http and insecure are mutually exclusive, when used on a registry with a non-standard port #3382
I'm not entirely sure if raising this error via a solve is appropriate; perhaps buildkit should just fail to start in such a case where invalid configs are given?
Hey @alexcb thanks for the PR 🎉 I'm not actually sure if this is the right route - to me, it looks like this commit 6704487 seems to imply that it should be possible to supply both
perhaps raising an error should only occur when both If no port is configured, then we should end up with two entries: Thanks for taking a look.
@alexcb you mean we should not configure http and insecure as true at the same time?
I finally figured out that the x509 error is caused by Harbor.
Now with only http = true, buildx can push successfully.
I backed out my initial change to return an error, and wrote a few unit-tests to better illustrate what I was confused by. In particular the case where a non-standard port is used and both Please take a look at My suggestion is such a case should raise an error instead of attempting both a
Signed-off-by: Alex Couture-Beil <alex@mofo.ca>
@alexcb massive apologies for not getting to look at this sooner - I was reminded of this by docker/buildx#1642, which seems similar. So I've discovered where I do think there is a possible underlying issue though here. The discrepancy seen in docker/buildx#1642 looks to be due to differences in how the legacy builder vs buildkit pull images: while buildkit uses containerd, the legacy builder doesn't (yet?)
Moby does some clever magic to avoid requesting HTTPS on endpoints that are known to be HTTP - we might want to upstream something similar to containerd? cc @thaJeztah you might have some better background context here.
Would have to do some digging, as I don't have all the logic in mind immediately.
No worries at all -- this PR isn't really in a mergeable state, it devolved into a combinatorics-question 😆
This is exactly how I hit this -- while debugging why buildkit was attempting to hit an http server with an https client. Feel free to close this PR since it's being tracked in docker/buildx#1642 now.
The insecure option only applies when connecting to an https server. If both http and insecure options are set, the resolver will ignore the isHTTP option and will create an additional https host entry (which will ignore certs).
For example, consider a self-hosted registry which incorrectly had both http and insecure set:
When interacting with this registry, one gets the error:
Which is unexpected since the http=true setting was applied.
Now we get:
Signed-off-by: Alex Couture-Beil <alex@mofo.ca>