@rabi rabi commented Jan 29, 2026

Mirror registries configured via IDMS/ICSP require TLS verification by default. For registries using private or self-signed CA certificates, dataplane nodes need access to these CA certificates to verify TLS connections when pulling container images.

Note: The presence of IDMS/ICSP doesn't necessarily mean the cluster is disconnected. Mirror registries may be configured for other reasons (performance, policy, etc.).

This change retrieves CA certificates from the ConfigMap referenced by image.config.openshift.io/cluster's additionalTrustedCA field (located in openshift-config namespace) and adds them to the combined-ca-bundle secret.

The existing bootstrap service copies this bundle to EDPM nodes and updates the system trust store, so no edpm-ansible changes are required.

Assisted-By: Claude
Signed-off-by: rabi [email protected]
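The merge step described in this PR, sketched as an added example (not code from this PR or from openstack-operator): ConfigMap data of the kind `additionalTrustedCA` points to is appended to an existing bundle, keeping only PEM blocks that parse as X.509 certificates and reporting keys that contributed none. `mergeRegistryCAs`, `sampleCA`, the hostnames and the certificates are hypothetical, constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"sort"
)

// mergeRegistryCAs appends the certificates in additionalTrustedCA-style ConfigMap
// data (key: registry host, value: PEM) to bundle and lists keys that held none.
func mergeRegistryCAs(bundle []byte, cmData map[string]string) (out []byte, rejected []string) {
	out = append(out, bundle...) // existing bundle is copied through unchanged
	keys := make([]string, 0, len(cmData))
	for k := range cmData {
		keys = append(keys, k)
	}
	sort.Strings(keys) // fixed order keeps the generated secret stable
	for _, k := range keys {
		n := 0
		for blk, rest := pem.Decode([]byte(cmData[k])); blk != nil; blk, rest = pem.Decode(rest) {
			if _, err := x509.ParseCertificate(blk.Bytes); blk.Type != "CERTIFICATE" || err != nil {
				continue // not a certificate, e.g. a private key pasted beside it
			}
			n++
			out = append(out, pem.EncodeToMemory(&pem.Block{Type: blk.Type, Bytes: blk.Bytes})...)
		}
		if n == 0 {
			rejected = append(rejected, k)
		}
	}
	return out, rejected
}

func sampleCA() []byte { // throwaway self-signed certificate (constructed input)
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	cm := map[string]string{"mirror.example.com..5000": string(sampleCA()), "bad.example.com": "junk"}
	out, rejected := mergeRegistryCAs(sampleCA(), cm) // constructed input
	fmt.Printf("%d bundle bytes, rejected %v\n", len(out), rejected)
}
```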

openshift-ci bot commented Jan 29, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rabi

@openshift-ci openshift-ci bot requested review from abays and rebtoor January 29, 2026 10:38
rabi added a commit to rabi/edpm-ansible that referenced this pull request Jan 29, 2026
When OCP is configured with mirror registries using private/self-signed
CA certificates, the openstack-operator now passes these certificates
via the edpm_podman_registry_ca_certs variable.

This enables dataplane nodes to verify TLS connections when pulling
container images from mirror registries that use private CAs.

Depends-On: openstack-k8s-operators/openstack-operator#1784

Assisted-By: Claude
Signed-off-by: rabi <[email protected]>
rabi commented Feb 1, 2026

/retest-required

@softwarefactory-project-zuul
Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/e1efe6387274461e8d7658e6a735920c

✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 48m 06s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 18m 42s
✔️ cifmw-crc-podified-edpm-baremetal SUCCESS in 1h 35m 09s
openstack-operator-tempest-multinode RETRY_LIMIT in 5m 55s

rabi commented Feb 2, 2026

recheck

@rabi rabi requested a review from stuggi February 2, 2026 03:19