Adapting setupRegistryServer to be able to use https with the docker

registryClient

Signed-off-by: Soule BA <soule@weave.works>

api/v1beta2/helmrepository_types.go

@@ -87,11 +87,6 @@ type HelmRepositorySpec struct {
 	// +optional
 	Timeout *metav1.Duration `json:"timeout,omitempty"`
 
-	// InsecureSkipTLSVerify skips the validation of the TLS certificate of the
-	// OCI registry endpoint.
-	// +optional
-	InsecureSkipTLSVerify bool `json:"insecureSkipTLSverify,omitempty"`
-
 	// Suspend tells the controller to suspend the reconciliation of this
 	// HelmRepository.
 	// +optional

docs/api/v1beta2/source.md

@@ -861,19 +861,6 @@ Its default value is 60s.</p>
 </tr>
 <tr>
 <td>
-<code>insecureSkipTLSverify</code><br>
-<em>
-bool
-</em>
-</td>
-<td>
-<em>(Optional)</em>
-<p>InsecureSkipTLSverify skips the validation of the TLS certificate of the
-OCI registry endpoint.</p>
-</td>
-</tr>
-<tr>
-<td>
 <code>suspend</code><br>
 <em>
 bool
@@ -2558,19 +2545,6 @@ Its default value is 60s.</p>
 </tr>
 <tr>
 <td>
-<code>insecureSkipTLSverify</code><br>
-<em>
-bool
-</em>
-</td>
-<td>
-<em>(Optional)</em>
-<p>InsecureSkipTLSverify skips the validation of the TLS certificate of the
-OCI registry endpoint.</p>
-</td>
-</tr>
-<tr>
-<td>
 <code>suspend</code><br>
 <em>
 bool

go.mod

@@ -40,7 +40,12 @@ require (
 	github.com/fluxcd/pkg/tar v0.2.0
 	github.com/fluxcd/pkg/testserver v0.4.0
 	github.com/fluxcd/pkg/version v0.2.2
+<<<<<<< HEAD
 	github.com/fluxcd/source-controller/api v1.0.0
+=======
+	github.com/fluxcd/source-controller/api v1.0.0-rc.5
+	github.com/foxcpp/go-mockdns v1.0.0
+>>>>>>> 4e0d792 (Adapting setupRegistryServer to be able to use https with the docker)
 	github.com/go-git/go-billy/v5 v5.4.1
 	github.com/go-git/go-git/v5 v5.8.1
 	github.com/go-logr/logr v1.2.4
@@ -251,6 +256,7 @@ require (
 	github.com/mattn/go-isatty v0.0.17 // indirect
 	github.com/mattn/go-runewidth v0.0.14 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+	github.com/miekg/dns v1.1.50 // indirect
 	github.com/miekg/pkcs11 v1.1.1 // indirect
 	github.com/minio/md5-simd v1.1.2 // indirect
 	github.com/minio/sha256-simd v1.0.1 // indirect

go.sum

@@ -418,6 +418,7 @@ github.com/fluxcd/pkg/testserver v0.4.0/go.mod h1:gjOKX41okmrGYOa4oOF2fiLedDAfPo
 github.com/fluxcd/pkg/version v0.2.2 h1:ZpVXECeLA5hIQMft11iLp6gN3cKcz6UNuVTQPw/bRdI=
 github.com/fluxcd/pkg/version v0.2.2/go.mod h1:NGnh/no8S6PyfCDxRFrPY3T5BUnqP48MxfxNRU0z8C0=
 github.com/foxcpp/go-mockdns v1.0.0 h1:7jBqxd3WDWwi/6WhDvacvH1XsN3rOLXyHM1uhvIx6FI=
+github.com/foxcpp/go-mockdns v1.0.0/go.mod h1:lgRN6+KxQBawyIghpnl5CezHFGS9VLzvtVlwxvzXTQ4=
 github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
 github.com/frankban/quicktest v1.14.3/go.mod h1:mgiwOwqx65TmIk1wJ6Q7wvnVMocbUorkibMOrVTHZps=
 github.com/frankban/quicktest v1.14.4 h1:g2rn0vABPOOXmZUj+vbmUp0lPoXEMuhTpIluN0XL9UY=
@@ -862,7 +863,9 @@ github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5
 github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
 github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
+github.com/miekg/dns v1.1.25/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso=
 github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA=
+github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
 github.com/miekg/pkcs11 v1.0.3-0.20190429190417-a667d056470f/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
 github.com/miekg/pkcs11 v1.1.1 h1:Ugu9pdy6vAYku5DEpVWVFPYnzV+bxB+iRdbuFSu7TvU=
 github.com/miekg/pkcs11 v1.1.1/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
@@ -1261,6 +1264,7 @@ golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191219195013-becbf705a915/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
@@ -1341,6 +1345,7 @@ golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -1367,6 +1372,7 @@ golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLd
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210421230115-4e50805a0758/go.mod h1:72T/g9IO56b78aLF+1Kcs5dz7/ng1VjMUvfKvpfy+jM=
 golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
+golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
@@ -1431,6 +1437,8 @@ golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1549,6 +1557,7 @@ golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgw
 golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20190907020128-2ca718005c18/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
@@ -1591,6 +1600,7 @@ golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=

internal/controller/helmchart_controller_test.go

@@ -2201,16 +2201,15 @@ func TestHelmChartReconciler_reconcileSourceFromOCI_authStrategy(t *testing.T) {
 	}
 
 	tests := []struct {
-		name                  string
-		url                   string
-		registryOpts          registryOptions
-		secretOpts            secretOptions
-		insecureSkipTLSVerify bool
-		provider              string
-		providerImg           string
-		want                  sreconcile.Result
-		wantErr               bool
-		assertConditions      []metav1.Condition
+		name             string
+		url              string
+		registryOpts     registryOptions
+		secretOpts       secretOptions
+		provider         string
+		providerImg      string
+		want             sreconcile.Result
+		wantErr          bool
+		assertConditions []metav1.Condition
 	}{
 		{
 			name: "HTTP without basic auth",
@@ -2306,22 +2305,6 @@ func TestHelmChartReconciler_reconcileSourceFromOCI_authStrategy(t *testing.T) {
 				*conditions.UnknownCondition(meta.ReadyCondition, meta.ProgressingReason, "building artifact: pulled 'helmchart' chart with version '0.1.0'"),
 			},
 		},
-		{
-			name: "HTTPS With InsecureSkipTLSVerify",
-			want: sreconcile.ResultSuccess,
-			registryOpts: registryOptions{
-				withBasicAuth: true,
-			},
-			secretOpts: secretOptions{
-				username: testRegistryUsername,
-				password: testRegistryPassword,
-			},
-			insecureSkipTLSVerify: true,
-			assertConditions: []metav1.Condition{
-				*conditions.TrueCondition(meta.ReconcilingCondition, meta.ProgressingReason, "building artifact: pulled 'helmchart' chart with version '0.1.0'"),
-				*conditions.UnknownCondition(meta.ReadyCondition, meta.ProgressingReason, "building artifact: pulled 'helmchart' chart with version '0.1.0'"),
-			},
-		},
 	}
 
 	for _, tt := range tests {
@@ -2368,8 +2351,6 @@ func TestHelmChartReconciler_reconcileSourceFromOCI_authStrategy(t *testing.T) {
 				repo.Spec.URL = tt.providerImg
 			}
 
-			repo.Spec.InsecureSkipTLSVerify = tt.insecureSkipTLSVerify
-
 			var secret *corev1.Secret
 			if tt.secretOpts.username != "" && tt.secretOpts.password != "" {
 				secret = &corev1.Secret{

internal/controller/helmrepository_controller.go

@@ -413,10 +413,6 @@ func (r *HelmRepositoryReconciler) reconcileSource(ctx context.Context, sp *patc
 		}
 	}
 
-	if obj.Spec.InsecureSkipTLSVerify {
-		tlsConfig.InsecureSkipVerify = true
-	}
-
 	// Construct Helm chart repository with options and download index
 	newChartRepo, err := repository.NewChartRepository(obj.Spec.URL, "", r.Getters, clientOpts.TlsConfig, clientOpts.GetterOpts...)
 	if err != nil {

internal/controller/helmrepository_controller_oci.go

@@ -350,12 +350,6 @@ func (r *HelmRepositoryOCIReconciler) reconcile(ctx context.Context, sp *patch.S
 		}
 	}
 
-	if tlsConfig == nil {
-		tlsConfig = &tls.Config{}
-	}
-
-	tlsConfig.InsecureSkipVerify = obj.Spec.InsecureSkipTLSVerify
-
 	loginOpt, err := makeLoginOption(authenticator, keychain, obj.Spec.URL)
 	if err != nil {
 		conditions.MarkFalse(obj, meta.ReadyCondition, sourcev1.AuthenticationFailedReason, err.Error())

internal/controller/helmrepository_controller_oci_test.go

@@ -172,7 +172,6 @@ func TestHelmRepositoryOCIReconciler_authStrategy(t *testing.T) {
 		url                   string
 		registryOpts          registryOptions
 		secretOpts            secretOptions
-		insecureSkipTLSVerify bool
 		provider              string
 		providerImg           string
 		want                  ctrl.Result
@@ -272,21 +271,6 @@ func TestHelmRepositoryOCIReconciler_authStrategy(t *testing.T) {
 				*conditions.TrueCondition(meta.ReadyCondition, meta.SucceededReason, "Helm repository is ready"),
 			},
 		},
-		{
-			name: "HTTPS With InsecureSkipTLSVerify",
-			want: ctrl.Result{RequeueAfter: interval},
-			registryOpts: registryOptions{
-				withBasicAuth: true,
-			},
-			secretOpts: secretOptions{
-				username: testRegistryUsername,
-				password: testRegistryPassword,
-			},
-			insecureSkipTLSVerify: true,
-			assertConditions: []metav1.Condition{
-				*conditions.TrueCondition(meta.ReadyCondition, meta.SucceededReason, "Helm repository is ready"),
-			},
-		},
 	}
 
 	for _, tt := range tests {
@@ -325,8 +309,6 @@ func TestHelmRepositoryOCIReconciler_authStrategy(t *testing.T) {
 				obj.Spec.URL = tt.providerImg
 			}
 
-			obj.Spec.InsecureSkipTLSVerify = tt.insecureSkipTLSVerify
-
 			var secret *corev1.Secret
 			if tt.secretOpts.username != "" && tt.secretOpts.password != "" {
 				secret = &corev1.Secret{

internal/controller/suite_test.go

@@ -22,11 +22,13 @@ import (
 	"fmt"
 	"io"
 	"math/rand"
+	"net"
 	"os"
 	"path/filepath"
 	"testing"
 	"time"
 
+	"github.com/foxcpp/go-mockdns"
 	"github.com/phayes/freeport"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/crypto/bcrypt"
@@ -114,6 +116,8 @@ type registryClientTestServer struct {
 	registryHost   string
 	workspaceDir   string
 	registryClient *helmreg.Client
+	// A mock DNS server needed for TLS connection testing.
+	srv *mockdns.Server
 }
 
 type registryOptions struct {
@@ -148,8 +152,25 @@ func setupRegistryServer(ctx context.Context, workspaceDir string, opts registry
 	if err != nil {
 		return nil, fmt.Errorf("failed to get free port: %s", err)
 	}
-
 	server.registryHost = fmt.Sprintf("localhost:%d", port)
+	if opts.withTLS {
+		// docker `MatchLocalhost` is a host match function which returns true for
+		// localhost, and is used to enforce http for localhost requests."
+		// That function does not handle matching of ip addresses in octal,
+		// decimal or hex form.
+		server.registryHost = fmt.Sprintf("0x7f000001:%d", port)
+		// As of Go 1.20, Go may lookup "0x7f000001" as a DNS entry and fail.
+		// Using a mock DNS server to handle the address.
+		server.srv, err = mockdns.NewServer(map[string]mockdns.Zone{
+			"0x7f000001.": {
+				A: []string{"127.0.0.1"},
+			},
+		}, false)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create mock DNS server: %s", err)
+		}
+		server.srv.PatchNet(net.DefaultResolver)
+	}
 	config.HTTP.Addr = fmt.Sprintf("127.0.0.1:%d", port)
 	config.HTTP.DrainTimeout = time.Duration(10) * time.Second
 	config.Storage = map[string]configuration.Parameters{"inmemory": map[string]interface{}{}}
@@ -178,6 +199,7 @@ func setupRegistryServer(ctx context.Context, workspaceDir string, opts registry
 	if opts.withTLS {
 		config.HTTP.TLS.Certificate = "testdata/certs/server.pem"
 		config.HTTP.TLS.Key = "testdata/certs/server-key.pem"
+		config.HTTP.TLS.ClientCAs = []string{"testdata/certs/ca.pem"}
 	}
 
 	// setup logger options
@@ -198,6 +220,13 @@ func setupRegistryServer(ctx context.Context, workspaceDir string, opts registry
 	return server, nil
 }
 
+func (s *registryClientTestServer) stopSrv() {
+	if s.srv != nil {
+		mockdns.UnpatchNet(net.DefaultResolver)
+		s.srv.Close()
+	}
+}
+
 func TestMain(m *testing.M) {
 	initTestTLS()
 
@@ -234,6 +263,7 @@ func TestMain(m *testing.M) {
 	if err != nil {
 		panic(fmt.Sprintf("Failed to create a test registry server: %v", err))
 	}
+	defer testRegistryServer.stopSrv()
 
 	if err := (&GitRepositoryReconciler{
 		Client:        testEnv,