zarf-dev / zarf

DevSecOps for Air Gap & Limited-Connection Systems. https://zarf.dev/
Apache License 2.0
1.34k stars 163 forks

Break apart `--insecure` #2860

Open Noxsios opened 1 month ago

Noxsios commented 1 month ago

Is your feature request related to a problem? Please describe.

Currently the `--insecure` flag is overloaded to be both `--http-only` and `--tls-skip-verify`. This means that if you have a resource w/ a self-signed cert (like an OCI/Docker registry) Zarf will be unable to access that resource because it only requests over HTTP.

For 1.0 it would be beneficial if these flags were separated, similar to other tools (helm, oras).

Not sure if you want Helm's full blown CA support though:

      --ca-file string             verify certificates of HTTPS-enabled servers using this CA bundle
      --cert-file string           identify HTTPS client using this SSL certificate file
      --insecure-skip-tls-verify   skip tls certificate checks for the repository
      --key-file string            identify HTTPS client using this SSL key file

AustinAbro321 commented 4 weeks ago

Agree with this and added a good first issue label. We can deprecate and hide the --insecure flag and have it set --http-only to true and --insecure-tls-skip-verify to true for any legacy users of --insecure.
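
The split discussed in this thread, as an added Go example that is not Zarf's code: the flag names `--http-only` and `--tls-skip-verify` are taken from the issue text, while `Opts`, `ParseOpts`, `Probe` and the `/v2/` path are assumptions made for illustration. It probes a constructed local HTTPS server whose certificate the client does not trust, once per flag combination.

```go
package main

import (
	"crypto/tls"
	"flag"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type Opts struct{ HTTPOnly, TLSSkipVerify bool }

// ParseOpts reads the split flags (hypothetical names); deprecated --insecure sets both.
func ParseOpts(args []string) (o Opts) {
	fs := flag.NewFlagSet("demo", flag.ExitOnError)
	fs.BoolVar(&o.HTTPOnly, "http-only", false, "request over plain HTTP")
	fs.BoolVar(&o.TLSSkipVerify, "tls-skip-verify", false, "skip TLS certificate checks")
	legacy := fs.Bool("insecure", false, "deprecated: sets both flags above")
	fs.Parse(args)
	if *legacy {
		o = Opts{HTTPOnly: true, TLSSkipVerify: true}
	}
	return o
}

// Probe requests /v2/ from a constructed local HTTPS server with an untrusted cert.
func Probe(o Opts) error {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	scheme := "https"
	if o.HTTPOnly {
		scheme = "http" // no TLS at all, so TLSSkipVerify has nothing to act on
	}
	tr := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: o.TLSSkipVerify}}
	resp, err := (&http.Client{Transport: tr}).Get(scheme + "://" + srv.Listener.Addr().String() + "/v2/")
	if err != nil {
		return err // e.g. certificate verification failure
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("unexpected status %s", resp.Status)
	}
	return nil
}

func main() {
	for _, a := range [][]string{{}, {"--http-only"}, {"--tls-skip-verify"}, {"--insecure"}} {
		fmt.Printf("%-20v -> %v\n", a, Probe(ParseOpts(a)))
	}
}
```

Only `--tls-skip-verify` on its own reaches the server. The combined legacy setting fails the same way `--http-only` does, because the request never uses TLS.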