Amend script to ensure the registry has SSL certs, signed with the cl…

…uster's CA cert

Signed-off-by: Jordi Gil <[email protected]>

container-builder/builder/kubernetes/kaniko.go

@@ -88,6 +88,7 @@ func addKanikoTaskToPod(ctx context.Context, c client.Client, build *api.Contain
 		"--context=dir://" + task.ContextDir,
 		"--destination=" + task.GetRepositoryImageTag(),
 		"--ignore-path=/product_uuid",
+		"--registry-certificate=" + task.Registry.Address + "=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
 	}
 
 	if task.AdditionalFlags != nil && len(task.AdditionalFlags) > 0 {

hack/ci/create-kind-cluster-with-registry.sh

@@ -1,40 +1,19 @@
 #!/bin/sh
-# Copyright 2024 Apache Software Foundation (ASF)
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Source from https://kind.sigs.k8s.io/docs/user/local-registry/
-# Step 6 has been added to wait for the kube-system pods to be in Ready state before continuing
 set -o errexit
 
-# 1. Create registry container unless it already exists
 reg_name='kind-registry'
 reg_port='5001'
-if [ "$(docker inspect -f '{{.State.Running}}' "${reg_name}" 2>/dev/null || true)" != 'true' ]; then
-  docker run \
-    -d --restart=always -p "127.0.0.1:${reg_port}:5000" --network bridge --name "${reg_name}" \
-    registry:2
-fi
 
-# 2. Create kind cluster with containerd registry config dir enabled
+
+# 1. Create kind cluster with containerd registry config dir enabled
 # TODO: kind will eventually enable this by default and this patch will
 # be unnecessary.
 #
 # See:
 # https://github.com/kubernetes-sigs/kind/issues/2875
 # https://github.com/containerd/containerd/blob/main/docs/cri/config.md#registry-configuration
 # See: https://github.com/containerd/containerd/blob/main/docs/hosts.md
-cat <<EOF | kind create cluster --config=-
+cat <<EOF | kind create cluster -n kind --config=-
 kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
 containerdConfigPatches:
@@ -43,29 +22,65 @@ containerdConfigPatches:
     config_path = "/etc/containerd/certs.d"
 EOF
 
-# 3. Add the registry config to the nodes
+# 2. Wait for kube system pods to reach running state
+if ! kubectl wait -n kube-system --for=condition=ready pods --all --timeout=120s ; then
+  echo "some pods in the system are not running"
+  kubectl get pods -A -o wide || true
+  exit 1
+fi
+
+# 3 Create registry container with SSL certificates signed with the cluster's CA cert
+mkdir -p /tmp/certs
+# extract cluster's CA certificate
+declare -a nodes=$(kind get nodes)
+docker cp ${nodes[0]}:/etc/kubernetes/pki/ca.key /tmp/certs/
+docker cp ${nodes[0]}:/etc/kubernetes/pki/ca.crt /tmp/certs/
+# create new SSL PEMs using the cluster's ca.crt and ca.key
+echo reg_name $reg_name
+openssl req -x509 -newkey rsa:4096 \
+  -CA /tmp/certs/ca.crt \
+  -CAkey /tmp/certs/ca.key \
+  -keyout /tmp/certs/key.pem \
+  -out /tmp/certs/cert.pem \
+  -sha256 \
+  -days 1 \
+  -nodes \
+  -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=localhost" \
+  -addext 'subjectAltName=DNS:'$reg_name',DNS:localhost'
+
+# pass the new files to the docker container as environment variables
+docker run \
+  -d --restart=always -p "127.0.0.1:${reg_port}:5000" --network bridge --name "${reg_name}" \
+  -v /tmp/certs:/certs \
+  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/cert.pem \
+  -e REGISTRY_HTTP_TLS_KEY=/certs/key.pem \
+  registry:2
+
+# 4. Connect the registry to the cluster network if not already connected
+# This allows kind to bootstrap the network but ensures they're on the same network
+if [ "$(docker inspect -f='{{json .NetworkSettings.Networks.kind}}' "${reg_name}")" = 'null' ]; then
+  docker network connect "kind" "${reg_name}"
+fi
+
+# 5. Add the registry config to the nodes
 #
 # This is necessary because localhost resolves to loopback addresses that are
 # network-namespace local.
 # In other words: localhost in the container is not localhost on the host.
 #
 # We want a consistent name that works from both ends, so we tell containerd to
 # alias localhost:${reg_port} to the registry container when pulling images
-REGISTRY_DIR="/etc/containerd/certs.d/localhost:${reg_port}"
+REGISTRY_DIR="/etc/containerd/certs.d/${reg_name}:5000"
 for node in $(kind get nodes); do
   docker exec "${node}" mkdir -p "${REGISTRY_DIR}"
   cat <<EOF | docker exec -i "${node}" cp /dev/stdin "${REGISTRY_DIR}/hosts.toml"
 [host."http://${reg_name}:5000"]
+  capabilities = ["pull", "resolve", "push"]
+  skip_verify = true
 EOF
 done
 
-# 4. Connect the registry to the cluster network if not already connected
-# This allows kind to bootstrap the network but ensures they're on the same network
-if [ "$(docker inspect -f='{{json .NetworkSettings.Networks.kind}}' "${reg_name}")" = 'null' ]; then
-  docker network connect "kind" "${reg_name}"
-fi
-
-# 5. Document the local registry
+# 6. Document the local registry
 # https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/generic/1755-communicating-a-local-registry
 cat <<EOF | kubectl apply -f -
 apiVersion: v1
@@ -75,14 +90,6 @@ metadata:
   namespace: kube-public
 data:
   localRegistryHosting.v1: |
-    host: "localhost:${reg_port}"
+    hostFromClusterNetwork: "${reg_name}:5000"
     help: "https://kind.sigs.k8s.io/docs/user/local-registry/"
 EOF
-
-
-# 6. Wait for kube system pods to reach running state
-if ! kubectl wait -n kube-system --for=condition=ready pods --all --timeout=120s ; then
-  echo "some pods in the system are not running"
-  kubectl get pods -A -o wide || true
-  exit 1
-fi