Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Retries registry call with HTTP if HTTPS fails. #407

Closed
wants to merge 8 commits into from
Closed

Retries registry call with HTTP if HTTPS fails. #407

wants to merge 8 commits into from

Conversation

coollog
Copy link
Contributor

@coollog coollog commented Jun 15, 2018
edited
Loading

Should first merge #430.

Fixes #388

TadCordle
TadCordle reviewed Jun 15, 2018
View reviewed changes
jib-core/src/main/java/com/google/cloud/tools/jib/registry/RegistryEndpointCaller.java Outdated
@@ -161,14 +205,16 @@ private T call(RequestState requestState) throws IOException, RegistryException
}
}

} catch (HttpHostConnectException | SSLPeerUnverifiedException ex) {
// Tries to call with HTTP protocol if HTTPS failed to connect.
if (DEFAULT_PROTOCOL.equals(requestState.url.getProtocol())) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I feel like we should explicitly compare against "https" instead of DEFAULT_PROTOCOL for readability (and also to avoid problems on the off chance we change the default), or rename the constant. Since we're assuming DEFAULT_PROTOCOL is https here.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, will change to that.

@coollog coollog mentioned this pull request Jun 15, 2018
Merged
patflynn
patflynn reviewed Jun 18, 2018
View reviewed changes
jib-core/src/main/java/com/google/cloud/tools/jib/registry/RegistryEndpointCaller.java
* @param requestState the state of the request - determines how to make the request and how to
* process the response
* @return an object representing the response, or {@code null}
* @throws IOException for most I/O exceptions when making the request
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should these be @link?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do you mean like @throws IOException for most {@link IOException}s when making the request?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nope. Please ignore. I shouldn't make review comments so early in the morning.

jib-core/src/main/java/com/google/cloud/tools/jib/registry/RegistryEndpointCaller.java
@@ -161,14 +205,16 @@ private T call(RequestState requestState) throws IOException, RegistryException
}
}

} catch (HttpHostConnectException | SSLPeerUnverifiedException ex) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure about this, but is it possible users might not want this insecure fallback mechanism? What if they always want to use https or fail?

Copy link
Contributor Author

@coollog coollog Jun 18, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, yea it seems that we might want to have the user enable the fallback to HTTP with a configuration option, since Docker only seems to allow insecure registries with a flag.

https://docs.docker.com/registry/insecure/

@elharo
Copy link
Contributor

elharo commented Jun 18, 2018

I agree with @patflynn I'm not sure of the background here, but this one is setting off alarm bells in my head. Are you really sure you want to allow non-https at all? Have you consulted the internal security team?

@coollog coollog mentioned this pull request Jun 20, 2018
Merged
@coollog
Copy link
Contributor Author

coollog commented Jun 21, 2018

Closing in favor of adding a specific configuration parameter to allow insecure allowInsecureRegistries. If not set, should not redirect to HTTP.

@coollog coollog closed this Jun 21, 2018
@coollog coollog mentioned this pull request Jun 21, 2018
Merged
@coollog coollog deleted the retry-with-http branch July 10, 2018 19:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@TadCordle TadCordle TadCordle left review comments

@patflynn patflynn patflynn left review comments

@loosebazooka loosebazooka Awaiting requested review from loosebazooka

Assignees
No one assigned
Labels
PR: Not Ready
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@coollog @elharo @TadCordle @patflynn