fix: adding insecure flag for image pulls to allow http#4495
fix: adding insecure flag for image pulls to allow http#4495JaydipGabani wants to merge 6 commits into
Conversation
Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com>
There was a problem hiding this comment.
Pull request overview
This PR makes OCI image pulls default to HTTPS and adds an explicit --insecure flag to allow pulling from plain HTTP registries (e.g., localhost:5000).
Changes:
- Add
--insecureCLI flag togator test,gator expand,gator sync test, andgator benchand plumb it through to the OCI pull implementation. - Change OCI pulling behavior to only use plain HTTP when explicitly enabled (removing the prior loopback auto-HTTP behavior).
- Update docs and Bats integration tests to reflect/validate the new default + flag behavior.
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| website/docs/gator.md | Documents HTTPS-by-default behavior and the new --insecure flag; updates examples. |
| test/gator/test/test.bats | Updates OCI image tests to pass --insecure; adds coverage that plain HTTP is rejected by default. |
| test/gator/expand/test.bats | Updates OCI image expand test to pass --insecure. |
| pkg/oci/oci.go | Adds allowPlainHTTP parameter and only enables repo.PlainHTTP when explicitly requested. |
| pkg/oci/oci_test.go | Removes unit test for the deleted loopback auto-HTTP heuristic. |
| pkg/gator/reader/filereader.go | Threads allowPlainHTTP through image-reading code paths into oci.PullImage. |
| pkg/gator/bench/types.go | Adds AllowPlainHTTP to benchmark options. |
| pkg/gator/bench/bench.go | Passes AllowPlainHTTP into source reading. |
| cmd/gator/test/test.go | Adds --insecure flag and passes it to reader.ReadSources. |
| cmd/gator/sync/test/test.go | Adds --insecure flag and passes it to reader.ReadSources. |
| cmd/gator/expand/expand.go | Adds --insecure flag and passes it to reader.ReadSources. |
| cmd/gator/bench/bench.go | Adds --insecure flag and maps it to bench.Opts.AllowPlainHTTP. |
| ``` | ||
|
|
||
| Because `localhost:5000` is a plain HTTP registry in this example, add | ||
| `--insecure` to the `gator` pull command when consuming the artifact. |
There was a problem hiding this comment.
The docs refer to a gator "pull command", but there isn't a gator pull subcommand. Please reword this to reference the actual subcommands that pull OCI artifacts (e.g., gator test, gator expand, gator sync test, gator bench) or say "add --insecure to the gator command when consuming the artifact".
| `--insecure` to the `gator` pull command when consuming the artifact. | |
| `--insecure` to the `gator` command when consuming the artifact. |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #4495 +/- ##
===========================================
- Coverage 54.49% 44.24% -10.25%
===========================================
Files 134 282 +148
Lines 12329 20649 +8320
===========================================
+ Hits 6719 9137 +2418
- Misses 5116 10728 +5612
- Partials 494 784 +290
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
| Cmd.Flags().StringVarP(&flagFormat, flagNameFormat, "f", "", fmt.Sprintf("Output format. One of: %s|%s.", stringJSON, stringYAML)) | ||
| Cmd.Flags().StringVarP(&flagOutput, flagNameOutput, "o", "", "Output file path. If the file already exists, it will be overwritten.") | ||
| Cmd.Flags().StringArrayVarP(&flagImages, flagNameImage, "i", []string{}, "a URL to an OCI image containing policies. Can be specified multiple times.") | ||
| Cmd.Flags().BoolVarP(&flagInsecure, flagNameInsecure, "", false, "use plain HTTP for OCI image pulls (not recommended)") |
There was a problem hiding this comment.
BoolVarP with an empty shorthand string should just be BoolVar. Same thing in sync/test/test.go and cmd/gator/test/test.go. The bench command already does this correctly.
There was a problem hiding this comment.
fixed this to update BoolVar.
| const ( | ||
| flagNameFilename = "filename" | ||
| flagNameImage = "image" | ||
| flagNameInsecure = "insecure" |
There was a problem hiding this comment.
I think --insecure is the wrong name for this. In the OCI ecosystem, --insecure conventionally means "skip TLS certificate verification." That's what oras --insecure and crane --insecure do. What this flag actually
controls is downgrading the transport from HTTPS to plain HTTP, which oras calls --plain-http.
If we ship --insecure meaning "use HTTP" and later need a "skip TLS verify" flag, we've already taken the obvious name with the wrong semantics. Let's call it --plain-http to match oras conventions and say exactly what it
does.
There was a problem hiding this comment.
Updated to plain-http flag name.
| // Preserve the oras v1 behavior for local test registries on loopback hosts. | ||
| repo.PlainHTTP = shouldUsePlainHTTP(ref.Registry) | ||
|
|
||
| repo.PlainHTTP = allowPlainHTTP |
There was a problem hiding this comment.
When this is enabled, it'd be worth logging a warning to stderr:
fmt.Fprintf(os.Stderr, "WARNING: pulling %q over plain HTTP\n", imgURL)There was a problem hiding this comment.
added the warning.
…-http Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com>
aramase
left a comment
There was a problem hiding this comment.
variable renames and doc update.
There was a problem hiding this comment.
docs need to be updated from --insecure to --plain-http.
There was a problem hiding this comment.
Updated the docs and changed variables to flagPlainHTTP.
Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 12 out of 12 changed files in this pull request and generated 1 comment.
Comments suppressed due to low confidence (1)
pkg/oci/oci.go:69
- When
allowPlainHTTPis enabled, the ORAS repo client is still configured with Docker credential lookup (credentials.Credential(credStore)), which can result in auth tokens/basic creds being sent over plaintext HTTP. Consider disabling auth/credentials whenallowPlainHTTPis true (anonymous pulls only), or at least make the warning explicitly call out potential credential disclosure risk over HTTP.
repo.PlainHTTP = allowPlainHTTP
if allowPlainHTTP {
fmt.Fprintf(os.Stderr, "WARNING: pulling %q over plain HTTP\n", imgURL)
}
repo.Client = &auth.Client{
Client: http.DefaultClient,
Cache: auth.NewCache(),
Credential: credentials.Credential(credStore),
}
| ``` | ||
|
|
||
| Because `localhost:5000` is a plain HTTP registry in this example, add | ||
| `--plain-http` to the `gator` pull command when consuming the artifact. |
There was a problem hiding this comment.
There's no gator pull subcommand? Maybe something like "add --plain-http to the gator command when consuming the artifact" would be accurate.
There was a problem hiding this comment.
Updated to add --plain-httpto thegator command when consuming the artifact.
Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com>
| oras push $img ./templates/$media_type ./constraints/$media_type | ||
| popd | ||
|
|
||
| run bin/gator test --image=$img --filename="$violating_ns" -o=yaml | ||
| [ "$status" -eq 1 ] | ||
| match_substring "${output[*]}" "pulling artifact" |
There was a problem hiding this comment.
In this new test, oras push is invoked without checking its exit status. If the push fails (registry not up, auth issues, etc.), the subsequent gator test will also fail and the assertion match_substring ... "pulling artifact" will still pass, which can make the test a false positive. Use run oras push ... + [$status -eq 0] (as done earlier in this file) and/or assert on a more specific error indicating HTTPS was attempted against an HTTP registry.
| oras push $img ./templates/$media_type ./constraints/$media_type | |
| popd | |
| run bin/gator test --image=$img --filename="$violating_ns" -o=yaml | |
| [ "$status" -eq 1 ] | |
| match_substring "${output[*]}" "pulling artifact" | |
| run oras push $img ./templates/$media_type ./constraints/$media_type | |
| [ "$status" -eq 0 ] | |
| popd | |
| run bin/gator test --image=$img --filename="$violating_ns" -o=yaml | |
| [ "$status" -eq 1 ] | |
| match_substring "${output[*]}" "pulling artifact" | |
| match_substring "${output[*]}" "http: server gave HTTP response to HTTPS client" |
|
This PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions. |
What this PR does / why we need it:
Which issue(s) this PR fixes (optional, using
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when the PR gets merged):Fixes #
Special notes for your reviewer: