From f46c713f89898c6d5b781923c509c04c805f6133 Mon Sep 17 00:00:00 2001
From: Christy Norman
Date: Tue, 18 Sep 2018 15:58:41 -0500
Subject: [PATCH] fix insecure manifest inspect with restrictive certs perms
If, for some reason, the certs directory has permissions that are inaccessible by docker, we should still be able to fetch manifests using the `insecure` flag. Since the cli doesn't access the engine's list of insecure registries, the registry client should make a singleton list of the registry being queried with the `insecure` flag.
Fixes #1358
Signed-off-by: Christy Norman
---
 cli/registry/client/fetcher.go | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/cli/registry/client/fetcher.go b/cli/registry/client/fetcher.go
index 66c11ce2207d..749a110eac60 100644
--- a/cli/registry/client/fetcher.go
+++ b/cli/registry/client/fetcher.go
@@ -97,6 +97,7 @@ func pullManifestSchemaV2(ctx context.Context, ref reference.Named, repo distrib
 func pullManifestSchemaV2ImageConfig(ctx context.Context, dgst digest.Digest, repo distribution.Repository) ([]byte, error) {
 blobs := repo.Blobs(ctx)
+ logrus.Debug("getting blobs in pullManifestSchemaV2imageConfig")
 configJSON, err := blobs.Get(ctx, dgst)
 if err != nil {
 return nil, err
@@ -200,7 +201,7 @@ func continueOnError(err error) bool {
 }
 func (c *client) iterateEndpoints(ctx context.Context, namedRef reference.Named, each func(context.Context, distribution.Repository, reference.Named) (bool, error)) error {
- endpoints, err := allEndpoints(namedRef)
+ endpoints, err := allEndpoints(namedRef, c.insecureRegistry)
 if err != nil {
 return err
 }
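Review bot: The debug line added in pullManifestSchemaV2ImageConfig does not say which blob is being fetched, and it spells the function name as `pullManifestSchemaV2imageConfig`. Logging the digest makes the entry usable when tracing which config blob was requested from a registry: `logrus.Debugf("fetching image config blob %s", dgst)`. The function body continues past the end of the hunk.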
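Review bot: In iterateEndpoints, `c.insecureRegistry` is forwarded for whatever domain `namedRef` carries, so the relaxed handling follows every reference this client resolves rather than one registry named by the user. The field's definition is outside the hunk; if one client can resolve references on more than one registry, each of those domains would be treated as insecure in turn, which is wider than the "registry being queried" in the commit message. A comment at the call would record the intended scope, for example `// insecure covers only reference.Domain(namedRef); it comes from the user's insecure flag, not from the engine's registry list`. The body of iterateEndpoints continues outside the hunk.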
@@ -262,12 +263,18 @@ func (c *client) iterateEndpoints(ctx context.Context, namedRef reference.Named,
 }
 // allEndpoints returns a list of endpoints ordered by priority (v2, https, v1).
-func allEndpoints(namedRef reference.Named) ([]registry.APIEndpoint, error) {
+func allEndpoints(namedRef reference.Named, insecure bool) ([]registry.APIEndpoint, error) {
 repoInfo, err := registry.ParseRepositoryInfo(namedRef)
 if err != nil {
 return nil, err
 }
- registryService, err := registry.NewService(registry.ServiceOptions{})
+
+ serviceOpts := registry.ServiceOptions{}
+ if insecure {
+ logrus.Debugf("allowing insecure registry for: %s", reference.Domain(namedRef))
+ serviceOpts.InsecureRegistries = []string{reference.Domain(namedRef)}
+ }
+ registryService, err := registry.NewService(serviceOpts)
 if err != nil {
 return []registry.APIEndpoint{}, err
 }
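Review bot: The doc comment on allEndpoints was left unchanged and says nothing about the new `insecure` parameter, although that parameter changes the trust applied to the connection. When it is true, the reference's domain is placed in `ServiceOptions.InsecureRegistries`, which presumably makes the registry package skip certificate verification for that host and allow a plain-HTTP endpoint. I would add to the comment `// When insecure is true, the domain of namedRef is treated as an insecure registry: its certificate is not verified and plain HTTP may be tried.` The only run-time trace of the downgrade is a debug-level message, so `logrus.Warnf` on that line would make it visible without debug logging. allEndpoints continues past the end of the hunk.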