Merge pull request #1345 from Random-Liu/insecure-skip-verify

Add insecure_skip_verify option.
This commit is contained in:
Lantao Liu 2019-11-26 14:34:55 -08:00 committed by GitHub
commit ae3c28c4d7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 42 additions and 32 deletions


@ -9,13 +9,13 @@ To configure image registries create/modify the `/etc/containerd/config.toml` as
[plugins.cri.registry.mirrors] [plugins.cri.registry.mirrors]
[plugins.cri.registry.mirrors."docker.io"] [plugins.cri.registry.mirrors."docker.io"]
endpoint = ["https://registry-1.docker.io"] endpoint = ["https://registry-1.docker.io"]
[plugins.cri.registry.mirrors."test.secure-registry.io"] [plugins.cri.registry.mirrors."test.https-registry.io"]
endpoint = ["https://HostIP1:Port1"] endpoint = ["https://HostIP1:Port1"]
[plugins.cri.registry.mirrors."test.insecure-registry.io"] [plugins.cri.registry.mirrors."test.http-registry.io"]
endpoint = ["http://HostIP2:Port2"] endpoint = ["http://HostIP2:Port2"]
# wildcard matching is supported but not required. # wildcard matching is supported but not required.
[plugins.cri.registry.mirrors."*"] [plugins.cri.registry.mirrors."*"]
endpoint = ["http://HostIP3:Port3"] endpoint = ["https://HostIP3:Port3"]
``` ```
The default configuration can be generated by `containerd config default > /etc/containerd/config.toml`. The default configuration can be generated by `containerd config default > /etc/containerd/config.toml`.
@ -38,7 +38,8 @@ After modify this config, you need restart the `containerd` service.
To configure the TLS settings for a specific registry, create/modify the `/etc/containerd/config.toml` as follows: To configure the TLS settings for a specific registry, create/modify the `/etc/containerd/config.toml` as follows:
```toml ```toml
# The registry host has to be an domain name or IP. # The registry host has to be an domain name or IP. Port number is also
# needed if the default HTTPS or HTTP port is not used.
[plugins.cri.registry.configs."my.custom.registry".tls] [plugins.cri.registry.configs."my.custom.registry".tls]
ca_file = "ca.pem" ca_file = "ca.pem"
cert_file = "cert.pem" cert_file = "cert.pem"
@ -51,11 +52,16 @@ In the config example shown above, TLS mutual authentication will be used for co
`cert_file` and `key_file` are not needed when TLS mutual authentication is unused. `cert_file` and `key_file` are not needed when TLS mutual authentication is unused.
```toml ```toml
# The registry host has to be an domain name or IP.
[plugins.cri.registry.configs."my.custom.registry".tls] [plugins.cri.registry.configs."my.custom.registry".tls]
ca_file = "ca.pem" ca_file = "ca.pem"
``` ```
To skip the registry certificate verification:
```
[plugins.cri.registry.configs."my.custom.registry".tls]
insecure_skip_verify = true
```
## Configure Registry Credentials ## Configure Registry Credentials
`cri` plugin also supports docker like registry credential config. `cri` plugin also supports docker like registry credential config.
@ -63,7 +69,8 @@ In the config example shown above, TLS mutual authentication will be used for co
To configure a credential for a specific registry, create/modify the To configure a credential for a specific registry, create/modify the
`/etc/containerd/config.toml` as follows: `/etc/containerd/config.toml` as follows:
```toml ```toml
# The registry host has to be an domain name or IP. # The registry host has to be an domain name or IP. Port number is also
# needed if the default HTTPS or HTTP port is not used.
[plugins.cri.registry.configs."gcr.io".auth] [plugins.cri.registry.configs."gcr.io".auth]
username = "" username = ""
password = "" password = ""


@ -124,6 +124,7 @@ type AuthConfig struct {
// TLSConfig contains the CA/Cert/Key used for a registry // TLSConfig contains the CA/Cert/Key used for a registry
type TLSConfig struct { type TLSConfig struct {
InsecureSkipVerify bool `toml:"insecure_skip_verify" json:"insecure_skip_verify"`
CAFile string `toml:"ca_file" json:"caFile"` CAFile string `toml:"ca_file" json:"caFile"`
CertFile string `toml:"cert_file" json:"certFile"` CertFile string `toml:"cert_file" json:"certFile"`
KeyFile string `toml:"key_file" json:"keyFile"` KeyFile string `toml:"key_file" json:"keyFile"`
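Review bot: The new `InsecureSkipVerify` field added directly under `type TLSConfig struct {` carries no doc comment, and the type comment above it still says the struct "contains the CA/Cert/Key", so nothing in the declaration tells a reader of the config package what the flag turns off. I would put `// InsecureSkipVerify skips verification of the registry's certificate chain and host name.` above the field and widen the type comment to `// TLSConfig contains the TLS settings (CA/Cert/Key and insecure_skip_verify) used for a registry`. Since the field is the first one in the struct, that comment is also the first thing a user sees when the config is rendered with its comments, which is worth a sentence stating that the setting is meant for test registries rather than production ones.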


@ -253,22 +253,28 @@ func (c *criService) updateImage(ctx context.Context, r string) error {
// getTLSConfig returns a TLSConfig configured with a CA/Cert/Key specified by registryTLSConfig // getTLSConfig returns a TLSConfig configured with a CA/Cert/Key specified by registryTLSConfig
func (c *criService) getTLSConfig(registryTLSConfig criconfig.TLSConfig) (*tls.Config, error) { func (c *criService) getTLSConfig(registryTLSConfig criconfig.TLSConfig) (*tls.Config, error) {
var ( var (
tlsConfig = &tls.Config{}
cert tls.Certificate cert tls.Certificate
err error err error
) )
if registryTLSConfig.CertFile != "" && registryTLSConfig.KeyFile != "" {
cert, err = tls.LoadX509KeyPair(registryTLSConfig.CertFile, registryTLSConfig.KeyFile)
if err != nil {
return nil, errors.Wrap(err, "failed to load cert file")
}
}
if registryTLSConfig.CertFile != "" && registryTLSConfig.KeyFile == "" { if registryTLSConfig.CertFile != "" && registryTLSConfig.KeyFile == "" {
return nil, errors.Errorf("cert file %q was specified, but no corresponding key file was specified", registryTLSConfig.CertFile) return nil, errors.Errorf("cert file %q was specified, but no corresponding key file was specified", registryTLSConfig.CertFile)
} }
if registryTLSConfig.CertFile == "" && registryTLSConfig.KeyFile != "" { if registryTLSConfig.CertFile == "" && registryTLSConfig.KeyFile != "" {
return nil, errors.Errorf("key file %q was specified, but no corresponding cert file was specified", registryTLSConfig.KeyFile) return nil, errors.Errorf("key file %q was specified, but no corresponding cert file was specified", registryTLSConfig.KeyFile)
} }
if registryTLSConfig.CertFile != "" && registryTLSConfig.KeyFile != "" {
cert, err = tls.LoadX509KeyPair(registryTLSConfig.CertFile, registryTLSConfig.KeyFile)
if err != nil {
return nil, errors.Wrap(err, "failed to load cert file")
}
if len(cert.Certificate) != 0 {
tlsConfig.Certificates = []tls.Certificate{cert}
}
tlsConfig.BuildNameToCertificate()
}
if registryTLSConfig.CAFile != "" {
caCertPool, err := x509.SystemCertPool() caCertPool, err := x509.SystemCertPool()
if err != nil { if err != nil {
return nil, errors.Wrap(err, "failed to get system cert pool") return nil, errors.Wrap(err, "failed to get system cert pool")
@ -278,14 +284,10 @@ func (c *criService) getTLSConfig(registryTLSConfig criconfig.TLSConfig) (*tls.C
return nil, errors.Wrap(err, "failed to load CA file") return nil, errors.Wrap(err, "failed to load CA file")
} }
caCertPool.AppendCertsFromPEM(caCert) caCertPool.AppendCertsFromPEM(caCert)
tlsConfig.RootCAs = caCertPool
}
tlsConfig := &tls.Config{ tlsConfig.InsecureSkipVerify = registryTLSConfig.InsecureSkipVerify
RootCAs: caCertPool,
}
if len(cert.Certificate) != 0 {
tlsConfig.Certificates = []tls.Certificate{cert}
}
tlsConfig.BuildNameToCertificate()
return tlsConfig, nil return tlsConfig, nil
} }
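Review bot: The assignment `tlsConfig.InsecureSkipVerify = registryTLSConfig.InsecureSkipVerify` just before the return silently overrides the `ca_file`/`cert_file`/`key_file` handling above it: with the flag set, Go's TLS client skips both chain and host-name verification, so a configured `RootCAs` pool has no effect and a registry config that sets both is accepted without any signal. I would reject, or at least report, the combination before the return, e.g. `if registryTLSConfig.InsecureSkipVerify && registryTLSConfig.CAFile != "" { return nil, errors.Errorf("ca_file %q has no effect when insecure_skip_verify is set", registryTLSConfig.CAFile) }`, in the same shape as the cert/key mismatch checks earlier in the first hunk. Related, the context line `caCertPool.AppendCertsFromPEM(caCert)` discards its bool result, so a CA file with no parseable certificate is accepted and verification quietly proceeds with only the system pool that `x509.SystemCertPool()` returned; checking that result with a similar `errors.Errorf` would close the gap. The function comment `// getTLSConfig returns a TLSConfig configured with a CA/Cert/Key specified by registryTLSConfig` should also say that it propagates `InsecureSkipVerify`; the function begins at the signature in the first hunk and its closing brace is the last line of the second.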