Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support insecure registries #1140

Merged
merged 38 commits into from
Sep 22, 2023

Conversation

dlion
Copy link
Member

@dlion dlion commented Jul 4, 2023

This PR Implements the support for insecure registries.

Sample command

creator --run-image=develoment-registry.com/run-java:v16 --insecure-registry=develoment-registry.com --insecure-registry=testing-registry.com testing-registry.com/java-sample:latest

Others

Tracking issue: buildpacks/rfcs#246

@dlion dlion force-pushed the 524-insecure-registries branch from 5109e9a to 611940c Compare July 5, 2023 14:04
@dlion

This comment was marked as outdated.

@dlion dlion force-pushed the 524-insecure-registries branch 2 times, most recently from 4945999 to 0e95c54 Compare July 25, 2023 14:04
@dlion

This comment was marked as resolved.

@dlion dlion marked this pull request as ready for review July 26, 2023 13:19
@dlion dlion requested a review from a team as a code owner July 26, 2023 13:19
Copy link
Member

@natalieparellano natalieparellano left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Apologies for being slow to review @dlion. I left a few comments... let's discuss how we might be able to test this out at the acceptance level.

platform/lifecycle_inputs_test.go Outdated Show resolved Hide resolved
cmd/lifecycle/cli/flags.go Outdated Show resolved Hide resolved
image/remote_handler.go Outdated Show resolved Hide resolved
cmd/lifecycle/cli/flags.go Outdated Show resolved Hide resolved
@dlion dlion force-pushed the 524-insecure-registries branch from 8422f32 to 2e00258 Compare August 7, 2023 10:04
@dlion dlion force-pushed the 524-insecure-registries branch 3 times, most recently from e30eee1 to a3e0c37 Compare August 21, 2023 10:01
@dlion
Copy link
Member Author

dlion commented Aug 21, 2023

Uhm, locally the TestCreator is passing, same for the amd64 on the CI so I guess it's flaky.
@natalieparellano Can you have a look on my latest changes to see if the code makes sense and I haven't forgot anything?
After your approval I will go starting investigating on the default values for the WithRegistrySettings function.

UPDATE:
Nevermind I just saw that I still need to complete the rebaser and the restorer

@dlion dlion force-pushed the 524-insecure-registries branch 3 times, most recently from 3ff65d6 to ad831be Compare August 24, 2023 13:58
Copy link
Member

@natalieparellano natalieparellano left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good @dlion - and you added an acceptance test for every phase 🥇

Thanks for being so thorough and for making the code incrementally better :)

.gitignore Outdated Show resolved Hide resolved
acceptance/restorer_test.go Show resolved Hide resolved
image/handler_test.go Show resolved Hide resolved
return &DefaultRegistryHandler{
keychain: keychain,
keychain: keychain,
insecureRegistry: insecureRegistries,
}
}

func (rv *DefaultRegistryHandler) EnsureReadAccess(imageRefs ...string) error {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This check makes difficult to test the insecure-registry feature properly so for now I'm skipping it.
We are doing this check in the analyzer only (and used also in the creator of course making the acceptance test difficult to create)

@dlion dlion force-pushed the 524-insecure-registries branch from bd87e2b to cd42518 Compare August 31, 2023 12:50
@dlion
Copy link
Member Author

dlion commented Aug 31, 2023

Some update on the refactoring

I wanted to use the RegistryHandler in the image.NewHandler using the RegistryHandler.GetInsecureRegistryOptions to get the RegistrySetting option that we can use in the remote.NewImage call.

I tried to start creating a test for it but then I realised that the WithRegistrySetting function implementation returns an anonymous function that receive a parameter of type options which is a private struct making it impossible to use/mock it from lifecycle.

Refactoring this part would require lots of time and effort, so I decided to leave it there, trying to minimize the duplication as much as possible and then open a new issue to address this problem as a future improvement.

Copy link
Member

@natalieparellano natalieparellano left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Amazing work @dlion! I left a few comments. Overall this is looking really great.

platform/defaults.go Outdated Show resolved Hide resolved
platform/defaults.go Outdated Show resolved Hide resolved
go.mod Outdated Show resolved Hide resolved
cmd/lifecycle/restorer.go Outdated Show resolved Hide resolved
cmd/lifecycle/restorer.go Outdated Show resolved Hide resolved
cmd/lifecycle/exporter.go Outdated Show resolved Hide resolved
cmd/lifecycle/rebaser.go Outdated Show resolved Hide resolved
image/registry_handler.go Outdated Show resolved Hide resolved
@dlion dlion force-pushed the 524-insecure-registries branch from 7f72959 to 2457621 Compare September 13, 2023 14:27
cmd/lifecycle/rebaser.go Outdated Show resolved Hide resolved
image/registry_handler.go Outdated Show resolved Hide resolved
@dlion dlion force-pushed the 524-insecure-registries branch from 2457621 to ef27044 Compare September 14, 2023 15:14
@jabrown85
Copy link
Contributor

I am a bit confused. There are 2 distinct insecure paths that seemingly are tied to a single setting.

The first path is accessing http only registries, which seems to work in imgutil with

        destinationImageName := "myregistry.domain.com:6443/test/test:latest"
	remoteImage, err := remote.NewImage(destinationImageName,
		authn.DefaultKeychain,
		remote.FromBaseImage(baseImageName),		
		remote.WithRegistrySetting("myregistry.domain.com:6443", true),
	)

However, if myregistry.domain.com:6443 only accepts HTTPS requests - this does not work. Am I missing a way to only set TLSSkipVerify? I still need to speak over HTTPS, but am OK skipping the TLS verification step for a self-signed situation.

@dlion
Copy link
Member Author

dlion commented Sep 14, 2023

I still need to speak over HTTPS, but am OK skipping the TLS verification step for a self-signed situation.
Uhm, we haven't considered that scenario, we thought that if you are using insecure-registry it means you are doing that for testing purposes or an internal network where having a self-sign certificated doesn't really matter.

Here the PR I opened to simplify those parameters into a single one trying to emulate what Google did: buildpacks/imgutil#218

Do you think we should change this implementation giving that scenario?

I also /cc @natalieparellano since we had this conversation a few weeks ago (and from that the PR)

@jabrown85
Copy link
Contributor

Hmm, maybe we need to use the remote.DefaultTransport instead of http.Transport in imgutil. The transport looks to have some magic in it that may help with the http/https negotiation.

@jabrown85
Copy link
Contributor

Ok - I think I found part of the problem. The doSave here needs the same if insecure { InsecureSkipVerify stuff } logic. When you create a remote image with a base image, it hits the InsecureSkipVerify path on reading from that registry, but doesn't do anything with insecure during the save process.

I do wonder if there are other operations that need the InsecureSkipVerify that we don't have yet in imgutil remote. Found/Delete/etc.

I do believe we still need to be able to have multiple remote.WithRegistrySetting to in remote.NewImage. The current pattern only lets a single registry be marked as insecure/tlsnoverify AFAICT.

Domenico Luciani added 14 commits September 19, 2023 17:53
Signed-off-by: Domenico Luciani <[email protected]>
Signed-off-by: Domenico Luciani <[email protected]>
Signed-off-by: Domenico Luciani <[email protected]>
Signed-off-by: Domenico Luciani <[email protected]>
…and renamed the getInsecureRegistryOptions function

Signed-off-by: Domenico Luciani <[email protected]>
…o remove duplications

Signed-off-by: Domenico Luciani <[email protected]>
Signed-off-by: Domenico Luciani <[email protected]>
@dlion dlion force-pushed the 524-insecure-registries branch from ab417b7 to 22114fc Compare September 19, 2023 15:59
image/registry_handler.go Outdated Show resolved Hide resolved
image/registry_handler_test.go Outdated Show resolved Hide resolved
platform/lifecycle_inputs.go Outdated Show resolved Hide resolved
Copy link
Contributor

@jabrown85 jabrown85 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks pretty good to me! I'll let @natalieparellano take a peek as well.

@natalieparellano natalieparellano merged commit 7ffcd58 into buildpacks:main Sep 22, 2023
7 checks passed
@jjbustamante
Copy link
Member

@natalieparellano is this PR fixing #524 ?

@natalieparellano
Copy link
Member

@jjbustamante I believe so... it's worth noting that while this has been merged, it only applies for Platform APIs later than 0.12, for which we don't have anything released yet in the spec.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants