Support Devfile registries with self-signed or untrusted certificates by allowing to skip TLS checks
/kind user-story
User Story
As an odo user, I want odo to allow me to use a registry with a self-signed or even invalid TLS certificate, so that I can purposely use odo with my registry, regardless of the security issues.
This can be the case for example for local registries or even a registry behind some reverse proxy doing TLS termination using a self-signed certificate.
Acceptance Criteria
- [ ] Remove `--token` flag from `odo preference add registry`
- [ ] Ignore `secure` field in preferences file
- [ ] Add `--skip-tls-verify` flag to `odo preference add registry`
- [ ] Add new `SkipTLSVerify` field to preferences file
- [ ] Add new `skipTLSVerify` field to `odo preference view` JSON and human-readable output
- [ ] Remove `Secure` column from `odo preference view` human-readable output
- [ ] Handle mapping of `skipTLSVerify` field from DevfileRegistriesList and ClusterDevfileRegistriesList custom resources
- [ ] Pass `skipTLSVerify` when calling the registry
Unable to force-use Devfile registries with self-signed or untrusted certificates + confusing Secure property
What versions of software are you using?
Operating System: Fedora 37
Output of odo version:
odo v3.7.0 (26c90d7c4)
How did you run odo exactly?
Let's say that I have a registry exposed using a self-signed or untrusted certificate, and I intentionally want to use it. It might be a local non-production registry for example.
$ odo preference add registry my-local-devfile-registry https://my-local-devfile-registry.172.17.0.1.nip.io
$ odo registry --devfile-registry my-local-devfile-registry --details --devfile go
Actual behavior
$ odo registry --devfile-registry my-local-devfile-registry --details --devfile go
⚠ Registry my-local-devfile-registry is not set up properly with error:
Get "https://my-local-devfile-registry.172.17.0.1.nip.io":
x509: certificate is valid for ingress.local, not https://my-local-devfile-registry.172.17.0.1.nip.io,
please check the registry URL, and credential and remove add the registry again
(refer to `odo preference add registry --help`)
✗ no deployable components found
Expected behavior
I think it is okay to enforce TLS checks by default, but users should be allowed to bypass those checks if needed, just like it is doable with curl --insecure or wget --no-check-certificate.
They might want to use a local registry or even a registry behind some reverse proxy doing TLS termination using a self-signed certificate.
I thought that would be the purpose of the Secure property on Registries, but it looks like this is set to True only if users pass a token when adding their registries. The token value seems to be stored and deleted, but never read, so not sure how this token is being used to interact with the corresponding Devfile registry.
Looking at the code, the Registry Library provides a SkipTLSVerify field, but it is always set to false by odo:
https://github.com/redhat-developer/odo/blob/ef6489c424c9233d0aed9d983010580530bb5839/pkg/segment/integrations.go#L63
So maybe we should provide a way for users to explicitly skip TLS checks when registering a registry.
Any logs, error output, etc?
Also, in https://github.com/redhat-developer/odo/pull/6622 (PR for https://github.com/redhat-developer/odo/issues/5128), we translated the skipTLSVerify field in the {Cluster,}DevfileRegistriesList Custom Resource into a Secure property, but it would probably make more sense to use a dedicated property for this.
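To make the proposal above concrete, here is an added example (not odo's code, and not the registry library's API) of what a per-registry opt-out looks like on the client side: verification stays on by default, a registry entry carries its own `SkipTLSVerify` flag, and a certificate failure is reported distinctly from other errors so the user learns which knob to turn. The `Registry` struct, `NewRegistryClient`, `FetchIndex`, `RunSelfSignedDemo` and the `/index` path are assumed names for illustration; the self-signed server comes from `httptest` and stands in for the local registry in the report.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Registry is an assumed preferences-file entry with the per-registry
// flag this issue asks for. The zero value verifies certificates.
type Registry struct {
	Name          string `json:"name"`
	URL           string `json:"url"`
	SkipTLSVerify bool   `json:"skipTLSVerify,omitempty"`
}

// NewRegistryClient builds an HTTP client for exactly one registry.
// Verification is disabled only for an entry whose owner opted out, so a
// bad certificate on a local registry never loosens checks for the others.
func NewRegistryClient(reg Registry) *http.Client {
	transport := http.DefaultTransport.(*http.Transport).Clone()
	transport.TLSClientConfig = &tls.Config{
		InsecureSkipVerify: reg.SkipTLSVerify, // explicit per-registry opt-in only
		MinVersion:         tls.VersionTLS12,
	}
	return &http.Client{Transport: transport, Timeout: 10 * time.Second}
}

// FetchIndex GETs <registry URL>/index (assumed path) and returns the body.
// An x509 failure is wrapped with a hint naming the opt-out, so the user
// can tell a trust problem apart from a wrong URL.
func FetchIndex(reg Registry) (string, error) {
	resp, err := NewRegistryClient(reg).Get(strings.TrimRight(reg.URL, "/") + "/index")
	if err != nil {
		var unknownCA x509.UnknownAuthorityError
		var badHost x509.HostnameError
		if errors.As(err, &unknownCA) || errors.As(err, &badHost) {
			return "", fmt.Errorf("registry %s: certificate not trusted (re-add it with skipTLSVerify to bypass): %w", reg.Name, err)
		}
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

// RunSelfSignedDemo starts a throwaway HTTPS server using httptest's
// self-signed certificate (constructed stand-in for a local registry) and
// fetches its index twice: with the default entry and with SkipTLSVerify.
func RunSelfSignedDemo() (strictErr error, bypassBody string, bypassErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/index" {
			fmt.Fprint(w, `[{"name":"go","displayName":"Go Runtime"}]`) // constructed sample index
			return
		}
		http.NotFound(w, r)
	}))
	defer srv.Close()

	strict := Registry{Name: "my-local-devfile-registry", URL: srv.URL}
	_, strictErr = FetchIndex(strict)

	bypass := strict
	bypass.SkipTLSVerify = true
	bypassBody, bypassErr = FetchIndex(bypass)
	return strictErr, bypassBody, bypassErr
}

func main() {
	strictErr, body, bypassErr := RunSelfSignedDemo()
	fmt.Println("default (verification on):", strictErr)
	fmt.Println("skipTLSVerify=true:", body, bypassErr)
}
```

Keeping the flag on the registry entry rather than on a global client is the part worth copying: it matches the acceptance criteria (a `skipTLSVerify` field per registry in the preferences file and in the custom resources) and keeps the default strict for every registry the user did not explicitly mark.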
> I thought that would be the purpose of the `Secure` property on Registries, but it looks like this is set to `True` only if users pass a token when adding their registries. The token value seems to be stored and deleted, but never read, so not sure how this token is being used to interact with the corresponding Devfile registry.
I think that the Secure property is a reminder from the old "github"-based implementation of devfile registries. This is why it is not used anymore. We should remove it.
+1 for new skipTLSVerify property.
A friendly reminder that this issue had no activity for 90 days. Stale issues will be closed after an additional 30 days of inactivity.
/remove-lifecycle stale
A friendly reminder that this issue had no activity for 90 days. Stale issues will be closed after an additional 30 days of inactivity.
/remove-lifecycle stale
/lifecycle frozen
/priority Medium
/retitle Support Devfile registries with self-signed or untrusted certificates by allowing to skip TLS checks