Make --insecure-registry work with TLS registries whose certs we can't verify. #398
Conversation
evankanderson
force-pushed
the
in-secure
branch
9 times, most recently
from
cf4ed82 to
4d61bbc
Compare
pkg/publish/options.go
Outdated
| @@ -105,6 +107,17 @@ func WithTagOnly(tagOnly bool) Option { | |||
| func Insecure(b bool) Option { | |||
| return func(i *defaultOpener) error { | |||
| i.insecure = b | |||
| t, ok := i.t.(*http.Transport) | |||
| if !ok { | |||
| return fmt.Errorf("unable to configure insecure roundtripper (not HTTP)") | |||
There was a problem hiding this comment.
I don't think it makes sense to error here.
If we can't override the TLSClientConfig, then in the case where we needed to, it will fail anyway, and in the case where we didn't need to, it fails even when it shouldn't.
There was a problem hiding this comment.
I've switched this -- do you think I should log anything here for the debugging case?
There was a problem hiding this comment.
Logging sounds reasonable, but also the only time anyone is going to hit this is if they are using ko as a library and supplying their own transport, so it might not really matter.
Codecov Report
@@ Coverage Diff @@
## main #398 +/- ##
==========================================
- Coverage 44.15% 43.33% -0.82%
==========================================
Files 34 34
Lines 1701 1740 +39
==========================================
+ Hits 751 754 +3
- Misses 817 847 +30
- Partials 133 139 +6
Continue to review full report at Codecov.
|
Fixes #396
Note that this is technically breaking if people are using --insecure-registry and replacing the RoundTripper with something that's not an
http.Transport. I decided to blow up loudly, rather than let it pass, but I could be convinced to go the other way.Verified on harbor 2.2.3 with a self-signed cert with a SAN of 192.168.10.12.