fix(oci): honor --insecure-registry when up re-loads the model#13894
Open
ptrdom wants to merge 1 commit into
`docker compose -f oci://<insecure-registry>/... up` failed against a
plain-HTTP/loopback registry unless `--yes` was passed, even though the
initial project load succeeded.
`up` loads the project once via ToProject/LoadProject (which correctly
forwarded --insecure-registry), then runUp calls checksForRemoteStack.
Without --yes that path re-loads the model via ToModel to prompt for
interpolation variables, and ToModel builds its OCI loader through
ProjectOptions.remoteLoaders, which constructed an empty
`api.OCIOptions{}`. The re-load therefore dropped the insecure-registry
list, so the resolver spoke HTTPS to a plain-HTTP registry and failed
before the prompt was ever shown. (config/viz share this ToModel path
and hit the same failure.)
The root cause was two independent OCI-options construction sites that
drifted. Consolidate them into ProjectOptions.ociOptions() so every load
path pulls an OCI artifact with the same configuration.
Also expose ociRemoteLoader.InsecureRegistries() so the wiring can be
asserted in a unit test.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: Domantas Petrauskas <dom.petrauskas@gmail.com>
Problem
`docker compose -f oci://<insecure-registry>/... up` fails against a plain-HTTP/loopback registry unless
`--yes` is passed, even though the initial project load succeeds.
Root cause
`up` loads the project once via `ToProject` → `LoadProject`, which correctly forwards
`--insecure-registry`. `runUp` then calls `checksForRemoteStack`; without `--yes` that path re-loads the model via `ToModel` to prompt for interpolation variables.
`ToModel` builds its OCI loader through `ProjectOptions.remoteLoaders`, which constructed an empty
`api.OCIOptions{}` — dropping the insecure-registry list. The resolver then speaks HTTPS to a plain-HTTP registry and fails before the
prompt is even shown.
`oci.Get` always performs a network resolve (even with the artifact disk-cached), so the second load genuinely re-contacts the registry with the wrong config.
`config` and `viz` share the `ToModel` path and hit the same failure.
Note this is distinct from the Docker Desktop proxy loopback bypass (#13824): the
shared transport already handles proxy bypass for consuming; this PR fixes the
separate plain-HTTP flag being dropped on the re-load path.
Fix
The two OCI-options construction sites had drifted. Consolidate them into
`ProjectOptions.ociOptions()` so every path that pulls an OCI artifact uses the same configuration. Exposes
`ociRemoteLoader.InsecureRegistries()` to assert the wiring in a unit test.
Testing
`TestRemoteLoaders_PropagatesInsecureRegistries` — guards that `remoteLoaders` forwards `--insecure-registry` (fails on the pre-fix code, passes after).
`TestOCIOptions_PropagatesInsecureRegistries` — covers the shared helper.
🤖 Generated with Claude Code
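The drift described in this PR, modeled as an added Go example that is not part of the PR or of Compose's code: `OCIOptions`, `ProjectOptions` and `ociOptions` are simplified stand-ins for the names in the description, while `reloadDrifted`, `reloadShared`, `schemeFor`, `driftedPaths` and the registry hosts are hypothetical. It shows the re-load path falling back to HTTPS when it builds empty options, and a guard that flags any load path whose options differ from the shared helper.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
)

// Simplified stand-ins for the types named in the PR; not Compose's code.
type OCIOptions struct{ InsecureRegistries []string }
type ProjectOptions struct{ InsecureRegistries []string }

// ociOptions is the single construction site every load path should use.
func (o ProjectOptions) ociOptions() OCIOptions {
	return OCIOptions{InsecureRegistries: append([]string(nil), o.InsecureRegistries...)}
}

// Pre-fix re-load path (hypothetical model): a second site building empty options.
func reloadDrifted(ProjectOptions) OCIOptions { return OCIOptions{} }

// Post-fix re-load path (hypothetical model): delegates to the shared helper.
func reloadShared(o ProjectOptions) OCIOptions { return o.ociOptions() }

// schemeFor uses plain HTTP only for hosts explicitly listed; all others stay on HTTPS.
func schemeFor(host string, opts OCIOptions) string {
	for _, r := range opts.InsecureRegistries {
		if r == host {
			return "http"
		}
	}
	return "https"
}

// driftedPaths names every load path whose options differ from the shared helper.
func driftedPaths(o ProjectOptions, paths map[string]func(ProjectOptions) OCIOptions) []string {
	var bad []string
	for name, build := range paths {
		if !reflect.DeepEqual(build(o), o.ociOptions()) {
			bad = append(bad, name)
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	po := ProjectOptions{InsecureRegistries: []string{"localhost:5000"}} // constructed sample
	fmt.Println(schemeFor("localhost:5000", reloadDrifted(po)), schemeFor("localhost:5000", reloadShared(po)))
	fmt.Println(driftedPaths(po, map[string]func(ProjectOptions) OCIOptions{"initial": ProjectOptions.ociOptions, "reload": reloadDrifted}))
}
```

Registries not on the list stay on HTTPS in both models, so the shared helper restores the flag without widening where plain HTTP is allowed.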