
Insecure Fetch/Push with publish

Open kameshsampath opened this issue 2 years ago • 5 comments

As a developer using apko in a test/build environment, I would like to build and push using apko publish to insecure registries, e.g. a local Docker registry.

kameshsampath avatar Feb 09 '23 03:02 kameshsampath

It is already possible with apko publish --local.

kaniini avatar Feb 09 '23 13:02 kaniini

@kaniini - --local is fine if we want to load into the Docker daemon. But in this case, let's say I start a registry docker run -p 5000:50001 registry:2 and I want to push to localhost:5001/example/my-image using apko. This requires images to be pushed w/o TLS. Tools like crane and ko all have this option of using --insecure in addition to --local.

CC: @imjasonh

kameshsampath avatar Feb 09 '23 13:02 kameshsampath

Got it. Yes, we can add --insecure for that purpose.

kaniini avatar Feb 09 '23 13:02 kaniini

crane and ko have an --insecure flag, and we hate it. It conflates two things, "allow HTTP", and "allow HTTPS without verifying TLS", and users who only want one are forced to allow both.

I'd recommend two flags, --insecure-allow-http and --insecure-tls-skip-verify, and if you personally only need one, only implement that one for now.

The problem is that conflation of the two flags might exist so deeply in go-containerregistry that it will be hard to separate, but I think we can do it, and I'm willing to help. If we crack it, we can roll out the same flags to crane and ko and everybody wins.

imjasonh avatar Feb 09 '23 21:02 imjasonh
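The split proposed in the comment above, sketched as an added example using only the Go standard library; it is not code from apko, crane, ko or go-containerregistry. The names Options, schemeGuard, NewClient and Probe are hypothetical, and the two test servers are constructed locally to stand in for a plaintext registry and an HTTPS registry with an untrusted certificate.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Options is hypothetical (not apko's API): AllowHTTP stands for the proposed
// --insecure-allow-http, TLSSkipVerify for --insecure-tls-skip-verify.
type Options struct{ AllowHTTP, TLSSkipVerify bool }

// schemeGuard refuses any non-HTTPS request, redirect hops included.
type schemeGuard struct{ next http.RoundTripper }
func (g schemeGuard) RoundTrip(r *http.Request) (*http.Response, error) {
	if r.URL.Scheme != "https" {
		return nil, errors.New("plaintext HTTP refused: AllowHTTP not set")
	}
	return g.next.RoundTrip(r)
}

// NewClient relaxes each protection only when its own option is set.
func NewClient(o Options) *http.Client {
	var rt http.RoundTripper = &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: o.TLSSkipVerify}}
	if !o.AllowHTTP {
		rt = schemeGuard{next: rt}
	}
	return &http.Client{Transport: rt}
}

// Probe requests /v2/ from two constructed local test servers: one plaintext,
// one HTTPS whose certificate chains to no trusted root.
func Probe(o Options) (plainOK, untrustedTLSOK bool) {
	h := http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})
	plain, secure := httptest.NewServer(h), httptest.NewTLSServer(h)
	defer plain.Close()
	defer secure.Close()
	ping := func(base string) bool {
		resp, err := NewClient(o).Get(base + "/v2/")
		if err == nil {
			resp.Body.Close()
		}
		return err == nil
	}
	return ping(plain.URL), ping(secure.URL)
}

func main() { fmt.Println(Probe(Options{AllowHTTP: true})) }
```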

Yeah, let's see if we can split the flags. That would be ideal.

kaniini avatar Feb 14 '23 05:02 kaniini