ggcr: library's crane.Pull behavior with crane.Insecure option does not match the CLI's --insecure flag behavior

[komish]

Describe the bug

The crane.Pull behavior appears to be inconsistent with the CLI when attempting to reach either a registry using HTTP, or a registry that uses HTTPS but with a self-signed certificate.

The crane CLI accepts the --insecure flag which seems to support either case transparently. To accomplish this with the library, you'd have to pass both the crane.Insecure[1] option and crane.WithTransport[2] to get the same behavior as observed in the crane CLI's code.

[1] https://github.com/google/go-containerregistry/blob/main/cmd/crane/cmd/root.go#L59
[2] https://github.com/google/go-containerregistry/blob/main/cmd/crane/cmd/root.go#L75-L78

To Reproduce

I just used caddy to throw up a quick reverse-proxy with "internal" certs, and modified my host file to point the --from domain to my own machine. Then targeted existing images from the origin registry.

caddy reverse-proxy --to https://quay.io --internal-certs --from https://registry.example.com:8443

A code snippet like the following works as I expect.

        // copied from crane's CLI
	rt := remote.DefaultTransport.(*http.Transport).Clone()
	rt.TLSClientConfig = &tls.Config{
		InsecureSkipVerify: true, //nolint: gosec
	}

	img, err := crane.Pull("registry.example.com:8443/fedora/fedora:38", crane.Insecure, crane.WithTransport(rt))
	if err != nil {
		panic(err)
	}
	fmt.Println(img.Layers())

If you pull out the Transport definition, it throws an error that I believe indicated that the client sent an HTTP request to an HTTPS server.

Expected behavior

I expected the Insecure flag to crane to behave like the CLI, in that the self-signed certificate is ignored when pulling the image, and the image downloads as expected. To that end, I would imagine that passing crane.Insecure would also set the crane.WithTransport option similar to how the CLI does it, or that the Pull logic would handle the transport definition internally using the insecure option's value as an input (if no transport option was passed in).

With the same reverse-proxy setup described above, you should be able to crane pull --insecure registry.example.com:8443/fedora/fedora:38 fedora38.tgz and have it succeed.

Additional context

I noticed that there's a Scheme handler https://github.com/google/go-containerregistry/blob/main/pkg/name/registry.go#L75 - Just looking at that, I'm actually unsure exactly what scheme is being used in cases where both crane.Insecure and crane.WithTransport are passed. I'm not sure if I'm missing something, or this particular block that derives the scheme is out of scope, but it seemed odd that a case where both options were passed seems to behave correctly. I would have thought for sure that we'd still be getting http given what I'm seeing there.

• Version of the module: v0.13.0
• Registry used (e.g., GCR, ECR, Quay): n/a

[jonjohnsonjr]

I expected the Insecure flag to crane to behave like the CLI, in that the self-signed certificate is ignored when pulling the image, and the image downloads as expected. To that end, I would imagine that passing crane.Insecure would also set the crane.WithTransport option similar to how the CLI does it, or that the Pull logic would handle the transport definition internally using the insecure option's value as an input (if no transport option was passed in).

Agree this is surprising, but it's not entirely clear what the best behavior would be here without potentially breaking existing stuff. I would guess we overloaded the --insecure flag because I dislike the aesthetics of having a bunch of flags to control different security properties of crane.

We (foolishly, probably) associated the scheme selection with the name package and options because determining the hostname is also there, and the scheme depends on both a heuristic for allowing "local" hostnames to be insecure or via the explicit "Insecure" option.

This gets projected up to crane options in an annoying way, but ignoring that...

In cases where you pass both crane.Insecure and crane.WithTransport, we don't actually have a way to wire in the InsecureSkipVerify option, unless the given http.RoundTripper happens to be an *http.Transport. I suppose in that case, we could attempt to modify it, but that seems rather confusing as well.

Another option would be to give crane options a default transport (cloned from remote.DefaultTransport) and have crane.Insecure modify that, but with crane.WithTransport overriding the default transport if passed.

Another option would be to just document this behavior, and probably better document how to get crane to respect custom certs instead of just ignoring them.

I'm not sure if I'm missing something, or this particular block that derives the scheme is out of scope, but it seemed odd that a case where both options were passed seems to behave correctly. I would have thought for sure that we'd still be getting http given what I'm seeing there.

You get both because name.Insecure just allows http as a fallback. This was to work around cases where people were using https with localhost, which our dumb heuristic broke. I recently updated this behavior a little bit to race both http and https so that we don't end up just waiting for https to timeout before trying http, but if your server responds to both and you want http, you'll probably be unhappy with the current behavior.

[komish]

I would guess we overloaded the --insecure flag because I dislike the aesthetics of having a bunch of flags to control different security properties of crane.

100% agree.

In cases where you pass both crane.Insecure and crane.WithTransport, we don't actually have a way to wire in the InsecureSkipVerify option, unless the given http.RoundTripper happens to be an *http.Transport. I suppose in that case, we could attempt to modify it, but that seems rather confusing as well.

This seems a bit messy. And I feel like the user providing the http.RoundTripper is a signal that they want that to be exactly as they provided it.

Another option would be to give crane options a default transport (cloned from remote.DefaultTransport) and have crane.Insecure modify that, but with crane.WithTransport overriding the default transport if passed.

This feels the best to me. At first glance, it seems backwards compatible - if you were providing an http.RoundTripper already, nothing changes. If you weren't, then you get the behavior that's aligned with the the CLI.

But, depending on how you would want this implemented, it feels like it could add a bit of back-and-forth to the snippets that handle options. I'm guessing we'd have to track if the insecure flag was passed, but no transport was provided by the user, causing the default to be added in. Maybe there are other ways to handle it.

I'm happy to take a stab at a fix. Just let me know how you'd like to move forward.

[jonjohnsonjr]

I'm happy to take a stab at a fix. Just let me know how you'd like to move forward.

That would be great. Without thinking too much about it, I would probably start with exposing a Transport http.RoundTripper in crane.Options to hold the current transport value (because why not), and modify crane.WithTransport to do something similar to crane.WithAuthFromKeychain where crane.Options.Remote[1] always holds a remote.WithTransport option.

If we add a private defaultTransport *http.Transport in crane.Options that we create in makeOptions, we can have crane.Insecure mutate that, which should only have an affect if it's not overridden by crane.WithTransport.

One major downside to that approach is that we might be creating a transport that gets thrown away, so I think I just convinced myself your approach is cleaner :)

[komish]

@jonjohnsonjr Just so I'm clear, did you want me to follow the example of crane.WithAuthFromKeychain, or did you want me to internally track whether a transport was provided within crane.Options and only add the default transport if crane.Insecure was set and crane.WithTransport was not set?

I have them both, I'm just trying to decide which to submit. Working through the presubmit scripts mentioned in CONTRIBUTING.md now. I'm just second-guessing myself here because of the following blurb:

One major downside to that approach is that we might be creating a transport that gets thrown away, so I think I just convinced myself your approach is cleaner :)

[jonjohnsonjr]

Sorry I should have cleaned up my internal thought process rather than just hitting Comment.

Let's start with tracking everything internally and exposing as little as possible, with a nice big comment explaining that crane.Insecure affects both things and crane.WithTransport will partially override it.