Open ccwienk opened 3 months ago
Hi @ccwienk, @fabianburth last week added the ability to use http registries: https://github.com/open-component-model/ocm/pull/676. It's not an explicit option, but implicitly set by using http as scheme instead of https (which is also the default when omitting the scheme). The latest version https://github.com/open-component-model/ocm/releases/tag/v0.9.0 contains this functionality. I didn't find this enhancement in the documentation, though. @fabianburth, is this part maybe still pending or was I just not able to find it? :-)
@morri-son : I cannot quite understand how that relates to my issue.
dev-note: during implementation, we should also unify the usage of http-client and its settings by creating a dedicated factory
bump. any news?
@ccwienk , we checked and discussed the issue already and it is also placed in the "next-up" column: https://github.com/orgs/open-component-model/projects/10. For this sprint we have nearly zero capacity, as several colleagues are on vacation and Fabian acts as mentor for new colleagues. I assume that we can pick the issue up in the sprint starting 17th July.
What would you like to be added
Add a (global) flag to disable TLS validation for OCM-CLI's commands. Inspired by curl, the flag might be named --insecure, but any name will do.
Why is this needed
For development purposes, there may be cases where no valid certificate is available in a testing environment (e.g. if using a self-signed certificate). Having the option to disable TLS validation will be handy in such cases.
One might also consider productive scenarios, where, through a misconfiguration, TLS validation fails, and OCM-CLI is needed to perform urgent tasks that would otherwise be blocked by TLS validation issues.
Admittedly, those are exceptional and corner-cases. However, most other tooling supports explicit disabling of TLS validation, including e.g. package-managers (apt, apk, pacman), HTTP-APIs for all programming languages, HTTP-tools, such as curl or wget, ... - even security-aware tools such as ssh offer disabling of checks / unsafe mode of operation.
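
The self-signed test-environment case from the request, as an added Go example that is not part of the issue or of OCM's code: one client factory (the idea in the dev-note above) where an opt-in insecure switch sits beside the narrower alternative of trusting only the test server's own certificate. `TLSOptions`, `NewHTTPClient` and `Probe` are hypothetical names, and the server is a throwaway `httptest` instance constructed inline.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// TLSOptions is a hypothetical settings struct, not an OCM type.
type TLSOptions struct {
	Insecure bool           // what an --insecure flag would set: skip all verification
	RootCAs  *x509.CertPool // extra trust anchors, e.g. the test environment's own CA
}

// NewHTTPClient is the single place where TLS settings become an HTTP client.
func NewHTTPClient(o TLSOptions) *http.Client {
	cfg := &tls.Config{
		MinVersion:         tls.VersionTLS12,
		RootCAs:            o.RootCAs,  // nil means the system trust store
		InsecureSkipVerify: o.Insecure, // explicit opt-in only, false by default
	}
	return &http.Client{
		Timeout:   5 * time.Second,
		Transport: &http.Transport{TLSClientConfig: cfg},
	}
}

// Probe starts a local HTTPS server whose certificate no system store trusts
// and reports whether a client built from o can complete a request to it.
func Probe(o TLSOptions, trustServerCert bool) error {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	defer srv.Close()
	if trustServerCert { // scoped alternative: trust exactly this certificate
		o.RootCAs = x509.NewCertPool()
		o.RootCAs.AddCert(srv.Certificate())
	}
	resp, err := NewHTTPClient(o).Get(srv.URL)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

func main() {
	fmt.Println("default:        ", Probe(TLSOptions{}, false))
	fmt.Println("test cert added:", Probe(TLSOptions{}, true))
	fmt.Println("insecure:       ", Probe(TLSOptions{Insecure: true}, false))
}
```

Adding the test certificate to the trust pool keeps hostname and chain checks active for every other endpoint, while the insecure switch turns them off for all connections the client makes.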