From 05e3250043fad5cf80fe898e8aab6ef849b86ef5 Mon Sep 17 00:00:00 2001 From: Daisuke Taniwaki Date: Tue, 23 Oct 2018 06:33:41 +0900 Subject: [PATCH] Support insecure pull (#401) --- cmd/executor/cmd/root.go | 2 +- pkg/config/options.go | 2 +- pkg/executor/push.go | 2 +- pkg/util/image_util.go | 31 ++++++++++++++++++++++++++++--- pkg/util/image_util_test.go | 6 +++--- 5 files changed, 34 insertions(+), 9 deletions(-) diff --git a/cmd/executor/cmd/root.go b/cmd/executor/cmd/root.go index 55d256f289..eef088ade6 100644 --- a/cmd/executor/cmd/root.go +++ b/cmd/executor/cmd/root.go @@ -91,7 +91,7 @@ func addKanikoOptionsFlags(cmd *cobra.Command) { RootCmd.PersistentFlags().VarP(&opts.Destinations, "destination", "d", "Registry the final image should be pushed to. Set it repeatedly for multiple destinations.") RootCmd.PersistentFlags().StringVarP(&opts.SnapshotMode, "snapshotMode", "", "full", "Change the file attributes inspected during snapshotting") RootCmd.PersistentFlags().VarP(&opts.BuildArgs, "build-arg", "", "This flag allows you to pass in ARG values at build time. Set it repeatedly for multiple values.") - RootCmd.PersistentFlags().BoolVarP(&opts.InsecurePush, "insecure", "", false, "Push to insecure registry using plain HTTP") + RootCmd.PersistentFlags().BoolVarP(&opts.Insecure, "insecure", "", false, "Pull and push to insecure registry using plain HTTP") RootCmd.PersistentFlags().BoolVarP(&opts.SkipTLSVerify, "skip-tls-verify", "", false, "Push to insecure registry ignoring TLS verify") RootCmd.PersistentFlags().StringVarP(&opts.TarPath, "tarPath", "", "", "Path to save the image in as a tarball instead of pushing") RootCmd.PersistentFlags().BoolVarP(&opts.SingleSnapshot, "single-snapshot", "", false, "Take a single snapshot at the end of the build.") diff --git a/pkg/config/options.go b/pkg/config/options.go index fc15c1f213..7cf6c07d24 100644 --- a/pkg/config/options.go +++ b/pkg/config/options.go @@ -28,7 +28,7 @@ type KanikoOptions struct { CacheDir string Destinations multiArg BuildArgs multiArg - InsecurePush bool + Insecure bool SkipTLSVerify bool SingleSnapshot bool Reproducible bool diff --git a/pkg/executor/push.go b/pkg/executor/push.go index 6cfd39e9ed..dcf49a647f 100644 --- a/pkg/executor/push.go +++ b/pkg/executor/push.go @@ -71,7 +71,7 @@ func DoPush(image v1.Image, opts *config.KanikoOptions) error { // continue pushing unless an error occurs for _, destRef := range destRefs { - if opts.InsecurePush { + if opts.Insecure { newReg, err := name.NewInsecureRegistry(destRef.Repository.Registry.Name(), name.WeakValidation) if err != nil { return errors.Wrap(err, "getting new insecure registry") diff --git a/pkg/util/image_util.go b/pkg/util/image_util.go index 6eb41aa574..8c2c301415 100644 --- a/pkg/util/image_util.go +++ b/pkg/util/image_util.go @@ -17,6 +17,8 @@ limitations under the License. package util import ( + "crypto/tls" + "net/http" "path/filepath" "strconv" @@ -72,7 +74,7 @@ func RetrieveSourceImage(stage config.KanikoStage, buildArgs []string, opts *con } // Otherwise, initialize image as usual - return retrieveRemoteImage(currentBaseName) + return retrieveRemoteImage(currentBaseName, opts) } // RetrieveConfigFile returns the config file for an image @@ -93,18 +95,41 @@ func tarballImage(index int) (v1.Image, error) { return tarball.ImageFromPath(tarPath, nil) } -func remoteImage(image string) (v1.Image, error) { +func remoteImage(image string, opts *config.KanikoOptions) (v1.Image, error) { logrus.Infof("Downloading base image %s", image) ref, err := name.ParseReference(image, name.WeakValidation) if err != nil { return nil, err } + + if opts.Insecure { + newReg, err := name.NewInsecureRegistry(ref.Context().RegistryStr(), name.WeakValidation) + if err != nil { + return nil, err + } + if tag, ok := ref.(name.Tag); ok { + tag.Repository.Registry = newReg + ref = tag + } + if digest, ok := ref.(name.Digest); ok { + digest.Repository.Registry = newReg + ref = digest + } + } + + tr := http.DefaultTransport.(*http.Transport) + if opts.SkipTLSVerify { + tr.TLSClientConfig = &tls.Config{ + InsecureSkipVerify: true, + } + } + k8sc, err := k8schain.NewNoClient() if err != nil { return nil, err } kc := authn.NewMultiKeychain(authn.DefaultKeychain, k8sc) - return remote.Image(ref, remote.WithAuthFromKeychain(kc)) + return remote.Image(ref, remote.WithTransport(tr), remote.WithAuthFromKeychain(kc)) } func cachedImage(opts *config.KanikoOptions, image string) (v1.Image, error) { diff --git a/pkg/util/image_util_test.go b/pkg/util/image_util_test.go index 44897fe728..272e9e284e 100644 --- a/pkg/util/image_util_test.go +++ b/pkg/util/image_util_test.go @@ -32,11 +32,11 @@ var ( dockerfile = ` FROM gcr.io/distroless/base:latest as base COPY . . - + FROM scratch as second ENV foopath context/foo COPY --from=0 $foopath context/b* /foo/ - + FROM base ARG file COPY --from=second /foo $file` @@ -51,7 +51,7 @@ func Test_StandardImage(t *testing.T) { defer func() { retrieveRemoteImage = original }() - mock := func(image string) (v1.Image, error) { + mock := func(image string, opts *config.KanikoOptions) (v1.Image, error) { return nil, nil } retrieveRemoteImage = mock