Handle registries with incorrect certs correctly

We actually end up allowing registries with incorrect certificates in
the upload code so they get treated the same as insecure registries.
This change updates the return code of the is_insecure_registry to match
how we handle these registries in the image uploader. Additionally, this
means that when the container image prepare code runs, registries that
have ssl enabled but incorrect certificates will correctly be included
in the DockerInsecureRegistryAddress setting.

Change-Id: I7fba881645ec2ea167c064be07ed6d4281b7ed3d
Closes-Bug: #1833751
Alex Schultz 2019-06-21 14:07:34 -06:00
parent 89989711e4
commit 51d723a9ff
2 changed files with 20 additions and 2 deletions
tripleo_common

@ -668,7 +668,8 @@ class BaseImageUploader(object):
def is_insecure_registry(self, registry_host):
if registry_host in self.secure_registries:
return False
if registry_host in self.insecure_registries:
if (registry_host in self.insecure_registries or
registry_host in self.no_verify_registries):
return True
try:
requests.get('https://%s/v2' % registry_host, timeout=30)
@ -679,7 +680,12 @@ class BaseImageUploader(object):
requests.get('https://%s/v2' % registry_host, timeout=30,
verify=False)
self.no_verify_registries.add(registry_host)
return False
# Techinically these type of registries are insecure when
# the container engine tries to do a pull. The python uploader
# ignores the certificate problem, but they are still inscure
# so we return True here while we'll still use https when we
# access the registry. LP#1833751
return True
except requests.exceptions.SSLError:
# So nope, it's really not a certificate verification issue
self.insecure_registries.add(registry_host)
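Review bot: The new `return True` at the end of the `verify=False` branch classifies a host as insecure as soon as its certificate fails validation, with no log line and no operator opt-in, and per the commit description that host then lands in DockerInsecureRegistryAddress. A self-signed or expired certificate and an intercepted connection look the same to this probe, and the answer is cached in `self.no_verify_registries` for later calls, so one failed check decides how the registry is treated from then on. I would log it before returning, for example `LOG.warning('Registry %s failed certificate verification, treating it as insecure', registry_host)` (assuming the module has a logger), and consider only downgrading hosts the operator has listed explicitly. The try/except around these calls begins and ends outside the lines shown.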

@ -241,6 +241,18 @@ class TestBaseImageUploader(base.TestCase):
self.requests.request_history[0].url
)
@mock.patch('requests.get')
def test_is_insecure_registry_bad_cert(self, mock_get):
mock_get.side_effect = [requests.exceptions.SSLError('ouch'), True]
self.assertTrue(
self.uploader.is_insecure_registry('bcert:8787'))
self.assertTrue(
self.uploader.is_insecure_registry('bcert:8787'))
calls = [mock.call('https://bcert:8787/v2', timeout=30),
mock.call('https://bcert:8787/v2', timeout=30, verify=False)]
mock_get.assert_has_calls(calls)
self.assertEqual(mock_get.call_count, 2)
def test_is_insecure_registry_timeout(self):
self.requests.get(
'https://192.0.2.0:8787/',
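Review bot: test_is_insecure_registry_bad_cert checks the return value and the call count but not which set the host was recorded in, and that presumably decides whether later access stays on https without verification or is handled like a plain insecure registry. Adding `self.assertIn('bcert:8787', self.uploader.no_verify_registries)` and `self.assertNotIn('bcert:8787', self.uploader.insecure_registries)` would pin it. The second `side_effect` entry is a bare `True`, which works only because the result of the unverified request is not used in the lines shown.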