Merge "Never make Docker registry insecure by default"

ansible/group_vars/all.yml

@@ -112,7 +112,8 @@ docker_registry_email:
 docker_registry:
 docker_namespace: "kolla"
 docker_registry_username:
-docker_registry_insecure: "{{ 'yes' if docker_registry else 'no' }}"
+# Please read the docs carefully before applying docker_registry_insecure.
+docker_registry_insecure: "no"
 docker_runtime_directory: ""
 # Docker client timeout in seconds.
 docker_client_timeout: 120

doc/source/reference/deployment-and-bootstrapping/bootstrap-servers.rst

@@ -168,10 +168,13 @@ The ``docker_registry`` variable, which is not set by default, defines the
 address of the Docker registry. If the variable is not set, Dockerhub will be
 used.
 
-The ``docker_registry_insecure`` variable, which defaults to ``true`` if
-``docker_registry`` is set, or ``false`` otherwise, defines whether to
-configure ``docker_registry`` as an insecure registry. Insecure registries use
-HTTP rather than HTTPS.
+The ``docker_registry_insecure`` variable, which defaults to ``false``,
+defines whether to configure ``docker_registry`` as an insecure registry.
+Insecure registries allow to use broken certificate chains and HTTP without
+TLS but it's strongly discouraged in production unless in very specific
+circumstances. For more discussion, see the official Docker documentation on
+`insecure registries <https://docs.docker.com/registry/insecure/>`__.
+Additionally, notice this will disable Docker registry authentication.
 
 The ``docker_log_max_file`` variable, which defaults to ``5``, defines the
 maximum number of log files to retain per container. The

etc/kolla/globals.yml

@@ -77,7 +77,8 @@
 
 # Custom docker registry settings:
 #docker_registry:
-#docker_registry_insecure: "{{ 'yes' if docker_registry else 'no' }}"
+# Please read the docs carefully before applying docker_registry_insecure.
+#docker_registry_insecure: "no"
 #docker_registry_username:
 # docker_registry_password is set in the passwords.yml file.
 

releasenotes/notes/bug-1940547-771f6affb3547748.yaml

@@ -0,0 +1,18 @@
+---
+upgrade:
+  - |
+    Kolla Ansible now defaults ``docker_registry_insecure`` to ``false``.
+    If you relied on the previous behaviour, please switch it back on
+    but bear in mind the consequences as discussed in the related security
+    note as well as the linked bug report.
+    `LP#1940547 <https://launchpad.net/bugs/1940547>`__
+security:
+  - |
+    Previously, Kolla Ansible, by default (as documented in several places),
+    configured Docker to insecure mode for the configured registry (i.e., if
+    not using the default one). This is controlled by the
+    ``docker_registry_insecure`` variable.
+    If operators did not notice this quirk, they could have opened their
+    deployments up for potential MITM attacks. See the bug report for
+    more discussion.
+    `LP#1940547 <https://launchpad.net/bugs/1940547>`__

tests/templates/globals-default.j2

@@ -58,7 +58,6 @@ openstack_tag: "{{ build_image_tag }}"
 {% else %}
 # use the published images from a site mirror of quay.io
 docker_registry: "{{ zuul_site_mirror_fqdn }}:4447"
-docker_registry_insecure: no
 docker_namespace: openstack.kolla
 {% if docker_image_tag_suffix %}
 openstack_tag_suffix: "{{ docker_image_tag_suffix }}"