fix: validate empty TLS config for registries

Validate empty TLS config for registries Fixes: #5262 Signed-off-by: Noel Georgi <[email protected]>
siderolabs · Mar 31, 2022 · 37f868e · 37f868e
1 parent ca8b9c0
commit 37f868e
Show file tree

Hide file tree

Showing 2 changed files with 90 additions and 42 deletions.
diff --git a/internal/pkg/containers/cri/containerd/hosts.go b/internal/pkg/containers/cri/containerd/hosts.go
@@ -53,46 +53,48 @@ func GenerateHosts(cfg config.Registries, basePath string) (*HostsConfig, error)
 			return
 		}
 
-		if tlsConfig.TLS().InsecureSkipVerify() {
-			hostToml.SkipVerify = true
-		}
+		if tlsConfig.TLS() != nil {
+			if tlsConfig.TLS().InsecureSkipVerify() {
+				hostToml.SkipVerify = true
+			}
 
-		if tlsConfig.TLS().CA() != nil {
-			relPath := fmt.Sprintf("%s-ca.crt", host)
+			if tlsConfig.TLS().CA() != nil {
+				relPath := fmt.Sprintf("%s-ca.crt", host)
 
-			directory.Files = append(directory.Files,
-				&HostsFile{
-					Name:     relPath,
-					Contents: tlsConfig.TLS().CA(),
-					Mode:     0o600,
-				},
-			)
+				directory.Files = append(directory.Files,
+					&HostsFile{
+						Name:     relPath,
+						Contents: tlsConfig.TLS().CA(),
+						Mode:     0o600,
+					},
+				)
 
-			hostToml.CACert = filepath.Join(basePath, directoryName, relPath)
-		}
+				hostToml.CACert = filepath.Join(basePath, directoryName, relPath)
+			}
 
-		if tlsConfig.TLS().ClientIdentity() != nil {
-			relPathCrt := fmt.Sprintf("%s-client.crt", host)
-			relPathKey := fmt.Sprintf("%s-client.key", host)
-
-			directory.Files = append(directory.Files,
-				&HostsFile{
-					Name:     relPathCrt,
-					Contents: tlsConfig.TLS().ClientIdentity().Crt,
-					Mode:     0o600,
-				},
-				&HostsFile{
-					Name:     relPathKey,
-					Contents: tlsConfig.TLS().ClientIdentity().Key,
-					Mode:     0o600,
-				},
-			)
-
-			hostToml.Client = [][2]string{
-				{
-					filepath.Join(basePath, directoryName, relPathCrt),
-					filepath.Join(basePath, directoryName, relPathKey),
-				},
+			if tlsConfig.TLS().ClientIdentity() != nil {
+				relPathCrt := fmt.Sprintf("%s-client.crt", host)
+				relPathKey := fmt.Sprintf("%s-client.key", host)
+
+				directory.Files = append(directory.Files,
+					&HostsFile{
+						Name:     relPathCrt,
+						Contents: tlsConfig.TLS().ClientIdentity().Crt,
+						Mode:     0o600,
+					},
+					&HostsFile{
+						Name:     relPathKey,
+						Contents: tlsConfig.TLS().ClientIdentity().Key,
+						Mode:     0o600,
+					},
+				)
+
+				hostToml.Client = [][2]string{
+					{
+						filepath.Join(basePath, directoryName, relPathCrt),
+						filepath.Join(basePath, directoryName, relPathKey),
+					},
+				}
 			}
 		}
 	}
@@ -151,9 +153,11 @@ func GenerateHosts(cfg config.Registries, basePath string) (*HostsConfig, error)
 			continue
 		}
 
-		if tlsConfig.TLS().CA() == nil && tlsConfig.TLS().ClientIdentity() == nil && !tlsConfig.TLS().InsecureSkipVerify() {
-			// skip, no specific config
-			continue
+		if tlsConfig.TLS() != nil {
+			if tlsConfig.TLS().CA() == nil && tlsConfig.TLS().ClientIdentity() == nil && !tlsConfig.TLS().InsecureSkipVerify() {
+				// skip, no specific config
+				continue
+			}
 		}
 
 		directory := &HostsDirectory{}

diff --git a/internal/pkg/containers/cri/containerd/hosts_test.go b/internal/pkg/containers/cri/containerd/hosts_test.go
@@ -17,7 +17,7 @@ import (
 )
 
 func TestGenerateHosts(t *testing.T) {
-	cfg := &mockConfig{
+	cfgWithTLS := &mockConfig{
 		mirrors: map[string]*v1alpha1.RegistryMirrorConfig{
 			"docker.io": {
 				MirrorEndpoints: []string{"https://registry-1.docker.io", "https://registry-2.docker.io"},
@@ -48,7 +48,7 @@ func TestGenerateHosts(t *testing.T) {
 		},
 	}
 
-	result, err := containerd.GenerateHosts(cfg, "/etc/cri/conf.d/hosts")
+	resultWithTLS, err := containerd.GenerateHosts(cfgWithTLS, "/etc/cri/conf.d/hosts")
 	require.NoError(t, err)
 
 	assert.Equal(t, &containerd.HostsConfig{
@@ -96,5 +96,49 @@ func TestGenerateHosts(t *testing.T) {
 				},
 			},
 		},
-	}, result)
+	}, resultWithTLS)
+
+	cfgWithoutTLS := &mockConfig{
+		mirrors: map[string]*v1alpha1.RegistryMirrorConfig{
+			"docker.io": {
+				MirrorEndpoints: []string{"https://registry-1.docker.io", "https://registry-2.docker.io"},
+			},
+		},
+		config: map[string]*v1alpha1.RegistryConfig{
+			"some.host:123": {
+				RegistryAuth: &v1alpha1.RegistryAuthConfig{
+					RegistryUsername:      "root",
+					RegistryPassword:      "secret",
+					RegistryAuth:          "auth",
+					RegistryIdentityToken: "token",
+				},
+			},
+		},
+	}
+
+	resultWithoutTLS, err := containerd.GenerateHosts(cfgWithoutTLS, "/etc/cri/conf.d/hosts")
+	require.NoError(t, err)
+
+	assert.Equal(t, &containerd.HostsConfig{
+		Directories: map[string]*containerd.HostsDirectory{
+			"docker.io": {
+				Files: []*containerd.HostsFile{
+					{
+						Name:     "hosts.toml",
+						Mode:     0o600,
+						Contents: []byte("\n[host]\n\n  [host.\"https://registry-1.docker.io\"]\n    capabilities = [\"pull\", \"resolve\"]\n\n[host]\n\n  [host.\"https://registry-2.docker.io\"]\n    capabilities = [\"pull\", \"resolve\"]\n"), //nolint:lll
+					},
+				},
+			},
+			"some.host_123_": {
+				Files: []*containerd.HostsFile{
+					{
+						Name:     "hosts.toml",
+						Mode:     0o600,
+						Contents: []byte("server = \"https://some.host:123\"\n\n[host]\n\n  [host.\"https://some.host:123\"]\n"),
+					},
+				},
+			},
+		},
+	}, resultWithoutTLS)
 }