From 53f62d99766fc7c216d2abaf67e76b6e46c070ad Mon Sep 17 00:00:00 2001
From: Jack Hodgkiss
Date: Thu, 24 Jul 2025 21:48:27 +0100
Subject: [PATCH] feat: install registry `CA` if registry is secure
Provide more control over install the registry `CA` by adding an additional conditional using the existing `_registry_insecure` variable for either `Podman` or `Docker`.
Change-Id: If1ba49e23e1b3acc57bcc6313a8688f29fce4e37
Signed-off-by: Jack Hodgkiss
---
 ...ainer-registry-ca-conditional-0247b0014379ba82.yaml | 6 ++++++
 roles/docker/tasks/config.yml | 10 ++++++++--
 roles/podman/tasks/config.yml | 2 ++
 3 files changed, 16 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/improve-container-registry-ca-conditional-0247b0014379ba82.yaml
diff --git a/releasenotes/notes/improve-container-registry-ca-conditional-0247b0014379ba82.yaml b/releasenotes/notes/improve-container-registry-ca-conditional-0247b0014379ba82.yaml
new file mode 100644
index 0000000..0175ad3
--- /dev/null
+++ b/releasenotes/notes/improve-container-registry-ca-conditional-0247b0014379ba82.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ The tasks related to installing CA file for private registry will now
+ only run if either ``docker_registry_insecure`` or
+ ``podman_registry_insecure`` is set to false.
diff --git a/roles/docker/tasks/config.yml b/roles/docker/tasks/config.yml
index 442b452..89bb65b 100644
--- a/roles/docker/tasks/config.yml
+++ b/roles/docker/tasks/config.yml
@@ -99,7 +99,10 @@
 mode: "0700"
 state: directory
 become: true
- when: docker_registry is not none and docker_registry_ca is not none
+ when: >
+ docker_registry is not none and
+ docker_registry_ca is not none and
+ not docker_registry_insecure | bool
 - name: Ensure the CA file for private registry exists
 copy:
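Review bot: The new `when` in this hunk is written as a folded string chained with `and`, while the podman role in the same commit expresses the same three checks as a list of conditions, so the two roles now read differently for no visible reason. Writing it as a list, `when:` followed by `- docker_registry is not none`, `- docker_registry_ca is not none` and `- not docker_registry_insecure | bool`, keeps each clause on its own line and drops the block-scalar indicator. The same applies to the `@@ -109,7 +112,10 @@` hunk. The task this condition belongs to starts above the hunk.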
@@ -109,7 +112,10 @@
 group: root
 mode: "0600"
 become: true
- when: docker_registry is not none and docker_registry_ca is not none
+ when: >
+ docker_registry is not none and
+ docker_registry_ca is not none and
+ not docker_registry_insecure | bool
 notify:
 - Restart docker
diff --git a/roles/podman/tasks/config.yml b/roles/podman/tasks/config.yml
index 851eb31..6ea9311 100644
--- a/roles/podman/tasks/config.yml
+++ b/roles/podman/tasks/config.yml
@@ -63,6 +63,7 @@
 when:
 - podman_registry is not none
 - podman_registry_ca is not none
+ - not podman_registry_insecure | bool
 - name: Ensure the CA file for private registry exists
 copy:
@@ -75,3 +76,4 @@
 when:
 - podman_registry is not none
 - podman_registry_ca is not none
+ - not podman_registry_insecure | bool
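Review bot: With the added clause, a configured `docker_registry_ca` is skipped without any message whenever `docker_registry_insecure` is true, so an operator who supplies a CA but leaves the insecure flag on gets no CA file installed for the registry and nothing in the play output says so. A comment above the condition would make the precedence explicit, for example `# registry CA is installed only when docker_registry_insecure is false; the insecure flag overrides docker_registry_ca`. A separate check that warns or fails when both are set would be stronger, and the flag's default is not visible here, so the effect on existing deployments cannot be judged from the diff. The first docker hunk and the podman hunks at `@@ -63,6 +63,7 @@` and `@@ -75,3 +76,4 @@` behave the same way, the latter with `podman_registry_insecure`. The task this condition belongs to starts above the hunk.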