fermyon / spin

Spin is the open source developer tool for building and running serverless applications powered by WebAssembly.
https://developer.fermyon.com/spin
Apache License 2.0

spin does not allow login to http-only registry #1211

Open rajatjindal opened 1 year ago

rajatjindal commented 1 year ago

env:

spin 0.9.0 (e2f4fac 2023-02-21) Apple arm

docker run --rm -p 5000:5000 -e REGISTRY_HTTP_SECRET=secret --name registry arm64v8/registry:2

Caused by: cannot authenticate as rjindal to registry 127.0.0.1: http transport error: error sending request for url (https://127.0.0.1/v2/): error trying to connect: tcp connect error: Connection refused (os error 61)

rajatjindal commented 1 year ago

On a local registry (for testing) we are able to proceed without auth, and for real registries it is recommended not to run with an HTTP-only registry, so I am OK with this ticket getting closed as won't do.

radu-matei commented 1 year ago

You can trace that back to the line below.

I think you should be able to conditionally make that insecure based on whether it's HTTP or HTTPS. Alternatively, we could add the --insecure flag to login as well? https://github.com/fermyon/spin/blob/492e50921f44086e2c9e2a0efdb074fce991eccf/crates/oci/src/client.rs#L294

kate-goldenring commented 1 year ago

I also ran into this

# Create user and pass pair using docker (could also just use htpasswd locally)
mkdir auth && docker run --entrypoint htpasswd registry:2.7.0 -Bbn kate pw > auth/htpasswd

docker container stop registry

# restart container
docker run -d \
  -p 5000:5000 \
  --restart=always \
  --name registry \
  -v `pwd`/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  registry:2.7.0

docker login localhost:5000 -u kate -p pw

#test local registry
docker pull ubuntu:16.04
docker tag ubuntu:16.04 localhost:5000/my-ubuntu
docker push localhost:5000/my-ubuntu

# try to get it to work with spin
RUST_LOG=spin=trace spin registry push localhost:5000
2023-03-30T22:01:19.363125Z DEBUG spin_loader::cache: using cache root directory /Users/kagold/Library/Caches/spin/registry
2023-03-30T22:01:19.503882Z TRACE spin_oci::client: Cannot retrieve credentials from Docker, attempting to use anonymous auth: Credential helper returned non-zero response code
2023-03-30T22:01:19.504054Z TRACE spin_oci::client: Reading wasm module from "/Users/kagold/Programs/temp/test/target/wasm32-wasi/release/test.wasm"
Error: cannot push Spin application

kate-goldenring commented 1 year ago

I realized what was going wrong on my side. Pushing to the base of the registry localhost:5000 was unauthorized. spin registry push localhost:5000/spin-apps --insecure succeeds.

kate-goldenring commented 1 year ago

@rajatjindal @radu-matei should we add --insecure to login as well or close this as wont-fix? For now, you could use docker to login instead.
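
The two options raised in this thread (choose the protocol from the scheme, or add an opt-in flag to login) can be combined so that credentials travel over plaintext HTTP only on explicit request. The following is an added example, not Spin's code: `Transport`, `login_transport`, the `insecure` parameter and the loopback distinction are hypothetical names and assumptions introduced here.

```rust
use std::net::IpAddr;
// Added example, not Spin's code. `Transport`, `login_transport` and the
// `insecure` parameter (a login `--insecure` flag is only proposed) are hypothetical.
#[derive(Debug, PartialEq)]
pub enum Transport {
    Https,
    /// Plaintext HTTP; `local` is true for localhost or a loopback IP.
    Http { local: bool },
}

/// Host part of "host", "host:port" or "[v6]:port".
fn host_only(authority: &str) -> &str {
    if let Some(rest) = authority.strip_prefix('[') {
        return rest.split(']').next().unwrap_or(rest);
    }
    authority.rsplit_once(':').map_or(authority, |(host, _port)| host)
}

fn is_local(authority: &str) -> bool {
    let host = host_only(authority);
    host.eq_ignore_ascii_case("localhost")
        || host.parse::<IpAddr>().map_or(false, |ip| ip.is_loopback())
}

/// HTTPS unless the caller opted in to plaintext; an explicit `http://`
/// without the opt-in is an error, so credentials never leak by accident.
pub fn login_transport(server: &str, insecure: bool) -> Result<Transport, String> {
    let (scheme, authority) = match server.split_once("://") {
        Some((s, rest)) => (Some(s.to_ascii_lowercase()), rest),
        None => (None, server),
    };
    let authority = authority.trim_end_matches('/');
    if authority.is_empty() || authority.contains('/') {
        return Err(format!("expected a registry host, got {server:?}"));
    }
    match (scheme.as_deref(), insecure) {
        (None, false) | (Some("https"), _) => Ok(Transport::Https),
        (None, true) | (Some("http"), true) => Ok(Transport::Http { local: is_local(authority) }),
        (Some("http"), false) => Err(format!("plaintext login to {authority} needs --insecure")),
        (Some(other), _) => Err(format!("unsupported scheme {other:?}")),
    }
}

fn main() {
    // Constructed inputs: the address from the report, with and without opt-in.
    for (server, insecure) in [("127.0.0.1", false), ("http://localhost:5000", false), ("localhost:5000", true)] {
        println!("{server} insecure={insecure} -> {:?}", login_transport(server, insecure));
    }
}
```

A caller can use the `local` field to warn when plaintext is requested for a host that is not a loopback test registry.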