"Insecure" docker registry

[JF002]

Hi!

I'm currently experimenting with Woodpecker-ci and Gitea, and I'm really impressed by how easy it is to setup a CI for my personal project! Congrats!

Since I'm testing everything locally, I didn't setup any reverse proxy to handle HTTPS, I use plain HTTP everywhere. I know this is not secure, but it's easier for a completely local setup.

Right now, my workflow downloads the docker image from DockerHub, but I would like to use the Container repository from my local Gitea instance.

Here's my workflow:

steps:
  build:
    image: 192.168.1.152:3000/me/my-image:latest
    pull: true
    commands:
      - ...

The build step fails with the following error : Oh no, we got some errors! Error response from daemon: Get "https://192.168.1.152:3000/v2/": http: server gave HTTP response to HTTPS client

I had exactly the same error with docker push before I specified this registry as insecure in the docker configuration file.

Is it possible to do the same with Woodpecker? Ideally, I would like to pull the docker image and push the output of the build from and to my Gitea instance.

Thanks!

[lafriks]

Insecure registry means that it can have self signed (untrusted) certificate but it still have to be using https, docker registry supports http only on localhost

[JF002]

I somehow managed to push my docker image to my Gitea registry hosted on my LAN by passing a configuration file to the builder (using builx create --config <file>) :

[registry."192.168.1.152:3000"]
  http = true

But I guess I'll try to enable HTTPS on my Gitea instance, then :)

Thanks for your support!

[JF002]

Well, now, my Gitea instance is running in HTTPS using self-signed certificates, but woodpecker doesn't want to clone the code any more. Here's the logs

+ git init -b ci
Initialized empty Git repository in /woodpecker/src/192.168.1.152/user/repo/.git/
+ git config --global --replace-all safe.directory /woodpecker/src/192.168.1.152/user/repo
+ git remote add origin https://192.168.1.152:3000/user/repo.git
+ git fetch --no-tags --depth=1 --filter=tree:0 origin +b6e50cc4ab717e0c2b1de8b243f9841d70bc2182:
fatal: unable to access 'https://192.168.1.152:3000/user/repo.git/': SSL certificate problem: self-signed certificate
exit status 128

Is it possible to allow self signed certificates ?

[lafriks]

yes, you have to set skip-verify: true in clone settings:

clone:
  git:
    image: woodpeckerci/plugin-git
    settings:
      skip-verify: true

https://woodpecker-ci.org/plugins/Git%20Clone

[JF002]

Great, I'm making progress! Now, the checkout works as expected!

But now, the workflow fails during the build step: Error response from daemon: Get "https://192.168.1.152:3000/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority

Here's my workflow file:

clone:
  git:
    image: woodpeckerci/plugin-git
    settings:
      skip-verify: true
steps:
  build:
    image: 192.168.1.152:3000/user/image:latest
    pull: true
    commands:
      - [...]

192.168.1.152:3000/user/image:latest is the name of the Docker image that should be used for the build.
Is there such 'skip-verify' parameter for the docker pull command?

[lafriks]

you need to configure that for docker server where dockerwoodpekcer agent is deployed. By editing /etc/docker/daemon.json and adding:

{
    "insecure-registries" : [ "192.168.1.152:3000" ]
}

and restarting host docker service

[lafriks]

And if you are using docker buildx plugin to push to registry later on you can set in settings insecure: true
https://woodpecker-ci.org/plugins/Docker%20Buildx