buildctl: Add insecure config for registry-auth-tlscontext flag

Signed-off-by: x893675 <[email protected]>
moby · Nov 16, 2023 · 0b791f5 · 0b791f5
1 parent 5ae9b23
commit 0b791f5
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 7 deletions.
diff --git a/cmd/buildctl/build.go b/cmd/buildctl/build.go
@@ -107,7 +107,7 @@ var buildCommand = cli.Command{
 		},
 		cli.StringSliceFlag{
 			Name:  "registry-auth-tlscontext",
-			Usage: "Overwrite TLS configuration when authenticating with registries, e.g. --registry-auth-tlscontext host=https://myserver:2376,ca=/path/to/my/ca.crt,cert=/path/to/my/cert.crt,key=/path/to/my/key.crt",
+			Usage: "Overwrite TLS configuration when authenticating with registries, e.g. --registry-auth-tlscontext host=https://myserver:2376,insecure=false,ca=/path/to/my/ca.crt,cert=/path/to/my/cert.crt,key=/path/to/my/key.crt",
 		},
 	},
 }

diff --git a/cmd/buildctl/build/registryauthtlscontext.go b/cmd/buildctl/build/registryauthtlscontext.go
@@ -2,17 +2,19 @@ package build
 
 import (
 	"encoding/csv"
+	"strconv"
 	"strings"
 
 	"github.com/moby/buildkit/session/auth/authprovider"
 	"github.com/pkg/errors"
 )
 
 type authTLSContextEntry struct {
-	Host string
-	CA   string
-	Cert string
-	Key  string
+	Host     string
+	CA       string
+	Cert     string
+	Key      string
+	Insecure bool
 }
 
 func parseRegistryAuthTLSContextCSV(s string) (authTLSContextEntry, error) {
@@ -37,14 +39,18 @@ func parseRegistryAuthTLSContextCSV(s string) (authTLSContextEntry, error) {
 			authTLSContext.Cert = value
 		case "key":
 			authTLSContext.Key = value
+		case "insecure":
+			authTLSContext.Insecure, _ = strconv.ParseBool(value)
 		}
 	}
 	if authTLSContext.Host == "" {
 		return authTLSContext, errors.New("--registry-auth-tlscontext requires host=<host>")
 	}
 	if authTLSContext.CA == "" {
-		if authTLSContext.Cert == "" || authTLSContext.Key == "" {
-			return authTLSContext, errors.New("--registry-auth-tlscontext requires ca=<ca> or cert=<cert>,key=<key>")
+		if !authTLSContext.Insecure {
+			if authTLSContext.Cert == "" || authTLSContext.Key == "" {
+				return authTLSContext, errors.New("--registry-auth-tlscontext requires ca=<ca> or cert=<cert>,key=<key> or insecure=true")
+			}
 		}
 	} else {
 		if (authTLSContext.Cert != "" && authTLSContext.Key == "") || (authTLSContext.Cert == "" && authTLSContext.Key != "") {
@@ -70,6 +76,9 @@ func ParseRegistryAuthTLSContext(registryAuthTLSContext []string) (map[string]*a
 		if !ok {
 			authConfigs[c.Host] = &authprovider.AuthTLSConfig{}
 		}
+		if c.Insecure {
+			authConfigs[c.Host].Insecure = true
+		}
 		if c.CA != "" {
 			authConfigs[c.Host].RootCAs = append(authConfigs[c.Host].RootCAs, c.CA)
 		}

diff --git a/session/auth/authprovider/authconfig.go b/session/auth/authprovider/authconfig.go
@@ -2,6 +2,7 @@ package authprovider
 
 type AuthTLSConfig struct {
 	RootCAs  []string
+	Insecure bool
 	KeyPairs []TLSKeyPair
 }
 

diff --git a/session/auth/authprovider/authprovider.go b/session/auth/authprovider/authprovider.go
@@ -178,6 +178,9 @@ func (ap *authProvider) tlsConfig(host string) (*tls.Config, error) {
 		}
 		tc.Certificates = append(tc.Certificates, cert)
 	}
+	if c.Insecure {
+		tc.InsecureSkipVerify = true
+	}
 	return tc, nil
 }