operator-sdk: run bundle{-upgrade} support insecure registry server

Supporting insecure registry is useful for testing operator installation
from bundle image stored at local registry.

Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>

changelog/fragments/run-bundle-from-insecure-registry.yaml

@@ -0,0 +1,4 @@
+entries:
+  - description: >
+       Add new optional flag `--skip-tls` to the commands `operator-sdk run bundle` and `operator-sdk run bundle-upgrade`. This option allow to install the operator from a bundle image stored at an insecure docker registry. (e.g. `operator-sdk run bundle localhost:5000/my-operator-bundle:latest --skip-tls`)
+    kind: "addition"

internal/cmd/operator-sdk/scorecard/cmd.go

@@ -211,5 +211,5 @@ func extractBundleImage(bundleImage string) (string, error) {
 		logger = log.WithFields(log.Fields{"bundle": bundleImage})
 	}
 	// FEAT: enable explicit local image extraction.
-	return registryutil.ExtractBundleImage(context.TODO(), logger, bundleImage, false)
+	return registryutil.ExtractBundleImage(context.TODO(), logger, bundleImage, false, false)
 }

internal/olm/operator/bundle/install.go

@@ -72,7 +72,7 @@ func (i *Install) setup(ctx context.Context) error {
 	}
 
 	// Load bundle labels and set label-dependent values.
-	labels, bundle, err := operator.LoadBundle(ctx, i.BundleImage)
+	labels, bundle, err := operator.LoadBundle(ctx, i.BundleImage, i.SkipTLS)
 	if err != nil {
 		return err
 	}

internal/olm/operator/bundleupgrade/upgrade.go

@@ -69,7 +69,7 @@ func (u *Upgrade) setup(ctx context.Context) error {
 		}
 	}
 
-	labels, bundle, err := operator.LoadBundle(ctx, u.BundleImage)
+	labels, bundle, err := operator.LoadBundle(ctx, u.BundleImage, u.SkipTLS)
 	if err != nil {
 		return err
 	}

internal/olm/operator/helpers.go

@@ -34,8 +34,8 @@ func CatalogNameForPackage(pkg string) string {
 }
 
 // LoadBundle returns metadata and manifests from within bundleImage.
-func LoadBundle(ctx context.Context, bundleImage string) (registryutil.Labels, *apimanifests.Bundle, error) {
-	bundlePath, err := registryutil.ExtractBundleImage(ctx, nil, bundleImage, false)
+func LoadBundle(ctx context.Context, bundleImage string, skipTLS bool) (registryutil.Labels, *apimanifests.Bundle, error) {
+	bundlePath, err := registryutil.ExtractBundleImage(ctx, nil, bundleImage, false, skipTLS)
 	if err != nil {
 		return nil, nil, fmt.Errorf("pull bundle image: %v", err)
 	}

internal/olm/operator/registry/index/registry_pod.go

@@ -50,6 +50,8 @@ type BundleItem struct {
 	ImageTag string `json:"imageTag"`
 	// AddMode describes how the bundle should be added to an index image.
 	AddMode BundleAddMode `json:"mode"`
+	// SkipTLS controls wether to ignore SSL errors while pulling bundle image from registry server.
+	SkipTLS bool `json:"SkipTLS"`
 }
 
 // RegistryPod holds resources necessary for creation of a registry server
@@ -302,7 +304,7 @@ func newBool(b bool) *bool {
 
 const cmdTemplate = `/bin/mkdir -p {{ dirname .DBPath }} && \
 {{- range $i, $item := .BundleItems }}
-/bin/opm registry add -d {{ $.DBPath }} -b {{ $item.ImageTag }} --mode={{ $item.AddMode }}{{ if $.CASecretName }} --ca-file=/certs/cert.pem{{ end }} && \
+/bin/opm registry add -d {{ $.DBPath }} -b {{ $item.ImageTag }} --mode={{ $item.AddMode }}{{ if $.CASecretName }} --ca-file=/certs/cert.pem{{ end }} --skip-tls={{ $item.SkipTLS }} && \
 {{- end }}
 /bin/opm registry serve -d {{ .DBPath }} -p {{ .GRPCPort }}
 `

internal/olm/operator/registry/index/registry_pod_test.go

@@ -104,6 +104,15 @@ var _ = Describe("RegistryPod", func() {
 				Expect(output).Should(Equal(containerCommandFor(defaultDBPath, defaultBundleItems, true)))
 			})
 
+			It("should return a container command for image with --skip-tls", func() {
+				bundles := []BundleItem{defaultBundleItems[0]}
+				bundles[0].SkipTLS = true
+				rp.BundleItems = bundles
+				output, err := rp.getContainerCmd()
+				Expect(err).To(BeNil())
+				Expect(output).Should(Equal(containerCommandFor(defaultDBPath, bundles, false)))
+			})
+
 			It("should return a valid container command for three images", func() {
 				bundleItems := append(defaultBundleItems,
 					BundleItem{
@@ -114,6 +123,11 @@ var _ = Describe("RegistryPod", func() {
 						ImageTag: "quay.io/example/example-operator-bundle:1.0.1",
 						AddMode:  SemverBundleAddMode,
 					},
+					BundleItem{
+						ImageTag: "localhost/example-operator-bundle:1.0.1",
+						AddMode:  SemverBundleAddMode,
+						SkipTLS:  true,
+					},
 				)
 				rp2 := RegistryPod{
 					DBPath:      defaultDBPath,
@@ -224,7 +238,7 @@ func containerCommandFor(dbPath string, items []BundleItem, hasCA bool) string {
 	}
 	additions := &strings.Builder{}
 	for _, item := range items {
-		additions.WriteString(fmt.Sprintf("/bin/opm registry add -d %s -b %s --mode=%s%s && \\\n", dbPath, item.ImageTag, item.AddMode, caFlag))
+		additions.WriteString(fmt.Sprintf("/bin/opm registry add -d %s -b %s --mode=%s%s --skip-tls=%v && \\\n", dbPath, item.ImageTag, item.AddMode, caFlag, item.SkipTLS))
 	}
 	return fmt.Sprintf("/bin/mkdir -p /database && \\\n%s/bin/opm registry serve -d /database/index.db -p 50051\n", additions.String())
 }

internal/olm/operator/registry/index_image.go

@@ -62,6 +62,7 @@ type IndexImageCatalogCreator struct {
 	PackageName   string
 	IndexImage    string
 	BundleImage   string
+	SkipTLS       bool
 	BundleAddMode index.BundleAddMode
 	SecretName    string
 	CASecretName  string
@@ -87,6 +88,8 @@ func (c *IndexImageCatalogCreator) BindFlags(fs *pflag.FlagSet) {
 		"Name of a generic secret containing a PEM root certificate file required to pull bundle images. "+
 			"This secret *must* be in the namespace that this command is configured to run in, "+
 			"and the file *must* be encoded under the key \"cert.pem\"")
+	fs.BoolVar(&c.SkipTLS, "skip-tls", false, "skip authentication of image registry TLS "+
+		"certificate when pulling a bundle image in-cluster")
 }
 
 func (c IndexImageCatalogCreator) CreateCatalog(ctx context.Context, name string) (*v1alpha1.CatalogSource, error) {
@@ -101,7 +104,7 @@ func (c IndexImageCatalogCreator) CreateCatalog(ctx context.Context, name string
 
 	c.setAddMode()
 
-	newItems := []index.BundleItem{{ImageTag: c.BundleImage, AddMode: c.BundleAddMode}}
+	newItems := []index.BundleItem{{ImageTag: c.BundleImage, AddMode: c.BundleAddMode, SkipTLS: c.SkipTLS}}
 	if err := c.createAnnotatedRegistry(ctx, cs, newItems); err != nil {
 		return nil, fmt.Errorf("error creating registry pod: %v", err)
 	}
@@ -137,7 +140,7 @@ func (c IndexImageCatalogCreator) UpdateCatalog(ctx context.Context, cs *v1alpha
 
 	c.setAddMode()
 
-	newItem := index.BundleItem{ImageTag: c.BundleImage, AddMode: c.BundleAddMode}
+	newItem := index.BundleItem{ImageTag: c.BundleImage, AddMode: c.BundleAddMode, SkipTLS: c.SkipTLS}
 	existingItems = append(existingItems, newItem)
 
 	opts := []func(*v1alpha1.CatalogSource){

internal/registry/image.go

@@ -28,7 +28,7 @@ import (
 
 // ExtractBundleImage returns a bundle directory containing files extracted
 // from image. If local is true, the image will not be pulled.
-func ExtractBundleImage(ctx context.Context, logger *log.Entry, image string, local bool) (string, error) {
+func ExtractBundleImage(ctx context.Context, logger *log.Entry, image string, local bool, skipTLS bool) (string, error) {
 	if logger == nil {
 		logger = DiscardLogger()
 	}
@@ -51,7 +51,7 @@ func ExtractBundleImage(ctx context.Context, logger *log.Entry, image string, lo
 	logger = logger.WithFields(log.Fields{"dir": bundleDir})
 
 	// Use a containerd registry instead of shelling out to a container tool.
-	reg, err := containerdregistry.NewRegistry(containerdregistry.WithLog(logger))
+	reg, err := containerdregistry.NewRegistry(containerdregistry.WithLog(logger), containerdregistry.SkipTLS(skipTLS))
 	if err != nil {
 		return "", err
 	}

website/content/en/docs/cli/operator-sdk_run_bundle-upgrade.md

@@ -23,6 +23,7 @@ operator-sdk run bundle-upgrade <bundle-image> [flags]
   -n, --namespace string          If present, namespace scope for this CLI request
       --pull-secret-name string   Name of image pull secret ("type: kubernetes.io/dockerconfigjson") required to pull bundle images. This secret *must* be both in the namespace and an imagePullSecret of the service account that this command is configured to run in
       --service-account string    Service account name to bind registry objects to. If unset, the default service account is used. This value does not override the operator's service account
+      --skip-tls                  skip authentication of image registry TLS certificate when pulling a bundle image in-cluster
       --timeout duration          Duration to wait for the command to complete before failing (default 2m0s)
 ```
 

website/content/en/docs/cli/operator-sdk_run_bundle.md

@@ -25,6 +25,7 @@ operator-sdk run bundle <bundle-image> [flags]
   -n, --namespace string                If present, namespace scope for this CLI request
       --pull-secret-name string         Name of image pull secret ("type: kubernetes.io/dockerconfigjson") required to pull bundle images. This secret *must* be both in the namespace and an imagePullSecret of the service account that this command is configured to run in
       --service-account string          Service account name to bind registry objects to. If unset, the default service account is used. This value does not override the operator's service account
+      --skip-tls                        skip authentication of image registry TLS certificate when pulling a bundle image in-cluster
       --timeout duration                Duration to wait for the command to complete before failing (default 2m0s)
 ```