Add explicit flag for TLS insecure skip verify

We accept a list of image registry hosts for which to use HTTP; in some cases, people also want to switch off TLS host certificate verification, e.g., they have a setup in which the image manifests are on a host using TLS but with a self-signed cert. This extra flag allows people to switch TLS host cert verification off (it's a bad idea to do that by default) explicitly, when the registry is listed as an insecure host.
fluxcd · Dec 11, 2018 · ad833b9 · ad833b9
1 parent c0cac76
commit ad833b9
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 16 deletions.
diff --git a/cmd/fluxd/main.go b/cmd/fluxd/main.go
@@ -97,14 +97,16 @@ func main() {
 		// syncing
 		syncInterval = fs.Duration("sync-interval", 5*time.Minute, "apply config in git to cluster at least this often, even if there are no new commits")
 		// registry
-		memcachedHostname    = fs.String("memcached-hostname", "memcached", "Hostname for memcached service.")
-		memcachedTimeout     = fs.Duration("memcached-timeout", time.Second, "Maximum time to wait before giving up on memcached requests.")
-		memcachedService     = fs.String("memcached-service", "memcached", "SRV service used to discover memcache servers.")
-		registryPollInterval = fs.Duration("registry-poll-interval", 5*time.Minute, "period at which to check for updated images")
-		registryRPS          = fs.Float64("registry-rps", 50, "maximum registry requests per second per host")
-		registryBurst        = fs.Int("registry-burst", defaultRemoteConnections, "maximum number of warmer connections to remote and memcache")
-		registryTrace        = fs.Bool("registry-trace", false, "output trace of image registry requests to log")
-		registryInsecure     = fs.StringSlice("registry-insecure-host", []string{}, "use HTTP for this image registry domain (e.g., registry.cluster.local), instead of HTTPS")
+		memcachedHostname = fs.String("memcached-hostname", "memcached", "Hostname for memcached service.")
+		memcachedTimeout  = fs.Duration("memcached-timeout", time.Second, "Maximum time to wait before giving up on memcached requests.")
+		memcachedService  = fs.String("memcached-service", "memcached", "SRV service used to discover memcache servers.")
+
+		registryPollInterval       = fs.Duration("registry-poll-interval", 5*time.Minute, "period at which to check for updated images")
+		registryRPS                = fs.Float64("registry-rps", 50, "maximum registry requests per second per host")
+		registryBurst              = fs.Int("registry-burst", defaultRemoteConnections, "maximum number of warmer connections to remote and memcache")
+		registryTrace              = fs.Bool("registry-trace", false, "output trace of image registry requests to log")
+		registryInsecure           = fs.StringSlice("registry-insecure-host", []string{}, "use HTTP for this image registry domain (e.g., registry.cluster.local), instead of HTTPS")
+		registryInsecureSkipVerify = fs.Bool("registry-tls-insecure-skip-verify", false, "skip TLS host certificate verification when the registry is listed as an insecure host")
 
 		// k8s-secret backed ssh keyring configuration
 		k8sSecretName            = fs.String("k8s-secret-name", "flux-git-deploy", "Name of the k8s secret used to store the private SSH key")
@@ -306,10 +308,11 @@ func main() {
 			Logger: log.With(logger, "component", "ratelimiter"),
 		}
 		remoteFactory := &registry.RemoteClientFactory{
-			Logger:        registryLogger,
-			Limiters:      registryLimits,
-			Trace:         *registryTrace,
-			InsecureHosts: *registryInsecure,
+			Logger:                 registryLogger,
+			Limiters:               registryLimits,
+			Trace:                  *registryTrace,
+			InsecureHosts:          *registryInsecure,
+			InsecureHostSkipVerify: *registryInsecureSkipVerify,
 		}
 
 		// Warmer

diff --git a/registry/client_factory.go b/registry/client_factory.go
@@ -16,10 +16,19 @@ import (
 )
 
 type RemoteClientFactory struct {
-	Logger        log.Logger
-	Limiters      *middleware.RateLimiters
-	Trace         bool
+	Logger   log.Logger
+	Limiters *middleware.RateLimiters
+	Trace    bool
+
+	// hosts with which to use HTTP rather than HTTPS
 	InsecureHosts []string
+	// if `true`, skip TLS verify when the registry host is
+	// insecure. This bears a bit of explanation: in some cases,
+	// private image repos may be set up to redirect or proxy requests
+	// to other servers. In other words, even though the registry API
+	// uses HTTP, manifests or image layers may be stored on a host
+	// using TLS.
+	InsecureHostSkipVerify bool
 
 	mu               sync.Mutex
 	challengeManager challenge.Manager
@@ -52,7 +61,7 @@ func (f *RemoteClientFactory) ClientFor(repo image.CanonicalName, creds Credenti
 	var tr http.RoundTripper
 	if scheme == "http" {
 		tr = &http.Transport{
-			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: f.InsecureHostSkipVerify},
 		}
 	} else {
 		tr = http.DefaultTransport