Skip to content

feat(oci-client): use plain HTTP for loopback registries#807

Open
jtsylve wants to merge 1 commit into
blue-build:mainfrom
jtsylve:oci-client-localhost-http
Open

feat(oci-client): use plain HTTP for loopback registries#807
jtsylve wants to merge 1 commit into
blue-build:mainfrom
jtsylve:oci-client-localhost-http

Conversation

@jtsylve

@jtsylve jtsylve commented Jun 30, 2026

Copy link
Copy Markdown

OciClientDriver::get_metadata builds its oci-client with ClientConfig::default(), whose protocol is HTTPS. The CLI also links reqwest with rustls-tls (webpki roots) and hardcodes accept_invalid_certificates: false, so a self-signed TLS registry is not trusted either. The result: bluebuild build cannot inspect an image on a plain-HTTP local registry — the post-push manifest fetch fails with a connect error against https://localhost:5000/....

Change

Treat loopback registries (localhost, 127.0.0.0/8, ::1 — any port) as plain HTTP, exactly as cosign, containerd, and docker already do. Everything else stays HTTPS, so there is no behavior change for real registries and no new configuration to set.

Notes

  • Loopback detection is factored into an is_loopback_registry helper that handles an optional :port suffix and bracketed IPv6 literals, with unit tests covering loopback (incl. 127.0.0.0/8, ::1, [::1]:5000) and remote (incl. 2001:db8::1, localhost.example.com) cases.
  • oci-client has no auto-negotiating protocol (only Http / Https / HttpsExcept). The client is built per-registry and only ever contacts the already-confirmed-loopback registry, so ClientProtocol::Http is used directly.
  • cargo fmt --check, cargo clippy, and the new unit tests pass.

`OciClientDriver::get_metadata` builds its oci-client with
`ClientConfig::default()`, whose protocol is HTTPS. The CLI also links
reqwest with `rustls-tls` (webpki roots) and hardcodes
`accept_invalid_certificates: false`, so a self-signed TLS registry is not
trusted either. The result: `bluebuild build` cannot inspect an image on a
plain-HTTP local registry — the post-push manifest fetch fails with a connect
error against `https://localhost:5000/...`.

Treat loopback registries (localhost, 127.0.0.0/8, ::1 — any port) as plain
HTTP, exactly as cosign, containerd, and docker already do. Everything else
stays HTTPS, so there is no behavior change for real registries and no new
configuration to set.

The loopback-host detection is factored into a `is_loopback_registry` helper
(handling optional ports and bracketed IPv6 literals) with unit tests.

Signed-off-by: Joe Sylve <joe.sylve@gmail.com>
@jtsylve jtsylve requested a review from gmpinder as a code owner June 30, 2026 17:54
mod test {
use super::is_loopback_registry;

#[test]

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Try making use of rstest instead

https://crates.io/crates/rstest

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants