Image uploader: use HTTPS for "no verify" registries

Registries with an invalid SSL certificate are insecure, but still
need to be accessed via HTTPS. This patch updates the URL builder
to take this into consideration.

Closes-Bug: #1858672
Change-Id: I71436313098f513c200ecc3f862a2b851fb1060a
Alan Bishop 2020-01-07 08:54:18 -08:00 committed by Alex Schultz
parent 95c68e6d9b
commit dcf99e7167
2 changed files with 12 additions and 3 deletions


@ -590,10 +590,11 @@ class BaseImageUploader(object):
mirror = cls.mirrors[netloc]
return '%sv2%s' % (mirror, path)
else:
if not cls.is_insecure_registry(registry_host=netloc):
scheme = 'https'
else:
if (cls.is_insecure_registry(registry_host=netloc) and
netloc not in cls.no_verify_registries):
scheme = 'http'
else:
scheme = 'https'
if netloc == 'docker.io':
netloc = 'registry-1.docker.io'
return '%s://%s/v2%s' % (scheme, netloc, path)
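Review bot: The new condition `if (cls.is_insecure_registry(registry_host=netloc) and netloc not in cls.no_verify_registries):` has no comment explaining why a registry classed as insecure can still get `https`, which matters to anyone auditing transport security in this builder. I would add above it `# Plain HTTP only for registries flagged insecure; "no verify" registries keep HTTPS, but their certificate is not validated, so the peer is unauthenticated.` If `is_insecure_registry` fills `no_verify_registries` as a side effect (not visible in this section), the order of the two operands is load-bearing and the same comment should say so. The enclosing method starts above this section, and the mirror branch at its top returns the configured mirror URL as-is, so this scheme selection does not apply to mirrored hosts.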


@ -587,6 +587,7 @@ class TestBaseImageUploader(base.TestCase):
build = image_uploader.BaseImageUploader._build_url
insecure_reg = image_uploader.BaseImageUploader.insecure_registries
secure_reg = image_uploader.BaseImageUploader.secure_registries
no_verify_reg = image_uploader.BaseImageUploader.no_verify_registries
mirrors = image_uploader.BaseImageUploader.mirrors
# fix urls
self.assertEqual(
@ -605,6 +606,13 @@ class TestBaseImageUploader(base.TestCase):
'https://192.0.2.1:8787/v2/t/nova-api/tags/list',
build(url3, '/t/nova-api/tags/list')
)
# "no verify" registries are insecure but still use https
secure_reg.remove('192.0.2.1:8787')
no_verify_reg.add('192.0.2.1:8787')
self.assertEqual(
'https://192.0.2.1:8787/v2/t/nova-api/tags/list',
build(url3, '/t/nova-api/tags/list')
)
# test mirrors
mirrors['docker.io'] = 'http://192.0.2.2:8081/registry-1.docker/'