Description
/kind user-story
User Story
As an odo user, I want `odo` to allow me to use a registry with a self-signed or even invalid TLS certificate, So that I can purposely use `odo` with my registry, regardless of the security issues.
This can be the case for example for local registries or even a registry behind some reverse proxy doing TLS termination using a self-signed certificate.
Acceptance Criteria
- Remove `--token` flag from `odo preference add registry`
- Ignore `secure` field in preferences file
- Add `--skip-tls-verify` flag to `odo preference add registry`
- Add new `SkipTLSVerify` field to preferences file
- Add new `skipTLSVerify` field to `odo preference view` JSON and human-readable output
- Remove `Secure` column from `odo preference view` human-readable output
- Handle mapping of `skipTLSVerify` field from DevfileRegistriesList and ClusterDevfileRegistriesList custom resources
- Pass `skipTLSVerify` when calling the registry
Unable to force-use Devfile registries with self-signed or untrusted certificates + confusing `Secure` property
What versions of software are you using?
Operating System: Fedora 37
Output of `odo version`: odo v3.7.0 (26c90d7)
How did you run odo exactly?
Let's say that I have a registry exposed using a self-signed or untrusted certificate, and I intentionally want to use it. It might be a local non-production registry for example.
$ odo preference add registry my-local-devfile-registry https://my-local-devfile-registry.172.17.0.1.nip.io
$ odo registry --devfile-registry my-local-devfile-registry --details --devfile go
Actual behavior
$ odo registry --devfile-registry my-local-devfile-registry --details --devfile go
⚠ Registry my-local-devfile-registry is not set up properly with error:
Get "https://my-local-devfile-registry.172.17.0.1.nip.io":
x509: certificate is valid for ingress.local, not https://my-local-devfile-registry.172.17.0.1.nip.io,
please check the registry URL, and credential and remove add the registry again
(refer to `odo preference add registry --help`)
✗ no deployable components found
Expected behavior
I think it is okay to enforce TLS checks by default, but users should be allowed to bypass those checks if needed, just like it is doable with `curl --insecure` or `wget --no-check-certificate`.
They might want to use a local registry or even a registry behind some reverse proxy doing TLS termination using a self-signed certificate.
I thought that would be the purpose of the `Secure` property on Registries, but it looks like this is set to `True` only if users pass a token when adding their registries. The token value seems to be stored and deleted, but never read, so not sure how this token is being used to interact with the corresponding Devfile registry.
Looking at the code, the Registry Library provides a `SkipTLSVerify` field, but it is always set to `false` by `odo`:
odo/pkg/segment/integrations.go (line 63 in ef6489c)
So maybe we should provide a way for users to explicitly skip TLS checks when registering a registry.
Any logs, error output, etc?
Also, in #6622 (PR for #5128), we translated the `skipTLSVerify` field in the `{Cluster,}DevfileRegistriesList` Custom Resource into a `Secure` property, but it would probably make more sense to use a dedicated property for this.
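The behaviour requested above, as an added Go example that is not odo's or the registry library's code: certificate verification stays on by default and is disabled only for the one registry whose entry opts out. The `Registry` struct, `newClient`, `probe` and `startTestRegistry` are hypothetical names, and the registry is a constructed local `httptest` server whose certificate is not in the system trust store.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Registry is a hypothetical preference entry; only SkipTLSVerify comes from the issue.
type Registry struct {
	Name, URL     string
	SkipTLSVerify bool
}

// newClient builds a client for one registry, so an opt-out never applies to any other.
func newClient(r Registry) *http.Client {
	tr := &http.Transport{TLSClientConfig: &tls.Config{
		InsecureSkipVerify: r.SkipTLSVerify, // zero value false: verification on by default
	}}
	return &http.Client{Transport: tr}
}

// probe contacts the registry using that registry's own TLS setting.
func probe(r Registry) error {
	resp, err := newClient(r).Get(r.URL)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("registry %s: unexpected status %s", r.Name, resp.Status)
	}
	return nil
}

// startTestRegistry is a constructed stand-in serving TLS with an untrusted certificate.
func startTestRegistry() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "[]")
	}))
}

func main() {
	srv := startTestRegistry()
	defer srv.Close()
	fmt.Println("verify on :", probe(Registry{Name: "strict", URL: srv.URL}))
	fmt.Println("verify off:", probe(Registry{Name: "opt-out", URL: srv.URL, SkipTLSVerify: true}))
}
```

With verification on, the probe returns an x509 error comparable to the one in the report; with the per-registry opt-out it returns nil.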