possible information leak due to setting docker registry insecure by default

Hi,

during testing of openstack "train" release (but this applies to "master" as well, I checked) we realized the following, which applies afaik to latest docker, kolla and kolla-ansible versions:

if you configure a custom docker-registry via variable "docker_registry" in ansible/group_vars/all.yml (line 112 on current master branch)

then, the following logic is applied in line 115:

docker_registry_insecure: "{{ 'yes' if docker_registry else 'no' }}"

which translates into the service being deployed with the insecure registry flag being enabled:

https://review.opendev.org/c/openstack/kolla-ansible/+/575023/5/ansible/roles/baremetal/templates/docker_systemd_service.j2

so, per default, if you provide your own registry, kolla-ansible deploys all docker daemons with the insecure option "insecure-registries", which is defined as follows:

> With insecure registries enabled, Docker goes through the following steps:

> First, try using HTTPS.
> If HTTPS is available but the certificate is invalid, ignore the error about the certificate.
> If HTTPS is not available, fall back to HTTP.

Source: https://docs.docker.com/registry/insecure/#deploy-a-plain-http-registry

So, if, for some reason, HTTPS fails, docker will connect via plaintext protocol HTTP to the registry.
I did not check since which version docker introduced this behaviour, but I assume it's there for a long time.

Notice also, how docker discourages this option, even if you use self signed certs.

This might leak confidential information, for example, if you configure your registry (let's say gitlab) to redirect to an S3 Bucket, there are plaintext jwt authentication tokens contained in the URL which will be transfered via HTTP plaintext.

so this could leak confidental access to a registry/images, or in the worst case, to complete S3 Buckets, or other storage backends, which might contain other sensitive data.

This was introduced, it seems in: https://review.opendev.org/c/openstack/kolla-ansible/+/575023

Notice the description says "Option for enable SSL verification on docker registry"

but this is not really true.

to default to a secure state, this option should IMHO not be set as a default!

the default should be, to not set "insecure-registries".

You need to deploy a valid SSL Cert to your registry, which gets checked by docker (the cert chain must be in the local truststore, of course).

if you did this, there is no need for additional configuration like the above flag!

the above flag should imho only be used in test setup or on dev workstations (and even there maybe not, depending on your threat model!), when you can't provide a valid TLS Cert Chain.

it's way to easy to end up with an unencrypted, insecure channel, which transmits cleartext data over the internet.

luckily in our test setup we had additional security guards enabled, which prevented an information leak.

if you have any questions or feedback, please don't hesitate to contact me.

kind regards

Sven Kieske