adding cabundle for airgapped

Budi Darmawan · Budi Darmawan · commit 0b22ad4d0b30 · 2021-05-31T08:02:55.000-05:00
diff --git a/.gitignore b/.gitignore
@@ -8,3 +8,4 @@
 # .tfvars files
 *.tfvars
 openshift_pull_secret.json
+.terraform.lock.hcl
diff --git a/README.md b/README.md
@@ -229,6 +229,8 @@ Setting up the mirror repository using AWS ECR:
        --to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}
     ```
 
+4. Provide the certificate(s) for the registry in a file and refers that from the vars to be included in the `install-config.yaml`.
+
 Once the mirror registry is created - use the terraform.tfvars similar to below:
 
 ```
@@ -253,10 +255,11 @@ aws_publish_strategy = "Internal"
 airgapped = {
   enabled = true
   repository = "1234567812345678.dkr.ecr.us-east-1.amazonaws.com/ocp435"
+  cabundle = "./cabundle"
 }
 ```
 
-**Note**: To use `airgapped.enabled` of `true` must be done with `aws_publish_strategy` of `Internal` otherwise the deployment will fail.
+**Note**: To use `airgapped.enabled` of `true` must be done with `aws_publish_strategy` of `Internal` otherwise the deployment will fail. Also ECR does not allow for unauthenticated image pulls, additional IAM policies must be defined and attached to the nodes to be able to pull from ECR.
 
 Create your cluster and then associate the private Hosted Zone Record in Route53 with the loadbalancer for the `*.apps.<cluster>.<domain>`.  
 
diff --git a/config.tf b/config.tf
@@ -38,16 +38,6 @@ The name of the cluster. It will be suffixed by the base_domain to make cluster_
 EOF
 }
 
-variable "aws_access_key_id" {
-  type        = string
-  description = "AWS Key"
-}
-
-variable "aws_secret_access_key" {
-  type        = string
-  description = "AWS Secret"
-}
-
 variable "openshift_pull_secret" {
   type = string
   description = "File containing pull secret - get it from https://cloud.redhat.com/openshift/install/pull-secret"
diff --git a/install/installer.tf b/install/installer.tf
@@ -72,6 +72,11 @@ aws_secret_access_key = ${var.aws_secret_access_key}
 EOF
 }
 
+data "local_file" "cabundle" {
+  count = var.airgapped["enabled"] ? 1 : 0
+  filename = "${var.airgapped.cabundle}"
+}
+
 
 data "template_file" "install_config_yaml" {
   template = <<-EOF
@@ -117,6 +122,8 @@ sshKey: '${tls_private_key.installkey.public_key_openssh}'
 - mirrors:
   - ${var.airgapped["repository"]}
   source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
+additionalTrustBundle: | 
+  ${indent(2,data.local_file.cabundle[0].content)}
 %{endif}
 EOF
 }
diff --git a/install/variables.tf b/install/variables.tf
@@ -107,5 +107,6 @@ variable "airgapped" {
   default = {
     airgapped  = false
     repository = ""
+    cabundle = ""
   }
 }
diff --git a/variables-aws.tf b/variables-aws.tf
@@ -149,10 +149,22 @@ variable "aws_skip_region_validation" {
   description = "This decides if the AWS provider should validate if the region is known."
 }
 
+
+variable "aws_access_key_id" {
+  type        = string
+  description = "AWS Key"
+}
+
+variable "aws_secret_access_key" {
+  type        = string
+  description = "AWS Secret"
+}
+
 variable "airgapped" {
   type = map(string)
   default = {
     enabled  = false
     repository = ""
+    cabundle = ""
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -107,5 +107,6 @@ variable "airgapped" {`
`107`	`107`	`default = {`
`108`	`108`	`airgapped = false`
`109`	`109`	`repository = ""`
	`110`	`+ cabundle = ""`
`110`	`111`	`}`
`111`	`112`	`}`