Closed baronfel closed 1 month ago
@baronfel when configuring a registry as insecure, both podman and docker allow the connection to be either unencrypted HTTP or HTTPS with an untrusted certificate.
The implementation added in https://github.com/dotnet/sdk/pull/39840 only supports the first.
Thanks! Logged an issue to expand our support - are you noting the gap or did you try to use the new support and got blocked by this in your workflow?
I know from using it with podman that it enables both scenarios.
I was looking whether the SDK already has some support for configuring insecure registries, and I noticed the difference in behavior implemented in the PR.
The registry I need it for is HTTP, so I'm not blocked. It would be easier if I could use an envvar. I may look into contributing SDK_CONTAINER_INSECURE_REGISTRIES to enable that.
Effectively if we wanted to support HTTPS we'd have to override the cert validation callback to check the domain against the list of known-insecure domains before accepting the cert, right?
Yes, we'd override the callback to allow cert issues when the hostname is an insecure one.
We also don't know if the endpoint is http/https so we need to switch when needed.
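One way to implement the two points above (a certificate validation callback that relaxes checks only for hosts configured as insecure, plus an https-then-http probe), as an added example that is not SDK code from the PR. The `InsecureRegistryClient` class, its method names, and reading the host list from the proposed `SDK_CONTAINER_INSECURE_REGISTRIES` variable are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Security;
using System.Threading.Tasks;

// Hypothetical helper, not dotnet/sdk code. The host list is assumed to come from a
// setting such as SDK_CONTAINER_INSECURE_REGISTRIES (e.g. "registry.local:5000;10.0.0.5").
static class InsecureRegistryClient
{
    public static HttpClient Create(IEnumerable<string> insecureRegistries)
    {
        var insecure = new HashSet<string>(insecureRegistries, StringComparer.OrdinalIgnoreCase);
        var handler = new HttpClientHandler();
        handler.ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
        {
            // Certificate chained to a trusted root and matched the host name: normal path.
            if (errors == SslPolicyErrors.None) return true;

            // Otherwise accept the certificate only when the request targets a registry the
            // user explicitly marked insecure; match both "host" and "host:port" spellings.
            Uri? uri = request.RequestUri;
            if (uri is null) return false;
            return insecure.Contains(uri.Host) || insecure.Contains($"{uri.Host}:{uri.Port}");
        };
        return new HttpClient(handler);
    }

    // An insecure registry may speak plain HTTP or HTTPS with an untrusted certificate.
    // Probe https first; if the TLS handshake itself fails (plain-HTTP listener), fall back.
    public static async Task<Uri> ResolveBaseUriAsync(HttpClient client, string registry, bool isInsecure)
    {
        var https = new Uri($"https://{registry}/v2/");
        if (!isInsecure) return https; // trusted registries are never downgraded

        try
        {
            using var response = await client.GetAsync(https, HttpCompletionOption.ResponseHeadersRead);
            return https; // any HTTP status (even 401 from the /v2/ ping) means TLS worked
        }
        catch (HttpRequestException)
        {
            return new Uri($"http://{registry}/v2/");
        }
    }
}
```

Keeping the `SslPolicyErrors.None` check first means every host not in the configured list still gets full chain and hostname validation.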
Once https://github.com/dotnet/sdk/pull/39840 lands we will support writing to insecure registries following the existing container engine mechanisms (insecure-registries in docker daemon.json config, podman registries.conf configuration).
We should document this support and point to the official resources for configuring these kinds of registries.