From ab6701bd1139cc3cb8d0ca35ba2bfb92e8ad7f74 Mon Sep 17 00:00:00 2001
From: Lantao Liu
Date: Tue, 26 Nov 2019 13:25:52 -0800
Subject: [PATCH] Add insecure_skip_verify option.
Signed-off-by: Lantao Liu
---
docs/registry.md | 19 +++++++++++-----
pkg/config/config.go | 7 +++---
pkg/server/image_pull.go | 48 +++++++++++++++++++++-------------------
3 files changed, 42 insertions(+), 32 deletions(-)
diff --git a/docs/registry.md b/docs/registry.md
index a0cf5a3c4..fe51637fb 100644
--- a/docs/registry.md
+++ b/docs/registry.md
@@ -9,13 +9,13 @@ To configure image registries create/modify the `/etc/containerd/config.toml` as
 [plugins.cri.registry.mirrors]
 [plugins.cri.registry.mirrors."docker.io"]
 endpoint = ["https://registry-1.docker.io"]
- [plugins.cri.registry.mirrors."test.secure-registry.io"]
+ [plugins.cri.registry.mirrors."test.https-registry.io"]
 endpoint = ["https://HostIP1:Port1"]
- [plugins.cri.registry.mirrors."test.insecure-registry.io"]
+ [plugins.cri.registry.mirrors."test.http-registry.io"]
 endpoint = ["http://HostIP2:Port2"]
 # wildcard matching is supported but not required.
 [plugins.cri.registry.mirrors."*"]
- endpoint = ["http://HostIP3:Port3"]
+ endpoint = ["https://HostIP3:Port3"]
 ```
 The default configuration can be generated by `containerd config default > /etc/containerd/config.toml`.
@@ -38,7 +38,8 @@ After modify this config, you need restart the `containerd` service.
 To configure the TLS settings for a specific registry, create/modify the `/etc/containerd/config.toml` as follows:
 ```toml
-# The registry host has to be an domain name or IP.
+# The registry host has to be an domain name or IP. Port number is also
+# needed if the default HTTPS or HTTP port is not used.
 [plugins.cri.registry.configs."my.custom.registry".tls]
 ca_file = "ca.pem"
 cert_file = "cert.pem"
@@ -51,11 +52,16 @@ In the config example shown above, TLS mutual authentication will be used for co
 `cert_file` and `key_file` are not needed when TLS mutual authentication is unused.
 ```toml
-# The registry host has to be an domain name or IP.
 [plugins.cri.registry.configs."my.custom.registry".tls]
 ca_file = "ca.pem"
 ```
+To skip the registry certificate verification:
+```
+[plugins.cri.registry.configs."my.custom.registry".tls]
+ insecure_skip_verify = true
+```
+
 ## Configure Registry Credentials
 `cri` plugin also supports docker like registry credential config.
@@ -63,7 +69,8 @@ In the config example shown above, TLS mutual authentication will be used for co
 To configure a credential for a specific registry, create/modify the `/etc/containerd/config.toml` as follows:
 ```toml
-# The registry host has to be an domain name or IP.
+# The registry host has to be an domain name or IP. Port number is also
+# needed if the default HTTPS or HTTP port is not used.
 [plugins.cri.registry.configs."gcr.io".auth]
 username = ""
 password = ""
diff --git a/pkg/config/config.go b/pkg/config/config.go
index fabcdf35f..7a5ccc2af 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -124,9 +124,10 @@ type AuthConfig struct {
 // TLSConfig contains the CA/Cert/Key used for a registry
 type TLSConfig struct {
- CAFile string `toml:"ca_file" json:"caFile"`
- CertFile string `toml:"cert_file" json:"certFile"`
- KeyFile string `toml:"key_file" json:"keyFile"`
+ InsecureSkipVerify bool `toml:"insecure_skip_verify" json:"insecure_skip_verify"`
+ CAFile string `toml:"ca_file" json:"caFile"`
+ CertFile string `toml:"cert_file" json:"certFile"`
+ KeyFile string `toml:"key_file" json:"keyFile"`
 }
 // Registry is registry settings configured
diff --git a/pkg/server/image_pull.go b/pkg/server/image_pull.go
index 196bfbf37..d12caf567 100644
--- a/pkg/server/image_pull.go
+++ b/pkg/server/image_pull.go
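Review bot: The JSON tag on the new `InsecureSkipVerify` field in `TLSConfig` is spelled `json:"insecure_skip_verify"`, which breaks the camelCase convention of its siblings (`caFile`, `certFile`, `keyFile`); unless the snake_case spelling is already relied on somewhere, it should be `json:"insecureSkipVerify"`. The type's doc comment, `// TLSConfig contains the CA/Cert/Key used for a registry`, no longer describes the struct; suggest `// TLSConfig contains the CA/Cert/Key used for a registry, plus an InsecureSkipVerify switch that disables verification of the registry's server certificate.` A one-line comment on the field itself saying that it turns off both certificate-chain and hostname verification would help operators reading the generated default config understand what they are enabling.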
@@ -253,39 +253,41 @@ func (c *criService) updateImage(ctx context.Context, r string) error {
 // getTLSConfig returns a TLSConfig configured with a CA/Cert/Key specified by registryTLSConfig
 func (c *criService) getTLSConfig(registryTLSConfig criconfig.TLSConfig) (*tls.Config, error) {
 var (
- cert tls.Certificate
- err error
+ tlsConfig = &tls.Config{}
+ cert tls.Certificate
+ err error
 )
- if registryTLSConfig.CertFile != "" && registryTLSConfig.KeyFile != "" {
- cert, err = tls.LoadX509KeyPair(registryTLSConfig.CertFile, registryTLSConfig.KeyFile)
- if err != nil {
- return nil, errors.Wrap(err, "failed to load cert file")
- }
- }
 if registryTLSConfig.CertFile != "" && registryTLSConfig.KeyFile == "" {
 return nil, errors.Errorf("cert file %q was specified, but no corresponding key file was specified", registryTLSConfig.CertFile)
 }
 if registryTLSConfig.CertFile == "" && registryTLSConfig.KeyFile != "" {
 return nil, errors.Errorf("key file %q was specified, but no corresponding cert file was specified", registryTLSConfig.KeyFile)
 }
+ if registryTLSConfig.CertFile != "" && registryTLSConfig.KeyFile != "" {
+ cert, err = tls.LoadX509KeyPair(registryTLSConfig.CertFile, registryTLSConfig.KeyFile)
+ if err != nil {
+ return nil, errors.Wrap(err, "failed to load cert file")
+ }
+ if len(cert.Certificate) != 0 {
+ tlsConfig.Certificates = []tls.Certificate{cert}
+ }
+ tlsConfig.BuildNameToCertificate()
+ }
- caCertPool, err := x509.SystemCertPool()
- if err != nil {
- return nil, errors.Wrap(err, "failed to get system cert pool")
+ if registryTLSConfig.CAFile != "" {
+ caCertPool, err := x509.SystemCertPool()
+ if err != nil {
+ return nil, errors.Wrap(err, "failed to get system cert pool")
+ }
+ caCert, err := ioutil.ReadFile(registryTLSConfig.CAFile)
+ if err != nil {
+ return nil, errors.Wrap(err, "failed to load CA file")
+ }
+ caCertPool.AppendCertsFromPEM(caCert)
+ tlsConfig.RootCAs = caCertPool
 }
- caCert, err := ioutil.ReadFile(registryTLSConfig.CAFile)
- if err != nil {
- return nil, errors.Wrap(err, "failed to load CA file")
- }
- caCertPool.AppendCertsFromPEM(caCert)
- tlsConfig := &tls.Config{
- RootCAs: caCertPool,
- }
- if len(cert.Certificate) != 0 {
- tlsConfig.Certificates = []tls.Certificate{cert}
- }
- tlsConfig.BuildNameToCertificate()
+ tlsConfig.InsecureSkipVerify = registryTLSConfig.InsecureSkipVerify
 return tlsConfig, nil
 }
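Review bot: The return value of `caCertPool.AppendCertsFromPEM(caCert)` inside the new `if registryTLSConfig.CAFile != ""` block is still ignored, so a CA file that exists but contains no parseable PEM certificate silently leaves `RootCAs` as the plain system pool and the misconfiguration only surfaces later as an unknown-authority error on pull; check it with `if !caCertPool.AppendCertsFromPEM(caCert) { return nil, errors.Errorf("no valid certificate found in CA file %q", registryTLSConfig.CAFile) }`. The `:=` on `caCertPool, err := x509.SystemCertPool()` now shadows the `err` declared in the `var` block, which a shadow analyzer would flag; it is harmless today because the outer `err` is not read after that point. When `InsecureSkipVerify` is true the CA pool is still built but `crypto/tls` does not consult it, and since the flag also disables hostname checking, a warning log at the point where it is copied into `tlsConfig` would make the condition visible in the daemon's logs (the logger used by this package is not visible in the hunk). The doc comment `// getTLSConfig returns a TLSConfig configured with a CA/Cert/Key specified by registryTLSConfig` should also say that the returned config carries the InsecureSkipVerify setting and that the CA/cert handling is skipped when the corresponding file names are empty.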