-
Notifications
You must be signed in to change notification settings - Fork 112
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support insecure registries #1140
Support insecure registries #1140
Conversation
5109e9a
to
611940c
Compare
This comment was marked as outdated.
This comment was marked as outdated.
4945999
to
0e95c54
Compare
This comment was marked as resolved.
This comment was marked as resolved.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Apologies for being slow to review @dlion. I left a few comments... let's discuss how we might be able to test this out at the acceptance level.
8422f32
to
2e00258
Compare
e30eee1
to
a3e0c37
Compare
Uhm, locally the UPDATE: |
3ff65d6
to
ad831be
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking good @dlion - and you added an acceptance test for every phase 🥇
Thanks for being so thorough and for making the code incrementally better :)
cmd/lifecycle/main.go
Outdated
return &DefaultRegistryHandler{ | ||
keychain: keychain, | ||
keychain: keychain, | ||
insecureRegistry: insecureRegistries, | ||
} | ||
} | ||
|
||
func (rv *DefaultRegistryHandler) EnsureReadAccess(imageRefs ...string) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This check makes difficult to test the insecure-registry
feature properly so for now I'm skipping it.
We are doing this check in the analyzer only (and used also in the creator of course making the acceptance test difficult to create)
bd87e2b
to
cd42518
Compare
Some update on the refactoringI wanted to use the I tried to start creating a test for it but then I realised that the Refactoring this part would require lots of time and effort, so I decided to leave it there, trying to minimize the duplication as much as possible and then open a new issue to address this problem as a future improvement. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Amazing work @dlion! I left a few comments. Overall this is looking really great.
7f72959
to
2457621
Compare
2457621
to
ef27044
Compare
I am a bit confused. There are 2 distinct insecure paths that seemingly are tied to a single setting. The first path is accessing http only registries, which seems to work in imgutil with destinationImageName := "myregistry.domain.com:6443/test/test:latest"
remoteImage, err := remote.NewImage(destinationImageName,
authn.DefaultKeychain,
remote.FromBaseImage(baseImageName),
remote.WithRegistrySetting("myregistry.domain.com:6443", true),
) However, if |
Here the PR I opened to simplify those parameters into a single one trying to emulate what Google did: buildpacks/imgutil#218 Do you think we should change this implementation giving that scenario? I also /cc @natalieparellano since we had this conversation a few weeks ago (and from that the PR) |
Hmm, maybe we need to use the |
Ok - I think I found part of the problem. The I do wonder if there are other operations that need the I do believe we still need to be able to have multiple |
Signed-off-by: Domenico Luciani <[email protected]>
Signed-off-by: Domenico Luciani <[email protected]>
Signed-off-by: Domenico Luciani <[email protected]>
Signed-off-by: Domenico Luciani <[email protected]>
Signed-off-by: Domenico Luciani <[email protected]>
Signed-off-by: Domenico Luciani <[email protected]>
Signed-off-by: Domenico Luciani <[email protected]>
Signed-off-by: Domenico Luciani <[email protected]>
Signed-off-by: Domenico Luciani <[email protected]>
…and renamed the getInsecureRegistryOptions function Signed-off-by: Domenico Luciani <[email protected]>
…o remove duplications Signed-off-by: Domenico Luciani <[email protected]>
Signed-off-by: Domenico Luciani <[email protected]>
… fix Signed-off-by: Domenico Luciani <[email protected]>
Signed-off-by: Domenico Luciani <[email protected]>
ab417b7
to
22114fc
Compare
Signed-off-by: Domenico Luciani <[email protected]>
…tions Signed-off-by: Domenico Luciani <[email protected]>
Signed-off-by: Domenico Luciani <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks pretty good to me! I'll let @natalieparellano take a peek as well.
Signed-off-by: Domenico Luciani <[email protected]>
@natalieparellano is this PR fixing #524 ? |
@jjbustamante I believe so... it's worth noting that while this has been merged, it only applies for Platform APIs later than 0.12, for which we don't have anything released yet in the spec. |
This PR Implements the support for insecure registries.
Sample command
creator --run-image=develoment-registry.com/run-java:v16 --insecure-registry=develoment-registry.com --insecure-registry=testing-registry.com testing-registry.com/java-sample:latest
Others
Tracking issue: buildpacks/rfcs#246