Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support insecure registries #1140

Merged
merged 38 commits into from
Sep 22, 2023
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
38 commits
Select commit Hold shift + click to select a range
b884906
Add the support to the new --insecure-registry parameter
Jul 4, 2023
fb1095b
Add the support to the new --insecure-registry parameter in the creat…
Jul 5, 2023
4a9ccac
Add keychain mock and handler test
Jul 20, 2023
894608f
Add support for a single insecure registry
Jul 21, 2023
1e6a3e8
Add support to multiple insecure registries
Jul 25, 2023
ea87988
Adjusted flag name
Jul 25, 2023
c1afa7e
Fix problem with the mock
Jul 26, 2023
7f008ae
InsecureRegistry to InsecureRegistries
Aug 7, 2023
f5504fb
Address comment on FlagTags parity
Aug 7, 2023
ac3feac
Parse the InsecureRegistry env variable with comma separated values
Aug 7, 2023
4a38897
Changed InsecureRegistry to InsecureRegistries
Aug 8, 2023
e2b9509
Changing name at the env variable
Aug 8, 2023
7bf1824
Exporter now accept insecure registries
Aug 8, 2023
4661ea3
Bump up toward the latest version of imgutil
Aug 21, 2023
851bc6a
Remove legacy guard
Aug 22, 2023
473e101
Add WithRegistrySetting with insecure registries into restorer
Aug 22, 2023
321948d
Add support for insecure registries to the rebaser
Aug 24, 2023
edd2f01
Add rebaser testdata directory to .gitignore
Aug 24, 2023
1becb76
Cleaned testdata directory
Aug 25, 2023
70b35a0
Remove testdata rebaser entries from .gitignore
Aug 28, 2023
b062743
Add support to insecure registies for the read-write registry check
Aug 28, 2023
6589463
Move registryHandler into its own file into the image package
Aug 28, 2023
d2b731e
Add dockerfile.windows
Aug 29, 2023
979d57e
Introducing GetInsecureRegistryOptions
Aug 30, 2023
ee32fbe
Fix linter problems
Aug 30, 2023
bc0920d
Remove legacy guards and add test support to arm64
Aug 30, 2023
72f8159
Remove duplication and utilize new GetInsecureRegistryOptions function
Aug 31, 2023
e667328
Extract common code for getting insecure registry options from imageRef
Aug 31, 2023
1abe227
Added cli flags behind proper guards
Sep 4, 2023
760fdf9
Bumped up to the imgutil latest version with the insecure adjustment …
Sep 13, 2023
b20b7e8
Make the getInsecureOptions a static method as a temporary solution t…
Sep 13, 2023
d4e45cc
Added insecure registry to the runImage in the rebaser
Sep 14, 2023
8783bbc
Bump up to the latest version of imgutil with the multiple registries…
Sep 19, 2023
22114fc
Go mod tidy
Sep 19, 2023
baf4c82
Remove insecure-registry filter based on the imageRef
Sep 20, 2023
17e5b1d
Remove reduntant for loop and added a test for multiple GetInsecureOp…
Sep 20, 2023
eb4dad1
Don't remove whitespaces between buildpacks names
Sep 20, 2023
1ac4480
Add FlagInsecureRegistries behind 0.13 guards
Sep 22, 2023
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion cmd/lifecycle/exporter.go
Original file line number Diff line number Diff line change
Expand Up @@ -357,7 +357,7 @@ func (e *exportCmd) initRemoteAppImage(analyzedMD files.Analyzed) (imgutil.Image
opts = append(opts, remote.WithHistory())
}

opts = append(opts, image.GetInsecureOptions(e.InsecureRegistries, e.RunImageRef)...)
opts = append(opts, image.GetInsecureOptions(e.InsecureRegistries)...)

if analyzedMD.PreviousImageRef() != "" {
cmd.DefaultLogger.Infof("Reusing layers from image '%s'", analyzedMD.PreviousImageRef())
Expand Down
4 changes: 2 additions & 2 deletions cmd/lifecycle/rebaser.go
Original file line number Diff line number Diff line change
Expand Up @@ -113,7 +113,7 @@ func (r *rebaseCmd) Exec() error {
)
} else {
var opts []remote.ImageOption
opts = append(opts, append(image.GetInsecureOptions(r.InsecureRegistries, r.RunImageRef), remote.FromBaseImage(r.RunImageRef))...)
opts = append(opts, append(image.GetInsecureOptions(r.InsecureRegistries), remote.FromBaseImage(r.RunImageRef))...)

newBaseImage, err = remote.NewImage(
r.RunImageRef,
Expand Down Expand Up @@ -172,7 +172,7 @@ func (r *rebaseCmd) setAppImage() error {
remote.FromBaseImage(targetImageRef),
}

opts = append(opts, image.GetInsecureOptions(r.InsecureRegistries, targetImageRef)...)
opts = append(opts, image.GetInsecureOptions(r.InsecureRegistries)...)

r.appImage, err = remote.NewImage(
targetImageRef,
Expand Down
2 changes: 1 addition & 1 deletion cmd/lifecycle/restorer.go
Original file line number Diff line number Diff line change
Expand Up @@ -220,7 +220,7 @@ func (r *restoreCmd) pullSparse(imageRef string) (imgutil.Image, error) {
}

var opts []remote.ImageOption
opts = append(opts, append(image.GetInsecureOptions(r.InsecureRegistries, imageRef), remote.FromBaseImage(imageRef))...)
opts = append(opts, append(image.GetInsecureOptions(r.InsecureRegistries), remote.FromBaseImage(imageRef))...)

// get remote image
remoteImage, err := remote.NewImage(imageRef, r.keychain, opts...)
Expand Down
12 changes: 4 additions & 8 deletions image/registry_handler.go
Original file line number Diff line number Diff line change
@@ -1,8 +1,6 @@
package image

import (
"strings"

"github.com/buildpacks/imgutil/remote"
"github.com/google/go-containerregistry/pkg/authn"
"github.com/pkg/errors"
Expand Down Expand Up @@ -35,7 +33,7 @@ func NewRegistryHandler(keychain authn.Keychain, insecureRegistries []string) *D
// EnsureReadAccess ensures that we can read from the registry
func (rv *DefaultRegistryHandler) EnsureReadAccess(imageRefs ...string) error {
for _, imageRef := range imageRefs {
if err := verifyReadAccess(imageRef, rv.keychain, GetInsecureOptions(rv.insecureRegistry, imageRef)); err != nil {
if err := verifyReadAccess(imageRef, rv.keychain, GetInsecureOptions(rv.insecureRegistry)); err != nil {
return err
}
}
Expand All @@ -45,7 +43,7 @@ func (rv *DefaultRegistryHandler) EnsureReadAccess(imageRefs ...string) error {
// EnsureWriteAccess ensures that we can write to the registry
func (rv *DefaultRegistryHandler) EnsureWriteAccess(imageRefs ...string) error {
for _, imageRef := range imageRefs {
if err := verifyReadWriteAccess(imageRef, rv.keychain, GetInsecureOptions(rv.insecureRegistry, imageRef)); err != nil {
if err := verifyReadWriteAccess(imageRef, rv.keychain, GetInsecureOptions(rv.insecureRegistry)); err != nil {
return err
}
}
Expand All @@ -58,13 +56,11 @@ TODO: This is a temporary solution in order to get insecure registries in other
TODO: Ideally we should fix the `imgutil.options` struct visibility in order to mock and test the `remote.WithRegistrySetting`
TODO: function correctly and use the RegistryHandler everywhere it is needed.
*/
func GetInsecureOptions(insecureRegistries []string, imageRef string) []remote.ImageOption {
func GetInsecureOptions(insecureRegistries []string) []remote.ImageOption {
var opts []remote.ImageOption
if len(insecureRegistries) > 0 {
dlion marked this conversation as resolved.
Show resolved Hide resolved
for _, insecureRegistry := range insecureRegistries {
if strings.HasPrefix(imageRef, insecureRegistry) {
opts = append(opts, remote.WithRegistrySetting(insecureRegistry, true))
}
opts = append(opts, remote.WithRegistrySetting(insecureRegistry, true))
}
}
return opts
Expand Down
16 changes: 5 additions & 11 deletions image/registry_handler_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -15,25 +15,19 @@ func TestRegistryHandler(t *testing.T) {
func testRegistryHandler(t *testing.T, when spec.G, it spec.S) {
when("insecure registry", func() {
it("returns WithRegistrySetting options for the domains specified", func() {
dlion marked this conversation as resolved.
Show resolved Hide resolved
registryOptions := GetInsecureOptions([]string{"host.docker.internal"}, "host.docker.internal/bar")
registryOptions := GetInsecureOptions([]string{"host.docker.internal"})

h.AssertEq(t, len(registryOptions), 1)
})

it("returns WithRegistrySetting options only for the domains specified", func() {
registryOptions := GetInsecureOptions([]string{"host.docker.internal", "this.is.just.a.try"}, "host.docker.internal/bar")

h.AssertEq(t, len(registryOptions), 1)
})

it("returns empty options if any domain hasn't been specified and the imageRef is empty", func() {
options := GetInsecureOptions(nil, "")
it("returns empty options if any domain hasn't been specified", func() {
options := GetInsecureOptions(nil)

h.AssertEq(t, len(options), 0)
})

it("returns empty options if an empty list of insecure registries has been passed but the imageRef has been passed anyway", func() {
options := GetInsecureOptions([]string{}, "host.docker.container")
it("returns empty options if an empty list of insecure registries has been passed", func() {
options := GetInsecureOptions([]string{})

h.AssertEq(t, len(options), 0)
})
Expand Down
2 changes: 1 addition & 1 deletion image/remote_handler.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ func (h *RemoteHandler) InitImage(imageRef string) (imgutil.Image, error) {
remote.FromBaseImage(imageRef),
}

options = append(options, GetInsecureOptions(h.insecureRegistries, imageRef)...)
options = append(options, GetInsecureOptions(h.insecureRegistries)...)

return remote.NewImage(
imageRef,
Expand Down
Loading