Use InsecureSkipVerify only with https upstreams

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2024-12-16 21:56:37 -05:00 · 2022-01-27 14:45:46 +02:00 · 2022-01-27 14:45:46 +02:00 · b9250a783a
commit b9250a783a
parent e0a1a82890
2 changed files with 24 additions and 2 deletions
--- a/pkg/extensions/sync/sync_internal_test.go
+++ b/pkg/extensions/sync/sync_internal_test.go
@ -143,13 +143,17 @@ func TestSyncInternal(t *testing.T) {

 		var tlsVerify bool
 		updateDuration := time.Microsecond
+		port := GetFreePort()
+		baseURL := GetBaseURL(port)
+		baseSecureURL := GetSecureBaseURL(port)
+
 		syncRegistryConfig := RegistryConfig{
 			Content: []Content{
 				{
 					Prefix: testImage,
 				},
 			},
-			URL:          BaseURL,
+			URL:          baseURL,
 			PollInterval: updateDuration,
 			TLSVerify:    &tlsVerify,
 			CertDir:      badCertsDir,
@ -158,6 +162,17 @@ func TestSyncInternal(t *testing.T) {
 		_, err = getHTTPClient(&syncRegistryConfig, Credentials{}, log.NewLogger("debug", ""))
 		So(err, ShouldNotBeNil)
 		syncRegistryConfig.CertDir = "/path/to/invalid/cert"
+
+		_, err = getHTTPClient(&syncRegistryConfig, Credentials{}, log.NewLogger("debug", ""))
+		So(err, ShouldNotBeNil)
+
+		syncRegistryConfig.CertDir = ""
+		syncRegistryConfig.URL = baseSecureURL
+
+		_, err = getHTTPClient(&syncRegistryConfig, Credentials{}, log.NewLogger("debug", ""))
+		So(err, ShouldBeNil)
+
+		syncRegistryConfig.URL = BaseURL
 		_, err = getHTTPClient(&syncRegistryConfig, Credentials{}, log.NewLogger("debug", ""))
 		So(err, ShouldNotBeNil)
 	})
--- a/pkg/extensions/sync/utils.go
+++ b/pkg/extensions/sync/utils.go
@ -104,6 +104,13 @@ func getFileCredentials(filepath string) (CredentialsFile, error) {
 func getHTTPClient(regCfg *RegistryConfig, credentials Credentials, log log.Logger) (*resty.Client, error) {
 	client := resty.New()

+	registryURL, err := url.Parse(regCfg.URL)
+	if err != nil {
+		log.Error().Err(err).Str("url", regCfg.URL).Msg("couldn't parse url")
+
+		return nil, err
+	}
+
 	if regCfg.CertDir != "" {
 		log.Debug().Msgf("sync: using certs directory: %s", regCfg.CertDir)
 		clientCert := path.Join(regCfg.CertDir, "client.cert")
@ -133,7 +140,7 @@ func getHTTPClient(regCfg *RegistryConfig, credentials Credentials, log log.Logg
 	}

 	// nolint: gosec
-	if regCfg.TLSVerify != nil && !*regCfg.TLSVerify {
+	if regCfg.TLSVerify != nil && !*regCfg.TLSVerify && registryURL.Scheme == "https" {
 		client.SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true})
 	}