Merge pull request #643 from eunomie/remove-insecure-registries-flag

Remove `--insecure-registries` flag

Author: silvin-lubecki

e2e/images_test.go

@@ -27,7 +27,7 @@ func TestImageList(t *testing.T) {
 		defer dir.Remove()
 
 		// Push an application so that we can later pull it by digest
-		cmd.Command = dockerCli.Command("app", "push", "--tag", info.registryAddress+"/c-myapp", "--insecure-registries="+info.registryAddress, filepath.Join("testdata", "push-pull", "push-pull.dockerapp"))
+		cmd.Command = dockerCli.Command("app", "push", "--tag", info.registryAddress+"/c-myapp", filepath.Join("testdata", "push-pull", "push-pull.dockerapp"))
 		r := icmd.RunCmd(cmd).Assert(t, icmd.Success)
 
 		// Get the digest from the output of the pull command
@@ -36,7 +36,7 @@ func TestImageList(t *testing.T) {
 		digest := matches[0][1]
 
 		// Pull the app by digest
-		cmd.Command = dockerCli.Command("app", "pull", "--insecure-registries="+info.registryAddress, info.registryAddress+"/c-myapp@"+digest)
+		cmd.Command = dockerCli.Command("app", "pull", info.registryAddress+"/c-myapp@"+digest)
 		icmd.RunCmd(cmd).Assert(t, icmd.Success)
 
 		cmd.Command = dockerCli.Command("app", "bundle", filepath.Join("testdata", "simple", "simple.dockerapp"), "--tag", "b-simple-app", "--output", dir.Join("simple-bundle.json"))

e2e/pushpull_test.go

@@ -95,7 +95,7 @@ func TestPushArchs(t *testing.T) {
 			t.Run(testCase.name, func(t *testing.T) {
 				cmd := info.configuredCmd
 				ref := info.registryAddress + "/test/push-pull:1"
-				args := []string{"app", "push", "--tag", ref, "--insecure-registries=" + info.registryAddress}
+				args := []string{"app", "push", "--tag", ref}
 				args = append(args, testCase.args...)
 				args = append(args, filepath.Join("testdata", "push-pull", "push-pull.dockerapp"))
 				cmd.Command = dockerCli.Command(args...)
@@ -121,14 +121,31 @@ func TestPushArchs(t *testing.T) {
 	})
 }
 
+func TestPushInsecureRegistry(t *testing.T) {
+	runWithDindSwarmAndRegistry(t, func(info dindSwarmAndRegistryInfo) {
+		ref := info.registryAddress + "/test/push-insecure"
+
+		// create a command outside of the dind context so without the insecure registry configured
+		cmd2, cleanup2 := dockerCli.createTestCmd()
+		defer cleanup2()
+		cmd2.Command = dockerCli.Command("app", "push", "--tag", ref, filepath.Join("testdata", "push-pull", "push-pull.dockerapp"))
+		icmd.RunCmd(cmd2).Assert(t, icmd.Expected{ExitCode: 1})
+
+		// run the push with the command inside dind context configured to allow access to the insecure registry
+		cmd := info.configuredCmd
+		cmd.Command = dockerCli.Command("app", "push", "--tag", ref, filepath.Join("testdata", "push-pull", "push-pull.dockerapp"))
+		icmd.RunCmd(cmd).Assert(t, icmd.Success)
+	})
+}
+
 func TestPushInstall(t *testing.T) {
 	runWithDindSwarmAndRegistry(t, func(info dindSwarmAndRegistryInfo) {
 		cmd := info.configuredCmd
 		ref := info.registryAddress + "/test/push-pull"
-		cmd.Command = dockerCli.Command("app", "push", "--tag", ref, "--insecure-registries="+info.registryAddress, filepath.Join("testdata", "push-pull", "push-pull.dockerapp"))
+		cmd.Command = dockerCli.Command("app", "push", "--tag", ref, filepath.Join("testdata", "push-pull", "push-pull.dockerapp"))
 		icmd.RunCmd(cmd).Assert(t, icmd.Success)
 
-		cmd.Command = dockerCli.Command("app", "install", "--insecure-registries="+info.registryAddress, ref, "--name", t.Name())
+		cmd.Command = dockerCli.Command("app", "install", ref, "--name", t.Name())
 		icmd.RunCmd(cmd).Assert(t, icmd.Success)
 		cmd.Command = dockerCli.Command("service", "ls")
 		assert.Check(t, cmp.Contains(icmd.RunCmd(cmd).Assert(t, icmd.Success).Combined(), ref))
@@ -140,16 +157,16 @@ func TestPushPullInstall(t *testing.T) {
 		cmd := info.configuredCmd
 		ref := info.registryAddress + "/test/push-pull"
 		tag := ":v.0.0.1"
-		cmd.Command = dockerCli.Command("app", "push", "--tag", ref+tag, "--insecure-registries="+info.registryAddress, filepath.Join("testdata", "push-pull", "push-pull.dockerapp"))
+		cmd.Command = dockerCli.Command("app", "push", "--tag", ref+tag, filepath.Join("testdata", "push-pull", "push-pull.dockerapp"))
 		icmd.RunCmd(cmd).Assert(t, icmd.Success)
-		cmd.Command = dockerCli.Command("app", "pull", ref+tag, "--insecure-registries="+info.registryAddress)
+		cmd.Command = dockerCli.Command("app", "pull", ref+tag)
 		icmd.RunCmd(cmd).Assert(t, icmd.Success)
 
 		// stop the registry
 		info.stopRegistry()
 
 		// install without --pull should succeed (rely on local store)
-		cmd.Command = dockerCli.Command("app", "install", "--insecure-registries="+info.registryAddress, ref+tag, "--name", t.Name())
+		cmd.Command = dockerCli.Command("app", "install", ref+tag, "--name", t.Name())
 		icmd.RunCmd(cmd).Assert(t, icmd.Success)
 		cmd.Command = dockerCli.Command("service", "ls")
 		assert.Check(t, cmp.Contains(icmd.RunCmd(cmd).Assert(t, icmd.Success).Combined(), ref))
@@ -162,7 +179,7 @@ func TestPushPullInstall(t *testing.T) {
 			})
 
 		// install with --pull should fail (registry is stopped)
-		cmd.Command = dockerCli.Command("app", "install", "--pull", "--insecure-registries="+info.registryAddress, ref, "--name", t.Name()+"2")
+		cmd.Command = dockerCli.Command("app", "install", "--pull", ref, "--name", t.Name()+"2")
 		assert.Check(t, cmp.Contains(icmd.RunCmd(cmd).Assert(t, icmd.Expected{ExitCode: 1}).Combined(), "failed to resolve bundle manifest"))
 	})
 }
@@ -183,10 +200,10 @@ func TestPushInstallBundle(t *testing.T) {
 		// push it and install to check it is available
 		t.Run("push-bundle", func(t *testing.T) {
 			name := strings.Replace(t.Name(), "/", "_", 1)
-			cmd.Command = dockerCli.Command("app", "push", "--insecure-registries="+info.registryAddress, "--tag", ref, bundleFile)
+			cmd.Command = dockerCli.Command("app", "push", "--tag", ref, bundleFile)
 			icmd.RunCmd(cmd).Assert(t, icmd.Success)
 
-			cmd.Command = dockerCli.Command("app", "install", "--insecure-registries="+info.registryAddress, ref, "--name", name)
+			cmd.Command = dockerCli.Command("app", "install", ref, "--name", name)
 			icmd.RunCmd(cmd).Assert(t, icmd.Success)
 			cmd.Command = dockerCli.Command("service", "ls")
 			assert.Check(t, cmp.Contains(icmd.RunCmd(cmd).Assert(t, icmd.Success).Combined(), ref))
@@ -203,10 +220,10 @@ func TestPushInstallBundle(t *testing.T) {
 		t.Run("push-ref", func(t *testing.T) {
 			name := strings.Replace(t.Name(), "/", "_", 1)
 			ref2 := info.registryAddress + "/test/push-ref"
-			cmd.Command = dockerCli.Command("app", "push", "--insecure-registries="+info.registryAddress, "--tag", ref2, ref+":latest")
+			cmd.Command = dockerCli.Command("app", "push", "--tag", ref2, ref+":latest")
 			icmd.RunCmd(cmd).Assert(t, icmd.Success)
 
-			cmd.Command = dockerCli.Command("app", "install", "--insecure-registries="+info.registryAddress, ref2, "--name", name)
+			cmd.Command = dockerCli.Command("app", "install", ref2, "--name", name)
 			icmd.RunCmd(cmd).Assert(t, icmd.Success)
 			cmd.Command = dockerCli.Command("service", "ls")
 			assert.Check(t, cmp.Contains(icmd.RunCmd(cmd).Assert(t, icmd.Success).Combined(), ref2))
@@ -218,16 +235,22 @@ func TestPushInstallBundle(t *testing.T) {
 			ref2 := ref + ":v0.42"
 			// Create a new command so the bundle store can be trashed before installing the app
 			cmd2, cleanup2 := dockerCli.createTestCmd()
+
+			// Enter the same context as `cmd` to run commands within the same environment
+			cmd2.Command = dockerCli.Command("context", "create", "swarm-context", "--docker", fmt.Sprintf(`"host=tcp://%s"`, info.swarmAddress))
+			icmd.RunCmd(cmd2).Assert(t, icmd.Success)
+			cmd2.Env = append(cmd2.Env, "DOCKER_CONTEXT=swarm-context")
+
 			// bundle the app again but this time with a tag to store it into the bundle store
 			cmd2.Command = dockerCli.Command("app", "bundle", "--tag", ref2, "-o", bundleFile, filepath.Join("testdata", "push-pull", "push-pull.dockerapp"))
 			icmd.RunCmd(cmd2).Assert(t, icmd.Success)
 			// Push the app without tagging it explicitly
-			cmd2.Command = dockerCli.Command("app", "push", "--insecure-registries="+info.registryAddress, ref2)
+			cmd2.Command = dockerCli.Command("app", "push", ref2)
 			icmd.RunCmd(cmd2).Assert(t, icmd.Success)
 			// remove the bundle from the bundle store to be sure it won't be used instead of registry
 			cleanup2()
 			// install from the registry
-			cmd.Command = dockerCli.Command("app", "install", "--insecure-registries="+info.registryAddress, ref2, "--name", name)
+			cmd.Command = dockerCli.Command("app", "install", ref2, "--name", name)
 			icmd.RunCmd(cmd).Assert(t, icmd.Success)
 			cmd.Command = dockerCli.Command("service", "ls")
 			assert.Check(t, cmp.Contains(icmd.RunCmd(cmd).Assert(t, icmd.Success).Combined(), ref))

internal/commands/cnab.go

@@ -255,7 +255,7 @@ func loadBundleFromFile(filename string) (*bundle.Bundle, error) {
 //resolveBundle looks for a CNAB bundle which can be in a Docker App Package format or
 // a bundle stored locally or in the bundle store. It returns a built or found bundle,
 // a reference to the bundle if it is found in the bundlestore, and an error.
-func resolveBundle(dockerCli command.Cli, bundleStore appstore.BundleStore, name string, pullRef bool, insecureRegistries []string) (*bundle.Bundle, string, error) {
+func resolveBundle(dockerCli command.Cli, bundleStore appstore.BundleStore, name string, pullRef bool) (*bundle.Bundle, string, error) {
 	// resolution logic:
 	// - if there is a docker-app package in working directory, or an http:// / https:// prefix, use packager.Extract result
 	// - the name has a .json or .cnab extension and refers to an existing file or web resource: load the bundle
@@ -286,6 +286,10 @@ func resolveBundle(dockerCli command.Cli, bundleStore appstore.BundleStore, name
 			return nil, "", errors.Wrap(err, name)
 		}
 		tagRef := reference.TagNameOnly(ref)
+		insecureRegistries, err := insecureRegistriesFromEngine(dockerCli)
+		if err != nil {
+			return nil, "", fmt.Errorf("could not retrieve insecure registries: %v", err)
+		}
 		bndl, err := bundleStore.LookupOrPullBundle(tagRef, pullRef, dockerCli.ConfigFile(), insecureRegistries)
 		return bndl, tagRef.String(), err
 	}
@@ -346,7 +350,7 @@ func isDockerHostLocal(host string) bool {
 }
 
 func prepareCustomAction(actionName string, dockerCli command.Cli, appname string, stdout io.Writer,
-	registryOpts registryOptions, pullOpts pullOptions, paramsOpts parametersOptions) (*action.RunCustom, *appstore.Installation, *bytes.Buffer, error) {
+	pullOpts pullOptions, paramsOpts parametersOptions) (*action.RunCustom, *appstore.Installation, *bytes.Buffer, error) {
 	s, err := appstore.NewApplicationStore(config.Dir())
 	if err != nil {
 		return nil, nil, nil, err
@@ -356,7 +360,7 @@ func prepareCustomAction(actionName string, dockerCli command.Cli, appname strin
 		return nil, nil, nil, err
 	}
 	driverImpl, errBuf := prepareDriver(dockerCli, bindMount{}, stdout)
-	bundle, ref, err := resolveBundle(dockerCli, bundleStore, appname, pullOpts.pull, registryOpts.insecureRegistries)
+	bundle, ref, err := resolveBundle(dockerCli, bundleStore, appname, pullOpts.pull)
 	if err != nil {
 		return nil, nil, nil, err
 	}

internal/commands/inspect.go

@@ -11,7 +11,6 @@ import (
 
 type inspectOptions struct {
 	parametersOptions
-	registryOptions
 	pullOptions
 }
 
@@ -27,14 +26,13 @@ func inspectCmd(dockerCli command.Cli) *cobra.Command {
 		},
 	}
 	opts.parametersOptions.addFlags(cmd.Flags())
-	opts.registryOptions.addFlags(cmd.Flags())
 	opts.pullOptions.addFlags(cmd.Flags())
 	return cmd
 }
 
 func runInspect(dockerCli command.Cli, appname string, opts inspectOptions) error {
 	defer muteDockerCli(dockerCli)()
-	action, installation, errBuf, err := prepareCustomAction(internal.ActionInspectName, dockerCli, appname, nil, opts.registryOptions, opts.pullOptions, opts.parametersOptions)
+	action, installation, errBuf, err := prepareCustomAction(internal.ActionInspectName, dockerCli, appname, nil, opts.pullOptions, opts.parametersOptions)
 	if err != nil {
 		return err
 	}

internal/commands/install.go

@@ -16,7 +16,6 @@ import (
 type installOptions struct {
 	parametersOptions
 	credentialOptions
-	registryOptions
 	pullOptions
 	orchestrator  string
 	kubeNamespace string
@@ -59,7 +58,6 @@ func installCmd(dockerCli command.Cli) *cobra.Command {
 	}
 	opts.parametersOptions.addFlags(cmd.Flags())
 	opts.credentialOptions.addFlags(cmd.Flags())
-	opts.registryOptions.addFlags(cmd.Flags())
 	opts.pullOptions.addFlags(cmd.Flags())
 	cmd.Flags().StringVar(&opts.orchestrator, "orchestrator", "", "Orchestrator to install on (swarm, kubernetes)")
 	cmd.Flags().StringVar(&opts.kubeNamespace, "namespace", "default", "Kubernetes namespace to install into")
@@ -81,7 +79,7 @@ func runInstall(dockerCli command.Cli, appname string, opts installOptions) erro
 		return err
 	}
 
-	bndl, ref, err := resolveBundle(dockerCli, bundleStore, appname, opts.pull, opts.insecureRegistries)
+	bndl, ref, err := resolveBundle(dockerCli, bundleStore, appname, opts.pull)
 	if err != nil {
 		return err
 	}

internal/commands/pull.go

@@ -14,21 +14,19 @@ import (
 )
 
 func pullCmd(dockerCli command.Cli) *cobra.Command {
-	var opts registryOptions
 	cmd := &cobra.Command{
 		Use:     "pull NAME:TAG [OPTIONS]",
 		Short:   "Pull an application package from a registry",
 		Example: `$ docker app pull docker/app-example:0.1.0`,
 		Args:    cli.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return runPull(dockerCli, args[0], opts)
+			return runPull(dockerCli, args[0])
 		},
 	}
-	opts.addFlags(cmd.Flags())
 	return cmd
 }
 
-func runPull(dockerCli command.Cli, name string, opts registryOptions) error {
+func runPull(dockerCli command.Cli, name string) error {
 	appstore, err := store.NewApplicationStore(config.Dir())
 	if err != nil {
 		return err
@@ -42,7 +40,11 @@ func runPull(dockerCli command.Cli, name string, opts registryOptions) error {
 	if err != nil {
 		return errors.Wrap(err, name)
 	}
-	bndl, err := bundleStore.LookupOrPullBundle(reference.TagNameOnly(ref), true, dockerCli.ConfigFile(), opts.insecureRegistries)
+	insecureRegistries, err := insecureRegistriesFromEngine(dockerCli)
+	if err != nil {
+		return errors.Wrap(err, "could not retrieve insecure registries")
+	}
+	bndl, err := bundleStore.LookupOrPullBundle(reference.TagNameOnly(ref), true, dockerCli.ConfigFile(), insecureRegistries)
 	if err != nil {
 		return errors.Wrap(err, name)
 	}

internal/commands/push.go

@@ -42,7 +42,6 @@ const ( // Docker specific annotations and values
 )
 
 type pushOptions struct {
-	registry     registryOptions
 	tag          string
 	platforms    []string
 	allPlatforms bool
@@ -66,7 +65,6 @@ func pushCmd(dockerCli command.Cli) *cobra.Command {
 	flags.StringVarP(&opts.tag, "tag", "t", "", "Target registry reference (default: <name>:<version> from metadata)")
 	flags.StringSliceVar(&opts.platforms, "platform", []string{"linux/amd64"}, "For multi-arch service images, push the specified platforms")
 	flags.BoolVar(&opts.allPlatforms, "all-platforms", false, "If present, push all platforms")
-	opts.registry.addFlags(flags)
 	return cmd
 }
 
@@ -102,7 +100,7 @@ func resolveReferenceAndBundle(dockerCli command.Cli, name string) (*bundle.Bund
 		return nil, "", err
 	}
 
-	bndl, ref, err := resolveBundle(dockerCli, bundleStore, name, false, nil)
+	bndl, ref, err := resolveBundle(dockerCli, bundleStore, name, false)
 	if err != nil {
 		return nil, "", err
 	}
@@ -136,7 +134,11 @@ func pushInvocationImage(dockerCli command.Cli, retag retagResult) error {
 }
 
 func pushBundle(dockerCli command.Cli, opts pushOptions, bndl *bundle.Bundle, retag retagResult) error {
-	resolver := remotes.CreateResolver(dockerCli.ConfigFile(), opts.registry.insecureRegistries...)
+	insecureRegistries, err := insecureRegistriesFromEngine(dockerCli)
+	if err != nil {
+		return errors.Wrap(err, "could not retrive insecure registries")
+	}
+	resolver := remotes.CreateResolver(dockerCli.ConfigFile(), insecureRegistries...)
 	var display fixupDisplay = &plainDisplay{out: os.Stdout}
 	if term.IsTerminal(os.Stdout.Fd()) {
 		display = &interactiveDisplay{out: os.Stdout}

internal/commands/render.go

@@ -13,7 +13,6 @@ import (
 
 type renderOptions struct {
 	parametersOptions
-	registryOptions
 	pullOptions
 
 	formatDriver string
@@ -32,7 +31,6 @@ func renderCmd(dockerCli command.Cli) *cobra.Command {
 		},
 	}
 	opts.parametersOptions.addFlags(cmd.Flags())
-	opts.registryOptions.addFlags(cmd.Flags())
 	opts.pullOptions.addFlags(cmd.Flags())
 	cmd.Flags().StringVarP(&opts.renderOutput, "output", "o", "-", "Output file")
 	cmd.Flags().StringVar(&opts.formatDriver, "formatter", "yaml", "Configure the output format (yaml|json)")
@@ -53,7 +51,7 @@ func runRender(dockerCli command.Cli, appname string, opts renderOptions) error
 		w = f
 	}
 
-	action, installation, errBuf, err := prepareCustomAction(internal.ActionRenderName, dockerCli, appname, w, opts.registryOptions, opts.pullOptions, opts.parametersOptions)
+	action, installation, errBuf, err := prepareCustomAction(internal.ActionRenderName, dockerCli, appname, w, opts.pullOptions, opts.parametersOptions)
 	if err != nil {
 		return err
 	}

internal/commands/root.go

@@ -1,6 +1,7 @@
 package commands
 
 import (
+	"context"
 	"fmt"
 	"io/ioutil"
 	"os"
@@ -10,6 +11,7 @@ import (
 	"github.com/docker/app/internal/store"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/config"
+	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 )
@@ -169,18 +171,31 @@ func (o *credentialOptions) CredentialSetOpts(dockerCli command.Cli, credentialS
 	}
 }
 
-type registryOptions struct {
-	insecureRegistries []string
-}
-
-func (o *registryOptions) addFlags(flags *pflag.FlagSet) {
-	flags.StringSliceVar(&o.insecureRegistries, "insecure-registries", nil, "Use HTTP instead of HTTPS when pulling from/pushing to those registries")
-}
-
 type pullOptions struct {
 	pull bool
 }
 
 func (o *pullOptions) addFlags(flags *pflag.FlagSet) {
 	flags.BoolVar(&o.pull, "pull", false, "Pull the bundle")
 }
+
+// insecureRegistriesFromEngine reads the registry configuration from the daemon and returns
+// a list of all insecure ones.
+func insecureRegistriesFromEngine(dockerCli command.Cli) ([]string, error) {
+	registries := []string{}
+
+	info, err := dockerCli.Client().Info(context.Background())
+	if err != nil {
+		return registries, fmt.Errorf("could not get docker info: %v", err)
+	}
+
+	for _, reg := range info.RegistryConfig.IndexConfigs {
+		if !reg.Secure {
+			registries = append(registries, reg.Name)
+		}
+	}
+
+	logrus.Debugf("insecure registries: %v", registries)
+
+	return registries, nil
+}