Fix support for insecure registry #169

Merged

guilhermebr (Contributor) commented May 4, 2018

fixes #168

dlorenc (Collaborator) commented May 7, 2018

What's left on this?

guilhermebr changed the title from "Fix support for insecure registry" to "[WIP] Fix support for insecure registry" on May 7, 2018

guilhermebr (Contributor Author) commented May 7, 2018

This PR needs google/go-containerregistry#125

dlorenc (Collaborator) commented Jun 4, 2018

@guilhermebr are you still planning on fixing this?

guilhermebr (Contributor Author) commented

@dlorenc Yes, I will be back this week to solve this! Sorry for the delay.

StephenLiuYa commented

I'm looking forward to this.

shashankkoppar commented

Is there any progress on this one?

asvasyanin commented

Any updates?

guilhermebr (Contributor Author) commented

Waiting for google/go-containerregistry#125

diclophis commented

You can install your own set of root-certificates and volume map them into the kaniko deployment as a possible alternative to using HTTP or ignoring bad SSL...

```yaml
---
apiVersion: v1
kind: Pod
metadata:
  name: kaniko-build
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
spec:
  containers:
  - image: gcr.io/kaniko-project/executor:latest
    imagePullPolicy: IfNotPresent
    name: kaniko-build
    args: [...]
    volumeMounts:
    - mountPath: /kaniko/ssl/certs
      name: ca-certificates
  restartPolicy: Never
  volumes:
  - configMap:
      name: ca-certificates
    name: ca-certificates
...
```

I extract my CA authorities from a known good source, and then build the configmap mentioned above:

```
kubectl create configmap ca-certificates --from-file=ca-certificates.crt --from-file=ca.private.crt
```

For example, the CA trust chain is typically found on `FROM ubuntu:bionic-20180526` at `/etc/ssl/certs/ca-certificates.crt` ...
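The difference between trusting a private CA bundle and having only the default roots, as an added example that is not part of this thread or of kaniko's code: a Go client built from a PEM bundle verifies a constructed local TLS registry stub with certificate checking still enabled, while a client without the bundle rejects it. The function names and the stub server are assumptions made for the illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// clientFromBundle trusts only the CAs in pemBundle (e.g. ca-certificates.crt).
func clientFromBundle(pemBundle []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBundle) {
		return nil, errors.New("bundle contains no parsable CA certificate")
	}
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}, nil
}

// probe requests <base>/v2/ and returns the TLS or transport error, if any.
func probe(c *http.Client, base string) error {
	resp, err := c.Get(base + "/v2/")
	if err == nil {
		resp.Body.Close()
	}
	return err
}

// startStubRegistry: constructed stand-in for a registry behind a private CA.
func startStubRegistry() (*httptest.Server, []byte) {
	srv := httptest.NewTLSServer(http.HandlerFunc(
		func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }))
	block := &pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw}
	return srv, pem.EncodeToMemory(block)
}

func main() {
	srv, caPEM := startStubRegistry()
	defer srv.Close()
	trusted, err := clientFromBundle(caPEM)
	if err != nil {
		panic(err)
	}
	fmt.Println("bundle with private CA:", probe(trusted, srv.URL))
	fmt.Println("default roots only:    ", probe(&http.Client{}, srv.URL))
}
```

A bundle that parses to zero certificates is reported as an error rather than silently producing an empty trust store.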

dlorenc (Collaborator) commented Jul 31, 2018

> Waiting for google/go-containerregistry#125

I think the change got into go-containerregistry now, still interested in porting it over here now?

amit-uc commented Aug 11, 2018

When is this issue going to be resolved?

guilhermebr (Contributor Author) commented

PTAL @dlorenc

guilhermebr changed the title from "[WIP] Fix support for insecure registry" to "Fix support for insecure registry" on Aug 14, 2018

priyawadhwa (Collaborator) left a comment

LGTM, thanks for fixing this!

Successfully merging this pull request may close these issues.

Flag --insecure-skip-tls-verify has no effect