Adding RegistryTLS to the MIC image spec

yevgeny-shnaidman · k8s-ci-robot · commit 6a30977829be · 2025-02-24T03:04:28.000-08:00
MIC image spec is being propagated as is to the MBSC image spec.
As part of building sign and build pod, one of the inputs is the
RegistryTLS configuration used during build/sign process.
This PR does the following:
1. Add RegistryTLS field to the ModuleImageSpec
2. module reconciler sets the RegistryTLS in the imageSpec variable
3. changing unit-tests
diff --git a/api/v1beta1/moduleimagesconfig_types.go b/api/v1beta1/moduleimagesconfig_types.go
@@ -49,6 +49,10 @@ type ModuleImageSpec struct {
 	// Sign contains sign instructions, in case image needs signing
 	// +optional
 	Sign *Sign `json:"sign,omitempty"`
+
+	// +optional
+	// RegistryTLS set the TLS configs for accessing the registry of the image.
+	RegistryTLS *TLSOptions `json:"registryTLS,omitempty"`
 }
 
 // ModuleImagesConfigSpec describes the images of the Module whose status needs to be verified
diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/kmm.sigs.x-k8s.io_modulebuildsignconfigs.yaml b/config/crd/bases/kmm.sigs.x-k8s.io_modulebuildsignconfigs.yaml
@@ -164,6 +164,19 @@ spec:
                     kernelVersion:
                       description: kernel version for which this image is targeted
                       type: string
+                    registryTLS:
+                      description: RegistryTLS set the TLS configs for accessing the
+                        registry of the image.
+                      properties:
+                        insecure:
+                          description: If Insecure is true, the operator will be able
+                            to access a registry in an insecure (plain HTTP) protocol.
+                          type: boolean
+                        insecureSkipTLSVerify:
+                          description: If InsecureSkipTLSVerify, the operator will
+                            accept any certificate provided by the registry.
+                          type: boolean
+                      type: object
                     sign:
                       description: Sign contains sign instructions, in case image
                         needs signing
diff --git a/config/crd/bases/kmm.sigs.x-k8s.io_moduleimagesconfigs.yaml b/config/crd/bases/kmm.sigs.x-k8s.io_moduleimagesconfigs.yaml
@@ -159,6 +159,19 @@ spec:
                     kernelVersion:
                       description: kernel version for which this image is targeted
                       type: string
+                    registryTLS:
+                      description: RegistryTLS set the TLS configs for accessing the
+                        registry of the image.
+                      properties:
+                        insecure:
+                          description: If Insecure is true, the operator will be able
+                            to access a registry in an insecure (plain HTTP) protocol.
+                          type: boolean
+                        insecureSkipTLSVerify:
+                          description: If InsecureSkipTLSVerify, the operator will
+                            accept any certificate provided by the registry.
+                          type: boolean
+                      type: object
                     sign:
                       description: Sign contains sign instructions, in case image
                         needs signing
diff --git a/internal/controllers/module_reconciler.go b/internal/controllers/module_reconciler.go
@@ -353,6 +353,7 @@ func (mrh *moduleReconcilerHelper) handleMIC(ctx context.Context, mod *kmmv1beta
 			KernelVersion: mld.KernelVersion,
 			Build:         mld.Build,
 			Sign:          mld.Sign,
+			RegistryTLS:   mld.RegistryTLS,
 		}
 		images = append(images, mis)
 	}
diff --git a/internal/controllers/module_reconciler_test.go b/internal/controllers/module_reconciler_test.go
@@ -475,12 +475,14 @@ var _ = Describe("handleMIC", func() {
 			Build:          &kmmv1beta1.Build{},
 			Sign:           &kmmv1beta1.Sign{},
 			KernelVersion:  "some version",
+			RegistryTLS:    &kmmv1beta1.TLSOptions{},
 		}
 		expectedSpec := kmmv1beta1.ModuleImageSpec{
 			Image:         img,
 			KernelVersion: "some version",
 			Build:         mld.Build,
 			Sign:          mld.Sign,
+			RegistryTLS:   mld.RegistryTLS,
 		}
 		mockKernelMapper.EXPECT().GetModuleLoaderDataForKernel(mod, gomock.Any()).Return(mld, nil)
 		mockMICAPI.EXPECT().CreateOrPatch(ctx, mod.Name, mod.Namespace, []kmmv1beta1.ModuleImageSpec{expectedSpec}, mod.Spec.ImageRepoSecret, mod).Return(nil)

Original file line number	Diff line number	Diff line change
`@@ -353,6 +353,7 @@ func (mrh moduleReconcilerHelper) handleMIC(ctx context.Context, mod kmmv1beta`
`353`	`353`	`KernelVersion: mld.KernelVersion,`
`354`	`354`	`Build: mld.Build,`
`355`	`355`	`Sign: mld.Sign,`
	`356`	`+ RegistryTLS: mld.RegistryTLS,`
`356`	`357`	`}`
`357`	`358`	`images = append(images, mis)`
`358`	`359`	`}`