distribution / distribution

The toolkit to pack, ship, store, and deliver container content
https://distribution.github.io/distribution
Apache License 2.0

Enhanced use of proxy mode to authenticate insecure registry #4289

Open kubecto opened 8 months ago

kubecto commented 8 months ago

Description

I use proxy cache mode, and an x509 error is reported when the connection to the primary registry is an insecure mirror repository:

```
Mar 01 16:23:37 k8s1 registry[75313]: time="2024-03-01T16:23:37.717561411+08:00" level=debug msg="using "text" logging formatter"
Mar 01 16:23:37 k8s1 registry[75313]: time="2024-03-01T16:23:37.718556619+08:00" level=warning msg="No HTTP secret provided - generated random secret. This may cause problems with uploads if multiple registries are behind a load-balancer. To provide a shared secret, fill
Mar 01 16:23:37 k8s1 registry[75313]: time="2024-03-01T16:23:37.718605852+08:00" level=info msg="redis not configured" environment=staging go.version=go1.20.8 instance.id=9911d63e-11a9-4a5e-8460-47634d98c94b service=registry version=2.8.3
Mar 01 16:23:37 k8s1 registry[75313]: time="2024-03-01T16:23:37.718709589+08:00" level=info msg="Starting upload purge in 58m0s" environment=staging go.version=go1.20.8 instance.id=9911d63e-11a9-4a5e-8460-47634d98c94b service=registry version=2.8.3
Mar 01 16:23:37 k8s1 registry[75313]: time="2024-03-01T16:23:37.718859314+08:00" level=info msg="using inmemory blob descriptor cache" environment=staging go.version=go1.20.8 instance.id=9911d63e-11a9-4a5e-8460-47634d98c94b service=registry version=2.8.3
Mar 01 16:23:37 k8s1 registry[75313]: time="2024-03-01T16:23:37.718970301+08:00" level=debug msg="filesystem.Stat("/scheduler-state.json")" environment=staging go.version=go1.20.8 instance.id=9911d63e-11a9-4a5e-8460-47634d98c94b service=registry trace.duration=44.144µs tr
Mar 01 16:23:37 k8s1 registry[75313]: time="2024-03-01T16:23:37.718986659+08:00" level=info msg="Starting cached object TTL expiration scheduler..." environment=staging go.version=go1.20.8 instance.id=9911d63e-11a9-4a5e-8460-47634d98c94b service=registry version=2.8.3
Mar 01 16:23:37 k8s1 registry[75313]: panic: Get "https://10.102.28.8/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority
```
tls: failed to verify certificate: x509: certificate signed by unknown authority

Should support:

```yaml
proxy:
  remoteurl: https://10.102.28.8
  username: demoadmin
  password: 123ewqasd
  insecureskipverify: true
```

nouxf commented 6 months ago

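Add the root certificate to the image and rebuild it:

```dockerfile
FROM registry:2
# my-ca.crt is the CA certificate that signed the upstream registry's TLS certificate
COPY my-ca.crt /usr/local/share/ca-certificates/
# Regenerate the system trust bundle so the registry process trusts that CA
RUN update-ca-certificates
```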
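
The thread's two options differ in what the proxy's TLS client verifies. As an added example (not code from the distribution project or from either commenter), this Go program reproduces the `x509: certificate signed by unknown authority` failure on the `/v2/` check and then clears it by adding the upstream's CA to the client's root pool, which is the effect the Dockerfile above has on the system trust store. The names `clientTrusting`, `probe` and `startUpstream` are hypothetical, and the upstream is a constructed local `httptest` server standing in for the private registry.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// clientTrusting (hypothetical helper) returns a client that still verifies the
// upstream, against the system roots plus the CA certificates in caPEM.
func clientTrusting(caPEM []byte) (*http.Client, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool()
	}
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no PEM certificate found in CA bundle")
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}}, nil
}

// probe sends GET <base>/v2/, the request that panics in the log above.
func probe(c *http.Client, base string) (int, error) {
	resp, err := c.Get(base + "/v2/")
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// startUpstream runs a constructed TLS server whose certificate no system root signs.
func startUpstream() (string, []byte, func()) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	return srv.URL, caPEM, srv.Close
}

func main() {
	base, caPEM, stop := startUpstream()
	defer stop()
	_, err := probe(http.DefaultClient, base)
	c, _ := clientTrusting(caPEM)
	code, _ := probe(c, base)
	fmt.Println("default roots:", err, "| with private CA: HTTP", code)
}
```

Unlike a skip-verify switch, the client built here still rejects any certificate that does not chain to a trusted root, so a machine-in-the-middle between the proxy and the upstream cannot present its own certificate and receive the configured credentials.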