[kots]: add firewall check for the pull registry

Simon Emms · roboquat · commit 2946c9f52809 · 2022-07-05T22:44:52.000+05:30
diff --git a/install/kots/manifests/kots-preflight.yaml b/install/kots/manifests/kots-preflight.yaml
@@ -44,6 +44,32 @@ spec:
           - '{{repl ConfigOption "store_s3_access_key_id" }}' # S3_ACCESS_KEY_ID
           - '{{repl ConfigOption "store_s3_secret_access_key" }}' # S3_SECRET_ACCESS_KEY
           - '{{repl ConfigOption "store_s3_bucket" }}' # S3_BUCKET_NAME
+    - run:
+        # Check that the pull registry is accessible from the cluster
+        collectorName: ping-registry
+        image: alpine/curl
+        name: ping-registry
+        command:
+          - /bin/sh
+          - -c
+        args:
+          - |
+            CONNECTION="error"
+
+            if [ '{{repl HasLocalRegistry }}' = "true" ];
+            then
+              # Don't test for airgapped
+              CONNECTION="ok"
+            else
+              URL="https://eu.gcr.io/v2/"
+              echo "ping ${URL}"
+              if curl --silent --max-time 5 "${URL}" > /dev/null;
+              then
+                CONNECTION="ok"
+              fi
+            fi
+
+            echo "connection: ${CONNECTION}"
   analyzers:
     - clusterVersion:
         outcomes:
@@ -206,3 +232,13 @@ spec:
               message: Object storage connection is valid
           - fail:
               message: Object storage connection is invalid. Please check your settings and that the resource is accessible from your cluster
+    - textAnalyze:
+        checkName: Pull registry is accessible from cluster
+        fileName: ping-registry/ping-registry.log
+        regexGroups: 'connection: (?P<Connection>\w+)'
+        outcomes:
+          - pass:
+              when: "Connection == ok"
+              message: Registry is accessible
+          - fail:
+              message: Registry is inaccessible. Please check your network and firewall settings
diff --git a/install/kots/manifests/kots-support-bundle.yaml b/install/kots/manifests/kots-support-bundle.yaml
@@ -35,6 +35,31 @@ spec:
           - '{{repl ConfigOption "store_s3_access_key_id" }}' # S3_ACCESS_KEY_ID
           - '{{repl ConfigOption "store_s3_secret_access_key" }}' # S3_SECRET_ACCESS_KEY
           - '{{repl ConfigOption "store_s3_bucket" }}' # S3_BUCKET_NAME
+    - run:
+        collectorName: ping-registry
+        image: alpine/curl
+        name: ping-registry
+        command:
+          - /bin/sh
+          - -c
+        args:
+          - |
+            CONNECTION="error"
+
+            if [ '{{repl HasLocalRegistry }}' = "true" ];
+            then
+              # Don't test for airgapped
+              CONNECTION="ok"
+            else
+              URL="https://eu.gcr.io/v2/"
+              echo "ping ${URL}"
+              if curl --silent --max-time 5 "${URL}" > /dev/null;
+              then
+                CONNECTION="ok"
+              fi
+            fi
+
+            echo "connection: ${CONNECTION}"
     - clusterInfo: {}
     - clusterResources: {}
     - logs:
