feat(oci): support insecure OCI registry #1374
Conversation
tekton-robot
added
the
size/L
l-qing
force-pushed
the
feat/support-insecure-oci-registry
branch
from
c115260 to
e23a70d
Compare
tekton-robot
added
the
needs-rebase
l-qing
force-pushed
the
feat/support-insecure-oci-registry
branch
from
e23a70d to
3706615
Compare
tekton-robot
removed
the
needs-rebase
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
l-qing
force-pushed
the
feat/support-insecure-oci-registry
branch
from
20a3458 to
1e3bf22
Compare
|
The following is the coverage report on the affected files.
|
|
/cc @PuneetPunamiya |
- Add support for connecting to insecure OCI registries with self-signed certificates - Refactor remote options building into a dedicated method - Add comprehensive test coverage for both secure and insecure modes
Add warning log when using insecure OCI registry configuration to alert users about potential security risks. This helps ensure the feature is only used in appropriate testing/development environments.
l-qing
force-pushed
the
feat/support-insecure-oci-registry
branch
from
1e3bf22 to
590d65d
Compare
|
@waveywaves I’ve adjusted the code based on your suggestions. Please take a look when you have a moment. ❤️ |
|
The following is the coverage report on the affected files.
|
|
/retest |
| var entityNotFoundError *ociremote.EntityNotFoundError | ||
| if errors.As(err, &entityNotFoundError) { | ||
| se = ociremote.SignedUnknown(req.Artifact) | ||
| se = ociremote.SignedUnknown(req.Artifact, ociremote.WithRemoteOptions(s.remoteOpts...)) |
There was a problem hiding this comment.
I understand that the method added in #1395 requires these opts to be passed.
|
The following is the coverage report on the affected files.
|
- Ensure SignedUnknown uses the same remote options as SignedEntity - Fix insecure registry support for unknown/missing images - Improve test coverage for secure vs insecure mode validation
l-qing
force-pushed
the
feat/support-insecure-oci-registry
branch
from
885b1ba to
ec9b775
Compare
|
The following is the coverage report on the affected files.
|
|
@l-qing really appreciate the extra test coverage 🤗 |
| // It verifies that: | ||
| // 1. In secure mode, the backend should reject connections to untrusted registries due to TLS certificate verification failure | ||
| // 2. In insecure mode, the backend should successfully connect and upload signatures, bypassing TLS verification | ||
| func TestBackend_StorePayload_Insecure(t *testing.T) { |
|
/approve |
|
@PuneetPunamiya can you help merge this ? |
|
cc @jkhelil |
|
/approve |
tekton-robot
added
the
approved
|
/hold |
tekton-robot
added
the
do-not-merge/hold
|
/approve cancel |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: waveywaves The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
tekton-robot
removed
the
approved
|
@l-qing @waveywaves - IMHO, Though this PR may value add to a dev/test environment, allowing this in chains might pave way for security compromise in production. Provenance could be tampered leading to violation of SLSA guarantees that chains promises. @vdemeester @jkhelil - Though the implementation quality of the feature if good, I feel this contradicts what chains aims to accomplish. Please share your views? |
|
@anithapriyanatarajan Thank you for raising these security concerns - they're absolutely valid and important. I'd like to address them with a few points: 1. Industry Standard PracticeThis pattern exists across mature CNCF projects:
All face the same security tradeoff but provide necessary flexibility for dev/test environments. 2. Built-in Safeguards
3. Real-World Use CaseIn dev/test environments, we often need to work with private registries using self-signed certificates:
Without this option, developers must configure CA certificates in every environment, which is impractical for rapid iteration. 4. Production Environment ConcernsYou're right that enabling this in production would violate SLSA guarantees. However, this responsibility lies with cluster administrators - just as they shouldn't configure Docker's Our role is to:
The feature doesn't compromise production security if admins follow best practices - which they must do anyway for Docker, Kubernetes, and other tools. Looking forward to your thoughts. Happy to discuss further improvements. |
|
@anithapriyanatarajan this flag will help the most when testing in a dev environment where setting up https might be cumbersome. As @l-qing here noted, the insecure flag is provided by multiple clients to ease developer overhead while testing as well. The attack vector related to insecure registries only gets activated if the admin of a registry in production makes the incorrect decision of enabling this flag. I believe the feature request as-is will help developers have a better chains dev env.
This is a configuration that the admin needs to make sure is only enabled for developers, this is the admins prerogative
Documentation regarding this would be good as well and this should be added in the docs as well that the insecure flag can cause these issues @l-qing |
4 participants
Changes
Submitter Checklist
As the author of this PR, please check off the items in this checklist:
functionality, content, code)
Release Notes