Add ability to configure registry-specific proxy in registries.conf
#650
Conversation
mtrmac
left a comment
mtrmac
left a comment
There was a problem hiding this comment.
https://github.com/containers/container-libs/blob/main/CONTRIBUTING.md#sign-your-prs please, we can’t really even look at code with unclear copyright status.
Sorry about that. Was planning to do an interactive rebase when things are ready, so I didn't bother. Will fix tomorrow. |
cyqsimon
force-pushed
the
registries-proxy-config
branch
from
27a5643 to
f82f918
Compare
|
Packit jobs failed. @containers/packit-build please check. |
1 similar comment
|
Packit jobs failed. @containers/packit-build please check. |
Signed-off-by: cyqsimon <[email protected]>
Signed-off-by: cyqsimon <[email protected]>
cyqsimon
force-pushed
the
registries-proxy-config
branch
from
f82f918 to
bc60b07
Compare
|
Still missing a test in |
mtrmac
left a comment
mtrmac
left a comment
There was a problem hiding this comment.
Thanks!
I agree this makes sense to do for Podman accessed through the remote API, and the config file addition looks good.
|
|
||
| // ParseProxy parses the input string for a proxy configuration. | ||
| // Errors if a scheme is unsupported or unspecified, or if the input is not a valid URL. | ||
| func ParseProxy(input string) (*url.URL, error) { |
There was a problem hiding this comment.
After other changes, this can be package-private — we probably don’t want to commit to this as a public API.
|
|
||
| var hasSupportedScheme bool | ||
| for _, scheme := range []string{"http://", "https://", "socks5://", "socks5h://"} { | ||
| if strings.HasPrefix(input, scheme) { |
There was a problem hiding this comment.
It seems more accurate to first do the url.Parse and then consult the schema in the parsed output.
| return err | ||
| } | ||
|
|
||
| if _, err = ParseProxy(reg.Proxy); err != nil { |
There was a problem hiding this comment.
It is a bit wasteful to parse the value into a full URL, and discard it only to re-parse later.
Adding a ProxyURL *net.URL field with a toml:"-" annotation to Endpoint could avoid that.
| return err | ||
| } | ||
|
|
||
| if _, err = ParseProxy(reg.Proxy); err != nil { |
There was a problem hiding this comment.
Please keep the validation somewhat in field order; in particular, do not add this into the middle of the part that deals with Prefix/Location.
Also elsewhere.
| // Check if TLS verification shall be skipped (default=false) which can | ||
| // be specified in the sysregistriesv2 configuration. | ||
| skipVerify := false | ||
| // Fetch and load sysregistriesv2 configurations. |
There was a problem hiding this comment.
Please avoid comments that add nothing of value (compare WIP #636 )
| testProxyForRegistry(t, ctx, sys, "registry-1.com", "") | ||
| testProxyForRegistry(t, ctx, sys, "registry-2.com", "https://proxy-2.example.com") |
There was a problem hiding this comment.
Unit tests contacting random public URLs is rather undesirable.
One option would be to start a few httptest servers and differentiate them via URLs.
At the very least, there is RFC 2606.
| tlsClientConfig *tls.Config | ||
| // registryProxy is the proxy URL from the registry configuration, if any. | ||
| // It has the lowest priority and can be overridden by either DockerProxyURL or environment variables. | ||
| // When pulling, this value could be overwritten by a mirror-specific proxy. See docker_client_src.go. |
There was a problem hiding this comment.
When pulling, this value could be overwritten by a mirror-specific proxy. See docker_client_src.go.
That’s true but a knowledge this lower layer doesn’t really need to have, and the comment doesn’t really say how this is intended to work.
I rather prefer the form above, which explicitly lists newDockerClient/detectProperties and when the callers are allowed to edit the value.
|
|
||
| registries, err := GetRegistries(sys) | ||
| require.NoError(t, err) | ||
| require.Equal(t, 2, len(registries)) |
There was a problem hiding this comment.
(Non-blocking: I suspect right now all of this could be a single assert.Equal against a literal, instead of 10 individual checks. But add the *net.URL field first before trying that transformation.)
| } | ||
|
|
||
| // Helper function to test that the selected proxy for a registry matches expected. | ||
| func testProxyForRegistry(t *testing.T, ctx context.Context, sys *types.SystemContext, registry string, expectedProxy string) { |
There was a problem hiding this comment.
(Non-blocking: This can be inlined into the caller, using a table-driven test.)
| // connections will be allowed. | ||
| Insecure bool `toml:"insecure,omitempty"` | ||
| // The forwarding proxy to be used for accessing this endpoint. | ||
| Proxy string `toml:"proxy,omitempty"` |
There was a problem hiding this comment.
This will need documentation in image/docs/containers-registries.conf.5.md.
2 participants
Closes #624.
Checklist