AGENT-1526: disable htpasswd auth on IRI registry, keep read-only

[andfasano]

- What I did
Temporary disabling of the IRI registry auth. To be re-enabled once https://redhat.atlassian.net/browse/AGENT-1393 will be fully completed

- How to verify it
openshift/release#79640 rehearsal must pass

Summary by CodeRabbit

• Bug Fixes

  • Registry service now relies on explicit HTTP/TLS configuration and readonly storage mode instead of local file-based HTTP basic auth, improving secure access behavior.

• Tests

  • Updated tests to expect and verify unauthenticated read access to the registry; removed prior basic-auth verification tests and added an end-to-end check that unauthenticated reads succeed.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@andfasano: This pull request references AGENT-1526 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

- What I did
Temporary disabling of the IRI registry auth. To be re-enabled once https://redhat.atlassian.net/browse/AGENT-1393 will be fully completed

- How to verify it
openshift/release#79640 rehearsal must pass

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[andfasano]

/test ?

[coderabbitai]

Walkthrough

The PR removes htpasswd-based config from the iri-registry systemd unit, adds HTTP/TLS and storage env vars to the ExecStart, and updates unit tests and e2e tests to verify unauthenticated registry reads (including a new curl-based unauthenticated read test).

Changes

Registry Service Authentication Configuration

Layer / File(s)	Summary
Registry service template and helper test pkg/controller/internalreleaseimage/templates/master/units/iri-registry.service.yaml, pkg/controller/internalreleaseimage/internalreleaseimage_helpers_test.go	Remove REGISTRY_AUTH_HTPASSWD_REALM and REGISTRY_AUTH_HTPASSWD_PATH from the iri-registry ExecStart; add REGISTRY_HTTP_ADDR, REGISTRY_HTTP_TLS_CERTIFICATE/REGISTRY_HTTP_TLS_KEY, and REGISTRY_STORAGE_MAINTENANCE_READONLY. Update the test to assert the htpasswd env vars are absent.
E2E tests: drop Basic Auth, ping unauthenticated registry, add curl test test/e2e-iri/iri_test.go	Remove encoding/base64 import and Basic Auth behavior; update TestIRIController_VerifyIRIRegistryOnAllTheMasterNodes_NoCert and TestIRIController_VerifyIRIRegistryOnApiInt_WithCert to ping /v2/ without credentials; add TestIRIRegistry_UnauthenticatedReadSucceeds which runs curl from a random master node and expects HTTP 200.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 14.29% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	⚠️ Warning	TestIRIRegistry_UnauthenticatedReadSucceeds missing skipIfNoBaremetal and skipIfOpenShiftCI that all other IRI registry tests include, causing test failures on non-baremetal platforms.	Add skipIfOpenShiftCI(t) and skipIfNoBaremetal(t) to TestIRIRegistry_UnauthenticatedReadSucceeds to match established patterns.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main changes: disabling htpasswd authentication on the IRI registry while keeping it read-only, which aligns with modifications across three files that remove auth credentials and update service configuration.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR uses standard Go testing framework, not Ginkgo. Custom check for Ginkgo test name stability is not applicable to this codebase.
Microshift Test Compatibility	✅ Passed	Custom check applies only to Ginkgo e2e tests. The new test TestIRIRegistry_UnauthenticatedReadSucceeds is a standard Go test (func TestXXX), not Ginkgo.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	TestIRIRegistry_UnauthenticatedReadSucceeds uses GetRandomNode("master") which works on SNO's single master node. It does not assume multiple masters or multi-node topology.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only systemd service config for IRI registry on control-plane nodes via MCD. No Kubernetes scheduling constraints (anti-affinity, topology spread, nodeSelector) are introduced.
Ote Binary Stdout Contract	✅ Passed	No OTE Binary Stdout Contract violations detected. All code changes are within test functions or configuration templates, with no module-level logging or stdout writes at process level.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	Custom check applies only to Ginkgo e2e tests (It(), Describe(), etc.), but PR modifies only standard Go testing.T tests, not Ginkgo tests.
No-Weak-Crypto	✅ Passed	No weak cryptography (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons detected. PR removes weak htpasswd auth.
Container-Privileges	✅ Passed	Pre-existing privilege escalations (-u 0, --net host) in iri-registry systemd service are not introduced by this PR, which only removes authentication args and adds TLS/HTTP config variables.
No-Sensitive-Data-In-Logs	✅ Passed	No sensitive data exposed in logs; PR removes htpasswd env vars and uses unauthenticated registry access without logging credentials.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[andfasano]

/test e2e-agent-compact-ipv4-iso-no-registry

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pkg/controller/internalreleaseimage/internalreleaseimage_helpers_test.go (1)

38-38: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Inconsistency: htpasswd file is verified but authentication is disabled.

The test verifies that the htpasswd file exists on disk (Line 38), but also verifies that the registry is not configured to use it (lines 31-32 confirm REGISTRY_AUTH_HTPASSWD_* environment variables are absent). This creates an inconsistent security posture: credentials are deployed but unused.

Consider whether the htpasswd file should:

1. Be removed entirely if authentication is truly disabled, or
2. Remain in place with a comment explaining it's for future re-enablement per AGENT-1393

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controller/internalreleaseimage/internalreleaseimage_helpers_test.go` at
line 38, The test is inconsistent: it asserts the htpasswd file via
verifyIgnitionFile(t, &ignCfg, "/etc/iri-registry/auth/htpasswd", "...") while
the environment vars REGISTRY_AUTH_HTPASSWD_* are intentionally absent; either
remove the htpasswd verification from the test (delete the verifyIgnitionFile
call) so the test reflects authentication-disabled state, or keep the
verification but add a clarifying comment referencing AGENT-1393 and ensure the
test also asserts that the registry config does not enable htpasswd auth (check
the code path that reads REGISTRY_AUTH_HTPASSWD_*); update the test near
verifyIgnitionFile and any related assertions to make the intended behavior
explicit.

🧹 Nitpick comments (1)

pkg/controller/internalreleaseimage/internalreleaseimage_helpers_test.go (1)

31-32: ⚡ Quick win

Consider adding positive assertions for TLS configuration.

While correctly verifying that htpasswd environment variables are absent, the test should also verify that the TLS configuration that replaced htpasswd authentication is present. Based on the service template, the registry now relies on TLS.

✅ Proposed additions to verify TLS configuration

 	assert.NotContains(t, *ignCfg.Systemd.Units[0].Contents, "REGISTRY_AUTH_HTPASSWD_REALM")
 	assert.NotContains(t, *ignCfg.Systemd.Units[0].Contents, "REGISTRY_AUTH_HTPASSWD_PATH")
+	assert.Contains(t, *ignCfg.Systemd.Units[0].Contents, "REGISTRY_HTTP_ADDR=0.0.0.0:22625")
+	assert.Contains(t, *ignCfg.Systemd.Units[0].Contents, "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/tls.crt")
+	assert.Contains(t, *ignCfg.Systemd.Units[0].Contents, "REGISTRY_HTTP_TLS_KEY=/certs/tls.key")

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controller/internalreleaseimage/internalreleaseimage_helpers_test.go`
around lines 31 - 32, Add positive assertions that the registry TLS environment
variables are present in the systemd unit content to complement the existing
NotContains checks for htpasswd; specifically, in the same test where
ignCfg.Systemd.Units[0].Contents is inspected, add assert.Contains checks for
the TLS keys (e.g., "REGISTRY_HTTP_TLS_CERTIFICATE" and "REGISTRY_HTTP_TLS_KEY")
against *ignCfg.Systemd.Units[0].Contents so the test verifies the switch from
htpasswd to TLS configuration.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@pkg/controller/internalreleaseimage/internalreleaseimage_helpers_test.go`:
- Line 38: The test is inconsistent: it asserts the htpasswd file via
verifyIgnitionFile(t, &ignCfg, "/etc/iri-registry/auth/htpasswd", "...") while
the environment vars REGISTRY_AUTH_HTPASSWD_* are intentionally absent; either
remove the htpasswd verification from the test (delete the verifyIgnitionFile
call) so the test reflects authentication-disabled state, or keep the
verification but add a clarifying comment referencing AGENT-1393 and ensure the
test also asserts that the registry config does not enable htpasswd auth (check
the code path that reads REGISTRY_AUTH_HTPASSWD_*); update the test near
verifyIgnitionFile and any related assertions to make the intended behavior
explicit.

---

Nitpick comments:
In `@pkg/controller/internalreleaseimage/internalreleaseimage_helpers_test.go`:
- Around line 31-32: Add positive assertions that the registry TLS environment
variables are present in the systemd unit content to complement the existing
NotContains checks for htpasswd; specifically, in the same test where
ignCfg.Systemd.Units[0].Contents is inspected, add assert.Contains checks for
the TLS keys (e.g., "REGISTRY_HTTP_TLS_CERTIFICATE" and "REGISTRY_HTTP_TLS_KEY")
against *ignCfg.Systemd.Units[0].Contents so the test verifies the switch from
htpasswd to TLS configuration.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c1f89fc0-8d60-4a01-8384-ce897f8958bc

📥 Commits

Reviewing files that changed from the base of the PR and between d72b715 and d374adc.

📒 Files selected for processing (2)

• pkg/controller/internalreleaseimage/internalreleaseimage_helpers_test.go
• pkg/controller/internalreleaseimage/templates/master/units/iri-registry.service.yaml

💤 Files with no reviewable changes (1)

• pkg/controller/internalreleaseimage/templates/master/units/iri-registry.service.yaml

[andfasano]

/test e2e-agent-compact-ipv4-iso-no-registry

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

test/e2e-iri/iri_test.go (1)

360-372: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

IPv6 URL construction will produce invalid URLs.

The URL construction on line 361 uses fmt.Sprintf("https://%s:%d/v2/", ipAddr, ...) which does not handle IPv6 addresses correctly. IPv6 addresses must be enclosed in brackets in URLs (e.g., https://[::1]:22625/v2/).

Use net.JoinHostPort() for proper IPv6 support:

🐛 Proposed fix for IPv6 compatibility

+import "net"
+
 func pingIRIRegistry(t *testing.T, client *http.Client, ipAddr string) {
-	iriRegistryUrl := fmt.Sprintf("https://%s:%d/v2/", ipAddr, ctrlcommon.IRIRegistryPort)
+	iriRegistryUrl := fmt.Sprintf("https://%s/v2/", net.JoinHostPort(ipAddr, fmt.Sprintf("%d", ctrlcommon.IRIRegistryPort)))
 
 	req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, iriRegistryUrl, nil)

As per coding guidelines: "verify IPv6 and disconnected network compatibility by checking for...URL construction without net.JoinHostPort() for IPv6"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-iri/iri_test.go` around lines 360 - 372, The URL built in
pingIRIRegistry currently uses fmt.Sprintf("https://%s:%d/v2/", ipAddr,
ctrlcommon.IRIRegistryPort) which breaks for IPv6; change construction to use
net.JoinHostPort(ipAddr, strconv.Itoa(ctrlcommon.IRIRegistryPort)) (or
equivalent) to produce a properly bracketed host:port, then prefix with
"https://" and append "/v2/" to form iriRegistryUrl; update imports as needed
and keep the rest of pingIRIRegistry (request creation, client.Do, and
assertions) unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e-iri/iri_test.go`:
- Around line 384-394: The new test TestIRIRegistry_UnauthenticatedReadSucceeds
is missing the baremetal guard and will fail on non-baremetal platforms; add a
call to skipIfNoBaremetal(t) at the start of that test (and if needed also
skipIfOpenShiftCI(t) to mirror other registry tests) so the test is skipped on
unsupported environments, ensuring behavior matches
TestIRIController_VerifyIRIRegistryOnAllTheMasterNodes_NoCert and
TestIRIController_VerifyIRIRegistryOnApiInt_WithCert.

---

Outside diff comments:
In `@test/e2e-iri/iri_test.go`:
- Around line 360-372: The URL built in pingIRIRegistry currently uses
fmt.Sprintf("https://%s:%d/v2/", ipAddr, ctrlcommon.IRIRegistryPort) which
breaks for IPv6; change construction to use net.JoinHostPort(ipAddr,
strconv.Itoa(ctrlcommon.IRIRegistryPort)) (or equivalent) to produce a properly
bracketed host:port, then prefix with "https://" and append "/v2/" to form
iriRegistryUrl; update imports as needed and keep the rest of pingIRIRegistry
(request creation, client.Do, and assertions) unchanged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 372c99f7-ec79-4c1f-9ca1-2c3e6375b68b

📥 Commits

Reviewing files that changed from the base of the PR and between d374adc and 5da9577.

📒 Files selected for processing (1)

• test/e2e-iri/iri_test.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Missing skipIfNoBaremetal(t) will cause test failures on non-baremetal platforms.

Every other IRI test in this file includes skipIfNoBaremetal(t) because the IRI registry is a baremetal-specific feature. This new test accesses the IRI registry but lacks this skip, so it will fail on non-baremetal platforms (e.g., AWS, GCP, vSphere).

Additionally, other registry connectivity tests (TestIRIController_VerifyIRIRegistryOnAllTheMasterNodes_NoCert, TestIRIController_VerifyIRIRegistryOnApiInt_WithCert) also use skipIfOpenShiftCI(t) due to proxy issues—consider whether this test has similar constraints.

🐛 Proposed fix to add skip conditions

 func TestIRIRegistry_UnauthenticatedReadSucceeds(t *testing.T) {
+	skipIfOpenShiftCI(t)
+	skipIfNoBaremetal(t)
+
 	cs := framework.NewClientSet("")
 
 	baseDomain := getBaseDomain(t, cs)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-iri/iri_test.go` around lines 384 - 394, The new test
TestIRIRegistry_UnauthenticatedReadSucceeds is missing the baremetal guard and
will fail on non-baremetal platforms; add a call to skipIfNoBaremetal(t) at the
start of that test (and if needed also skipIfOpenShiftCI(t) to mirror other
registry tests) so the test is skipped on unsupported environments, ensuring
behavior matches TestIRIController_VerifyIRIRegistryOnAllTheMasterNodes_NoCert
and TestIRIController_VerifyIRIRegistryOnApiInt_WithCert.

[pawanpinjarkar]

@andfasano Looks like a genuine suggestion. Will it really fail for none platfoem?

[coderabbitai]

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!

[andfasano]

Yes, but for the moment that was intended, since in the MCO repo we only have the default compact (baremetal) iso-no-registry job. We don't have any plan to add more kind of jobs here, but in case that part will need to be bumped (but definitely not as part of this PR)

[andfasano]

/test e2e-agent-compact-ipv4-iso-no-registry

[andfasano]

/verified by @andfasano

[openshift-ci-robot]

@andfasano: This PR has been marked as verified by @andfasano.

Details

In response to this:

/verified by @andfasano

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[bfournie]

/lgtm

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-upgrade
/test e2e-gcp-op-ocl-part1
/test e2e-gcp-op-ocl-part2
/test e2e-gcp-op-part1
/test e2e-gcp-op-part2
/test e2e-gcp-op-single-node
/test e2e-hypershift

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andfasano, bfournie

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• pkg/controller/internalreleaseimage/OWNERS [andfasano,bfournie]
• test/e2e-iri/OWNERS [andfasano,bfournie]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD d72b715 and 2 for PR HEAD 5da9577 in total

[mhanss]

/retest-required

[isabella-janssen]

/retest-required

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 26d41f7 and 1 for PR HEAD 5da9577 in total

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD bf66c0b and 0 for PR HEAD 5da9577 in total

[openshift-merge-bot]

/hold

Revision 5da9577 was retested 3 times: holding

[bfournie]

/unhold

[zaneb]

Tests are blocked by #6121

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD c13cdd8 and 2 for PR HEAD 5da9577 in total

[zaneb]

/retest-required

[andfasano]

/test e2e-gcp-op-ocl-part1

[openshift-ci]

@andfasano: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.