Merge branch 'main' into fix-deploy-metallb

.github/workflows/testing-pr.yml

@@ -51,7 +51,6 @@ jobs:
           RELEASE=${RELEASE} make pipe-image-ci
 
       - name: Build and Push UI Image
-        continue-on-error: true  # Workaround until the generation is fixed
         id: build-ui
         run: |
           cd ${{ github.workspace }}
@@ -121,6 +120,7 @@ jobs:
           echo "Git hash: ${{ github.sha }}"
           echo ">>>>"
 
+          BRANCH=${{ github.event.pull_request.head.ref }} make bootstrap
           RELEASE=${RELEASE} make build-edgecluster-compact
           RELEASE=${RELEASE} make deploy-pipe-edgecluster-compact-ci
 

.pre-commit-config.yaml

@@ -14,7 +14,7 @@ repos:
   - files: \.(css|js|md|markdown|json)
     id: prettier
   repo: https://github.com/pre-commit/mirrors-prettier
-  rev: v2.7.0
+  rev: v2.7.1
 - hooks:
   - id: seed-isort-config
   repo: https://github.com/asottile/seed-isort-config

Makefile

@@ -193,10 +193,10 @@ clean-ci:
 	kcli delete vm -y $(EDGE_NAME)-m0 $(EDGE_NAME)-m1 $(EDGE_NAME)-m2 $(EDGE_NAME)-w0; \
 	list=$$(tkn pr ls -n edgecluster-deployer |grep -i running | cut -d' ' -f1); \
 	for i in ${list}; do tkn pr cancel $${i} -n edgecluster-deployer; done; \
-	oc delete --ignore-not-found=true managedcluster $(EDGE_NAME); \
 	list=$$($ oc get bmh -n $(EDGE_NAME) --no-headers|awk '{print $$1}'); \
 	for i in $${list}; do oc patch -n $(EDGE_NAME) bmh $${i} --type json -p '[ { "op": "remove", "path": "/metadata/finalizers" } ]'; done; \
 	list=$$(oc get secret -n $(EDGE_NAME) --no-headers |grep bmc|awk '{print $$1}'); \
 	for i in $${list}; do oc patch -n $(EDGE_NAME) secret $${i} --type json -p '[ { "op": "remove", "path": "/metadata/finalizers" } ]'; done; \
+	oc delete --ignore-not-found=true managedcluster $(EDGE_NAME); \
 	oc delete --ignore-not-found=true ns $(EDGE_NAME); \
 	oc rollout restart -n openshift-machine-api deployment/metal3;

deploy-disconnected-registry/common.sh

@@ -75,16 +75,22 @@ function trust_internal_registry() {
         MYREGISTRY=$(oc --kubeconfig=${KBKNFG} get route -n ztpfw-registry ztpfw-registry-quay -o jsonpath='{.spec.host}')
     fi
 
+    export PATH_CA_CERT="/etc/pki/ca-trust/source/anchors/internal-registry-${clus}.crt"
     echo ">>>> Trusting internal registry: ${1}"
     echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
     echo ">> Kubeconfig: ${KBKNFG}"
     echo ">> Mode: ${1}"
     echo ">> Cluster: ${clus}"
-    ## Update trusted CA from Helper
-    #TODO after sync pull secret global because crictl can't use flags and uses the generic with https://access.redhat.com/solutions/4902871
-    export CA_CERT_DATA=$(oc --kubeconfig=${KBKNFG} get secret -n openshift-ingress router-certs-default -o go-template='{{index .data "tls.crt"}}')
-    export PATH_CA_CERT="/etc/pki/ca-trust/source/anchors/internal-registry-${clus}.crt"
-    echo ">> Cert: ${PATH_CA_CERT}"
+
+    if [[ ${CUSTOM_REGISTRY} == "false" ]]; then
+        ## Update trusted CA from Helper
+        #TODO after sync pull secret global because crictl can't use flags and uses the generic with https://access.redhat.com/solutions/4902871
+        export CA_CERT_DATA=$(oc --kubeconfig=${KBKNFG} get secret -n openshift-ingress router-certs-default -o go-template='{{index .data "tls.crt"}}')
+        echo ">> Cert: ${PATH_CA_CERT}"
+    else
+        export CA_CERT_DATA=$(openssl s_client -connect ${LOCAL_REG} -showcerts </dev/null | openssl x509 | base64 | tr -d '\n')
+        MYREGISTRY=${LOCAL_REG}
+    fi
 
     ## Update trusted CA from Helper
     echo "${CA_CERT_DATA}" | base64 -d >"${PATH_CA_CERT}"
@@ -116,7 +122,6 @@ source ${WORKDIR}/shared-utils/common.sh
 
 echo ">>>> Get the pull secret from hub to file pull-secret"
 echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
-export REGISTRY=ztpfw-registry
 export AUTH_SECRET=../${SHARED_DIR}/htpasswd
 export REGISTRY_MANIFESTS=manifests
 export QUAY_MANIFESTS=quay-manifests
@@ -139,7 +144,11 @@ if [[ ${1} == "hub" ]]; then
     export SOURCE_REGISTRY="quay.io"
     export SOURCE_INDEX="registry.redhat.io/redhat/redhat-operator-index:v${OC_OCP_VERSION_MIN}"
     export CERTIFIED_SOURCE_INDEX="registry.redhat.io/redhat/certified-operator-index:v${OC_OCP_VERSION_MIN}"
-    export DESTINATION_REGISTRY="$(oc --kubeconfig=${KUBECONFIG_HUB} get route -n ${REGISTRY} ${REGISTRY} -o jsonpath={'.status.ingress[0].host'})"
+    if [[ ${CUSTOM_REGISTRY} == "false" ]]; then
+        export DESTINATION_REGISTRY="$(oc --kubeconfig=${KUBECONFIG_HUB} get route -n ${REGISTRY} ${REGISTRY} -o jsonpath={'.status.ingress[0].host'})"
+    else
+        export DESTINATION_REGISTRY=${LOCAL_REG}
+    fi
     # OLM
     ## NS where the OLM images will be mirrored
     export OLM_DESTINATION_REGISTRY_IMAGE_NS=olm

deploy-disconnected-registry/deploy.sh

@@ -38,48 +38,6 @@ function extract_kubeconfig() {
     oc --kubeconfig=${KUBECONFIG_HUB} get secret -n $edgecluster $edgecluster-admin-kubeconfig -o jsonpath='{.data.kubeconfig}' | base64 -d >${EDGE_KUBECONFIG}
 }
 
-function side_evict_error() {
-
-    KUBEC=${1}
-    echo ">> Looking for eviction errors"
-    status='SchedulingDisabled'
-
-    conflicting_node="$(oc --kubeconfig=${KUBEC} get node --no-headers | grep ${status} | cut -f1 -d\ )"
-
-    if [[ -z ${conflicting_node} ]]; then
-        echo "No masters on ${status}"
-    else
-        conflicting_daemon_pod=$(oc --kubeconfig=${KUBEC} get pod -n openshift-machine-config-operator -o wide --no-headers | grep daemon | grep ${conflicting_node} | cut -f1 -d\ )
-
-        # Check if conflicting_daemon_pod is not empty
-        if [[ -z ${conflicting_daemon_pod} ]]; then
-            echo "No conflicting daemon pod exists in ${conflicting_node}"
-        else
-            pattern_1="$(oc --kubeconfig=${KUBEC} logs -n openshift-machine-config-operator ${conflicting_daemon_pod} -c machine-config-daemon | grep drain.go | grep evicting | tail -1 | grep pods)"
-            pattern_2="$(oc --kubeconfig=${KUBEC} logs -n openshift-machine-config-operator ${conflicting_daemon_pod} -c machine-config-daemon | grep drain.go | grep "Draining failed" | tail -1 | grep pod)"
-
-            for log_entry in "${pattern_1}" "${pattern_2}"; do
-                if [[ -z ${log_entry} ]]; then
-                    echo "No Conflicting LogEntry on ${conflicting_daemon_pod}"
-                else
-                    echo ">> Conflicting LogEntry Found!!"
-                    pod=$(echo ${log_entry##*pods/} | cut -d\" -f2)
-                    conflicting_ns=$(oc --kubeconfig=${KUBEC} get pod -A | grep ${pod} | cut -f1 -d\ )
-
-                    echo ">> Clean Eviction triggered info: "
-                    echo NODE: ${conflicting_node}
-                    echo DAEMON: ${conflicting_daemon_pod}
-                    echo NS: ${conflicting_ns}
-                    echo LOG: ${log_entry}
-                    echo POD: ${pod}
-
-                    oc --kubeconfig=${KUBEC} delete pod -n ${conflicting_ns} ${pod} --force --grace-period=0
-                fi
-            done
-        fi
-    fi
-}
-
 function check_mcp() {
 
     echo Mode: ${1}
@@ -239,16 +197,30 @@ function deploy_registry() {
 
 }
 
+function custom_registry() {
+    trust_internal_registry 'hub'
+    check_mcp 'hub'
+    render_file manifests/machine-config-certs-worker.yaml 'hub'
+    render_file manifests/machine-config-certs-master.yaml 'hub'
+    check_resource "mcp" "master" "Updated" "default" "${KUBECONFIG_HUB}"
+
+}
+
 if [[ ${1} == 'hub' ]]; then
+
     if ! ./verify.sh 'hub'; then
-        deploy_registry 'hub'
-        trust_internal_registry 'hub'
-        check_resource "deployment" "${REGISTRY}" "Available" "${REGISTRY}" "${KUBECONFIG_HUB}"
-        check_mcp 'hub'
-        render_file manifests/machine-config-certs-master.yaml 'hub'
-        render_file manifests/machine-config-certs-worker.yaml 'hub'
-        check_resource "mcp" "master" "Updated" "default" "${KUBECONFIG_HUB}"
-        check_resource "deployment" "${REGISTRY}" "Available" "${REGISTRY}" "${KUBECONFIG_HUB}"
+        if [[ ${CUSTOM_REGISTRY} == "false" ]]; then
+            deploy_registry 'hub'
+            trust_internal_registry 'hub'
+            check_resource "deployment" "${REGISTRY}" "Available" "${REGISTRY}" "${KUBECONFIG_HUB}"
+            check_mcp 'hub'
+            render_file manifests/machine-config-certs-worker.yaml 'hub'
+            render_file manifests/machine-config-certs-master.yaml 'hub'
+            check_resource "mcp" "master" "Updated" "default" "${KUBECONFIG_HUB}"
+            check_resource "deployment" "${REGISTRY}" "Available" "${REGISTRY}" "${KUBECONFIG_HUB}"
+        else
+            custom_registry 'hub'
+        fi
     else
         echo ">>>> This step to deploy registry on Hub is not neccesary, everything looks ready"
     fi

deploy-disconnected-registry/ocp-sync.sh

@@ -42,10 +42,15 @@ function mirror_ocp() {
     echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
     echo
 
-    ####### WORKAROUND: Newer versions of podman/buildah try to set overlayfs mount options when
-    ####### using the vfs driver, and this causes errors.
-    export STORAGE_DRIVER=vfs
-    sed -i '/^mountopt =.*/d' /etc/containers/storage.conf
+    if [[ ${CUSTOM_REGISTRY} == "true" ]]; then
+        echo "Checking Private registry creds"
+        if [[ ! $(podman login ${LOCAL_REG} --authfile ${PULL_SECRET}) ]]; then
+            echo "ERROR: Failed to login to ${LOCAL_REG}, please check Pull Secret"
+            exit 1
+        else
+            echo "Login successfully to ${LOCAL_REG}"
+        fi
+    fi
     #######
 
     # Empty log file
@@ -82,10 +87,13 @@ if [[ ${1} == 'hub' ]]; then
     trust_internal_registry 'hub'
 
     if ! ./verify_ocp_sync.sh 'hub'; then
-        oc create namespace ${REGISTRY} -o yaml --dry-run=client | oc apply -f -
 
-        export REGISTRY_NAME="$(oc get route -n ${REGISTRY} ${REGISTRY} -o jsonpath={'.status.ingress[0].host'})"
-        ${PODMAN_LOGIN_CMD} ${DESTINATION_REGISTRY} -u ${REG_US} -p ${REG_PASS} --authfile=${PULL_SECRET} # to create a merge with the registry original adding the registry auth entry
+        if [[ ${CUSTOM_REGISTRY} == "false" ]]; then
+            oc create namespace ${REGISTRY} -o yaml --dry-run=client | oc apply -f -
+            # TODO: commented out the next line seems not needed
+            # export REGISTRY_NAME="$(oc get route -n ${REGISTRY} ${REGISTRY} -o jsonpath={'.status.ingress[0].host'})"
+        fi
+        registry_login ${DESTINATION_REGISTRY}
         mirror_ocp 'hub' 'hub'
     else
         echo ">>>> This step to mirror ocp is not neccesary, everything looks ready: ${1}"

deploy-disconnected-registry/olm-sync.sh

@@ -41,10 +41,14 @@ function prepare_env() {
 
 function check_registry() {
     REG=${1}
+    if [[ ${CUSTOM_REGISTRY} == "true" ]]; then
+        COMMAND=""
+    else
+        COMMAND="--username ${REG_US} --password ${REG_PASS}"
+    fi
 
     for a in {1..30}; do
-        skopeo login ${REG} --authfile=${PULL_SECRET} --username ${REG_US} --password ${REG_PASS}
-        if [[ $? -eq 0 ]]; then
+        if [[ $(skopeo login ${REG} --authfile=${PULL_SECRET} ${COMMAND}) ]]; then
             echo "Registry: ${REG} available"
             break
         fi
@@ -67,11 +71,9 @@ function mirror() {
     fi
 
     echo ">>>> Podman Login into Source Registry: ${SOURCE_REGISTRY}"
-    ${PODMAN_LOGIN_CMD} ${SOURCE_REGISTRY} -u ${REG_US} -p ${REG_PASS} --authfile=${PULL_SECRET}
-    ${PODMAN_LOGIN_CMD} ${SOURCE_REGISTRY} -u ${REG_US} -p ${REG_PASS}
+    registry_login ${SOURCE_REGISTRY}
     echo ">>>> Podman Login into Destination Registry: ${DESTINATION_REGISTRY}"
-    ${PODMAN_LOGIN_CMD} ${DESTINATION_REGISTRY} -u ${REG_US} -p ${REG_PASS} --authfile=${PULL_SECRET}
-    ${PODMAN_LOGIN_CMD} ${DESTINATION_REGISTRY} -u ${REG_US} -p ${REG_PASS}
+    registry_login ${DESTINATION_REGISTRY}
 
     if [ ! -f ~/.docker/config.json ]; then
         echo "INFO: missing ~/.docker/config.json config"
@@ -256,11 +258,9 @@ function mirror_certified() {
     fi
 
     echo ">>>> Podman Login into Source Registry: ${SOURCE_REGISTRY}"
-    ${PODMAN_LOGIN_CMD} ${SOURCE_REGISTRY} -u ${REG_US} -p ${REG_PASS} --authfile=${PULL_SECRET}
-    ${PODMAN_LOGIN_CMD} ${SOURCE_REGISTRY} -u ${REG_US} -p ${REG_PASS}
+    registry_login ${SOURCE_REGISTRY}
     echo ">>>> Podman Login into Destination Registry: ${DESTINATION_REGISTRY}"
-    ${PODMAN_LOGIN_CMD} ${DESTINATION_REGISTRY} -u ${REG_US} -p ${REG_PASS} --authfile=${PULL_SECRET}
-    ${PODMAN_LOGIN_CMD} ${DESTINATION_REGISTRY} -u ${REG_US} -p ${REG_PASS}
+    registry_login ${DESTINATION_REGISTRY}
 
     if [ ! -f ~/.docker/config.json ]; then
         echo "INFO: missing ~/.docker/config.json config"

deploy-disconnected-registry/update-global-pullsecret.sh

@@ -42,7 +42,7 @@ function prepare_env() {
 if [[ ${1} == 'hub' ]]; then
 
     prepare_env 'hub'
-    ${PODMAN_LOGIN_CMD} ${DESTINATION_REGISTRY} -u ${REG_US} -p ${REG_PASS} --authfile=${PULL_SECRET}
+    registry_login ${DESTINATION_REGISTRY}
     oc --kubeconfig=${KUBECONFIG_HUB} set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=${PULL_SECRET}
 
 elif [[ ${1} == "edgecluster" ]]; then

deploy-disconnected-registry/verify.sh

@@ -19,13 +19,18 @@ elif [[ ${1} == 'edgecluster' ]]; then
     TG_KUBECONFIG=${EDGE_KUBECONFIG}
 fi
 
-if [[ $(oc --kubeconfig=${TG_KUBECONFIG} get ns | grep ${REGISTRY} | wc -l) -eq 0 || $(oc --kubeconfig=${TG_KUBECONFIG} get -n ztpfw-registry deployment ztpfw-registry -ojsonpath='{.status.availableReplicas}') -eq 0 ]]; then
-    #namespace or resources does not exist. Launching the step to create it...
-    exit 1
-fi
+if [[ ${CUSTOM_REGISTRY} == "false" ]]; then
+    if [[ $(oc --kubeconfig=${TG_KUBECONFIG} get ns | grep ${REGISTRY} | wc -l) -eq 0 || $(oc --kubeconfig=${TG_KUBECONFIG} get -n ztpfw-registry deployment ztpfw-registry -ojsonpath='{.status.availableReplicas}') -eq 0 ]]; then
+        #namespace or resources does not exist. Launching the step to create it...
+        exit 1
+    fi
 
-if [[ $(oc get --kubeconfig=${TG_KUBECONFIG} route -n ${REGISTRY} --no-headers | wc -l) -lt 1 ]]; then
-    exit 2
+    if [[ $(oc get --kubeconfig=${TG_KUBECONFIG} route -n ${REGISTRY} --no-headers | wc -l) -lt 1 ]]; then
+        exit 2
+    fi
+else
+    # Running with  Custom registry
+    exit 10
 fi
 
 exit 0

deploy-disconnected-registry/verify_ocp_sync.sh

@@ -19,8 +19,7 @@ elif [[ ${1} == 'edgecluster' ]]; then
     TARGET_KUBECONFIG=${EDGE_KUBECONFIG}
 fi
 
-echo "Logging into ${DESTINATION_REGISTRY}"
-${PODMAN_LOGIN_CMD} ${DESTINATION_REGISTRY} -u ${REG_US} -p ${REG_PASS} --authfile=${PULL_SECRET}                                                                                                         # to create a merge with the registry original adding the registry auth entry
+registry_login ${DESTINATION_REGISTRY}
 if [[ $(oc --kubeconfig=${TARGET_KUBECONFIG} adm release info "${DESTINATION_REGISTRY}"/"${OCP_DESTINATION_REGISTRY_IMAGE_NS}":"${OC_OCP_TAG}" --registry-config="${PULL_SECRET}" | wc -l) -gt 1 ]]; then ## line 1 == error line. If found image should show more information (>1 line)
     #Everyting is ready
     exit 0

deploy-disconnected-registry/verify_olm_sync.sh

@@ -41,7 +41,7 @@ elif [[ ${1} == 'edgecluster' ]]; then
 fi
 
 echo ">>>> Verifying OLM Sync: ${1}"
-${PODMAN_LOGIN_CMD} ${DESTINATION_REGISTRY} -u ${REG_US} -p ${REG_PASS} --authfile=${PULL_SECRET}
+registry_login ${DESTINATION_REGISTRY}
 for packagemanifest in $(oc --kubeconfig=${TGT_KUBECONFIG} get packagemanifest -n openshift-marketplace -o name ${PACKAGES_FORMATED}); do
     for package in $(oc --kubeconfig=${TGT_KUBECONFIG} get ${packagemanifest} -o jsonpath='{.status.channels[*].currentCSVDesc.relatedImages}' | sed "s/ /\n/g" | tr -d '[],' | sed 's/"/ /g'); do
         echo "Verify Package: ${package}"
@@ -51,7 +51,7 @@ for packagemanifest in $(oc --kubeconfig=${TGT_KUBECONFIG} get packagemanifest -
 done
 
 echo ">>>> Verifying Certified OLM Sync: ${1}"
-${PODMAN_LOGIN_CMD} ${DESTINATION_REGISTRY} -u ${REG_US} -p ${REG_PASS} --authfile=${PULL_SECRET}
+registry_login ${DESTINATION_REGISTRY}
 for packagemanifest in $(oc --kubeconfig=${TGT_KUBECONFIG} get packagemanifest -n openshift-marketplace -o name ${CERTIFIED_PACKAGES_FORMATED}); do
     for package in $(oc --kubeconfig=${TGT_KUBECONFIG} get ${packagemanifest} -o jsonpath='{.status.channels[*].currentCSVDesc.relatedImages}' | sed "s/ /\n/g" | tr -d '[],' | sed 's/"/ /g'); do
         echo "Verify Package: ${package}"

deploy-edgecluster/configure_disconnected.sh

@@ -170,44 +170,11 @@ function icsp_maker() {
         RAW_SRC=${entry%%=*}
         RAW_DST=${entry##*=}
         SRC_IMG="${RAW_SRC%%@*}"
-        DST_IMG="${RAW_DST%%:*}"
+        DST_IMG="${RAW_DST}"
         add_icsp_entry ${SRC_IMG} ${DST_IMG}
     done <${MAP_FILE}
 }
 
-function side_evict_error() {
-
-    KUBEC=${1}
-    echo ">> Looking for eviction errors"
-    pattern='SchedulingDisabled'
-
-    conflicting_node="$(oc --kubeconfig=${KUBEC} get node --no-headers | grep ${pattern} | cut -f1 -d\ )"
-
-    if [[ -z ${conflicting_node} ]]; then
-        echo "No masters on ${pattern}"
-    else
-        conflicting_daemon_pod=$(oc --kubeconfig=${KUBEC} get pod -n openshift-machine-config-operator -o wide --no-headers | grep daemon | grep ${conflicting_node} | cut -f1 -d\ )
-        log_entry="$(oc --kubeconfig=${KUBEC} logs -n openshift-machine-config-operator ${conflicting_daemon_pod} -c machine-config-daemon | grep drain.go | grep evicting | tail -1 | grep pods)"
-
-        if [[ -z ${log_entry} ]]; then
-            echo "No Conflicting LogEntry on ${conflicting_daemon_pod}"
-        else
-            echo ">> Conflicting LogEntry Found!!"
-            pod=$(echo ${log_entry##*pods/} | cut -d\" -f2)
-            conflicting_ns=$(oc --kubeconfig=${KUBEC} get pod -A | grep ${pod} | cut -f1 -d\ )
-
-            echo ">> Clean Eviction triggered info: "
-            echo NODE: ${conflicting_node}
-            echo DAEMON: ${conflicting_daemon_pod}
-            echo NS: ${conflicting_ns}
-            echo LOG: ${log_entry}
-            echo POD: ${pod}
-
-            oc --kubeconfig=${KUBEC} delete pod -n ${conflicting_ns} ${pod}
-        fi
-    fi
-}
-
 function wait_for_mcp_ready() {
     # This function waits for the MCP to be ready
     # It will wait for the MCP to be ready for the given number of seconds

deploy-hub-configs/deploy.sh

@@ -22,12 +22,21 @@ if ./verify.sh; then
     sed -i "s/HTTPD_SERVICE/${HTTPSERVICE}/g" 04-agent-service-config.yml
     pull=$(oc get secret -n openshift-config pull-secret -ojsonpath='{.data.\.dockerconfigjson}' | base64 -d | jq -c)
     echo -n "  .dockerconfigjson: "\'$pull\' >>05-pullsecrethub.yml
-    REGISTRY=ztpfw-registry
-    LOCAL_REG="$(oc get route -n ${REGISTRY} ${REGISTRY} -o jsonpath={'.status.ingress[0].host'})" #TODO change it to use the global common variable importing here the source commons
+    if [[ ${CUSTOM_REGISTRY} == "false" ]]; then
+        REGISTRY=ztpfw-registry
+        LOCAL_REG="$(oc get route -n ${REGISTRY} ${REGISTRY} -o jsonpath={'.status.ingress[0].host'})" #TODO change it to use the global common variable importing here the source commons
+    fi
     sed -i "s/CHANGEDOMAIN/${LOCAL_REG}/g" registryconf.txt
-    CABUNDLE=$(oc get cm -n openshift-image-registry kube-root-ca.crt --template='{{index .data "ca.crt"}}')
-    echo "  ca-bundle.crt: |" >>01_Mirror_ConfigMap.yml
-    echo -n "${CABUNDLE}" | sed "s/^/    /" >>01_Mirror_ConfigMap.yml
+    if [[ ${CUSTOM_REGISTRY} == "true" ]]; then
+        export CA_CERT_DATA=$(openssl s_client -connect ${LOCAL_REG} -showcerts </dev/null | openssl x509)
+        echo "" >>01_Mirror_ConfigMap.yml
+        echo "  ca-bundle.crt: |" >>01_Mirror_ConfigMap.yml
+        echo -n "${CA_CERT_DATA}" | sed "s/^/    /" >>01_Mirror_ConfigMap.yml
+    else
+        CABUNDLE=$(oc get cm -n openshift-image-registry kube-root-ca.crt --template='{{index .data "ca.crt"}}')
+        echo "  ca-bundle.crt: |" >>01_Mirror_ConfigMap.yml
+        echo -n "${CABUNDLE}" | sed "s/^/    /" >>01_Mirror_ConfigMap.yml
+    fi
     echo "" >>01_Mirror_ConfigMap.yml
     cat registryconf.txt >>01_Mirror_ConfigMap.yml
     NEWTAG=${LOCAL_REG}/ocp4/openshift4:${OC_OCP_TAG}