Handle registries with incorrect certs correctly

We actually end up allowing registries with incorrect certificates in the upload code so they get treated the same as inscure registries. This change updates the return code of the is_insecure_registry to match how we handle these registries in the image uploader. Additionally, this means that when the container image prepare code runs, we will correctly include these registries that have ssl enabled but incorrect certificates will correctly be included in the DockerInsecureRegistryAddress setting. Change-Id: I7fba881645ec2ea167c064be07ed6d4281b7ed3d Closes-Bug: #1833751
2019-06-21 14:07:34 -06:00 · 2019-06-21 14:07:34 -06:00 · 51d723a9ff
commit 51d723a9ff
parent 89989711e4
2 changed files with 20 additions and 2 deletions
--- a/tripleo_common/image/image_uploader.py
+++ b/tripleo_common/image/image_uploader.py
@ -668,7 +668,8 @@ class BaseImageUploader(object):
    def is_insecure_registry(self, registry_host):
        if registry_host in self.secure_registries:
            return False
-        if registry_host in self.insecure_registries:
+        if (registry_host in self.insecure_registries or
+                registry_host in self.no_verify_registries):
            return True
        try:
            requests.get('https://%s/v2' % registry_host, timeout=30)
@ -679,7 +680,12 @@ class BaseImageUploader(object):
                requests.get('https://%s/v2' % registry_host, timeout=30,
                             verify=False)
                self.no_verify_registries.add(registry_host)
-                return False
+                # Techinically these type of registries are insecure when
+                # the container engine tries to do a pull. The python uploader
+                # ignores the certificate problem, but they are still inscure
+                # so we return True here while we'll still use https when we
+                # access the registry. LP#1833751
+                return True
            except requests.exceptions.SSLError:
                # So nope, it's really not a certificate verification issue
                self.insecure_registries.add(registry_host)
--- a/tripleo_common/tests/image/test_image_uploader.py
+++ b/tripleo_common/tests/image/test_image_uploader.py
@ -241,6 +241,18 @@ class TestBaseImageUploader(base.TestCase):
            self.requests.request_history[0].url
        )

+    @mock.patch('requests.get')
+    def test_is_insecure_registry_bad_cert(self, mock_get):
+        mock_get.side_effect = [requests.exceptions.SSLError('ouch'), True]
+        self.assertTrue(
+            self.uploader.is_insecure_registry('bcert:8787'))
+        self.assertTrue(
+            self.uploader.is_insecure_registry('bcert:8787'))
+        calls = [mock.call('https://bcert:8787/v2', timeout=30),
+                 mock.call('https://bcert:8787/v2', timeout=30, verify=False)]
+        mock_get.assert_has_calls(calls)
+        self.assertEqual(mock_get.call_count, 2)
+
    def test_is_insecure_registry_timeout(self):
        self.requests.get(
            'https://192.0.2.0:8787/',