Merge pull request #393 from 100mik/add-ca-certs-imgpkg

Allow additional CA certs to be supplied via vendir YAML when pulling an imgpkg bundle
carvel-dev · Sep 4, 2024 · 09ab9ab · 09ab9ab
2 parents c1b7f72 + 064b9c4
commit 09ab9ab
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 6 deletions.
diff --git a/pkg/vendir/config/directory.go b/pkg/vendir/config/directory.go
@@ -139,6 +139,9 @@ type DirectoryContentsImgpkgBundle struct {
 	ResponseHeaderTimeout  int  `json:"responseHeaderTimeout,omitempty"`
 	DangerousSkipTLSVerify bool `json:"dangerousSkipTLSVerify,omitempty"`
 	Recursive              bool `json:"recursive,omitempty"`
+	// Paths to PEM files containing additional CA certificates
+	// +optional
+	AdditionalCACertificates []string `json:"additionalCACertificates,omitempty"`
 }
 
 func (c DirectoryContentsImgpkgBundle) PreresolvedTag() string { return c.preresolvedTag }

diff --git a/pkg/vendir/fetch/image/imgpkg.go b/pkg/vendir/fetch/image/imgpkg.go
@@ -24,9 +24,10 @@ const (
 )
 
 type ImgpkgOpts struct {
-	SecretRef              *ctlconf.DirectoryContentsLocalRef
-	DangerousSkipTLSVerify bool
-	ResponseHeaderTimeout  int
+	SecretRef                *ctlconf.DirectoryContentsLocalRef
+	DangerousSkipTLSVerify   bool
+	ResponseHeaderTimeout    int
+	AdditionalCACertificates []string
 
 	EnvironFunc func() []string
 }
@@ -164,6 +165,7 @@ func (t *Imgpkg) RegistryOpts() (registry.Opts, error) {
 		EnvironFunc: func() []string {
 			return append(envVariables, t.opts.EnvironFunc()...)
 		},
+		CACertPaths: t.opts.AdditionalCACertificates,
 	}
 	envVars := map[string]string{}
 	for _, envVar := range append(envVariables, t.opts.EnvironFunc()...) {

diff --git a/pkg/vendir/fetch/imgpkgbundle/sync.go b/pkg/vendir/fetch/imgpkgbundle/sync.go
@@ -19,9 +19,10 @@ type Sync struct {
 
 func NewSync(opts ctlconf.DirectoryContentsImgpkgBundle, refFetcher ctlfetch.RefFetcher, c ctlcache.Cache) *Sync {
 	imgpkgOpts := ctlimg.ImgpkgOpts{
-		SecretRef:              opts.SecretRef,
-		DangerousSkipTLSVerify: opts.DangerousSkipTLSVerify,
-		ResponseHeaderTimeout:  opts.ResponseHeaderTimeout,
+		SecretRef:                opts.SecretRef,
+		DangerousSkipTLSVerify:   opts.DangerousSkipTLSVerify,
+		ResponseHeaderTimeout:    opts.ResponseHeaderTimeout,
+		AdditionalCACertificates: opts.AdditionalCACertificates,
 	}
 	return &Sync{opts, ctlimg.NewImgpkg(imgpkgOpts, refFetcher, c)}
 }