Support self-signed certificates docker registry

If you want to run a docker registry for development purposes with
self-signed certificates, and use this registry to push your
requirements wheel, the loci build process would fail at fetching the
wheels.

This brings support for self-signed certificates registries by:
- Allowing to skip protocol_detection: If protocol_detection happens on
  a https registry, urllib2 would not throw an HTTPError or URLError,
  and protocol returned by default would be HTTP, which would then cause
  issues by not using SSL to fetch data. There is no point to "detect"
  things if we provide an argument to the users.
- If the protocol is correctly given as HTTPs, no certificate is passed
  into the urllib ssl contexts by default, which would only work with
  globally valid certificates. This patch also adds an option to bypass
  the verification of certificates when the user provides
  `REGISTRY_SSL_NOVERIFY`.

Change-Id: Ib00bbc9cc63d70a88dbf8b23a518553d6134d332
This commit is contained in:
Jean-Philippe Evrard 2019-02-19 19:30:16 +01:00
parent 64de1b3869
commit cc50c3048b
3 changed files with 32 additions and 5 deletions

View File

@ -16,6 +16,8 @@ ARG PLUGIN=no
ARG PYTHON3=no ARG PYTHON3=no
ARG EXTRA_BINDEP="" ARG EXTRA_BINDEP=""
ARG EXTRA_PYDEP="" ARG EXTRA_PYDEP=""
ARG REGISTRY_PROTOCOL="detect"
ARG REGISTRY_INSECURE="False"
ARG UID=42424 ARG UID=42424
ARG GID=42424 ARG GID=42424

View File

@ -100,6 +100,12 @@ For more advanced building you can use docker build arguments to define:
be considered next to the default bindep.txt. be considered next to the default bindep.txt.
* `EXTRA_PYDEP` Specify a pydep-* file to add in the container. It would * `EXTRA_PYDEP` Specify a pydep-* file to add in the container. It would
be considered next to the default pydep.txt. be considered next to the default pydep.txt.
* `REGISTRY_PROTOCOL` Set this to `https` if you are running your own
registry on https, `http` if you are running on http, or leave it as
`detect` if you want to re-use existing protocol detection.
* `REGISTRY_INSECURE` Set this to `True` if your image registry is
running on HTTPS with self-signed certificates to ignore SSL verification.
(defaults to False)
This makes it really easy to integrate LOCI images into your development or This makes it really easy to integrate LOCI images into your development or
CI/CD workflow, for example, if you wanted to build an image from [this CI/CD workflow, for example, if you wanted to build an image from [this

View File

@ -3,6 +3,8 @@
import json import json
import os import os
import re import re
import ssl
from distutils.util import strtobool
try: try:
import urllib2 import urllib2
@ -24,7 +26,10 @@ def get_token(protocol, registry, repo):
print(url) print(url)
try: try:
r = urllib2.Request(url=url) r = urllib2.Request(url=url)
resp = urllib2.urlopen(r) if strtobool(os.environ.get('REGISTRY_INSECURE', "False")):
resp = urllib2.urlopen(r, context=ssl._create_unverified_context())
else:
resp = urllib2.urlopen(r)
resp_text = resp.read().decode('utf-8').strip() resp_text = resp.read().decode('utf-8').strip()
return json.loads(resp_text)['token'] return json.loads(resp_text)['token']
except urllib2.HTTPError as err: except urllib2.HTTPError as err:
@ -37,7 +42,10 @@ def get_sha(repo, tag, registry, protocol, token):
r = urllib2.Request(url=url) r = urllib2.Request(url=url)
if token: if token:
r.add_header('Authorization', 'Bearer {}'.format(token)) r.add_header('Authorization', 'Bearer {}'.format(token))
resp = urllib2.urlopen(r) if strtobool(os.environ.get('REGISTRY_INSECURE', "False")):
resp = urllib2.urlopen(r, context=ssl._create_unverified_context())
else:
resp = urllib2.urlopen(r)
resp_text = resp.read().decode('utf-8').strip() resp_text = resp.read().decode('utf-8').strip()
return json.loads(resp_text)['fsLayers'][0]['blobSum'] return json.loads(resp_text)['fsLayers'][0]['blobSum']
@ -49,7 +57,10 @@ def get_blob(repo, tag, protocol, registry=DOCKER_REGISTRY, token=None):
r = urllib2.Request(url=url) r = urllib2.Request(url=url)
if token: if token:
r.add_header('Authorization', 'Bearer {}'.format(token)) r.add_header('Authorization', 'Bearer {}'.format(token))
resp = urllib2.urlopen(r) if strtobool(os.environ.get('REGISTRY_INSECURE', "False")):
resp = urllib2.urlopen(r, context=ssl._create_unverified_context())
else:
resp = urllib2.urlopen(r)
return resp.read() return resp.read()
def protocol_detection(registry, protocol='http'): def protocol_detection(registry, protocol='http'):
@ -73,7 +84,10 @@ def protocol_detection(registry, protocol='http'):
def get_wheels(url): def get_wheels(url):
r = urllib2.Request(url=url) r = urllib2.Request(url=url)
resp = urllib2.urlopen(r) if strtobool(os.environ.get('REGISTRY_INSECURE', "False")):
resp = urllib2.urlopen(r, context=ssl._create_unverified_context())
else:
resp = urllib2.urlopen(r)
return resp.read() return resp.read()
def parse_image(full_image): def parse_image(full_image):
@ -106,7 +120,12 @@ def main():
data = get_wheels(wheels) data = get_wheels(wheels)
else: else:
registry, image, tag = parse_image(wheels) registry, image, tag = parse_image(wheels)
protocol = protocol_detection(registry) if os.environ.get('REGISTRY_PROTOCOL') in ['http','https']:
protocol = os.environ.get('REGISTRY_PROTOCOL')
elif os.environ.get('REGISTRY_PROTOCOL') == 'detect':
protocol = protocol_detection(registry)
else:
raise ValueError("Unknown protocol given in argument")
kwargs = dict() kwargs = dict()
if registry: if registry:
kwargs.update({'registry': registry}) kwargs.update({'registry': registry})