
allow downloading insecure, (Fetch via HTTP if HTTPS is unavailable) #6692

Open
torsten-liermann opened this issue Feb 19, 2020 · 15 comments
Labels
area/networking networking issues help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. priority/backlog Higher priority than priority/awaiting-more-evidence.

Comments

@torsten-liermann

torsten-liermann commented Feb 19, 2020

Hi,

minikube start should support insecure download of kubectl & co because of a horrible corporate LAN infrastructure. Is this possible?

Thanks!

Log output of minikube start

Downloading kubeadm v1.17.2
W0220 14:24:53.574297   13590 exit.go:101] Failed to update cluster: downloading binaries: downloading kubeadm: Error downloading kubeadm v1.17.2: failed to download: failed to download to temp file: download failed: 5 error(s) occurred:

Temporary download error: Get https://storage.googleapis.com/kubernetes-release/release/v1.17.2/bin/linux/amd64/kubeadm: x509: certificate signed by unknown authority
@medyagh medyagh added kind/feature Categorizes issue or PR as related to a new feature. priority/backlog Higher priority than priority/awaiting-more-evidence. labels Feb 23, 2020
@medyagh
Member

medyagh commented Feb 23, 2020

I would be happy to review a pr that will solve this problem with --force flag

@afbjorklund
Collaborator

afbjorklund commented Feb 23, 2020

I would be happy to review a pr that will solve this problem with --force flag

Wouldn't it be better for the user to set up a local https proxy or something?

@torsten-liermann : x509: certificate signed by unknown authority

This usually means that the corporate firewall is inspecting all https traffic and resigning it.
So in order to restore internet access, you will need to install a suitable root certificate...

@torsten-liermann
Author

@afbjorklund
You describe the firewall function correctly. I do not know how to install the self-signed certificate of the proxy on the restricted Windows 10 desktop so that the minikube downloads work.
It is not possible to install third-party TCP / IP-based services on this system. An unreasonable situation for a developer, but that's another topic.

@afbjorklund
Collaborator

Seems mean to provide (half) a laptop, only to give it crippled internet access...

Anyway, I don't know if there is a non-https mirror of the kubernetes files or not.
For now we only have a mirror in China, which has similar issues like you have.

We are also working with "batteries-included" distributions, that could be used ?

@torsten-liermann
Author

This is how organizations think that have not yet understood the importance of software development, even though they want to deliver good software. I am only a guest there.

I pulled the minikube software and the kubernetes software from the Internet via curl --insecure and copied them to where minikube expected them. In my experiment, the docker daemon works exclusively with insecure registries. I even have to run a DNS service in a VM in order to be able to resolve Internet addresses on the desktop -- strangely, some programs need this.

I think --force could be a solution for me and my colleagues -- "batteries-included" unfortunately says nothing to me.

@afbjorklund
Collaborator

"batteries-included" unfortunately says nothing to me.

Basically you would do one big download, where everything needed would be included.

The term itself is from python (or toys): https://en.wikipedia.org/wiki/Batteries_Included

@afbjorklund
Collaborator

afbjorklund commented Feb 23, 2020

I think --force could be a solution for me and my colleagues

Probably --insecure (like curl) is more descriptive, since it is more about ignoring certificates than overwriting or replacing or whatever the other commands that have force flags are doing.

However, I think we need to add such an option to the download library that we are using. Even if it is using go classes to do the download, it doesn't seem like skipping certs is a provided option.

https://godoc.org/github.com/hashicorp/go-getter#HttpGetter

https://golang.org/pkg/crypto/tls/

    // InsecureSkipVerify controls whether a client verifies the
    // server's certificate chain and host name.
    // If InsecureSkipVerify is true, TLS accepts any certificate
    // presented by the server and any host name in that certificate.
    // In this mode, TLS is susceptible to man-in-the-middle attacks.
    // This should be used only for testing.
    InsecureSkipVerify bool

Since you indeed have a corporate "man-in-the-middle", I'm not sure it is an "attack"?

@afbjorklund afbjorklund added the area/networking networking issues label Feb 23, 2020
@torsten-liermann
Author

This will probably not be permitted under labor law, but I am only a guest and do not use this system for private matters.

At the moment I would limit the insecure to development and testing.

A clean solution must be found for the build and operation of the productive system. It will be a long time before that and leading people will see more clearly.

@afbjorklund
Collaborator

We would need to add this to the DefaultTransport of the DefaultClient.

https://github.com/hashicorp/go-getter

https://github.com/hashicorp/go-cleanhttp

Currently there are no options to set this, only the Netrc is being used:

	httpGetter := &HttpGetter{
		Netrc: true,
	}
	// Netrc, if true, will lookup and use auth information found
	// in the user's netrc file if available.
	Netrc bool

	// Client is the http.Client to use for Get requests.
	// This defaults to a cleanhttp.DefaultClient if left unset.
	Client *http.Client

It is the Transport that has the TLSClientConfig mentioned above.

https://golang.org/pkg/net/http/#Transport

https://golang.org/pkg/crypto/tls/#Config


Still, it would be much better if your IT department provided you with the root cert or a proxy?
As you mentioned above, there are a lot of other things that expect to be able to use https...

Alternatively, you could do your development and testing somewhere where internet is allowed.
The certificates are part of the transport, by not providing it you are basically cutting off access.

@torsten-liermann
Author

torsten-liermann commented Feb 23, 2020

Many thanks for your help!

I have been doing software development for over 35 years and have many ideas for solutions. But with this customer I am in a situation where I have to spin gold out of straw, but there is no straw and the spinning wheel does not turn. I am glad that I was able to activate Hyper-V.

So far I am not a golang programmer, otherwise I would already have a PR, maybe in a month.

@tstromberg
Contributor

We recently added multiple fallback URLs to download.ISO() in pkg/minikube/download/iso.go

If someone wants to implement this, I recommend adding a similar for loop over URLs with https:// and http://. You'll want to do it across these functions:

  • download.ISO()
  • download.Driver()
  • download.Binary()
  • download.Preload()
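The fallback loop suggested above, written out as an added example rather than minikube's own code; Fetcher and FetchWithFallback are hypothetical names, and the fetch step is injected so the loop runs offline. The SHA-256 comparison is an added caveat that the issue does not discuss: a body that arrived over plain http:// is only safe to use when it matches a digest obtained over a trusted channel.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Fetcher downloads one URL. In minikube this would be the existing download
// path; here it is injected so the loop can be exercised without a network.
type Fetcher func(url string) ([]byte, error)

// FetchWithFallback walks candidate URLs in order, https:// first and the
// http:// mirror last, and returns the first body whose SHA-256 equals
// wantHex. Without the digest check a plain-HTTP fallback would let anyone
// on the network path substitute the downloaded binary.
func FetchWithFallback(get Fetcher, urls []string, wantHex string) ([]byte, error) {
	var failures []string
	for _, u := range urls {
		body, err := get(u)
		if err != nil {
			failures = append(failures, fmt.Sprintf("%s: %v", u, err))
			continue
		}
		sum := sha256.Sum256(body)
		if got := hex.EncodeToString(sum[:]); got != wantHex {
			failures = append(failures, fmt.Sprintf("%s: sha256 %s, want %s", u, got, wantHex))
			continue
		}
		return body, nil
	}
	return nil, fmt.Errorf("all %d candidates failed: %v", len(urls), failures)
}
```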

@tstromberg tstromberg added the help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. label Mar 19, 2020
@tstromberg tstromberg changed the title Please support insecure download Fallback to fetching dependencies via http:// if https:// is unavailable Mar 19, 2020
@tstromberg tstromberg changed the title Fallback to fetching dependencies via http:// if https:// is unavailable Fetch via HTTP if HTTPS is unavailable Mar 19, 2020
@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 17, 2020
@fejta-bot

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jul 17, 2020
@sharifelgamal
Collaborator

This is still an outstanding issue.

/lifecycle frozen

@k8s-ci-robot k8s-ci-robot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. labels Jul 22, 2020
@medyagh medyagh changed the title Fetch via HTTP if HTTPS is unavailable allow downloading insecure, (Fetch via HTTP if HTTPS is unavailable) Feb 18, 2021
@medyagh
Member

medyagh commented Feb 18, 2021

I would accept a PR that allows this as a --force option
