
Imgpkg will use http for in cluster service dns names

Open ewrenn8 opened this issue 4 years ago • 2 comments

What steps did you take:

  1. Start a minikube or kind cluster locally

  2. Deploy a registry with self signed certs to the cluster (registry.yml in https://gist.github.com/ewrenn8/ab66e8df50b7a79905b3ba7fefcd0aa0) Note: the certs in the gist aren't used anywhere, so they're ok to include in the issue

  3. deploy a debug image with a terminal and imgpkg (debug.yml in https://gist.github.com/ewrenn8/ab66e8df50b7a79905b3ba7fefcd0aa0)

  4. exec onto the debug pod: k exec <pod-name> -it -- /bin/bash

  5. run imgpkg pull regsitry-svc.registry.svc.cluster.local:443/my-repo/image -o /tmp/b (this image doesn't exist, but it's enough to see the issue)

What happened: Imgpkg fails with two error messages:

Error: Collecting images: Working with registry-svc.registry.svc.cluster.local/my-repo/image:latest: Get "https://registry-svc.registry.svc.cluster.local/v2/": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0; Get "http://registry-svc.registry.svc.cluster.local/v2/": dial tcp 10.107.213.254:80: i/o timeout

Which shows that it tried to communicate with the registry over both https (which failed because of invalid certs) and http.

What did you expect: Imgpkg to not try to use http since I didn't use the --registry-insecure flag.

Anything else you would like to add: This seems to be because of the ggcr local host regex which is used to determine if http should be used as a fallback

Environment:

  • imgpkg version (use imgpkg --version): 0.5.0
  • Docker registry used (e.g. Docker HUB): Registry Image
  • OS (e.g. from /etc/os-release): Photon 3.0

ewrenn8 avatar Mar 18 '21 20:03 ewrenn8

:+1: Validated and got the same results, attempts on both https and http.

Error: Collecting images: Working with regsitry-svc.registry.svc.cluster.local:443/my-repo/image:latest: Get "https://regsitry-svc.registry.svc.cluster.local:443/v2/": dial tcp: lookup regsitry-svc.registry.svc.cluster.local on 10.96.0.10:53: no such host; Get "http://regsitry-svc.registry.svc.cluster.local:443/v2/": dial tcp: lookup regsitry-svc.registry.svc.cluster.local on 10.96.0.10:53: no such host

I tried playing with the go playground to see if I could get the registry name to match the regex but didn't have any luck. Worth further investigation.

StevenLocke avatar Mar 22 '21 20:03 StevenLocke
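To make the heuristic discussed in the issue body and in the comment above concrete, here is an added Go example (not imgpkg's or ggcr's own code) that models the decision "is this registry local enough to allow a plaintext http fallback?". The `looseLocalRe` pattern is an assumption reconstructing the kind of `.local`-suffix match the issue attributes to ggcr; `strictLocalRe` is a hypothetical hardened form that only treats `localhost`, the loopback addresses and the `.localhost` suffix as local. The function names and the `SchemesToTry` decision logic are this example's, constructed to show why an in-cluster name such as `registry-svc.registry.svc.cluster.local:443` gets an http attempt under the loose rule but not under the strict one.

```go
package main

import (
	"fmt"
	"regexp"
)

// looseLocalRe is an ASSUMED reconstruction of a ".local"-suffix heuristic:
// anything ending in ".local" or ".localhost", with an optional port, counts
// as a local registry. Kubernetes service names end in ".svc.cluster.local",
// so they match, which is the behaviour reported in this issue.
var looseLocalRe = regexp.MustCompile(`.*\.local(?:host)?(?::\d{1,5})?$`)

// strictLocalRe is a hypothetical hardened rule: only "localhost", the IPv4
// and bracketed IPv6 loopback addresses, and names under the reserved
// ".localhost" TLD (RFC 6761) are local. A plain ".local" suffix does not qualify.
var strictLocalRe = regexp.MustCompile(`^(localhost|127\.0\.0\.1|\[::1\]|[^/:]+\.localhost)(?::\d{1,5})?$`)

// AllowsPlaintextFallback reports whether the given rule would let a client
// retry over http after https fails for this registry host[:port].
func AllowsPlaintextFallback(rule *regexp.Regexp, registry string) bool {
	return rule.MatchString(registry)
}

// SchemesToTry models the ordering behind the two-part error in the report:
// https is always tried first; http is added only when the user explicitly
// asked for an insecure registry or the locality rule says the host is local.
func SchemesToTry(rule *regexp.Regexp, registry string, insecure bool) []string {
	schemes := []string{"https"}
	if insecure || AllowsPlaintextFallback(rule, registry) {
		schemes = append(schemes, "http")
	}
	return schemes
}

func main() {
	// Constructed sample inputs: the in-cluster name from the issue, a local
	// dev registry, and an ordinary public hostname.
	registries := []string{
		"registry-svc.registry.svc.cluster.local:443",
		"localhost:5000",
		"my.registry.example.com",
	}
	for _, r := range registries {
		fmt.Printf("%-48s loose=%v strict=%v\n", r,
			SchemesToTry(looseLocalRe, r, false),
			SchemesToTry(strictLocalRe, r, false))
	}
}
```

The defensive point is that a locality heuristic decides whether credentials and image pulls may ever travel in cleartext, so it should be an allow-list of names that are guaranteed loopback, not a suffix match; with the strict rule, the in-cluster host above only ever sees an https attempt unless the caller passes an explicit insecure flag.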

Chatted with @DennisDenuto on this one, we're considering this as needing more information to truly determine what the security risk/concern is.

@ewrenn8 Could you provide any further insight into what the risk is?

aaronshurley avatar Aug 26 '21 17:08 aaronshurley