Support plain http registries that are not localhost/127.x.x.x

Open carolynvs opened this issue 2 years ago • 0 comments

What does this change

After fixing insecure registries that use an untrusted TLS certificate, it was discovered that unsecured registries (plain http) don't work when communicating with a non-localhost or loopback address. Basically the library has no way to automatically determine that we should use http, and we need to rely on the --insecure-registry flag to know that plain http is okay too.

The porter publish --archive and porter copy commands were affected by this because they used the github.com/pivotal/image-relocation library, which never supported configuring plain http, only detecting based on the hostname (e.g. localhost/127.0.0.1).

I have created a fork of the image relocation library at https://github.com/cnabio/image-relocation that has a workaround for not being able to configure plain http. I am checking if skipTLS is configured for the http transport passed to the image-relocation library, and also allowing plain http in that case too. This means that the --insecure-registry flag now properly controls plain http too for that library.

The fork has a different go module name so that we don't need to forever maintain a replace statement for that library since it's archived/unmaintained.

I have updated the airgap smoke test to check insecure and unsecured registry functions and included a copy as well so that the bulk of our --insecure-registry test cases are in that one test.

What issue does it fix

Closes #2297

Notes for the reviewer

I will update the go.mod with a tagged release of github.com/cnabio/image-relocation once that is merged.

Checklist

  • [x] Did you write tests?
  • [ ] Did you write documentation? Already documented in #2273
  • [ ] Did you change porter.yaml or a storage document record? Update the corresponding schema file.
  • [ ] If this is your first pull request, please add your name to the bottom of our Contributors list. Thank you for making Porter better! 🙇‍♀️

Reviewer Checklist

  • Comment with /azp run test-porter-release if a magefile or build script was modified
  • Comment with /azp run porter-integration if it's a non-trivial PR

carolynvs Aug 16 '22 14:08
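The check this pull request describes, sketched as an added example (not code from Porter or the cnabio/image-relocation fork): plain http is chosen for loopback hosts, or when the http transport passed in has TLS verification skipped, and https stays the default otherwise. The function names and the sample registry hosts are assumptions made for illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// isLoopbackRegistry reports whether the registry host is localhost or a
// loopback IP, the only case hostname-based detection treats as plain http.
func isLoopbackRegistry(registry string) bool {
	host := registry
	if h, _, err := net.SplitHostPort(registry); err == nil {
		host = h
	}
	if strings.EqualFold(host, "localhost") {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// skipTLSConfigured reports whether the transport was built with certificate
// verification disabled (assumed here to be what --insecure-registry sets).
func skipTLSConfigured(rt http.RoundTripper) bool {
	t, ok := rt.(*http.Transport)
	return ok && t != nil && t.TLSClientConfig != nil && t.TLSClientConfig.InsecureSkipVerify
}

// registryScheme returns "http" only for loopback hosts or an explicit
// opt-in carried by the transport; every other registry gets "https".
func registryScheme(registry string, rt http.RoundTripper) string {
	if isLoopbackRegistry(registry) || skipTLSConfigured(rt) {
		return "http"
	}
	return "https"
}

func main() {
	skip := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
	// Constructed sample registry hosts, not taken from the pull request.
	for _, r := range []string{"localhost:5000", "[::1]:5000", "registry.example.test:5000"} {
		fmt.Printf("%-28s default=%s insecure=%s\n", r, registryScheme(r, &http.Transport{}), registryScheme(r, skip))
	}
}
```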