morri-son
commented
2 months ago Hi @ccwienk, @fabianburth last week added the ability to use http registries: https://github.com/open-component-model/ocm/pull/676. It's not an explicit option, but implicitly set by using http as scheme instead of https (which is also the default when omitting the scheme). The latest version https://github.com/open-component-model/ocm/releases/tag/v0.9.0 contains this functionality. I didn't find this enhancement in the documentation, though. @fabianburth, is this part maybe still pending or was I just not able to find it? :-)
ccwienk
hilmarf
What would you like to be added
Add a (global) flag to disable TLS validation for OCM-CLI's commands. Inspired by
curl, the flag might be named--insecure, but any name will do.Why is this needed
For development purposes, there may be cases where no valid certificate is available in a testing environment (e.g. if using a self-signed certificate). Having the option to disable TLS validation will be handy in such cases.
One might also consider productive scenarios, where, through a misconfiguration, TLS validation fails, and OCM-CLI is needed to perform urgent tasks that would otherwise be blocked by TLS validation issues.
Admittedly, those are exceptional and corner-cases. However, most other tooling supports explicit disabling of TLS validation, including e.g. package-managers (apt, apk, pacman), HTTP-APIs for all programming languages, HTTP-tools, such as
curlorwget, ... - even security-aware tools such assshoffer disabling of checks / unsafe mode of operation.