Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ko publish --insecure-registry falls back to HTTP for communication #488

Closed
adambkaplan opened this issue Oct 28, 2021 · 4 comments
Closed

ko publish --insecure-registry falls back to HTTP for communication #488

adambkaplan opened this issue Oct 28, 2021 · 4 comments
Labels
lifecycle/stale

Comments

@adambkaplan
Copy link

When the --insecure-registry option is passed to ko publish, ko falls back to using HTTP for image registry communication. This is problematic because some container registries (notably, OpenShift's internal registry) only publish HTTPS endpoints. Technically these image registries are secured - however they may be using untrusted/self-signed certificates.

Based on the work in #369 and #396, this behavior appears intentional to work with a local docker/distribution instance (ex - using KinD). Would it make sense to add a second --tls-verify flag, which defaults to true, but when false will ignore X.509 certificate errors?
@imjasonh
Copy link
Member

imjasonh commented Nov 4, 2021

Just to make sure I understand the issue, --insecure-registry toggles both InsecureSkipVerify (which you want), and name.Insecure (skip TLS entirely and fallback to http; which you don't want). Is that correct?

This is a bit unfortunate, since it will be thorny to change the semantics of the existing --insecure-registry flag that people might be using. Adding a new flag, --tls-skip-verify (or --tls-verify(=true)) might also be confusing, and we'd have to be careful to document how the two interact.

Let me think about it some more and see if anything comes out of it.

cc @jonjohnsonjr

@adambkaplan
Copy link
Author

Just to make sure I understand the issue, --insecure-registry toggles both InsecureSkipVerify (which you want), and name.Insecure (skip TLS entirely and fallback to http; which you don't want). Is that correct?

That is correct.

Adding a new flag, --tls-skip-verify (or --tls-verify(=true)) might also be confusing, and we'd have to be careful to document how the two interact.

Indeed, that will be a challenge. My initial thought is to provide the following:

  • New flag --tls-skip-verify, which toggles InsecureSkipVerify, we document this as "Use HTTPS, but skip verifying TLS certificates."
  • Update the documentation for --insecure-registry to state --tls-skip-verify is effectively set to true (and will override any setting that is otherwise provided). Document as "Use HTTP and bypass any use of TLS encryption."

@adambkaplan
Copy link
Author

Played around with this today, unfortunately we have a collision with a deprecated kubectl flag --insecure-skip-tls-verify.

We could go past deprecation and remove the flag, at the risk of breaking users who have untrusted kube apiservers 😱.

@github-actions
Copy link

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Keep fresh with the 'lifecycle/frozen' label.

@SaschaSchwarze0 SaschaSchwarze0 mentioned this issue Apr 25, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
lifecycle/stale
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@imjasonh @adambkaplan