christian-korneck / docker-pushrm

"Docker Push Readme" - a Docker CLI plugin to update container repo docs
MIT License

flag to allow insecure tls (ignore untrusted server cert) #21

Open ravensorb opened 2 years ago

ravensorb commented 2 years ago

Describe the problem or bug

I have an installation of harbor with a self-signed certificate. When trying to use pushrm I am getting an invalid cert (note: push works for the image as I have configured docker to ignore). Is there a way to tell pushrm to ignore the error as well?

docker-pushrm version

pushrm* Push Readme to container registry (Christian Korneck, 1.9.0)

Docker CLI version and platform

Client: Docker Engine - Community
 Version: 20.10.17
 API version: 1.41
 Go version: go1.17.11
 Git commit: 100c701
 Built: Mon Jun 6 23:02:57 2022
 OS/Arch: linux/amd64
 Context: default
 Experimental: true

Server: Docker Engine - Community
 Engine:
  Version: 20.10.17
  API version: 1.41 (minimum version 1.12)
  Go version: go1.17.11
  Git commit: a89b842
  Built: Mon Jun 6 23:01:03 2022
  OS/Arch: linux/amd64
  Experimental: false
 containerd:
  Version: 1.6.8
  GitCommit: 9cd3357b7fd7218e4aec3eae239db1f68a5a6ec6
 runc:
  Version: 1.1.4
  GitCommit: v1.1.4-0-g5fd4c4d
 docker-init:
  Version: 0.19.0
  GitCommit: de40ad0

if possible: registry server version

self-hosted harbor version 2.0.0

exact command that you're running

docker pushrm --debug myimage:latest --provider harbor2

debug output

Publishing Image Readme
DEBU root cmd init config                         
DEBU home dir: /home/ravenwolf.org/sanderson      
DEBU subcommand "pushrm" called                   
DEBU Using target: harbor.internal-sites.org/images/traefik:latest 
DEBU using README file: README.MD                 
DEBU server: harbor.internal-sites.org                 
DEBU namespace: images                         
DEBU repo: traefik                                
DEBU tag: latest                                  
DEBU repo provider: harbor2                       
DEBU Harbor2.GetAuthident called                  
DEBU no credentials found in env vars. Trying Docker credentials store 
DEBU Using config file: /home/localuser/.docker/config.json 
DEBU util.GetDockerCreds called                   
DEBU tried candidate harbor.internal-sites.org: found credentials for user localuser 
DEBU Using Docker creds: localuser ********       
DEBU Harbor2.Pushrm called                        
DEBU Put "https://harbor.internal-sites.org/api/v2.0/projects/images/repositories/traefik": x509: certificate is valid for 4e001b526386b34480ab04d1538a8d04.3026041018f2cef38123353136fd9210.traefik.default, not harbor.internal-sites.org 
DEBU error pushing README, error creating http request 
ERRO error pushing readme to repo server. See error message below. Run with "--debug" for more details. 

error pushing README, error creating http request

christian-korneck commented 2 years ago

There are currently no docker-pushrm flags that you could set to trust a custom server certificate or allow insecure connections. You could, however, add the public cert of your server to your OS's trusted CA certs and it should just work.

This is in line with how several other tools in this space behave: https://github.com/genuinetools/img#using-self-signed-certs-with-a-registry

Please let me know if this doesn't work for you for some reason or if you need more info.

ravensorb commented 2 years ago

Understood - maybe this could be a feature request?

christian-korneck commented 2 years ago

> maybe this could be a feature request?

Sure. Are there any particular reasons why making the self-signed cert trusted on the machine where you want to run docker-pushrm isn’t practical?

And are you looking to pass the cert to the cli or are you just looking for a convenience --allow-insecure flag?

ravensorb commented 2 years ago

A simple --allow-insecure would be perfect. The other option could be to pull from the global docker daemon.json file "insecure-registries" property?

christian-korneck commented 2 years ago

Thanks, these are good thoughts. I will keep this open as a feature request.
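
Added example (not part of the thread and not docker-pushrm's code): the x509 error in the debug output above is a name mismatch, which Go's TLS client reports separately from an untrusted issuer. The sketch below, with made-up helper names and a constructed local test server, shows that trusting a certificate through `RootCAs` clears an untrusted-issuer failure but not a name mismatch, without turning verification off.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Added example, not docker-pushrm code; helper names are made up here.
// probe GETs url trusting only roots; serverName "" means the host in url.
func probe(url string, roots *x509.CertPool, serverName string) error {
	cfg := &tls.Config{RootCAs: roots, ServerName: serverName}
	tr := &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true}
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// classify names the verification failure, because the fix differs per kind.
func classify(err error) string {
	var name x509.HostnameError
	var issuer x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &name):
		return "name mismatch" // trusting the cert does not fix this
	case errors.As(err, &issuer):
		return "untrusted issuer" // fixed by adding the cert to the trust pool
	}
	return "other: " + err.Error()
}

// checkAll probes a constructed local test server; its cert covers 127.0.0.1.
func checkAll() (untrusted, trusted, wrongName string) {
	srv := httptest.NewTLSServer(http.NotFoundHandler())
	defer srv.Close()
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	return classify(probe(srv.URL, x509.NewCertPool(), "")),
		classify(probe(srv.URL, pool, "")),
		classify(probe(srv.URL, pool, "harbor.internal-sites.org"))
}

func main() { fmt.Println(checkAll()) }
```

The empty pool in the first case stands in for a trust store that lacks the registry's certificate; the third case verifies a trusted certificate against a name it was not issued for.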