Login refactor (small breakout): add support for explicitly setting --insecure-registry=false #3411
Conversation
apostasie
changed the title
pkg/config/config.go
Outdated
| @@ -39,6 +39,8 @@ type Config struct { | |||
| HostsDir []string `toml:"hosts_dir"` | |||
| Experimental bool `toml:"experimental"` | |||
| HostGatewayIP string `toml:"host_gateway_ip"` | |||
|
|
|||
| ExplicitInsecureRegistry bool `toml:"-"` | |||
There was a problem hiding this comment.
Not sure about this. The struct is dedicated for TOML properties.
There was a problem hiding this comment.
Yeah, I was thinking about that.
We could use a different struct instead (or just an extra param) - but then we would have to modify the signature of a lot of functions in the path of pull, push, login.
Let me know what you prefer.
There was a problem hiding this comment.
Ok. Alternative proposal (overloading globalconfig) with the latest push.
LMK your thoughts.
apostasie
force-pushed
the
dev-login-insecure-localhost
branch
from
1a8fc78
to
00a4ba5
Compare
As described in containerd#3046 it is not currently possible to communicate with localhost using TLS, as insecure-registry is forcefully set for localhost-ish addresses. This PR does introduce support to differenciate between the default value of --insecure-registry when it is NOT specified (which is false), and the fact that the user has explicitly passed the flag as `--insecure-registry=false`. Being able to differenciate these two cases will enable us to treat differently: `docker login localhost` (usual behavior, insecure set to true) and `docker login --insecure-regitry=false localhost` (new behavior, NOT setting insecure to true) Implementation will follow in a subsequent PR that will rewrite login.go. Signed-off-by: apostasie <[email protected]>
apostasie
force-pushed
the
dev-login-insecure-localhost
branch
from
00a4ba5
to
d135e0b
Compare
The struct looks good, but I expect the implementation to be accompanied in the same PR |
The implementation does require rather large modifications to dockerconfigresolver and login code which are difficult to breakdown. What about I close this PR then - and just land this as part of the (larger) PR to come? I will try my best to have as many separate commits as possible to ease review. |
This is the ground work for fixing #3046.
See commit message for details.
TL;DR:
docker login --insecure-registry false localhostshould NOT treat localhost as insecure.