From 2e2c96e394358a5cea5d14be21b9f774ec95d7d7 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Mon, 4 Oct 2021 12:05:09 +0200 Subject: [PATCH] Allow Docker to use insecure registry when deployed by Kayobe Kolla Ansible has recently updated the default Docker configuration to stop using an insecure registry [1]. To avoid breaking existing Kayobe deployments, automatically set docker_registry_insecure to true if we deploy a registry without TLS. [1] https://review.opendev.org/c/openstack/kolla-ansible/+/805449 Change-Id: Ifec7102812b5503cb02f207098192e99e7193d49 --- ansible/group_vars/all/kolla | 5 +++++ ansible/roles/kolla-ansible/defaults/main.yml | 5 +++++ .../kolla-ansible/templates/kolla/globals.yml | 3 +++ .../configuration/reference/kolla-ansible.rst | 4 ++++ etc/kayobe/kolla.yml | 5 +++++ .../docker-registry-insecure-b0f529b9eb85737e.yaml | 14 ++++++++++++++ 6 files changed, 36 insertions(+) create mode 100644 releasenotes/notes/docker-registry-insecure-b0f529b9eb85737e.yaml diff --git a/ansible/group_vars/all/kolla b/ansible/group_vars/all/kolla index 954dbabff..501b4b86e 100644 --- a/ansible/group_vars/all/kolla +++ b/ansible/group_vars/all/kolla @@ -65,6 +65,11 @@ kolla_docker_namespace: "openstack.kolla" # Url of docker registry to use for Kolla images. kolla_docker_registry: "{{ docker_registry }}" +# Whether docker should be configured to use an insecure registry for Kolla +# images. Default is false, unless docker_registry_enabled is true and +# docker_registry_enable_tls is false. +kolla_docker_registry_insecure: "{{ docker_registry_enabled | bool and not docker_registry_enable_tls | bool }}" + # Username to use to access a docker registry. kolla_docker_registry_username: diff --git a/ansible/roles/kolla-ansible/defaults/main.yml b/ansible/roles/kolla-ansible/defaults/main.yml index fb0667172..541571d37 100644 --- a/ansible/roles/kolla-ansible/defaults/main.yml +++ b/ansible/roles/kolla-ansible/defaults/main.yml 
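Review bot: The default for `kolla_docker_registry_insecure` in ansible/group_vars/all/kolla is derived only from `docker_registry_enabled` and `docker_registry_enable_tls`; it never checks that `kolla_docker_registry` still points at the registry Kayobe deploys. If an operator overrides `kolla_docker_registry` to an external TLS registry while the local registry runs without TLS, that external address would presumably be marked insecure as well, and pulls from it would lose transport integrity protection. At minimum the comment should say so, for example `# Applies to the registry named by kolla_docker_registry; set to false explicitly if that is an external registry served over TLS.` A stricter option is to make the default true only when `kolla_docker_registry` is still the Kayobe-deployed `docker_registry`.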
@@ -104,6 +104,11 @@ kolla_docker_namespace: # Url of docker registry to use for Kolla images. kolla_docker_registry: +# Whether docker should be configured to use an insecure registry for Kolla +# images. Default is false, unless docker_registry_enabled is true and +# docker_registry_enable_tls is false. +kolla_docker_registry_insecure: + # Username to use to access a docker registry. kolla_docker_registry_username: diff --git a/ansible/roles/kolla-ansible/templates/kolla/globals.yml b/ansible/roles/kolla-ansible/templates/kolla/globals.yml index 9a7eff29f..f1296f655 100644 --- a/ansible/roles/kolla-ansible/templates/kolla/globals.yml +++ b/ansible/roles/kolla-ansible/templates/kolla/globals.yml @@ -65,6 +65,9 @@ docker_registry_username: "{{ kolla_docker_registry_username }}" {% endif %} docker_storage_driver: "{{ docker_storage_driver }}" docker_custom_config: {{ kolla_docker_custom_config | to_nice_json | indent(2) }} +{% if kolla_docker_registry_insecure | bool %} +docker_registry_insecure: "yes" +{% endif %} #docker_configure_for_zun: "no" diff --git a/doc/source/configuration/reference/kolla-ansible.rst b/doc/source/configuration/reference/kolla-ansible.rst index 951062943..4e6db4289 100644 --- a/doc/source/configuration/reference/kolla-ansible.rst +++ b/doc/source/configuration/reference/kolla-ansible.rst @@ -120,6 +120,10 @@ accessed. ``kolla_docker_registry`` URL of docker registry to use for Kolla images. Default is not set, in which case Dockerhub will be used. +``kolla_docker_registry_insecure`` + Whether docker should be configured to use an insecure registry for Kolla + images. Default is false, unless ``docker_registry_enabled`` is true and + ``docker_registry_enable_tls`` is false. ``kolla_docker_namespace`` Docker namespace to use for Kolla images. Default is ``kolla``. ``kolla_docker_registry_username`` diff --git a/etc/kayobe/kolla.yml b/etc/kayobe/kolla.yml index 3f910058c..a07406f01 100644 --- a/etc/kayobe/kolla.yml +++ b/etc/kayobe/kolla.yml 
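Review bot: The comment added above `kolla_docker_registry_insecure:` in ansible/roles/kolla-ansible/defaults/main.yml describes a default that this file does not implement. The key is left empty here, and the expression based on `docker_registry_enabled` and `docker_registry_enable_tls` lives in ansible/group_vars/all/kolla. When the role is used without those group vars, the value is null and the template's `| bool` treats it as false. I would reword the second sentence to something like `# images. Unset in the role, which is treated as false; Kayobe's group_vars derive it from the registry TLS settings.`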
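Review bot: In templates/kolla/globals.yml, `docker_registry_insecure` is written only when `kolla_docker_registry_insecure` is true, so an explicit `false` omits the key and the effective value falls back to the installed Kolla Ansible default. With a Kolla Ansible release that predates the default change cited in the commit message, that fallback is presumably still insecure, and an operator setting `false` in Kayobe would not actually get TLS enforced for image pulls. Emitting the key unconditionally, `docker_registry_insecure: {{ kolla_docker_registry_insecure | bool }}`, would make both values authoritative. The empty role default would still render as false.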
@@ -75,6 +75,11 @@ # Docker namespace to use for Kolla images. Default is 'kolla'. #kolla_docker_namespace: +# Whether docker should be configured to use an insecure registry for Kolla +# images. Default is false, unless docker_registry_enabled is true and +# docker_registry_enable_tls is false. +#kolla_docker_registry_insecure: + # Username to use to access a docker registry. Default is not set, in which # case the registry will be used without authentication. #kolla_docker_registry_username: diff --git a/releasenotes/notes/docker-registry-insecure-b0f529b9eb85737e.yaml b/releasenotes/notes/docker-registry-insecure-b0f529b9eb85737e.yaml new file mode 100644 index 000000000..112c307f7 --- /dev/null +++ b/releasenotes/notes/docker-registry-insecure-b0f529b9eb85737e.yaml @@ -0,0 +1,14 @@ +--- +features: + - | + Adds a new variable ``kolla_docker_registry_insecure`` to configure whether + Docker should use an insecure registry for Kolla images. +upgrade: + - | + The default configuration of Docker, as set by Kolla Ansible, has changed + to stop using an insecure registry for Kolla images. To avoid breaking + existing deployments, ``kolla_docker_registry_insecure`` is automatically + set to ``true`` if Kayobe is configured to deploy an insecure registry + service. If using an insecure registry not deployed by Kayobe, you will + need to set the value of ``kolla_docker_registry_insecure`` to ``true`` or + configure TLS for your registry.