Merge pull request #5100 from adisky/skip-tls-localHost

Skip TLS verification for localhost
2021-05-12 14:56:53 -04:00 · 2021-05-12 14:56:53 -04:00 · e47400cbd2
commit e47400cbd2
parent 28e29af62d 8014d9fee0
1 changed files with 18 additions and 4 deletions
--- a/pkg/cri/server/image_pull.go
+++ b/pkg/cri/server/image_pull.go
@ -373,6 +373,9 @@ func (c *criService) registryHosts(ctx context.Context, auth *runtime.AuthConfig
 				if err != nil {
 					return nil, errors.Wrapf(err, "get TLSConfig for registry %q", e)
 				}
+			} else if isLocalHost(host) && u.Scheme == "http" {
+				// Skipping TLS verification for localhost
+				transport.TLSClientConfig.InsecureSkipVerify = true
 			}

 			// Make a copy of `auth`, so that different authorizers would not reference
@ -406,15 +409,26 @@ func (c *criService) registryHosts(ctx context.Context, auth *runtime.AuthConfig

 // defaultScheme returns the default scheme for a registry host.
 func defaultScheme(host string) string {
-	if h, _, err := net.SplitHostPort(host); err == nil {
-		host = h
-	}
-	if host == "localhost" || host == "127.0.0.1" || host == "::1" {
+	if isLocalHost(host) {
 		return "http"
 	}
 	return "https"
 }

+// isLocalHost checks if the registry host is local.
+func isLocalHost(host string) bool {
+	if h, _, err := net.SplitHostPort(host); err == nil {
+		host = h
+	}
+
+	if host == "localhost" {
+		return true
+	}
+
+	ip := net.ParseIP(host)
+	return ip.IsLoopback()
+}
+
 // addDefaultScheme returns the endpoint with default scheme
 func addDefaultScheme(endpoint string) (string, error) {
 	if strings.Contains(endpoint, "://") {