
Commit 3cfde73

committed
remotes/docker/config: Skipping TLS verification for localhost
Signed-off-by: Iceber Gu <[email protected]>
1 parent 99ee82d commit 3cfde73

3 files changed

Lines changed: 28 additions & 16 deletions


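--- a/pkg/cri/server/image_pull.go
+++ b/pkg/cri/server/image_pull.go
@@ -400,7 +400,7 @@ func (c *criService) registryHosts(ctx context.Context, auth *runtime.AuthConfig
 if err != nil {
 return nil, fmt.Errorf("get TLSConfig for registry %q: %w", e, err)
 }
-} else if isLocalHost(host) && u.Scheme == "http" {
+} else if docker.IsLocalhost(host) && u.Scheme == "http" {
 // Skipping TLS verification for localhost
 transport.TLSClientConfig = &tls.Config{
 InsecureSkipVerify: true,
@@ -445,26 +445,12 @@ func (c *criService) registryHosts(ctx context.Context, auth *runtime.AuthConfig
 
 // defaultScheme returns the default scheme for a registry host.
 func defaultScheme(host string) string {
-if isLocalHost(host) {
+if docker.IsLocalhost(host) {
 return "http"
 }
 return "https"
 }
 
-// isLocalHost checks if the registry host is local.
-func isLocalHost(host string) bool {
-if h, _, err := net.SplitHostPort(host); err == nil {
-host = h
-}
-
-if host == "localhost" {
-return true
-}
-
-ip := net.ParseIP(host)
-return ip.IsLoopback()
-}
-
 // addDefaultScheme returns the endpoint with default scheme
 func addDefaultScheme(endpoint string) (string, error) {
 if strings.Contains(endpoint, "://") {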

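--- a/remotes/docker/config/hosts.go
+++ b/remotes/docker/config/hosts.go
@@ -99,6 +99,17 @@ func ConfigureHosts(ctx context.Context, options HostOptions) docker.RegistryHos
 if host == "docker.io" {
 hosts[len(hosts)-1].scheme = "https"
 hosts[len(hosts)-1].host = "registry-1.docker.io"
+} else if docker.IsLocalhost(host) {
+hosts[len(hosts)-1].host = host
+if options.DefaultScheme == "" || options.DefaultScheme == "http" {
+hosts[len(hosts)-1].scheme = "http"
+
+// Skipping TLS verification for localhost
+var skipVerify = true
+hosts[len(hosts)-1].skipVerify = &skipVerify
+} else {
+hosts[len(hosts)-1].scheme = options.DefaultScheme
+}
 } else {
 hosts[len(hosts)-1].host = host
 if options.DefaultScheme != "" {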
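Review bot: The comment `// Skipping TLS verification for localhost` in the new `docker.IsLocalhost(host)` branch does not say why `skipVerify` is set in the same arm that pins the scheme to `http`, nor what is being trusted as a result. Plain HTTP presents no certificate, so the flag presumably only matters if the connection still ends up on TLS; that should be confirmed and written down, since it means a TLS endpoint on loopback is accepted with any certificate. I would expand the comment to something like `// Loopback registry: default to plain HTTP, and accept any certificate if TLS is used anyway. This trusts whichever local process owns the port.` The body of `ConfigureHosts` continues outside the hunk, so whether a caller can turn this default off is not visible here; if it cannot, that deserves a mention in the `HostOptions` documentation.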

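--- a/remotes/docker/resolver.go
+++ b/remotes/docker/resolver.go
@@ -21,6 +21,7 @@ import (
 "errors"
 "fmt"
 "io"
+"net"
 "net/http"
 "net/url"
 "path"
@@ -667,3 +668,17 @@ func responseFields(resp *http.Response) logrus.Fields {
 
 return logrus.Fields(fields)
 }
+
+// IsLocalhost checks if the registry host is local.
+func IsLocalhost(host string) bool {
+if h, _, err := net.SplitHostPort(host); err == nil {
+host = h
+}
+
+if host == "localhost" {
+return true
+}
+
+ip := net.ParseIP(host)
+return ip.IsLoopback()
+}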
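Review bot: `IsLocalhost` is now exported and gates the plain-HTTP default and the skip-verify behaviour in the other two files, but its doc comment does not say what counts as local and none of the three changed files is a test. From the body it matches only the exact name `localhost` and literal loopback IP addresses, after `net.SplitHostPort` strips a port, and it performs no name resolution. A bracketed IPv6 literal without a port, such as `[::1]`, is not matched because `SplitHostPort` returns an error and `net.ParseIP` rejects the brackets; that fails towards HTTPS with verification, but it is worth pinning in a table test. Suggested comment: `// IsLocalhost reports whether host, with or without a port, is the name "localhost" or a literal loopback IP address. It is a syntactic check; no DNS lookup is done.`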
