From acfc4fd26acd007a72061adc97c9c62c06bab86b Mon Sep 17 00:00:00 2001
From: Kevin Tibi <kevintibi@hotmail.com>
Date: Wed, 13 Jun 2018 10:25:33 +0200
Subject: [PATCH] Option for enable SSL verification on docker registry

By default, kolla configures docker to use an insecure connection
with the private registry. To use SSL verification, we need
to add an option.

Change-Id: Id1805c9cfeb499da9bb56c70028f14c6f8bb20b6
---
 ansible/group_vars/all.yml                                  | 1 +
 ansible/roles/baremetal/templates/docker_systemd_service.j2 | 2 +-
 .../notes/docker_insecure_registry-857bfb9c760aa3bf.yaml    | 6 ++++++
 3 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/docker_insecure_registry-857bfb9c760aa3bf.yaml

diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 10b29c889b..581ecf0530 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -89,6 +89,7 @@ docker_registry_email:
 docker_registry:
 docker_namespace: "kolla"
 docker_registry_username:
+docker_registry_insecure: "{{ 'yes' if docker_registry else 'no' }}"
 
 # Valid options are [ never, on-failure, always, unless-stopped ]
 docker_restart_policy: "unless-stopped"
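Review bot: The default on the added `docker_registry_insecure` line evaluates to 'yes' whenever `docker_registry` is set, so certificate verification stays off unless the operator overrides it, and nothing in the file says so. A comment above the variable would make the opt-out visible, for example `# Set to "no" to have Docker verify the registry's TLS certificate; defaults to "yes" (no verification) when docker_registry is set.` The release note in this same patch words it as "enable the SSL verification ... Default value is true", which reads as the opposite of what 'yes' means here and could be aligned with the comment.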
diff --git a/ansible/roles/baremetal/templates/docker_systemd_service.j2 b/ansible/roles/baremetal/templates/docker_systemd_service.j2
index e9b89384c3..31b9ef5032 100644
--- a/ansible/roles/baremetal/templates/docker_systemd_service.j2
+++ b/ansible/roles/baremetal/templates/docker_systemd_service.j2
@@ -1,4 +1,4 @@
 [Service]
 MountFlags=shared
 ExecStart=
-ExecStart=/usr/bin/{{ docker_binary_name|default("docker daemon", true) }}{% if docker_registry %} --insecure-registry {{ docker_registry }}{% endif %}{% if docker_storage_driver %} --storage-driver {{ docker_storage_driver }}{% endif %}{% if docker_runtime_directory %} --graph {{ docker_runtime_directory }}{% endif %}{% if docker_custom_option %} {{ docker_custom_option }}{% endif %}
+ExecStart=/usr/bin/{{ docker_binary_name|default("docker daemon", true) }}{% if docker_registry_insecure | bool %} --insecure-registry {{ docker_registry }}{% endif %}{% if docker_storage_driver %} --storage-driver {{ docker_storage_driver }}{% endif %}{% if docker_runtime_directory %} --graph {{ docker_runtime_directory }}{% endif %}{% if docker_custom_option %} {{ docker_custom_option }}{% endif %}
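Review bot: The rewritten condition on the ExecStart line no longer checks `docker_registry`, so setting `docker_registry_insecure` to yes with no registry defined would render `--insecure-registry` with an empty value, and the daemon would likely take the next flag as the registry name. Keeping both tests avoids that: `{% if docker_registry and docker_registry_insecure | bool %}`. The default in all.yml ties the two variables together, but an explicit operator override does not.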
diff --git a/releasenotes/notes/docker_insecure_registry-857bfb9c760aa3bf.yaml b/releasenotes/notes/docker_insecure_registry-857bfb9c760aa3bf.yaml
new file mode 100644
index 0000000000..f65b7d4d52
--- /dev/null
+++ b/releasenotes/notes/docker_insecure_registry-857bfb9c760aa3bf.yaml
@@ -0,0 +1,6 @@
+---
+upgrade:
+  - |
+    Add option `docker_registry_insecure` to enable the SSL verification
+    for the docker registry. Default value is true when a private
+    registry is defined.