
Conversation


@zaneb zaneb commented Dec 22, 2025

Implement TLS certificate infrastructure to enable secure communication with the built-in registry used by the agent installer. This addresses the need for proper certificate management across the agent ISO boot, bootstrap, and cluster startup phases.

Create three new certificate assets:

  • InternalReleaseRegistrySignerCertKey: CA certificate that signs registry server certificates and tracks when loaded from disk
  • InternalReleaseRegistryCertKey: Server certificate valid for both localhost and api-int.<cluster-domain> for use during bootstrap
  • InternalReleaseRegistryLocalhostCertKey: Server certificate valid only for localhost for use in the unconfigured ignition (ISO phase)

The implementation ensures certificates are distributed appropriately:

  • Unconfigured ignition includes CA cert+key in /opt/agent/tls/ for assisted-service to load, CA cert in system trust store, and localhost-only server cert in /opt/registry/tls/
  • Bootstrap and master ignitions conditionally include the api-int server certificate when the CA was loaded from disk
  • AdditionalTrustBundle ConfigMap automatically includes the CA when loaded from disk to ensure cluster-wide trust
  • Bootkube restarts registry.service if running to pick up new certs

All certificate inclusions in bootstrap/master ignitions and trust bundles are conditional on the CA being loaded from disk, ensuring this only affects agent-based installations.

Assisted-by: Claude Code
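The three assets and the SAN scoping described in the PR, as an added example in Go that is not code from this PR or from the installer's own asset types: it mints a self-signed signer, issues one server cert for localhost plus api-int.<cluster-domain> and one for localhost only, then verifies each against the signer the way a registry client would. The cluster domain `example.internal` and the names `newSigner`, `newServerCert`, `verifyFor`, `buildRegistryCerts` and `isHostnameMismatch` are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// clusterDomain is an assumed value; the installer substitutes the real cluster domain.
const clusterDomain = "example.internal"

// certKey pairs a parsed certificate with its private key.
type certKey struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue signs tmpl with parent, or self-signs it when parent is nil.
func issue(tmpl *x509.Certificate, parent *certKey) (*certKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certKey{Cert: cert, Key: key}, nil
}

// newSigner builds a self-signed CA, the role the signer asset plays in the PR.
func newSigner() (*certKey, error) {
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "internal-release-registry-signer"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil)
}

// newServerCert issues a leaf whose SANs are exactly dnsNames; a registry
// cert's scope (localhost only, or localhost plus api-int) is decided here.
func newServerCert(ca *certKey, serial int64, dnsNames []string) (*certKey, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(2 * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca)
}

// verifyFor does what a registry client does: chain leaf to ca and check
// that leaf is valid for host. A nil error means the client would connect.
func verifyFor(leaf, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// isHostnameMismatch distinguishes a SAN mismatch from a chain/trust failure.
func isHostnameMismatch(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

// buildRegistryCerts produces the three assets named in the PR description:
// the signer, the bootstrap cert (localhost + api-int) and the localhost-only cert.
func buildRegistryCerts() (signer, bootstrap, localhost *certKey, err error) {
	if signer, err = newSigner(); err != nil {
		return
	}
	if bootstrap, err = newServerCert(signer, 2, []string{"localhost", "api-int." + clusterDomain}); err != nil {
		return
	}
	localhost, err = newServerCert(signer, 3, []string{"localhost"})
	return
}

func main() {
	signer, bootstrap, localhost, err := buildRegistryCerts()
	if err != nil {
		panic(err)
	}
	apiInt := "api-int." + clusterDomain
	fmt.Println("bootstrap cert for", apiInt, "->", verifyFor(bootstrap.Cert, signer.Cert, apiInt))
	fmt.Println("localhost-only cert for", apiInt, "->", verifyFor(localhost.Cert, signer.Cert, apiInt))
}
```

With DNSName set, Go's Verify rejects the localhost-only leaf for the api-int name with a HostnameError even though it chains to the same signer; that is the property that lets the ISO phase ship a cert which cannot be reused for the cluster-internal name. The flip side is that the signer key, which the description places in /opt/agent/tls in the unconfigured ignition, can mint a leaf for any name the system trust store will then accept, so its on-disk permissions deserve the same attention as the server keys.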
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 22, 2025

openshift-ci bot commented Dec 22, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 22, 2025
@openshift-merge-robot
Contributor

PR needs rebase.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.


openshift-ci bot commented Dec 22, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign vr4manta for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
