Make --insecure-registry work with TLS registries whose certs we can't verify. #398

Merged
merged 2 commits into from
Jul 28, 2021
13 changes: 13 additions & 0 deletions pkg/publish/options.go
Expand Up @@ -15,6 +15,8 @@
package publish

import (
"crypto/tls"
"fmt"
"log"
"net/http"
"path"
Expand Down Expand Up @@ -105,6 +107,17 @@ func WithTagOnly(tagOnly bool) Option {
func Insecure(b bool) Option {
return func(i *defaultOpener) error {
i.insecure = b
t, ok := i.t.(*http.Transport)
if !ok {
return fmt.Errorf("unable to configure insecure roundtripper (not HTTP)")
Collaborator

I don't think it makes sense to error here.

If we can't override the TLSClientConfig, then in the case where we needed to, it will fail anyway, and in the case where we didn't need to, it fails even when it shouldn't.

Contributor Author

I've switched this -- do you think I should log anything here for the debugging case?

Collaborator

Logging sounds reasonable, but also the only time anyone is going to hit this is if they are using ko as a library and supplying their own transport, so it might not really matter.

}
t = t.Clone()
if t.TLSClientConfig == nil {
t.TLSClientConfig = &tls.Config{} //nolint: gosec
}
t.TLSClientConfig.InsecureSkipVerify = b //nolint: gosec
i.t = t

return nil
}
}
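
Review bot: The type assertion at the top of the closure runs before b is consulted, so Insecure(false) on a caller-supplied non-*http.Transport returns "unable to configure insecure roundtripper (not HTTP)" even though nothing needs overriding; an early `if !b { return nil }` after `i.insecure = b` would limit the transport handling to the case that needs it. In the true case, `t.TLSClientConfig.InsecureSkipVerify = b` disables certificate verification for every TLS connection made through the cloned transport, and the visible lines add no comment saying that the option now accepts unverifiable certificates as well; a line of documentation on Insecure and a short reason next to each `//nolint: gosec` would make that scope easier to audit.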