From 50990100c5768e01bc8491419d183b44aac645db Mon Sep 17 00:00:00 2001
From: x893675
Date: Wed, 15 Nov 2023 11:37:04 +0800
Subject: [PATCH] buildctl: Add insecure config for registry-auth-tlscontext flag
Signed-off-by: x893675
---
 cmd/buildctl/build.go | 2 +-
 cmd/buildctl/build/registryauthtlscontext.go | 21 ++++++++++++++------
 docs/reference/buildctl.md | 2 +-
 session/auth/authprovider/authconfig.go | 1 +
 session/auth/authprovider/authprovider.go | 3 +++
 5 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/cmd/buildctl/build.go b/cmd/buildctl/build.go
index b2f5d8a5f5e6..1d185bba4734 100644
--- a/cmd/buildctl/build.go
+++ b/cmd/buildctl/build.go
@@ -107,7 +107,7 @@ var buildCommand = cli.Command{
 },
 cli.StringSliceFlag{
 Name: "registry-auth-tlscontext",
- Usage: "Overwrite TLS configuration when authenticating with registries, e.g. --registry-auth-tlscontext host=https://myserver:2376,ca=/path/to/my/ca.crt,cert=/path/to/my/cert.crt,key=/path/to/my/key.crt",
+ Usage: "Overwrite TLS configuration when authenticating with registries, e.g. --registry-auth-tlscontext host=https://myserver:2376,insecure=false,ca=/path/to/my/ca.crt,cert=/path/to/my/cert.crt,key=/path/to/my/key.crt",
 },
 },
 }
diff --git a/cmd/buildctl/build/registryauthtlscontext.go b/cmd/buildctl/build/registryauthtlscontext.go
index 5e958b3b0f9b..e0b67fea4ac6 100644
--- a/cmd/buildctl/build/registryauthtlscontext.go
+++ b/cmd/buildctl/build/registryauthtlscontext.go
@@ -2,6 +2,7 @@ package build
 import (
 "encoding/csv"
+ "strconv"
 "strings"
 "github.com/moby/buildkit/session/auth/authprovider"
@@ -9,10 +10,11 @@ import (
 )
 type authTLSContextEntry struct {
- Host string
- CA string
- Cert string
- Key string
+ Host string
+ CA string
+ Cert string
+ Key string
+ Insecure bool
 }
 func parseRegistryAuthTLSContextCSV(s string) (authTLSContextEntry, error) {
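Review bot: The new Usage text shows only `insecure=false`, which is the default, so it never says what the key does — that `insecure=true` makes buildctl skip verification of the registry's TLS certificate for that host. Spell that out in the string rather than leaving it implied by the example, e.g. end it with `key=/path/to/my/key.crt (insecure=true skips verification of the registry's TLS certificate)"`. The same wording is repeated in docs/reference/buildctl.md in this patch, so both copies should change together.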
@@ -37,14 +39,18 @@ func parseRegistryAuthTLSContextCSV(s string) (authTLSContextEntry, error) {
 authTLSContext.Cert = value
 case "key":
 authTLSContext.Key = value
+ case "insecure":
+ authTLSContext.Insecure, _ = strconv.ParseBool(value)
 }
 }
 if authTLSContext.Host == "" {
 return authTLSContext, errors.New("--registry-auth-tlscontext requires host=")
 }
 if authTLSContext.CA == "" {
- if authTLSContext.Cert == "" || authTLSContext.Key == "" {
- return authTLSContext, errors.New("--registry-auth-tlscontext requires ca= or cert=,key=")
+ if !authTLSContext.Insecure {
+ if authTLSContext.Cert == "" || authTLSContext.Key == "" {
+ return authTLSContext, errors.New("--registry-auth-tlscontext requires ca= or cert=,key= or insecure=true")
+ }
 }
 } else {
 if (authTLSContext.Cert != "" && authTLSContext.Key == "") || (authTLSContext.Cert == "" && authTLSContext.Key != "") {
@@ -70,6 +76,9 @@ func ParseRegistryAuthTLSContext(registryAuthTLSContext []string) (map[string]*a
 if !ok {
 authConfigs[c.Host] = &authprovider.AuthTLSConfig{}
 }
+ if c.Insecure {
+ authConfigs[c.Host].Insecure = true
+ }
 if c.CA != "" {
 authConfigs[c.Host].RootCAs = append(authConfigs[c.Host].RootCAs, c.CA)
 }
diff --git a/docs/reference/buildctl.md b/docs/reference/buildctl.md
index 332299354934..a080270cf3cb 100644
--- a/docs/reference/buildctl.md
+++ b/docs/reference/buildctl.md
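Review bot: The added `case "insecure"` discards the `strconv.ParseBool` error, so a typo such as `insecure=ture` silently parses as false and the user is then shown the unrelated `requires ca= or cert=,key= or insecure=true` error instead of being told the value is invalid; return an error for an unparsable value, as the other validation branches in this function do. Separately, the new `if !authTLSContext.Insecure` guard skips the cert/key pairing check only when ca= is absent, so `insecure=true,cert=...` with no key= is accepted here while the same half-specified pair is rejected by the else branch below; hoisting the pairing check out of the ca/insecure branching would make the two paths consistent. The enclosing function starts before this hunk.
```go
		case "insecure":
			insecure, err := strconv.ParseBool(value)
			if err != nil {
				return authTLSContext, errors.New("--registry-auth-tlscontext insecure= must be true or false")
			}
			authTLSContext.Insecure = insecure
		// … unchanged: end of switch/loop, host= check and ca/cert/key validation …
```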
@@ -78,7 +78,7 @@ OPTIONS:
 --metadata-file value Output build metadata (e.g., image digest) to a file as JSON
 --source-policy-file value Read source policy file from a JSON file
 --ref-file value Write build ref to a file
- --registry-auth-tlscontext value Overwrite TLS configuration when authenticating with registries, e.g. --registry-auth-tlscontext host=https://myserver:2376,ca=/path/to/my/ca.crt,cert=/path/to/my/cert.crt,key=/path/to/my/key.crt
+ --registry-auth-tlscontext value Overwrite TLS configuration when authenticating with registries, e.g. --registry-auth-tlscontext host=https://myserver:2376,insecure=false,ca=/path/to/my/ca.crt,cert=/path/to/my/cert.crt,key=/path/to/my/key.crt
 ```
diff --git a/session/auth/authprovider/authconfig.go b/session/auth/authprovider/authconfig.go
index 911e134836f7..18b2550db2ba 100644
--- a/session/auth/authprovider/authconfig.go
+++ b/session/auth/authprovider/authconfig.go
@@ -2,6 +2,7 @@ package authprovider
 type AuthTLSConfig struct {
 RootCAs []string
+ Insecure bool
 KeyPairs []TLSKeyPair
 }
diff --git a/session/auth/authprovider/authprovider.go b/session/auth/authprovider/authprovider.go
index 87618caa3421..c258a7a2569f 100644
--- a/session/auth/authprovider/authprovider.go
+++ b/session/auth/authprovider/authprovider.go
@@ -178,6 +178,9 @@ func (ap *authProvider) tlsConfig(host string) (*tls.Config, error) {
 }
 tc.Certificates = append(tc.Certificates, cert)
 }
+ if c.Insecure {
+ tc.InsecureSkipVerify = true
+ }
 return tc, nil
 }
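Review bot: `Insecure` is a new exported field with no doc comment, and its interaction with the neighbouring `RootCAs` is not obvious from the name: once it is set the provider disables certificate verification for that host, so any RootCAs configured alongside it no longer constrain the connection. Document that on the field, e.g. `// Insecure disables verification of the registry's TLS certificate for this host; RootCAs is then not used to verify the server.`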
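Review bot: `tc.InsecureSkipVerify = true` is set after the RootCAs and key pairs have already been loaded into `tc`, so a host configured with both `insecure=true` and `ca=` gets its CA parsed and then ignored, and nothing in the build output records that verification was turned off. Either reject that combination where the flag is parsed or make the precedence explicit here: add `// Insecure skips chain and hostname verification of the registry; RootCAs loaded above is not consulted.` above the assignment, and, if the provider has a logger available, emit a warning naming the host so the downgrade is visible in the log. `tlsConfig` begins before this hunk.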