From 0ef24ff2bbf01766c1e6427928cabf16c7050ade Mon Sep 17 00:00:00 2001
From: Omer Tuchfeld
Date: Fri, 26 Nov 2021 15:20:01 +0100
Subject: [PATCH] The `--skip-tls` flag shouldn't use the http protocol
When using the `operator-sdk run bundle`'s `--skip-tls` flag which is described as:
> skip authentication of image registry TLS certificate when pulling a bundle image in-cluster
It tries to access the image registry (given in the positional argument) using HTTP rather than HTTPS. This behavior is unexpected and fails when the image registry only speaks the HTTPS protocol. This commit fixes it so that the `https` scheme is still used even when the `--skip-tls` flag is specified The commit (a16399f05c380ba432691d2e1d99a69aa5a269e2) which seems to have introduced this behavior doesn't mention this behavior anywhere, so I'm assuming it's unintentional and therefore a bug that needs fixing.
Signed-off-by: Omer Tuchfeld
---
 pkg/image/containerdregistry/resolver.go | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/pkg/image/containerdregistry/resolver.go b/pkg/image/containerdregistry/resolver.go
index 9ac771dde..f7520b5cb 100644
--- a/pkg/image/containerdregistry/resolver.go
+++ b/pkg/image/containerdregistry/resolver.go
@@ -27,16 +27,11 @@ func NewResolver(configDir string, insecure bool, roots *x509.CertPool) (remotes
 TLSHandshakeTimeout: 10 * time.Second,
 ExpectContinueTimeout: 5 * time.Second,
 TLSClientConfig: &tls.Config{
- InsecureSkipVerify: false,
+ InsecureSkipVerify: insecure,
 RootCAs: roots,
 },
 }
- if insecure {
- transport.TLSClientConfig = &tls.Config{
- InsecureSkipVerify: insecure,
- }
- }
 headers := http.Header{}
 headers.Set("User-Agent", "opm/alpha")
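Review bot: `InsecureSkipVerify: insecure` in the `TLSClientConfig` literal turns off certificate-chain and hostname verification whenever the caller passes `insecure`, and nothing at that line says so or that `RootCAs: roots` is then not consulted. I would add a comment above the field, `// insecure disables certificate and hostname verification; RootCAs is ignored when it is set, so the registry is not authenticated.` With the `docker.WithPlainHTTP` branch removed in the second hunk, `insecure` no longer selects plain HTTP, so the doc comment on `NewResolver` should state the new meaning; callers that relied on it for HTTP-only registries will presumably now fail at the TLS handshake. `NewResolver` begins and ends outside this hunk.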
@@ -55,9 +50,6 @@ func NewResolver(configDir string, insecure bool, roots *x509.CertPool) (remotes
 )),
 docker.WithClient(client),
 }
- if insecure {
- regopts = append(regopts, docker.WithPlainHTTP(docker.MatchAllHosts))
- }
 opts := docker.ResolverOptions{
 Hosts: docker.ConfigureDefaultRegistries(regopts...),