests/99-insecure-registry.yaml openshift-install-upi/openshift/
+    log_success "Insecure registry MachineConfig added"
+else
+    log_warn "Insecure registry manifest not found, cluster may have issues pulling from HTTP registry"
+fi
+
 # ============================================================================
 # STEP 3: Generate Ignition Configs
 # ============================================================================
diff --git a/rhdp-isolated/bastion/install-config.yaml.j2 b/rhdp-isolated/bastion/install-config.yaml.j2
@@ -48,4 +48,8 @@ pullSecret: '{{ pull_secret }}'
 sshKey: '{{ ssh_key }}'
 imageDigestSources:
 {{ image_digest_sources | indent(2, True) }}
+imageContentSources:
+- mirrors:
+  - 10.0.1.4:5000
+  source: 10.0.1.4:5000
 
diff --git a/rhdp-isolated/bastion/manifests/99-insecure-registry.yaml b/rhdp-isolated/bastion/manifests/99-insecure-registry.yaml
@@ -0,0 +1,36 @@
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+  labels:
+    machineconfiguration.openshift.io/role: master
+  name: 99-master-insecure-registry
+spec:
+  config:
+    ignition:
+      version: 3.2.0
+    storage:
+      files:
+      - contents:
+          source: data:text/plain;charset=utf-8;base64,W1tyZWdpc3RyeV1dCmxvY2F0aW9uID0gIjEwLjAuMS40OjUwMDAiCmluc2VjdXJlID0gdHJ1ZQo=
+        mode: 0644
+        overwrite: true
+        path: /etc/containers/registries.conf.d/99-bastion-registry.conf
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+  labels:
+    machineconfiguration.openshift.io/role: worker
+  name: 99-worker-insecure-registry
+spec:
+  config:
+    ignition:
+      version: 3.2.0
+    storage:
+      files:
+      - contents:
+          source: data:text/plain;charset=utf-8;base64,W1tyZWdpc3RyeV1dCmxvY2F0aW9uID0gIjEwLjAuMS40OjUwMDAiCmluc2VjdXJlID0gdHJ1ZQo=
+        mode: 0644
+        overwrite: true
+        path: /etc/containers/registries.conf.d/99-bastion-registry.conf
+
diff --git a/rhdp-isolated/bastion/mirror.sh b/rhdp-isolated/bastion/mirror.sh
@@ -141,14 +141,14 @@ log_info "oc-mirror will use auth from: ${MERGED_AUTH_FILE}"
 START_TIME=$(date +%s)
 
 log_info "Executing oc-mirror..."
-log_info "Command: oc-mirror --config=${MIRROR_WORKSPACE}/imageset-config.yaml --workspace file://${MIRROR_WORKSPACE} docker://${REGISTRY_URL} --v2 --dest-skip-tls"
+log_info "Command: oc-mirror --config=${MIRROR_WORKSPACE}/imageset-config.yaml --workspace file://${MIRROR_WORKSPACE} docker://${REGISTRY_URL} --v2 --dest-tls-verify=false"
 
 if oc-mirror \
     --config="${MIRROR_WORKSPACE}/imageset-config.yaml" \
     --workspace "file://${MIRROR_WORKSPACE}" \
     "docker://${REGISTRY_URL}" \
     --v2 \
-    --dest-skip-tls; then
+    --dest-tls-verify=false; then
     
     END_TIME=$(date +%s)
     DURATION=$((END_TIME - START_TIME))
