
Match insecure registry behavior from Docker #127

Merged: 1 commit into cnabio:main, Aug 3, 2022

Conversation

@carolynvs (Collaborator) commented Aug 1, 2022

This tweaks how we create a resolver so that we handle plain http connections and TLS validation the same way as Docker.

  • When a loopback address is specified as insecure, that should take precedence over it being plain http. So if I'm running a local registry with self-signed certificates, it should use the skipTLS http client, and not attempt to use plain http.
  • All loopback addresses, not just localhost and 127.0.0.1, should default to plain http unless specified as insecure.

The impact is that you only need to specify that a registry is insecure when:

  • It uses self-signed certificates
  • It uses plain http on a non-loopback address

When I was looking at the docker library we are using to create a resolver, I saw that we were using deprecated functionality. By using the Hosts function that is called per registry to determine how to connect to that registry, I was able to simplify the resolver and not need to create 3 separate resolvers.

@carolynvs carolynvs changed the title Fix how we default and fallback when working with insecure registries Match insecure registry behavior from Docker Aug 2, 2022
@carolynvs carolynvs marked this pull request as ready for review August 2, 2022 16:39
@radu-matei (Member) left a comment


Thanks!

LGTM

Commit message (1cae69f):

This tweaks how we create a resolver so that we handle plain http
connections and TLS validation the same way as Docker.

* When a loopback address is specified as insecure, that should take
  precedence over it being plain http. So if I'm running a local
  registry with self-signed certificates, it should use the skipTLS http
  client, and not attempt to use plain http.
* All loopback addresses, not just localhost and 127.0.0.1, should
  default to plain http unless specified as insecure.

The impact is that you only need to specify that a registry is insecure
when:

* It uses self-signed certificates
* It uses plain http on a non-loopback address

When I was looking at the docker library we are using to create a
resolver, I saw that we were using deprecated functionality. By using
the Hosts function that is called per registry to determine how to
connect to that registry, I was able to simplify the resolver and not
need to create 3 separate resolvers.

Signed-off-by: Carolyn Van Slyck <me@carolynvanslyck.com>
@carolynvs carolynvs merged commit 1cae69f into cnabio:main Aug 3, 2022
@carolynvs carolynvs deleted the fix-skip-tls branch August 3, 2022 15:58