Skip to content

[ADD] Support tls verify flag for compose#1399

Open
Chethan30 wants to merge 1 commit into
containers:mainfrom
Chethan30:feature/add-tls-verify-flag
Open

[ADD] Support tls verify flag for compose#1399
Chethan30 wants to merge 1 commit into
containers:mainfrom
Chethan30:feature/add-tls-verify-flag

Conversation

@Chethan30

@Chethan30 Chethan30 commented Feb 18, 2026

Copy link
Copy Markdown

Summary

Added support for disabling TLS verification when podman-compose runs podman pull, podman push, and podman build. This allows use behind VPNs or with self-signed/invalid registry certificates where podman would otherwise fail with x509 TLS errors.

Motivation

  • Problem: Under VPNs or with self-signed registry certs, podman pull (and push/build that contact registries) can fail with x509 certificate verification errors.
  • Podman already supports --tls-verify=false for podman pull, podman push, and podman login, but podman-compose did not expose this when invoking these commands internally.
  • Workaround today: Users can pass --podman-pull-args "--tls-verify=false" (and similarly for push/build), but that is hard to discover and easy to forget for commands like up that trigger pulls. This change provides a single, explicit option.

Changes

  • CLI: New global flag --tls-verify with values true or false (default true). When set to false, podman-compose passes --tls-verify=false to all registry-related podman subcommands.
  • Injection: In get_podman_args(cmd), when --tls-verify=false is in effect and cmd is pull, push, or build, the returned arguments include --tls-verify=false. This automatically covers:
    • pull: podman-compose pull and the pull phase in podman-compose up
    • push: podman-compose push
    • build: podman-compose build and the build phase in up (e.g. when using --pull=always)
  • Tests: New unit tests in tests/unit/test_get_podman_args_tls_verify.py for get_podman_args() with tls_verify true/false and for registry vs non-registry commands.
  • Backward compatibility: Default remains TLS verification on. Behavior is unchanged when the new flag is not used.

@Chethan30 Chethan30 force-pushed the feature/add-tls-verify-flag branch from fda5ec2 to 6136b7b Compare February 18, 2026 22:58
Comment thread podman_compose.py Outdated
"push",
"build",
):
xargs.insert(0, "--tls-verify=false")

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is possible to rewrite code to use only append. Inserting in the begining is unnecessarily complicated.

Comment thread podman_compose.py Outdated

@overload
def rec_subs(value: str, subs_dict: dict[str, Any]) -> str: ...

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unneeded changes.

Comment thread podman_compose.py Outdated
)
tls_verify_env = (
"false"
if os.environ.get("PODMAN_COMPOSE_TLS_VERIFY", "true").strip().lower() == "false"

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needs documentation

Comment thread podman_compose.py Outdated
"Use false for self-signed or corporate registries "
"(default: true, or PODMAN_COMPOSE_TLS_VERIFY env)"
),
metavar="true|false",

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems wrong

class TestGetPodmanArgsTlsVerify(unittest.TestCase):
def test_tls_verify_true_pull_push_build_no_flag(self) -> None:
compose = compose_with_tls_verify("true")
for cmd in ("pull", "push", "build"):

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

use parameterized.expand

for cmd in ("pull", "push", "build"):
xargs = compose.get_podman_args(cmd)
self.assertNotIn(
"--tls-verify=false",

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Brittle test, it should verify that there are no --tls-verify* flags. Similar problem with other tests.

def test_tls_verify_true_registry_commands_no_tls_flag(self, cmd: str) -> None:
compose = compose_with_tls_verify("true")
xargs = compose.get_podman_args(cmd)
tls_flags = _tls_verify_flags(xargs)

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

very verbose: this variable is not necessary, also assertEqual explanation is also not necessary

@p12tic p12tic left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tls-verify still needs documentation. Also look into git history and structure your commits like in other PRs.

Please read project requirements carefully because I don't have time to review PRs where I need to explicitly point out every little thing it misses. Such PRs will be ignored.

Signed-off-by: Chethan30 <chetan611611611@gmail.com>
@Chethan30 Chethan30 force-pushed the feature/add-tls-verify-flag branch from eb14eee to 19d9a83 Compare February 22, 2026 15:06
@Chethan30

Copy link
Copy Markdown
Author

tls-verify still needs documentation. Also look into git history and structure your commits like in other PRs.

Please read project requirements carefully because I don't have time to review PRs where I need to explicitly point out every little thing it misses. Such PRs will be ignored.

Apologies. It's my first open PR in a while. Some of our internal practices had followed through. I've made effort to fix the style and requirements. Please let me know if any changes.

Thank you for your time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants