
[kots]: add firewall check for the pull registry #11111


Merged: 1 commit merged into main from sje/kots-firewall-check on Jul 5, 2022

Conversation

mrsimonemms

Description

Adds a simple check to ensure that a network connection can be made to the pull registry. The command curl https://eu.gcr.io/v2/ does actually (correctly) return an unauthorized error, as the check is that it can make an HTTP connection within the timeout. However, it still exits with code 0.

If it fails to connect within the timeout, it will exit with a non-zero error code.

In airgapped, it runs against the pull repository.

Related Issue(s)

Fixes #10244

How to test

Install in a non-airgapped and airgapped environment

Release Notes

[kots]: add firewall check for the pull registry

Documentation

Werft options:

  • /werft with-preview

@mrsimonemms mrsimonemms requested a review from a team July 4, 2022 11:06
@github-actions github-actions bot added the team: delivery Issue belongs to the self-hosted team label Jul 4, 2022
@mrsimonemms mrsimonemms force-pushed the sje/kots-firewall-check branch from 2397f19 to 1d1eac4 July 4, 2022 11:06

@corneliusludmann corneliusludmann left a comment


Implementation looks good. 👍 Looking forward to having this released! 🚀


The only concern of my always paranoid mind is whether the v2/ endpoint is actually reachable for all supported registries? Is this a common endpoint that is used in the image pull protocol? Or could it be that some registries do not answer properly on this path but only on the actual full image path?

The second, rather minor, question is whether we need to check the status code as well? Or set the -L flag to follow redirects? What about when the registry is behind a proxy? Could it happen that the proxy answers with an okayish status code (that lets curl run successfully) but the actual registry is still not reachable? Maybe in case of a redirect?

Don't know. Maybe I'm overthinking this.

/hold in case you want to test something after my comment. Otherwise, feel free to remove the hold label.

@mrsimonemms

My understanding based upon the API spec is that it's always on /v2. But, as we know from the AWS implementation, there's no guarantee that it's been implemented correctly just because it's in the spec.

For the second point, I don't think we need to follow the -L or check the status. In fact, if you run curl https://eu.gcr.io/v2/, you'll see that it actually returns a 401 error - the test is checking that something is terminating that call and not timing out.

The other way we could do this is to simply not test airgapped installations. The test is that they can access the pull registry - in an airgapped installation, they'd have had to connect to their pull registry to get the KOTS images anyway so maybe this test doesn't actually add anything to the party.

@mrsimonemms mrsimonemms force-pushed the sje/kots-firewall-check branch from 1d1eac4 to 019faf0 July 5, 2022 16:44
@mrsimonemms

@corneliusludmann I've amended the PR so that it doesn't test in an airgapped environment. I'll leave for you to remove the "hold" if/when you're ready

@roboquat roboquat merged commit 2946c9f into main Jul 5, 2022
@roboquat roboquat deleted the sje/kots-firewall-check branch July 5, 2022 17:14
Labels
release-note size/M team: delivery Issue belongs to the self-hosted team
Successfully merging this pull request may close these issues.

[Self-Hosted] Preflight check for to check for firewall settings
3 participants