Distinguish between insecure and tls-verify #98

Merged
merged 6 commits into from
Jul 22, 2023


mariusbertram
Contributor

The insecure option for oras.registry sets the transport protocol. The default behaviour of other projects which interact with registries (oras-cli, podman, ...) differentiates between transport protocol and trust for connections to registries.
To avoid breaking changes, the parameter insecure sets the transport protocol and the new parameter tls_verify sets verification on CA trust.

Contributor

@vsoch vsoch left a comment

Should this be exposed from the oras/client.py as well? And don't forget to add a note to the CHANGELOG.md and bump the version in oras/version.py

@mariusbertram
Contributor Author

Yes, there is a difference between a registry listening with plain http and one listening on https but without a valid certificate.
I don't append the port; for plain http the client tries to connect to port 80 and on https to port 443. Best practice configuration for the registry/loadbalancer/webserver is to redirect from port 80 to 443 with a rewrite from http to https.
But if you only expose port 443 and you want to connect to an insecure registry you will not be able to connect with the current behaviour. I will extend the changelog and bump the version.

@vsoch
Contributor

vsoch commented Jul 16, 2023

I think you missed my question about the client - could we please expose the parameter here along with insecure?

insecure: bool = False,

@mariusbertram
Contributor Author

The docker client will skip the tls verification if tls_verify is set. On plain http registries tls_verify has no effect.

Co-authored-by: Vanessasaurus <[email protected]>
Signed-off-by: Marius Bertram <[email protected]>
@vsoch vsoch merged commit db32c98 into oras-project:main Jul 22, 2023
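
The flag combinations discussed in this thread, as an added example that is not oras-py code or part of the PR: it maps `insecure` and `tls_verify` to a scheme, a default port and a standard-library `ssl` context, so it is visible which protection each combination keeps. `ConnectionPlan`, `plan_connection` and `describe` are hypothetical names, and the hostnames are constructed.

```python
import ssl
from typing import NamedTuple, Optional


class ConnectionPlan(NamedTuple):
    scheme: str                            # "http" or "https"
    port: int                              # port the client will dial
    tls_context: Optional[ssl.SSLContext]  # None means no TLS at all


def plan_connection(hostname: str, insecure: bool = False,
                    tls_verify: bool = True) -> ConnectionPlan:
    """Hypothetical helper: map the two flags to transport and trust settings."""
    # Assumes "host" or "host:port" (no IPv6 literals in this sketch).
    _, _, explicit_port = hostname.partition(":")
    if insecure:
        # Plain HTTP: no TLS handshake happens, so tls_verify has no effect.
        return ConnectionPlan("http", int(explicit_port or 80), None)
    # HTTPS: start from the verifying default (CA chain + hostname check).
    ctx = ssl.create_default_context()
    if not tls_verify:
        # Traffic stays encrypted, but the server is no longer authenticated.
        # check_hostname must be cleared before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ConnectionPlan("https", int(explicit_port or 443), ctx)


def describe(plan: ConnectionPlan) -> str:
    """Summarise what the planned connection does and does not protect."""
    if plan.tls_context is None:
        return f"{plan.scheme}:{plan.port} cleartext, no server authentication"
    if plan.tls_context.verify_mode == ssl.CERT_NONE:
        return f"{plan.scheme}:{plan.port} encrypted, certificate NOT verified"
    return f"{plan.scheme}:{plan.port} encrypted, certificate and hostname verified"


if __name__ == "__main__":
    # Constructed hostnames; the second one carries an explicit port.
    for host in ("registry.example", "registry.example:5000"):
        for insecure in (False, True):
            for tls_verify in (True, False):
                plan = plan_connection(host, insecure, tls_verify)
                print(f"{host:24} insecure={insecure!s:5} "
                      f"tls_verify={tls_verify!s:5} -> {describe(plan)}")
```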