REG-1639: Allow unencrypted calls to fetch graph artifacts#8919
REG-1639: Allow unencrypted calls to fetch graph artifacts#8919
Conversation
✅ Docs preview readyThe preview is ready to be viewed. View the preview File Changes 0 new, 1 changed, 0 removedBuild ID: 5c15e910ffcbe1a7bd819124 URL: https://www.apollographql.com/docs/deploy-preview/5c15e910ffcbe1a7bd819124
|
This comment has been minimized.
This comment has been minimized.
carodewig
left a comment
carodewig
left a comment
There was a problem hiding this comment.
Just a few comments/nits, overall LGTM
| /// an IPv6 address like "[::1]:port", using `url::Url` for robust parsing. | ||
| /// IPv6 addresses are returned without brackets (e.g. "::1" not "[::1]"). | ||
| fn extract_host(registry: &str) -> Option<String> { | ||
| Url::parse(&format!("dummy://{registry}")) |
There was a problem hiding this comment.
Are there any cases where the URL will come in with a scheme, so this will 'double up' on schemes and cause parsing to fail?
There was a problem hiding this comment.
The user could type whatever they want, but the graph artifacts URLs they use elsewhere will not include scheme, and the documentation does not show scheme, so I think it will feel natural to the user this way. Making it a little more robust is simple though, so I'll go ahead and touch it up.
| async fn infer_oci_protocol(registry: &str) -> ClientProtocol { | ||
| let host = registry.split(":").next().expect("host must be provided"); | ||
| if host == "localhost" || host == "127.0.0.1" || host == "dockerhost" { | ||
| let hosts = unsecure_hosts(); |
There was a problem hiding this comment.
I don't know this area of the code well - is this something that will be called repeatedly, or just on router initiation? If it's called repeatedly, it's probably worth putting the env value into a OnceLock or LazyLock (or similar) so that it only gets instantiated once
There was a problem hiding this comment.
It gets called repeatedly, but it doesn't need to since the reference cannot change. I'll move the whole inference to startup instead of on the network call.
Co-authored-by: Caroline Rodewig <16093297+carodewig@users.noreply.github.com>
carodewig
left a comment
carodewig
left a comment
There was a problem hiding this comment.
One last comment RE the test strategy!
| async fn test_infer_oci_protocol_localhost() { | ||
| let result = infer_oci_protocol("localhost").await; | ||
| assert_eq!(result, ClientProtocol::Http); | ||
| #[test] |
There was a problem hiding this comment.
Nit: since you're changing all these tests, it might be worth converting them to use rstest - IMO it's easier to see what is covered and what's not when tests are specified as cases.
Examples:
#[rstest::rstest]
#[case::external_registry("registry.apollographql.com/my-graph:latest")]
#[case::docker_io("docker.io/library/alpine:latest")]
// etc
fn url_should_use_ssl(#[case] url: &str) {
assert!(should_use_ssl(url));
}
#[rstest::rstest]
#[case::localhost("localhost:5000/test-graph:latest")]
#[case::127_0_0_1("127.0.0.1:5000/test-graph:latest")]
// etc
fn url_should_not_use_ssl(#[case] url: &str) {
assert!(!should_use_ssl(url));
}
#[rstest::rstest]
#[case::ipv4("127.0.0.1", "127.0.0.1")]
#[case::ipv4("127.0.0.1:5000", "127.0.0.1")]
// etc
fn test_extract_host(#[case] url: &str, #[case] expected_host: &str) {
assert_eq!(extract_host(url).as_deref(), Some(expected_host))
}
mabuyo
left a comment
mabuyo
left a comment
There was a problem hiding this comment.
Had a few wording changes and also added line breaks in the table entry for easier readability. We have an open ticket to fix the newlines not showing up in a table like this but in the meantime, wanted to make sure this was easier to read!
The code snippet could use some work to be better visible but that's on the docs platform side. Logging a ticket for us to look into reformatting this in a separate PR (maybe a table is not the best format anymore as it grows).
Thank you; docs approved!
Co-authored-by: Caroline Rodewig <16093297+carodewig@users.noreply.github.com> Co-authored-by: Michelle Mabuyo <michelle@apollographql.com>
Co-authored-by: Caroline Rodewig <16093297+carodewig@users.noreply.github.com> Co-authored-by: Michelle Mabuyo <michelle@apollographql.com>
Co-authored-by: Caroline Rodewig <16093297+carodewig@users.noreply.github.com> Co-authored-by: Michelle Mabuyo <michelle@apollographql.com>
3 participants
REG-1639
When running a registry in a protected network, such as inside a Kubernetes cluster, users may want to avoid the overhead of setting up and distributing SSL certificates. This PR allows them to allowlist specific URLs so the router will fetch from those internal repositories over HTTP (while a misconfiguration to an external repo will still demand HTTPS).
Slack convo that started this
Checklist
Complete the checklist (and note appropriate exceptions) before the PR is marked ready-for-review.
Exceptions
Note any exceptions here
Notes
Footnotes
It may be appropriate to bring upcoming changes to the attention of other (impacted) groups. Please endeavour to do this before seeking PR approval. The mechanism for doing this will vary considerably, so use your judgement as to how and when to do this. ↩
Configuration is an important part of many changes. Where applicable please try to document configuration examples. ↩
A lot of (if not most) features benefit from built-in observability and
debug-level logs. Please read this guidance on metrics best-practices. ↩Tick whichever testing boxes are applicable. If you are adding Manual Tests, please document the manual testing (extensively) in the Exceptions. ↩