tink-agent-setup fixes#71
Open
jacobbmay wants to merge 3 commits into
Open
Conversation
Signed-off-by: jacobbmay <134300709+jacobbmay@users.noreply.github.com>
…stries Signed-off-by: jacobbmay <134300709+jacobbmay@users.noreply.github.com>
1c6dbe9 to
453644f
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
example.your.domainwould still be configured as an http registry, but explicitly setting https on the registry likehttps://example.your.domainwill now configure it as an https registry that skips TLS verificationFixes:
Currently tink-agent-setup doesn't authenticate with credentials provided so it doesn't work with registries requiring auth.
Also noticed that the current handling of insecure registries being passed in assumes they are all http registries but also sets skip_verify which is only relevant to https registries. nerdctl seems to see the tls related setting and attempts to use https first when pulling an image, but not when authenticating. So after adding the login command, authentication still wasn't working since I am testing with an https registry configured as insecure.
How Has This Been Tested?
Built with
uv run ./build.pyand then tested with QEMU using the following command:Validated that all 3 insecure registries were configured correctly to ensure both http and https insecure registries are handled as expected:
Also verified that the login to
baz.localwas attempted using https (expected auth failure since the registry doesn't exist. Just validating it is using the correct scheme):Next to validate auth to an http registry still uses the correct scheme, I tested with this command:
And verified in journalctl the login related logs show the correct scheme for
foo.local(again, expected failure but wanted to validated the scheme used for login):How are existing users impacted? What migration steps/scripts do we need?
The tink-agent image can now be pulled from a registry requiring authentication and insecure TLS registries can be configured correctly.
Existing users configuring insecure http registries are unaffected since this change keeps the existing behavior of insecure registries not specifying a scheme defaulting to http.
Existing users configuring insecure https registries that don't require authentication will need to add the
https://scheme to the beginning of their insecure registry hostnames since this is no longer relying on nerdctl auto attempting https for image pulling.Checklist:
I have: