Support for self signed certificates #543

Closed
Hi-Fi opened this issue Jul 11, 2018 · 14 comments
Comments


Hi-Fi commented Jul 11, 2018

Description of the issue:
When an (internal) Docker registry is using self-signed certificates (or certificates signed with the corporation's own root certificate, which is not trusted by Java), jib immediately tries an http connection (according to https://github.com/GoogleContainerTools/jib/blob/master/jib-core/src/main/java/com/google/cloud/tools/jib/registry/RegistryEndpointCaller.java#L219), which is not available in the registry.

Current implementation throws error:

[ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:0.9.2:build (default-cli) on project jib-test-project: Build image failed, perhaps you should use a registry that supports HTTPS or set the configuration parameter 'allowInsecureRegistries': Only secure connections are allowed, but tried to reach URL http://openshift-redhat-registry/v2/testProject/test-container/manifests/latest -> [Help 1]

Expected behavior:
The allowInsecureRegistries parameter should also allow https connections with self-signed certificates, and not drop directly to http.

Steps to reproduce:
mvn compile jib:build with the configuration set to point to a registry using self-signed certificates.

Environment:
Apache Maven 3.5.0 (ff8f5e7444045639af65f6095c62210b5713f426; 2017-04-03T22:39:06+03:00)
Java version: 1.8.0_131, vendor: Oracle Corporation
Default locale: en_US, platform encoding: Cp1252
OS name: "windows 7", version: "6.1", arch: "amd64", family: "windows"

jib-maven-plugin Configuration:

<configuration>
	<from>
		<image>openshift-redhat-registry/testProject/test-container</image>
	</from>
	<to>
		<image>openshift-redhat-registry/testProject/${project.artifactId}:${project.version}</image>
	</to>
	<container>
		<jvmFlags>
			<jvmFlag>-Xms512m</jvmFlag>
		</jvmFlags>
	</container>
</configuration>

Log output:

[ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:0.9.2:build (default-cli) on project jib-test-project: Build image failed, perhaps you should use a registry that supports HTTPS or set the configuration parameter 'allowInsecureRegistries': Only secure connections are allowed, but tried to reach URL http://openshift-redhat-registry/v2/testProject/test-container/manifests/latest -> [Help 1]

Additional Information:
The actual error causing the change to http is:

[ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:0.9.4-SNAPSHOT:build (default-cli) on project jib-test-project: Build image failed: peer not authenticated -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal com.google.cloud.tools:jib-maven-plugin:0.9.4-SNAPSHOT:build (default-cli) on project jib-test-project: Build image failed
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:212)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145)
	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:116)
	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:80)
	at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
	at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:307)
	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:193)
	at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:106)
	at org.apache.maven.cli.MavenCli.execute(MavenCli.java:863)
	at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:288)
	at org.apache.maven.cli.MavenCli.main(MavenCli.java:199)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
	at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
	at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
	at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
Caused by: org.apache.maven.plugin.MojoExecutionException: Build image failed
	at com.google.cloud.tools.jib.maven.BuildImageMojo.execute(BuildImageMojo.java:132)
	at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:134)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:207)
	... 20 more
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
	at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431)
	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:339)
	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:123)
	at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:147)
	at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:108)
	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:554)
	at com.google.api.client.http.apache.ApacheHttpRequest.execute(ApacheHttpRequest.java:65)
	at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:981)
	at com.google.cloud.tools.jib.http.Connection.send(Connection.java:124)
	at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.call(RegistryEndpointCaller.java:169)
	at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.call(RegistryEndpointCaller.java:139)
	at com.google.cloud.tools.jib.registry.RegistryClient.callRegistryEndpoint(RegistryClient.java:321)
	at com.google.cloud.tools.jib.registry.RegistryClient.pullManifest(RegistryClient.java:196)
	at com.google.cloud.tools.jib.registry.RegistryClient.pullManifest(RegistryClient.java:204)
	at com.google.cloud.tools.jib.builder.steps.PullBaseImageStep.pullBaseImage(PullBaseImageStep.java:146)
	at com.google.cloud.tools.jib.builder.steps.PullBaseImageStep.call(PullBaseImageStep.java:105)
	at com.google.cloud.tools.jib.builder.steps.PullBaseImageStep.call(PullBaseImageStep.java:51)
	at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:127)
	at com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:57)
	at com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:80)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)

coollog (Contributor) commented Jul 11, 2018

@Hi-Fi , thanks for reporting this issue! We will investigate and see what the best solution here is to support self-signed certificates.

coollog (Contributor) commented Jul 11, 2018

We should probably have the Jib experience for self-signed certificates be similar to Docker's, as outlined in https://docs.docker.com/registry/insecure/#use-self-signed-certificates - and possibly use Docker's certs if available (from /etc/docker/certs.d/... on Linux, for example).

velo (Contributor) commented Jul 12, 2018

Workaround: use http://keystore-explorer.org to add the self-signed cert to the Java cacerts, remove allowInsecureRegistries and enjoy.

Hi-Fi (Author) commented Jul 12, 2018

I think that relying on Docker certs is not necessarily a good thing, as at least our use case is to use JIB in environments that are not so easy to set up for building docker containers (e.g. Jenkins slaves running on OpenShift and developer computers running Windows without admin rights). So the best would be some Maven configuration parameter that goes all the way down to the httpClient used and ignores incorrect and also insecure certificates (e.g. ones using SHA-1).

@velo That seems to work (I tried that yesterday with keytool and it wasn't working for some reason). This helps with checking things further, but still requires injecting that custom cacerts into the slave. Thank you for that tool, it's nicer to use than the CLI one.

coollog (Contributor) commented Jul 12, 2018

@velo Thanks for the workaround! This sounds like something we could add to our documentation or as a guide to help anyone else using a self-signed certificate.

@Hi-Fi Glad it works well now!

velo (Contributor) commented Jul 12, 2018

@coollog could you point me to the right README file?

coollog (Contributor) commented Jul 12, 2018

@velo I'd recommend writing a new page (page_name.md) in the docs/ directory, which generates pages like https://googlecontainertools.github.io/jib/configure-gcp-credentials. We can then link to the generated page wherever applicable.

velo (Contributor) commented Jul 14, 2018

@coollog I created PR #618 with detailed instructions.

@Hi-Fi could you double-check whether the steps I described match what you did?

coollog (Contributor) commented Jul 16, 2018

The instructions doc for self-signed certificates is merged! Thanks @velo and the other contributors to PR #618.

coollog closed this as completed Jul 16, 2018

Hi-Fi (Author) commented Jul 17, 2018

Is it so that there's not going to be any Maven-side configuration for trusting self-signed certificates? Documentation is OK when the user really has access to cacerts, but if e.g. builds are running on Jenkins (or Jenkins slaves) without access to the host itself, the only way to make things work with self-signed certs is some Maven configuration (or keeping a keystore within each repo and injecting it at the start).

briandealwis (Member) commented
You should be able to set the javax.net.ssl.trustStore property to point to your own cacerts file.

chanseokoh (Member) commented

> You should be able to set the javax.net.ssl.trustStore property to point to your own cacerts file.

Ah, yeah, this will be nice to document too, along with javax.net.ssl.trustStorePassword. It must not be confused with the keystore (javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword).
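Added example, not code from this thread or from the Jib project: a POSIX shell script that ties together the per-repository keystore idea from Hi-Fi's Jul 17 comment and the javax.net.ssl.trustStore / javax.net.ssl.trustStorePassword properties suggested above. It captures the chain the registry presents, builds a dedicated JKS trust store with keytool (so the JDK's cacerts stays untouched and allowInsecureRegistries stays unset), verifies the store path before use, and runs the Jib build with the two properties. It assumes openssl and keytool are on PATH; the registry address, the store file name and the password changeit are placeholders.

```shell
#!/bin/sh
# Added example, not Jib project code: give the Maven JVM that runs
# jib-maven-plugin its own trust store for an internal registry, instead of
# editing the JDK's cacerts or setting allowInsecureRegistries.
# Assumes openssl and keytool are on PATH. REGISTRY (host:port), the store
# file name and the password "changeit" are placeholders.
set -eu

# Capture the certificate chain the registry presents (leaf first, then the
# issuing CA(s)) and split it into one PEM file per certificate, so a chain
# rooted in a corporate CA is imported whole rather than just the leaf.
fetch_registry_chain() {
    registry=$1; outdir=$2
    host=${registry%%:*}
    mkdir -p "$outdir"
    openssl s_client -showcerts -servername "$host" -connect "$registry" </dev/null 2>/dev/null |
        awk -v dir="$outdir" '
            /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/chain-" n ".pem"; inside = 1 }
            inside { print > f }
            /-----END CERTIFICATE-----/ { inside = 0; close(f) }'
}

# Build a fresh JKS trust store holding every certificate from the chain.
# JKS is readable by Java 8 and, through the PKCS12/JKS compatibility mode,
# by Java 9+, so no javax.net.ssl.trustStoreType override is needed.
build_truststore() {
    chaindir=$1; store=$2; storepass=$3
    rm -f "$store"
    for pem in "$chaindir"/chain-*.pem; do
        keytool -importcert -noprompt -storetype JKS \
            -keystore "$store" -storepass "$storepass" \
            -alias "$(basename "$pem" .pem)" -file "$pem"
    done
}

# Emit the two system properties discussed in the thread. The path is
# checked first: if javax.net.ssl.trustStore names a file that does not
# exist, the JDK's default trust manager silently uses an EMPTY trust
# store, so every TLS handshake fails and Jib would again report the
# registry as insecure. Failing loudly here is clearer than that.
jib_truststore_args() {
    store=$1; storepass=$2
    if [ ! -r "$store" ]; then
        echo "trust store not readable: $store" >&2
        return 1
    fi
    printf '%s %s\n' \
        "-Djavax.net.ssl.trustStore=$store" \
        "-Djavax.net.ssl.trustStorePassword=$storepass"
}

main() {
    registry=$1
    store=${2:-./jib-truststore.jks}
    storepass=${3:-changeit}
    fetch_registry_chain "$registry" ./registry-chain
    build_truststore ./registry-chain "$store" "$storepass"
    # Word splitting of the emitted flags is intended here.
    # shellcheck disable=SC2046
    mvn compile jib:build $(jib_truststore_args "$store" "$storepass")
}

# Usage: sh jib-truststore.sh registry.internal:5000 [store] [storepass]
if [ $# -ge 1 ]; then main "$@"; fi
```

The generated .jks holds only public certificates, so it can be committed next to the pom and reused on Jenkins slaves without host access; the store password is an integrity password for the file, not a secret. The -D flags apply to the Maven JVM that Jib runs in, so they can equally be placed in MAVEN_OPTS on a CI agent. Because the trust store is the only thing changed, a registry that presents a certificate outside that chain still fails the handshake instead of being reached over plain HTTP.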

briandealwis (Member) commented
Will do.

chanseokoh (Member) commented
FTR, #643 will fix this.
