fix: Configure bastion registry as insecure for HTTP access

- Add registries.conf.d/bastion-registry.conf to mark 10.0.1.4:5000 and localhost:5000 as insecure
- Allows oc-mirror and podman to use HTTP registry without TLS
- Fixes "http: server gave HTTP response to HTTPS client" error

Author: butler54

charts/coco-supported/hello-openshift-2/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+description: Deploys a 'hello openshift' pod 3 times, twice with different coco configurations and once as a standard pod
+keywords:
+- pattern
+name: hello-openshift
+version: 0.0.1

charts/coco-supported/hello-openshift-2/insecure-policy.rego

@@ -0,0 +1,38 @@
+package agent_policy
+
+default AddARPNeighborsRequest := true
+default AddSwapRequest := true
+default CloseStdinRequest := true
+default CopyFileRequest := true
+default CreateContainerRequest := true
+default CreateSandboxRequest := true
+default DestroySandboxRequest := true
+default ExecProcessRequest := true
+default GetMetricsRequest := true
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default ListInterfacesRequest := true
+default ListRoutesRequest := true
+default MemHotplugByProbeRequest := true
+default OnlineCPUMemRequest := true
+default PauseContainerRequest := true
+default PullImageRequest := true
+default ReadStreamRequest := true
+default RemoveContainerRequest := true
+default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := true
+default ResumeContainerRequest := true
+default SetGuestDateTimeRequest := true
+default SetPolicyRequest := true
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StartTracingRequest := true
+default StatsContainerRequest := true
+default StopTracingRequest := true
+default TtyWinResizeRequest := true
+default UpdateContainerRequest := true
+default UpdateEphemeralMountsRequest := true
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+default WriteStreamRequest := true

charts/coco-supported/hello-openshift-2/templates/insecure-policy-pod.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insecure-policy
+  labels:
+    app: insecure-policy
+  annotations:
+    io.katacontainers.config.agent.policy: '{{ tpl ( .Files.Get "insecure-policy.rego") . | b64enc }}'
+spec:
+  runtimeClassName: kata-remote
+  containers:
+    - name: hello-openshift
+      image: quay.io/openshift/origin-hello-openshift
+      ports:
+        - containerPort: 8888
+      securityContext:
+        privileged: false
+        allowPrivilegeEscalation: false
+        runAsNonRoot: true
+        runAsUser: 1001
+        capabilities:
+          drop:
+            - ALL
+        seccompProfile:
+          type: RuntimeDefault
+
+---

charts/coco-supported/hello-openshift-2/templates/insecure-policy-route.yaml

@@ -0,0 +1,12 @@
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  name: insecure-policy
+spec:
+  port:
+    targetPort: 8888
+  to:
+    kind: Service
+    name: standard
+    weight: 100
+  wildcardPolicy: None

charts/coco-supported/hello-openshift-2/templates/insecure-policy-svc.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: insecure-policy
+spec:
+  ports:
+  - name: 8888-tcp
+    port: 8888
+    protocol: TCP
+    targetPort: 8888
+  selector:
+    app: insecure-policy
+  sessionAffinity: None
+  type: ClusterIP

charts/coco-supported/hello-openshift-2/templates/secure-pod.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: secure
+  labels:
+    app: secure
+  annotations:
+    peerpods: "true"
+spec:
+  runtimeClassName: kata-remote
+  containers:
+    - name: hello-openshift
+      image: quay.io/openshift/origin-hello-openshift
+      ports:
+        - containerPort: 8888
+      securityContext:
+        privileged: false
+        allowPrivilegeEscalation: false
+        runAsNonRoot: true
+        runAsUser: 1001
+        capabilities:
+          drop:
+            - ALL
+        seccompProfile:
+          type: RuntimeDefault
+

charts/coco-supported/hello-openshift-2/templates/secure-route.yaml

@@ -0,0 +1,12 @@
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  name: secure
+spec:
+  port:
+    targetPort: 8888
+  to:
+    kind: Service
+    name: secure
+    weight: 100
+  wildcardPolicy: None

charts/coco-supported/hello-openshift-2/templates/secure-svc.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: secure
+spec:
+  ports:
+  - name: 8888-tcp
+    port: 8888
+    protocol: TCP
+    targetPort: 8888
+  selector:
+    app: secure
+  sessionAffinity: None
+  type: ClusterIP

charts/coco-supported/hello-openshift-2/templates/standard-pod.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: standard
+  labels:
+    app: standard
+spec:
+  runtimeClassName: {{ .Values.global.runtimeClass }}
+  containers:
+    - name: hello-openshift
+      image: quay.io/openshift/origin-hello-openshift
+      ports:
+        - containerPort: 8888
+      securityContext:
+        privileged: false
+        allowPrivilegeEscalation: false
+        runAsNonRoot: true
+        runAsUser: 1001
+        capabilities:
+          drop:
+            - ALL
+        seccompProfile:
+          type: RuntimeDefault

charts/coco-supported/hello-openshift-2/templates/standard-route.yaml

@@ -0,0 +1,12 @@
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  name: standard
+spec:
+  port:
+    targetPort: 8888
+  to:
+    kind: Service
+    name: standard
+    weight: 100
+  wildcardPolicy: None