Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Configure jib.allowInsecureRegistries as required #2674

Merged
merged 4 commits into from
Aug 26, 2019
Merged

Configure jib.allowInsecureRegistries as required #2674

merged 4 commits into from
Aug 26, 2019

Conversation

briandealwis
Copy link
Member

@briandealwis briandealwis commented Aug 16, 2019
edited
Loading

Exposes docker.isInsecuredocker.IsInsecure and adds some tests (wasn't actually testing the value from insecureRegistries).

Fixes #2664

@chanseokoh
Copy link
Member

Even with -Djib.allowInsecureRegistries=true, Jib will not send credentials if HTTP (insecure HTTPS will work), unless setting -DsendCredentialsOverHttp=true. Should we set it too?

@briandealwis
Copy link
Member Author

briandealwis commented Aug 20, 2019
edited by chanseokoh
Loading

I've been thinking this over and I don't think we should unless we change allowInsecureRegistries to specify a set of registries rather than a blanket true/false. I might be ok for my password to be sent in the clear to my.corp.registry.local, but not to registry-1.docker.io.

@chanseokoh
Copy link
Member

I think it's OK to not set -DsendCredentialsOverHttp=true. No need at least for now.

BTW, registry-1.docker.io is a secure registry, so I guess allowInsecureRegistries has no effect on it?

@briandealwis
Copy link
Member Author

I only meant registry-1.docker.io as an hypothetical example — like a corporate firewall that prevented HTTPS connections to *.docker.io but inadvertently allowed HTTP connections. If we included sendCredentialsOverHttp then Jib would cascade and send the password in the clear.

@chanseokoh
Copy link
Member

That's a fair point. So, I guess this PR is good and final as it stands now?

@briandealwis briandealwis mentioned this pull request Aug 21, 2019
Closed
@chanseokoh chanseokoh mentioned this pull request Aug 21, 2019
Closed
@briandealwis
Copy link
Member Author

I think it's good to go.

chanseokoh
chanseokoh approved these changes Aug 21, 2019
View reviewed changes
@nkubala
Copy link
Contributor

nkubala commented Aug 26, 2019

LGTM, but looks like some of the unit tests need to be updated?

@briandealwis
Copy link
Member Author

Oh jeepers, I can't believe I inverted the test condition 😊

@nkubala nkubala merged commit 19fbddf into GoogleContainerTools:master Aug 26, 2019
@briandealwis briandealwis deleted the insecure branch August 30, 2019 20:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nkubala nkubala nkubala approved these changes

@chanseokoh chanseokoh chanseokoh approved these changes

@balopat balopat Awaiting requested review from balopat

@dgageot dgageot Awaiting requested review from dgageot

@loosebazooka loosebazooka Awaiting requested review from loosebazooka

@priyawadhwa priyawadhwa Awaiting requested review from priyawadhwa

@TadCordle TadCordle Awaiting requested review from TadCordle

@tejal29 tejal29 Awaiting requested review from tejal29

Assignees
No one assigned
Labels
cla: yes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Skaffold-Jib should propagate insecure-registries setting to Jib
4 participants
@briandealwis @chanseokoh @nkubala @googlebot