
Commit a0f2ffa

committed
fix: allow http registries by disabling TLS check
1 parent f26818b commit a0f2ffa

2 files changed

+94
-6
lines changed

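--- a/pkg/webhook/preflight/generic/registry.go
+++ b/pkg/webhook/preflight/generic/registry.go
@@ -86,9 +86,23 @@ func (r *registryCheck) checkRegistry(
 )
 return result
 }
-mirrorHost := config.Host{
+registryHost := config.Host{
 Name: registryURLParsed.Host,
 }
+if registryURLParsed.Scheme != "http" && registryURLParsed.Scheme != "https" {
+result.Allowed = false
+result.Causes = append(result.Causes,
+preflight.Cause{
+Message: fmt.Sprintf("failed to parse registry url must be http or https %s", registryURL),
+Field: r.field + ".url",
+},
+)
+return result
+}
+if registryURLParsed.Scheme == "http" {
+registryHost.TLS = config.TLSDisabled
+}
+
 if credentials != nil && credentials.SecretRef != nil {
 mirrorCredentialsSecret := &corev1.Secret{}
 err := r.kclient.Get(
@@ -123,19 +137,19 @@ func (r *registryCheck) checkRegistry(
 }
 username, ok := mirrorCredentialsSecret.Data["username"]
 if ok {
-mirrorHost.User = string(username)
+registryHost.User = string(username)
 }
 password, ok := mirrorCredentialsSecret.Data["password"]
 if ok {
-mirrorHost.Pass = string(password)
+registryHost.Pass = string(password)
 }
 if caCert, ok := mirrorCredentialsSecret.Data["ca.crt"]; ok {
-mirrorHost.RegCert = string(caCert)
+registryHost.RegCert = string(caCert)
 }
 }
 rc := regClientGetter(
-regclient.WithConfigHost(mirrorHost),
-regclient.WithUserAgent("regclient/example"),
+regclient.WithConfigHost(registryHost),
+regclient.WithUserAgent("regclient/caren"),
 )
 _, err = rc.Ping(ctx,
 ref.Ref{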
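Review bot: With an `http` URL the new branch sets `registryHost.TLS = config.TLSDisabled`, yet the credentials branch right after it still copies `username` and `password` from the secret into `registryHost`, so the ping presumably sends them to the registry without transport protection, and a supplied `ca.crt` has no effect. The check returns `Allowed` for that combination without telling the user; I would at least document it above the branch, e.g. `// http: TLS is disabled, so registry credentials are sent in cleartext and ca.crt is ignored`, and, if `preflight.CheckResult` has a way to carry warnings, report one when `credentials != nil`. Separately, the rejection message says "failed to parse" although parsing succeeded; `fmt.Sprintf("unsupported registry URL scheme %q: must be http or https", registryURLParsed.Scheme)` is clearer and quotes the user-supplied value (the expected string in registry_test.go would need the same change). checkRegistry begins before and continues past both hunks.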

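--- a/pkg/webhook/preflight/generic/registry_test.go
+++ b/pkg/webhook/preflight/generic/registry_test.go
@@ -232,6 +232,38 @@ func TestRegistryCheck(t *testing.T) {
 Allowed: true,
 },
 },
+{
+name: "image registry with valid configuration using http",
+imageRegistry: &carenv1.ImageRegistry{
+URL: "http://registry.example.com",
+Credentials: &carenv1.RegistryCredentials{
+SecretRef: &carenv1.LocalObjectReference{
+Name: "test-secret",
+},
+},
+},
+kclient: &mockK8sClient{
+getSecretFunc: func(ctx context.Context,
+key types.NamespacedName,
+obj ctrlclient.Object,
+opts ...ctrlclient.GetOption,
+) error {
+secret := obj.(*corev1.Secret)
+secret.Data = map[string][]byte{
+"username": []byte("testuser"),
+}
+return nil
+},
+},
+mockRegClientPingerFactory: func(...regclient.Opt) regClientPinger {
+return &mockRegClient{
+pingFunc: func(ref.Ref) error { return nil },
+}
+},
+want: preflight.CheckResult{
+Allowed: true,
+},
+},
 {
 name: "image registry with invalid URL",
 field: "cluster.spec.topology.variables[.name=clusterConfig].value.imageRegistries[0]",
@@ -275,6 +307,48 @@ func TestRegistryCheck(t *testing.T) {
 },
 },
 },
+{
+name: "image registry with invalid URL scheme",
+field: "cluster.spec.topology.variables[.name=clusterConfig].value.imageRegistries[0]",
+imageRegistry: &carenv1.ImageRegistry{
+URL: "tcp://some-registry.lol",
+Credentials: &carenv1.RegistryCredentials{
+SecretRef: &carenv1.LocalObjectReference{
+Name: "test-secret",
+},
+},
+},
+kclient: &mockK8sClient{
+getSecretFunc: func(ctx context.Context,
+key types.NamespacedName,
+obj ctrlclient.Object,
+opts ...ctrlclient.GetOption,
+) error {
+secret := obj.(*corev1.Secret)
+secret.Data = map[string][]byte{
+"username": []byte("testuser"),
+"password": []byte("testpass"),
+"ca.crt": []byte("test-ca-cert"),
+}
+return nil
+},
+},
+mockRegClientPingerFactory: func(...regclient.Opt) regClientPinger {
+return &mockRegClient{
+pingFunc: func(ref.Ref) error { return nil },
+}
+},
+want: preflight.CheckResult{
+Allowed: false,
+InternalError: false,
+Causes: []preflight.Cause{
+{
+Message: fmt.Sprintf("failed to parse registry url must be http or https tcp://some-registry.lol"),
+Field: "cluster.spec.topology.variables[.name=clusterConfig].value.imageRegistries[0].url",
+},
+},
+},
+},
 }
 
 for _, tc := range testCases {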
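Review bot: The "using http" case cannot tell whether TLS was actually disabled, because `mockRegClientPingerFactory: func(...regclient.Opt) regClientPinger` discards the options it receives; the case would still pass if the `config.TLSDisabled` assignment in registry.go were removed. Naming the parameter and asserting on the host configuration it carries (as far as regclient lets a test inspect it) would pin the behaviour the commit is about. In the "invalid URL scheme" case both mocks succeed, so the test does not show that the check returns before reading the secret or pinging; having them return an error, e.g. `return fmt.Errorf("secret must not be read for a rejected scheme")`, would make that visible. The expected `Message` there wraps a constant in `fmt.Sprintf` with no arguments and can be a plain string literal. TestRegistryCheck starts before and runs past these hunks.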
