diff --git a/pkg/image/options.go b/pkg/image/options.go
index 891cb9ac89..a30a7c2e4a 100644
--- a/pkg/image/options.go
+++ b/pkg/image/options.go
@@ -52,17 +52,15 @@ func GetOptions(ctx context.Context, imageName name.Reference, insecure bool, do
 options = append(options, remote.WithContext(ctx))
 transport := http.DefaultTransport.(*http.Transport).Clone()
+ transport.TLSClientConfig = &tls.Config{
+ MinVersion: tls.VersionTLS12,
+ InsecureSkipVerify: false,
+ }
 if insecure {
- // #nosec:G402 explicitly requested by user to use insecure registry
- transport.TLSClientConfig = &tls.Config{
- InsecureSkipVerify: true,
- }
- } else {
- transport.TLSClientConfig = &tls.Config{
- InsecureSkipVerify: false,
- MinVersion: tls.VersionTLS12,
- }
+ // #nosec:G402 insecure is explicitly requested by user, make sure to skip verification and reset empty defaults
+ transport.TLSClientConfig.InsecureSkipVerify = insecure
+ transport.TLSClientConfig.MinVersion = 0
 }
 // find a Docker config.json
diff --git a/test/utils/v1alpha1/webhook.go b/test/utils/v1alpha1/webhook.go
index 731a7133ed..8d5542a0bf 100644
--- a/test/utils/v1alpha1/webhook.go
+++ b/test/utils/v1alpha1/webhook.go
@@ -11,6 +11,7 @@ import (
 "time"
 "github.com/shipwright-io/build/pkg/webhook/conversion"
+ "github.com/shipwright-io/build/test/utils"
 "github.com/onsi/ginkgo/v2"
 "github.com/onsi/gomega"
@@ -51,20 +52,8 @@ func StartBuildWebhook() *http.Server {
 }
 }()
- client := &http.Client{
- Transport: &http.Transport{
- IdleConnTimeout: 5 * time.Second,
- ResponseHeaderTimeout: 5 * time.Second,
- // #nosec:G402 test code
- TLSClientConfig: &tls.Config{
- InsecureSkipVerify: true,
- },
- TLSHandshakeTimeout: 5 * time.Second,
- },
- }
-
- gomega.Eventually(func() int {
- r, err := client.Get("https://localhost:30443/health")
+ r, err := utils.TestClient().Get("https://localhost:30443/health")
 if err != nil {
 return 0
 }
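Review bot: In the `if insecure` branch of GetOptions, `transport.TLSClientConfig.MinVersion = 0` drops the explicit TLS 1.2 floor, although skipping certificate verification does not require relaxing the protocol version. A zero MinVersion leaves the minimum to the crypto/tls default of whichever Go toolchain builds the binary, so the effective floor is no longer stated in this file, and the comment's "reset empty defaults" does not say why that is wanted. Unless a registry is known to need an older protocol, remove that line so `MinVersion: tls.VersionTLS12` applies to both paths. Writing `transport.TLSClientConfig.InsecureSkipVerify = true` instead of `= insecure` would also keep the downgrade obvious to readers and to linters. GetOptions begins and ends outside the hunk.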
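Review bot: `utils.TestClient()` is now called inside the `gomega.Eventually` closure of StartBuildWebhook, so every poll builds a fresh `http.Client` and `http.Transport`, where the removed code created one client before the loop. Each transport keeps its own connection pool, so nothing is reused between polls and idle connections linger until `IdleConnTimeout` expires. Hoist the call with `client := utils.TestClient()` ahead of `gomega.Eventually` and keep `client.Get(...)` inside the closure. The same pattern recurs in the StopBuildWebhook hunk of this file and in the matching hunks of test/utils/v1beta1/webhook.go and test/utils/webhook.go. The closure body continues outside the hunk, so whether the response body is closed cannot be seen here.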
@@ -81,20 +70,8 @@ func StopBuildWebhook(webhookServer *http.Server) {
 err := webhookServer.Close()
 gomega.Expect(err).ToNot(gomega.HaveOccurred())
- client := &http.Client{
- Transport: &http.Transport{
- IdleConnTimeout: 5 * time.Second,
- ResponseHeaderTimeout: 5 * time.Second,
- // #nosec:G402 test code
- TLSClientConfig: &tls.Config{
- InsecureSkipVerify: true,
- },
- TLSHandshakeTimeout: 5 * time.Second,
- },
- }
-
- gomega.Eventually(func() int {
- r, err := client.Get("https://localhost:30443/health")
+ r, err := utils.TestClient().Get("https://localhost:30443/health")
 if err != nil {
 return 0
 }
diff --git a/test/utils/v1beta1/webhook.go b/test/utils/v1beta1/webhook.go
index 731a7133ed..8d5542a0bf 100644
--- a/test/utils/v1beta1/webhook.go
+++ b/test/utils/v1beta1/webhook.go
@@ -11,6 +11,7 @@ import (
 "time"
 "github.com/shipwright-io/build/pkg/webhook/conversion"
+ "github.com/shipwright-io/build/test/utils"
 "github.com/onsi/ginkgo/v2"
 "github.com/onsi/gomega"
@@ -51,20 +52,8 @@ func StartBuildWebhook() *http.Server {
 }
 }()
- client := &http.Client{
- Transport: &http.Transport{
- IdleConnTimeout: 5 * time.Second,
- ResponseHeaderTimeout: 5 * time.Second,
- // #nosec:G402 test code
- TLSClientConfig: &tls.Config{
- InsecureSkipVerify: true,
- },
- TLSHandshakeTimeout: 5 * time.Second,
- },
- }
-
- gomega.Eventually(func() int {
- r, err := client.Get("https://localhost:30443/health")
+ r, err := utils.TestClient().Get("https://localhost:30443/health")
 if err != nil {
 return 0
 }
@@ -81,20 +70,8 @@ func StopBuildWebhook(webhookServer *http.Server) {
 err := webhookServer.Close()
 gomega.Expect(err).ToNot(gomega.HaveOccurred())
- client := &http.Client{
- Transport: &http.Transport{
- IdleConnTimeout: 5 * time.Second,
- ResponseHeaderTimeout: 5 * time.Second,
- // #nosec:G402 test code
- TLSClientConfig: &tls.Config{
- InsecureSkipVerify: true,
- },
- TLSHandshakeTimeout: 5 * time.Second,
- },
- }
-
- gomega.Eventually(func() int {
- r, err := client.Get("https://localhost:30443/health")
+ r, err := utils.TestClient().Get("https://localhost:30443/health")
 if err != nil {
 return 0
 }
diff --git a/test/utils/webhook.go b/test/utils/webhook.go
index 731a7133ed..19f0d375ca 100644
--- a/test/utils/webhook.go
+++ b/test/utils/webhook.go
@@ -16,6 +16,24 @@ import (
 "github.com/onsi/gomega"
 )
+func TestClient() *http.Client {
+ transport := &http.Transport{
+ IdleConnTimeout: 5 * time.Second,
+ ResponseHeaderTimeout: 5 * time.Second,
+ TLSHandshakeTimeout: 5 * time.Second,
+ TLSClientConfig: &tls.Config{
+ MinVersion: tls.VersionTLS12,
+ },
+ }
+
+ // #nosec:G402 test code
+ transport.TLSClientConfig.InsecureSkipVerify = true
+
+ return &http.Client{
+ Transport: transport,
+ }
+}
+
 func StartBuildWebhook() *http.Server {
 mux := http.NewServeMux()
 mux.HandleFunc("/convert", conversion.CRDConvertHandler(context.Background()))
@@ -51,20 +69,8 @@ func StartBuildWebhook() *http.Server {
 }
 }()
- client := &http.Client{
- Transport: &http.Transport{
- IdleConnTimeout: 5 * time.Second,
- ResponseHeaderTimeout: 5 * time.Second,
- // #nosec:G402 test code
- TLSClientConfig: &tls.Config{
- InsecureSkipVerify: true,
- },
- TLSHandshakeTimeout: 5 * time.Second,
- },
- }
-
- gomega.Eventually(func() int {
- r, err := client.Get("https://localhost:30443/health")
+ r, err := TestClient().Get("https://localhost:30443/health")
 if err != nil {
 return 0
 }
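Review bot: The new exported `TestClient` in test/utils/webhook.go has no doc comment, yet it is the single place in this package that turns certificate verification off. Add one above the function, for example `// TestClient returns an HTTP client for the local test webhook; it skips TLS certificate verification and must only be used in tests.`, so the reason for the `#nosec:G402` suppression sits next to the helper that other packages now import. Every caller visible in this change targets `https://localhost:30443/health`, so trusting the test server's certificate through `RootCAs` might remove the need for the suppression, if that certificate is available to this package.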
@@ -81,20 +87,8 @@ func StopBuildWebhook(webhookServer *http.Server) {
 err := webhookServer.Close()
 gomega.Expect(err).ToNot(gomega.HaveOccurred())
- client := &http.Client{
- Transport: &http.Transport{
- IdleConnTimeout: 5 * time.Second,
- ResponseHeaderTimeout: 5 * time.Second,
- // #nosec:G402 test code
- TLSClientConfig: &tls.Config{
- InsecureSkipVerify: true,
- },
- TLSHandshakeTimeout: 5 * time.Second,
- },
- }
-
- gomega.Eventually(func() int {
- r, err := client.Get("https://localhost:30443/health")
+ r, err := TestClient().Get("https://localhost:30443/health")
 if err != nil {
 return 0
 }