Feature Request | Resolution: Done | Major | openshift-4.16, openshift-4.17
1. Proposed title of this feature request
Add Option to Skip TLS Verification in config.image for Custom S3 Storage Using Self-Signed Certificates
2. What is the nature and description of the request?
This feature request proposes adding an option to skip TLS verification when connecting to custom S3 storage via the config.image object. The current implementation requires customers to specify a trustedCA, which is mandatory even when the S3 endpoint uses self-signed certificates. The requested feature would give customers the flexibility either to provide a trustedCA or to bypass TLS verification, by introducing a new optional parameter such as skipTLSVerification: true.
At the moment there is no option to skip TLS verification:
$ oc explain config.spec.storage.s3
FIELDS:
   bucket <string>
     bucket is the bucket name in which you want to store the registry's data. Optional, will be generated if not provided.

   chunkSizeMiB <integer>
     chunkSizeMiB defines the size of the multipart upload chunks of the S3 API. The S3 API requires multipart upload chunks to be at least 5MiB. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is 10 MiB. The value is an integer number of MiB. The minimum value is 5 and the maximum value is 5120 (5 GiB).

   cloudFront <Object>
     cloudFront configures Amazon Cloudfront as the storage middleware in a registry.

   encrypt <boolean>
     encrypt specifies whether the registry stores the image in encrypted format or not. Optional, defaults to false.

   keyID <string>
     keyID is the KMS key ID to use for encryption. Optional, Encrypt must be true, or this parameter is ignored.

   region <string>
     region is the AWS region in which your bucket exists. Optional, will be set based on the installed AWS Region.

   regionEndpoint <string>
     regionEndpoint is the endpoint for S3 compatible storage services. It should be a valid URL with scheme, e.g. https://s3.example.com. Optional, defaults based on the Region that is provided.

   trustedCA <Object>
     trustedCA is a reference to a config map containing a CA bundle. The image registry and its operator use certificates from this bundle to verify S3 server certificates. The namespace for the config map referenced by trustedCA is "openshift-config". The key for the bundle in the config map is "ca-bundle.crt".

   virtualHostedStyle <boolean>
     virtualHostedStyle enables using S3 virtual hosted style bucket paths with a custom RegionEndpoint Optional, defaults to false.
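For reference, the currently supported way to satisfy the mandatory trustedCA with a self-signed S3 endpoint is shown below as an added example (not part of this issue): the endpoint's certificate, or the CA that issued it, goes into a config map in openshift-config under the key ca-bundle.crt, and config.spec.storage.s3.trustedCA references that config map. The config map name, bucket, region and endpoint are assumed values; the PEM body is a placeholder.

```yaml
# Assumed config map name "s3-endpoint-ca"; namespace and key are the ones
# documented by `oc explain config.spec.storage.s3` (openshift-config, ca-bundle.crt).
apiVersion: v1
kind: ConfigMap
metadata:
  name: s3-endpoint-ca
  namespace: openshift-config
data:
  ca-bundle.crt: |
    -----BEGIN CERTIFICATE-----
    <PLACEHOLDER: PEM of the self-signed S3 server certificate, or of the private CA that issued it>
    -----END CERTIFICATE-----
---
# Image registry operator config; bucket, region and regionEndpoint are assumed values.
apiVersion: imageregistry.operator.openshift.io/v1
kind: Config
metadata:
  name: cluster
spec:
  managementState: Managed
  storage:
    s3:
      bucket: registry-images          # assumed bucket name
      region: us-east-1                # assumed; any value the endpoint accepts
      regionEndpoint: https://s3.example.internal   # assumed custom S3 endpoint, scheme required
      virtualHostedStyle: false
      # trustedCA is the field this request wants to make optional; with it set,
      # the registry and operator validate the endpoint certificate against the bundle above.
      trustedCA:
        name: s3-endpoint-ca
```

Because the bundle is only used to verify the S3 server certificate, a self-signed server certificate can be placed in it directly, which keeps certificate validation on without a public or corporate CA.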
3. Why does the customer need this? (List the business requirements here)
- Customers using self-signed certificates for their custom S3 storage need a more flexible way to connect without having to specify a trustedCA.
- It simplifies the process by allowing them to skip TLS verification, reducing operational overhead and time spent configuring and managing trusted certificates.
- It prevents the connection failures that currently occur when no trustedCA is provided, since without one connecting to custom S3 storage is impossible.
- This will help users who prefer self-signed certificates or lack access to a trusted CA, improving customer satisfaction and reducing friction in custom S3 storage connections.
4. List any affected packages or components.
image-registry