[release/1.6] remotes/docker/config: Skipping TLS verification for localhost #7438

merged 1 commit into from Sep 27, 2022
18 changes: 2 additions & 16 deletions pkg/cri/server/image_pull.go
Expand Up @@ -375,7 +375,7 @@ func (c *criService) registryHosts(ctx context.Context, auth *runtime.AuthConfig
if err != nil {
return nil, fmt.Errorf("get TLSConfig for registry %q: %w", e, err)
}
} else if isLocalHost(host) && u.Scheme == "http" {
} else if docker.IsLocalhost(host) && u.Scheme == "http" {
// Skipping TLS verification for localhost
transport.TLSClientConfig = &tls.Config{
InsecureSkipVerify: true,
Expand Down Expand Up @@ -413,26 +413,12 @@ func (c *criService) registryHosts(ctx context.Context, auth *runtime.AuthConfig

// defaultScheme returns the default scheme for a registry host.
func defaultScheme(host string) string {
if isLocalHost(host) {
if docker.IsLocalhost(host) {
return "http"
}
return "https"
}

// isLocalHost checks if the registry host is local.
func isLocalHost(host string) bool {
if h, _, err := net.SplitHostPort(host); err == nil {
host = h
}

if host == "localhost" {
return true
}

ip := net.ParseIP(host)
return ip.IsLoopback()
}

// addDefaultScheme returns the endpoint with default scheme
func addDefaultScheme(endpoint string) (string, error) {
if strings.Contains(endpoint, "://") {
11 changes: 11 additions & 0 deletions remotes/docker/config/hosts.go
Expand Up @@ -99,6 +99,17 @@ func ConfigureHosts(ctx context.Context, options HostOptions) docker.RegistryHos
if host == "docker.io" {
hosts[len(hosts)-1].scheme = "https"
hosts[len(hosts)-1].host = "registry-1.docker.io"
} else if docker.IsLocalhost(host) {
hosts[len(hosts)-1].host = host
if options.DefaultScheme == "" || options.DefaultScheme == "http" {
hosts[len(hosts)-1].scheme = "http"

// Skipping TLS verification for localhost
var skipVerify = true
hosts[len(hosts)-1].skipVerify = &skipVerify
} else {
hosts[len(hosts)-1].scheme = options.DefaultScheme
}
} else {
hosts[len(hosts)-1].host = host
if options.DefaultScheme != "" {
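Review bot: The comment above the `skipVerify` assignment says what the code does but not why it is acceptable, and since a true `skipVerify` turns off server-certificate validation for that registry entry the justification belongs right there; suggested wording: `// Loopback-only: docker.IsLocalhost accepts the literal "localhost" or a loopback IP literal (no DNS lookup), so traffic on this unverified entry never leaves the machine.` A localhost registry whose DefaultScheme is "https" falls into the inner else branch and keeps full verification, which reads as intended but is worth stating in the same comment so nobody later "fixes" it. As a point of style, `var skipVerify = true` would normally be `skipVerify := true`, and the repeated `hosts[len(hosts)-1]` indexing inside the new branch could be hoisted once to `h := &hosts[len(hosts)-1]`. ConfigureHosts starts before this hunk and continues after it.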
15 changes: 15 additions & 0 deletions remotes/docker/resolver.go
Expand Up @@ -21,6 +21,7 @@ import (
"errors"
"fmt"
"io"
"net"
"net/http"
"net/url"
"path"
Expand Down Expand Up @@ -667,3 +668,17 @@ func responseFields(resp *http.Response) logrus.Fields {

return logrus.Fields(fields)
}

// IsLocalhost checks if the registry host is local.
func IsLocalhost(host string) bool {
if h, _, err := net.SplitHostPort(host); err == nil {
host = h
}

if host == "localhost" {
return true
}

ip := net.ParseIP(host)
return ip.IsLoopback()
}
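Review bot: IsLocalhost does not recognise the bracketed IPv6 loopback literal without a port: for `[::1]` the `net.SplitHostPort` call fails with a missing-port error, the brackets are never stripped, and `net.ParseIP("[::1]")` returns nil, so the function returns false even though `[::1]:5000` and bare `::1` both return true. Stripping the brackets when the split fails, `host = strings.TrimSuffix(strings.TrimPrefix(host, "["), "]")` (if `strings` is already imported in this file), or adding an explicit `case host == "[::1]"` would make the three spellings agree; the package's existing `MatchLocalhost`, if it is present on this branch, already handles that form and could be reused instead of adding a second implementation. Because callers use this answer to decide whether to skip TLS verification, the exported doc comment should state the exact contract rather than "is local": `// IsLocalhost reports whether host is the literal "localhost" or a loopback IP literal, optionally with a port; it performs no DNS resolution, so names that merely resolve to loopback are not matched.` The `"net"` import added in the first hunk of this file is the companion change.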