remotes/docker/config: Skipping TLS verification for localhost

Signed-off-by: Iceber Gu <wei.cai-nat@daocloud.io>
Iceber · Sep 13, 2022 · 3cfde73 · 3cfde73
1 parent 99ee82d
commit 3cfde73
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 16 deletions.
diff --git a/pkg/cri/server/image_pull.go b/pkg/cri/server/image_pull.go
@@ -400,7 +400,7 @@ func (c *criService) registryHosts(ctx context.Context, auth *runtime.AuthConfig
 				if err != nil {
 					return nil, fmt.Errorf("get TLSConfig for registry %q: %w", e, err)
 				}
-			} else if isLocalHost(host) && u.Scheme == "http" {
+			} else if docker.IsLocalhost(host) && u.Scheme == "http" {
 				// Skipping TLS verification for localhost
 				transport.TLSClientConfig = &tls.Config{
 					InsecureSkipVerify: true,
@@ -445,26 +445,12 @@ func (c *criService) registryHosts(ctx context.Context, auth *runtime.AuthConfig
 
 // defaultScheme returns the default scheme for a registry host.
 func defaultScheme(host string) string {
-	if isLocalHost(host) {
+	if docker.IsLocalhost(host) {
 		return "http"
 	}
 	return "https"
 }
 
-// isLocalHost checks if the registry host is local.
-func isLocalHost(host string) bool {
-	if h, _, err := net.SplitHostPort(host); err == nil {
-		host = h
-	}
-
-	if host == "localhost" {
-		return true
-	}
-
-	ip := net.ParseIP(host)
-	return ip.IsLoopback()
-}
-
 // addDefaultScheme returns the endpoint with default scheme
 func addDefaultScheme(endpoint string) (string, error) {
 	if strings.Contains(endpoint, "://") {

diff --git a/remotes/docker/config/hosts.go b/remotes/docker/config/hosts.go
@@ -99,6 +99,17 @@ func ConfigureHosts(ctx context.Context, options HostOptions) docker.RegistryHos
 			if host == "docker.io" {
 				hosts[len(hosts)-1].scheme = "https"
 				hosts[len(hosts)-1].host = "registry-1.docker.io"
+			} else if docker.IsLocalhost(host) {
+				hosts[len(hosts)-1].host = host
+				if options.DefaultScheme == "" || options.DefaultScheme == "http" {
+					hosts[len(hosts)-1].scheme = "http"
+
+					// Skipping TLS verification for localhost
+					var skipVerify = true
+					hosts[len(hosts)-1].skipVerify = &skipVerify
+				} else {
+					hosts[len(hosts)-1].scheme = options.DefaultScheme
+				}
 			} else {
 				hosts[len(hosts)-1].host = host
 				if options.DefaultScheme != "" {

diff --git a/remotes/docker/resolver.go b/remotes/docker/resolver.go
@@ -21,6 +21,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"net"
 	"net/http"
 	"net/url"
 	"path"
@@ -667,3 +668,17 @@ func responseFields(resp *http.Response) logrus.Fields {
 
 	return logrus.Fields(fields)
 }
+
+// IsLocalhost checks if the registry host is local.
+func IsLocalhost(host string) bool {
+	if h, _, err := net.SplitHostPort(host); err == nil {
+		host = h
+	}
+
+	if host == "localhost" {
+		return true
+	}
+
+	ip := net.ParseIP(host)
+	return ip.IsLoopback()
+}