Merge pull request #331 from supereagle/insecure-tls
Make the TLS certificate check configurable when pulling layers
This commit is contained in:
commit
9ef4db26d4
@ -30,6 +30,7 @@ import (
|
||||
"github.com/coreos/clair"
|
||||
"github.com/coreos/clair/api"
|
||||
"github.com/coreos/clair/database"
|
||||
"github.com/coreos/clair/ext/imagefmt"
|
||||
"github.com/coreos/clair/pkg/stopper"
|
||||
|
||||
// Register database driver.
|
||||
@ -123,6 +124,7 @@ func main() {
|
||||
flagConfigPath := flag.String("config", "/etc/clair/config.yaml", "Load configuration from the specified file.")
|
||||
flagCPUProfilePath := flag.String("cpu-profile", "", "Write a CPU profile to the specified file before exiting.")
|
||||
flagLogLevel := flag.String("log-level", "info", "Define the logging level.")
|
||||
flagInsecureTLS := flag.Bool("insecure-tls", false, "Disable TLS server's certificate chain and hostname verification when pulling layers.")
|
||||
flag.Parse()
|
||||
|
||||
// Check for dependencies.
|
||||
@ -149,5 +151,11 @@ func main() {
|
||||
defer stopCPUProfiling(startCPUProfiling(*flagCPUProfilePath))
|
||||
}
|
||||
|
||||
// Enable TLS server's certificate chain and hostname verification
|
||||
// when pulling layers if specified
|
||||
if *flagInsecureTLS {
|
||||
imagefmt.SetInsecureTLS(*flagInsecureTLS)
|
||||
}
|
||||
|
||||
Boot(config)
|
||||
}
|
||||
|
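Review bot: The comment above the new block in the third hunk says the flag enables certificate chain and hostname verification, but the code does the opposite: when -insecure-tls is set, verification is turned off. Change it to `// Disable TLS certificate chain and hostname verification when pulling layers, if requested.` so the next reader is not misled about the default. The surrounding `if *flagInsecureTLS` guard is also redundant, since calling `imagefmt.SetInsecureTLS(false)` is a no-op against the package default; the guard only earns its place if it also emits a startup warning, which is worth adding so that running with verification disabled is visible in the logs rather than silent. The first hunk's only apparent change is the imagefmt import, which presumably exists to reach SetInsecureTLS; main's body continues outside these hunks.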
@ -21,6 +21,7 @@
|
||||
package imagefmt
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"fmt"
|
||||
"io"
|
||||
"math"
|
||||
@ -38,6 +39,10 @@ var (
|
||||
// ErrCouldNotFindLayer is returned when we could not download or open the layer file.
|
||||
ErrCouldNotFindLayer = commonerr.NewBadRequestError("could not find layer")
|
||||
|
||||
// insecureTLS controls whether TLS server's certificate chain and hostname are verified
|
||||
// when pulling layers, verified in default.
|
||||
insecureTLS = false
|
||||
|
||||
log = capnslog.NewPackageLogger("github.com/coreos/clair", "ext/imagefmt")
|
||||
|
||||
extractorsM sync.RWMutex
|
||||
@ -116,7 +121,11 @@ func Extract(format, path string, headers map[string]string, toExtract []string)
|
||||
}
|
||||
|
||||
// Send the request and handle the response.
|
||||
r, err := http.DefaultClient.Do(request)
|
||||
tr := &http.Transport{
|
||||
TLSClientConfig: &tls.Config{InsecureSkipVerify: insecureTLS},
|
||||
}
|
||||
client := &http.Client{Transport: tr}
|
||||
r, err := client.Do(request)
|
||||
if err != nil {
|
||||
log.Warningf("could not download layer: %s", err)
|
||||
return nil, ErrCouldNotFindLayer
|
||||
@ -148,3 +157,9 @@ func Extract(format, path string, headers map[string]string, toExtract []string)
|
||||
|
||||
return nil, commonerr.NewBadRequestError(fmt.Sprintf("unsupported image format '%s'", format))
|
||||
}
|
||||
|
||||
// SetInsecureTLS sets the insecureTLS to control whether TLS server's certificate chain
|
||||
// and hostname are verified when pulling layers.
|
||||
func SetInsecureTLS(insecure bool) {
|
||||
insecureTLS = insecure
|
||||
}
|
||||
|
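Review bot: The replacement for http.DefaultClient in Extract builds a fresh http.Transport on every call, which drops the default transport's proxy handling (`Proxy: http.ProxyFromEnvironment`) and means no connection reuse between layer pulls; callers relying on HTTP_PROXY/HTTPS_PROXY for registry access will see a silent regression. A one-line fix for the proxy part is `tr := &http.Transport{Proxy: http.ProxyFromEnvironment, TLSClientConfig: &tls.Config{InsecureSkipVerify: insecureTLS}}`, and better still to build the transport once (e.g. lazily on first use or when SetInsecureTLS is called) and share it. Separately, `insecureTLS` is a plain package-level bool written by SetInsecureTLS and read inside Extract with no synchronization, even though the file already has `extractorsM sync.RWMutex` for its other shared state; in this commit the setter appears to run once before Boot, so it is worth documenting that constraint on SetInsecureTLS, e.g. `// SetInsecureTLS must be called before any Extract call; it is not safe for concurrent use.`, or guarding the variable. Extract's body starts and ends outside the hunk, so the lack of a client timeout is pre-existing rather than introduced here.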