
Support self-signed certificates docker registry

If you want to run a docker registry for development purposes with
self-signed certificates, and use this registry to push your
requirements wheel, the loci build process would fail at fetching the
wheels.

This brings support for self-signed certificates registries by:
- Allowing to skip protocol_detection: If protocol_detection happens on
  a https registry, urllib2 would not throw an HTTPError or URLError,
  and protocol returned by default would be HTTP, which would then cause
  issues by not using SSL to fetch data. There is no point to "detect"
  things if we provide an argument to the users.
- If the protocol is correctly given as HTTPS, no certificate is passed
  into the urllib SSL context by default, so the connection only works with
  globally trusted certificates. This patch also adds an option to bypass
  certificate verification when the user provides
  `REGISTRY_SSL_NOVERIFY`.

Change-Id: Ib00bbc9cc63d70a88dbf8b23a518553d6134d332
changes/63/637963/4
Jean-Philippe Evrard 3 months ago
parent
commit
cc50c3048b
3 changed files with 32 additions and 5 deletions
  1. 2
    0
      Dockerfile
  2. 6
    0
      README.md
  3. 24
    5
      scripts/fetch_wheels.py

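--- a/Dockerfile
+++ b/Dockerfile
@@ -16,6 +16,8 @@ ARG PLUGIN=no
 ARG PYTHON3=no
 ARG EXTRA_BINDEP=""
 ARG EXTRA_PYDEP=""
+ARG REGISTRY_PROTOCOL="detect"
+ARG REGISTRY_INSECURE="False"
 
 ARG UID=42424
 ARG GID=42424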

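--- a/README.md
+++ b/README.md
@@ -100,6 +100,12 @@ For more advanced building you can use docker build arguments to define:
      be considered next to the default bindep.txt.
   * `EXTRA_PYDEP` Specify a pydep-* file to add in the container. It would
      be considered next to the default pydep.txt.
+  * `REGISTRY_PROTOCOL` Set this to `https` if you are running your own
+    registry on https, `http` if you are running on http, or leave it as
+    `detect` if you want to re-use existing protocol detection.
+  * `REGISTRY_INSECURE` Set this to `True` if your image registry is
+    running on HTTPS with self-signed certificates to ignore SSL verification.
+    (defaults to False)
 
 This makes it really easy to integrate LOCI images into your development or
 CI/CD workflow, for example, if you wanted to build an image from [this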

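--- a/scripts/fetch_wheels.py
+++ b/scripts/fetch_wheels.py
@@ -3,6 +3,8 @@
 import json
 import os
 import re
+import ssl
+from distutils.util import strtobool
 
 try:
     import urllib2
@@ -24,7 +26,10 @@ def get_token(protocol, registry, repo):
     print(url)
     try:
         r = urllib2.Request(url=url)
-        resp = urllib2.urlopen(r)
+        if strtobool(os.environ.get('REGISTRY_INSECURE', "False")):
+            resp = urllib2.urlopen(r, context=ssl._create_unverified_context())
+        else:
+            resp = urllib2.urlopen(r)
         resp_text = resp.read().decode('utf-8').strip()
         return json.loads(resp_text)['token']
     except urllib2.HTTPError as err:
@@ -37,7 +42,10 @@ def get_sha(repo, tag, registry, protocol, token):
     r = urllib2.Request(url=url)
     if token:
         r.add_header('Authorization', 'Bearer {}'.format(token))
-    resp = urllib2.urlopen(r)
+    if strtobool(os.environ.get('REGISTRY_INSECURE', "False")):
+        resp = urllib2.urlopen(r, context=ssl._create_unverified_context())
+    else:
+        resp = urllib2.urlopen(r)
     resp_text = resp.read().decode('utf-8').strip()
     return json.loads(resp_text)['fsLayers'][0]['blobSum']
 
@@ -49,7 +57,10 @@ def get_blob(repo, tag, protocol, registry=DOCKER_REGISTRY, token=None):
     r = urllib2.Request(url=url)
     if token:
         r.add_header('Authorization', 'Bearer {}'.format(token))
-    resp = urllib2.urlopen(r)
+    if strtobool(os.environ.get('REGISTRY_INSECURE', "False")):
+        resp = urllib2.urlopen(r, context=ssl._create_unverified_context())
+    else:
+        resp = urllib2.urlopen(r)
     return resp.read()
 
 def protocol_detection(registry, protocol='http'):
@@ -73,7 +84,10 @@ def protocol_detection(registry, protocol='http'):
 
 def get_wheels(url):
     r = urllib2.Request(url=url)
-    resp = urllib2.urlopen(r)
+    if strtobool(os.environ.get('REGISTRY_INSECURE', "False")):
+        resp = urllib2.urlopen(r, context=ssl._create_unverified_context())
+    else:
+        resp = urllib2.urlopen(r)
     return resp.read()
 
 def parse_image(full_image):
@@ -106,7 +120,12 @@ def main():
         data = get_wheels(wheels)
     else:
         registry, image, tag = parse_image(wheels)
-        protocol = protocol_detection(registry)
+        if os.environ.get('REGISTRY_PROTOCOL') in ['http','https']:
+            protocol = os.environ.get('REGISTRY_PROTOCOL')
+        elif os.environ.get('REGISTRY_PROTOCOL') == 'detect':
+            protocol = protocol_detection(registry)
+        else:
+            raise ValueError("Unknown protocol given in argument")
         kwargs = dict()
         if registry:
             kwargs.update({'registry': registry})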
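Review bot: The TLS branch added to get_token, get_sha, get_blob and get_wheels is pasted four times and, whenever `REGISTRY_INSECURE` is true, disables certificate and hostname checking entirely through the private `ssl._create_unverified_context()`, although the stated goal is a self-signed registry, which `ssl.create_default_context(cafile=...)` can verify without turning checks off. One helper that builds the context once — verifying against an optional CA bundle, and only dropping to `CERT_NONE` when `REGISTRY_INSECURE` is set — would replace the four `if strtobool(...)` blocks; a sketch follows, where the CA-bundle variable name is a placeholder to be chosen. In main(), `os.environ.get('REGISTRY_PROTOCOL')` has no default, so running the script outside the Dockerfile (where the ARG supplies `detect`) now raises "Unknown protocol given in argument" instead of detecting as before; `os.environ.get('REGISTRY_PROTOCOL', 'detect')` keeps the old behaviour. `distutils.util.strtobool` is deprecated and distutils is removed in Python 3.12, so a small local parser is safer, and the commit message names the switch `REGISTRY_SSL_NOVERIFY` while the code reads `REGISTRY_INSECURE`. main() and the four request functions each continue outside their hunks.

```python
def _registry_ssl_context():
    """Build the SSL context shared by every registry request.

    Verification stays on by default. REGISTRY_CA_BUNDLE (placeholder name)
    may point at a PEM file for a private or self-signed CA; only
    REGISTRY_INSECURE=True disables verification altogether.
    """
    if strtobool(os.environ.get('REGISTRY_INSECURE', "False")):
        context = ssl.create_default_context()
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
        return context
    return ssl.create_default_context(cafile=os.environ.get('REGISTRY_CA_BUNDLE'))


def _urlopen(request):
    """urlopen wrapper so get_token/get_sha/get_blob/get_wheels share one TLS policy."""
    return urllib2.urlopen(request, context=_registry_ssl_context())

# … unchanged: get_token, get_sha, get_blob and get_wheels call _urlopen(r) in place of the if/else …
```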
