Closed sherine-k closed 2 months ago
@sherine-k: This pull request references CLID-101 which is a valid jira issue.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: sherine-k
@sherine-k: all tests passed!
/lgtm
[ART PR BUILD NOTIFIER]
This PR has been included in build oc-mirror-plugin-container-v4.17.0-202404241149.p0.g7352815.assembly.stream.el9 for distgit oc-mirror-plugin. All builds following this will include this PR.
Description
This PR removes the field TlsVerify from the CopyOptions.Global which was bypassing TLS handshake completely for all registries involved. This field was added there when some code was copied from the skopeo code base, where it was already marked deprecated.
Fixes # CLID-101
Type of change
Please delete options that are not relevant.
Implementation details
Instead of a global TlsVerify, one should set tls verification under either CopyOptions.SrcImage or CopyOptions.DestImage. The exact field can be found under type dockerImageOptions, and its type is commonFlag.OptionalBool.
This makes it impossible to set the field directly. Instead, we use the flags associated with the options to set the value. Example:
Fixing unit tests
Most unit tests don't really call a registry. The fix here is easy: simply remove field TlsVerify when initializing the Global structure. For some unit tests, where a HTTPMock is used as the registry (image-blob-gatherer_test.go for instance), the flags need to be set. This is because the containers/image code is by default now going to make a TLS handshake, unless we set --src-tls-verify and --dest-tls-verify to false.
Fixing executor.go + delete.go
Here we use the same technique (using the flagSet.Set) to force the value of the flags as follows:
src-tls-verify should be set
dest-tls-verify should be set
The problem here is that the Mode (m2d, d2m or m2m) is determined at the Complete method. At this point, the flagsets are unreachable (flags and options were initialized in func NewMirrorCmd). That is why I had to declare, in the ExecutorSchema type, a private srcFlagSet and destFlagSet, in order to be able to later use them.
Fixing image-blob-gatherer.go
ImageBlobGatherer is used during delete and MirrorToDisk, where:
From the ImageBlobGatherer's perspective though, the local cache is considered a source registry. In order not to disturb TLS handshake for the mirroring, but still be able to gather blobs from cache during archive generation, I added this extra method imageOptions.NewSystemContextWithTLSVerificationOverride: calling it with tlsVerify=false as an input creates a source system context specific for this use case that bypasses TLS.
How Has This Been Tested?
All Unit and E2E tests pass. With an imageSetConfig containing just an additional image, I tested workflows:
Expected Outcome
No errors related to HTTP such as
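
The flag-based technique from the implementation details above, as an added example that is not part of the PR or the oc-mirror code base. It uses Go's standard flag package, and optionalBool, imageOptions and newImageFlags are hypothetical stand-ins for the skopeo-derived types; only the flag names src-tls-verify and dest-tls-verify come from the description.

```go
package main

import (
	"flag"
	"fmt"
	"strconv"
)

// optionalBool is a hypothetical tri-state flag value: unset, true or false.
type optionalBool struct{ present, value bool }

func (o *optionalBool) String() string {
	return fmt.Sprintf("present=%t value=%t", o.present, o.value)
}

// Set records an explicit choice; an invalid value leaves the state untouched.
func (o *optionalBool) Set(s string) error {
	v, err := strconv.ParseBool(s)
	if err == nil {
		o.present, o.value = true, v
	}
	return err
}

// imageOptions keeps the field private, so it can only be changed through its flag set.
type imageOptions struct{ tlsVerify optionalBool }

// skipTLSVerify is true only after an explicit "false"; unset keeps verification on.
func (o *imageOptions) skipTLSVerify() bool {
	return o.tlsVerify.present && !o.tlsVerify.value
}

// newImageFlags registers <prefix>tls-verify and returns the flag set with its options.
// Keeping the returned flag set is what lets a later step still change the value.
func newImageFlags(prefix string) (*flag.FlagSet, *imageOptions) {
	opts := &imageOptions{}
	fs := flag.NewFlagSet(prefix+"image", flag.ContinueOnError)
	fs.Var(&opts.tlsVerify, prefix+"tls-verify", "require HTTPS and verify certificates")
	return fs, opts
}

func main() {
	src, srcOpts := newImageFlags("src-")
	_, destOpts := newImageFlags("dest-")
	// Relax only the side that talks to a plain-HTTP endpoint (constructed scenario).
	if err := src.Set("src-tls-verify", "false"); err != nil {
		panic(err)
	}
	fmt.Println("src skips TLS:", srcOpts.skipTLSVerify(), "dest skips TLS:", destOpts.skipTLSVerify())
}
```

Because each side has its own flag set, relaxing the source leaves the destination at its verifying default, which is the scoping the removed global field did not give.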