respecting insecure flag, tests/lint passing, no new tests

vmware-labs · Dec 22, 2023 · 6ec0a28 · 6ec0a28
1 parent 0ff0f0a
commit 6ec0a28
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 30 deletions.
diff --git a/cmd/dt/push.go b/cmd/dt/push.go
@@ -64,6 +64,7 @@ func newPushCmd() *cobra.Command {
 					chartutils.WithContext(ctx),
 					chartutils.WithProgressBar(subLog.ProgressBar()),
 					chartutils.WithArtifactsDir(chart.ImageArtifactsDir()),
+					chartutils.WithInsecureMode(insecure),
 				); err != nil {
 					return subLog.Failf("Failed to push images: %w", err)
 				}

diff --git a/cmd/dt/unwrap.go b/cmd/dt/unwrap.go
@@ -139,6 +139,7 @@ func pushChartImagesAndVerify(ctx context.Context, wrap wrapping.Wrap, l log.Sec
 		chartutils.WithContext(ctx),
 		chartutils.WithArtifactsDir(wrap.ImageArtifactsDir()),
 		chartutils.WithProgressBar(l.ProgressBar()),
+		chartutils.WithInsecureMode(insecure),
 	); err != nil {
 		return err
 	}

diff --git a/pkg/artifacts/artifacts.go b/pkg/artifacts/artifacts.go
@@ -5,8 +5,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"net/http"
-	"crypto/tls"
 	"os"
 	"path/filepath"
 	"strings"
@@ -42,11 +40,19 @@ var (
 // Config defines the configuration when pulling/pushing artifacts to a registry
 type Config struct {
 	ResolveReference bool
+	InsecureMode     bool
 }
 
 // Option defines a Config option
 type Option func(*Config)
 
+// WithInsecureMode configures Insecure transport
+func WithInsecureMode(insecure bool) func(cfg *Config) {
+	return func(cfg *Config) {
+		cfg.InsecureMode = insecure
+	}
+}
+
 // WithResolveReference configures the ResolveReference setting
 func WithResolveReference(v bool) func(cfg *Config) {
 	return func(cfg *Config) {
@@ -56,14 +62,14 @@ func WithResolveReference(v bool) func(cfg *Config) {
 
 // NewConfig creates a new Config
 func NewConfig(opts ...Option) *Config {
-	cfg := &Config{ResolveReference: true}
+	cfg := &Config{ResolveReference: true, InsecureMode: false}
 	for _, opt := range opts {
 		opt(cfg)
 	}
 	return cfg
 }
 
-func getImageTagAndDigest(image string) (string, string, error) {
+func getImageTagAndDigest(image string, opts ...Option) (string, string, error) {
 	ref, err := name.ParseReference(image)
 	if err != nil {
 		return "", "", fmt.Errorf("failed to parse image reference: %w", err)
@@ -74,13 +80,12 @@ func getImageTagAndDigest(image string) (string, string, error) {
 
 	switch v := ref.(type) {
 	case name.Tag:
-		// Hack -- needs to respect insecure flag instead
-		httpClient := &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-			},
+		cfg := NewConfig(opts...)
+		craneOpts := make([]crane.Option, 0)
+		if cfg.InsecureMode {
+			craneOpts = append(craneOpts, crane.Insecure)
 		}
-		desc, err := imagelock.GetImageRemoteDescriptor(image, crane.WithTransport(httpClient.Transport))
+		desc, err := imagelock.GetImageRemoteDescriptor(image, craneOpts...)
 		if err != nil {
 			return "", "", fmt.Errorf("error getting descriptor: %w", err)
 		}
@@ -100,8 +105,8 @@ func getImageTagAndDigest(image string) (string, string, error) {
 	return imgTag, hex, nil
 }
 
-func getImageArtifactsDir(image *imagelock.ChartImage, destDir string, suffix string) (string, error) {
-	imgTag, _, err := getImageTagAndDigest(image.Image)
+func getImageArtifactsDir(image *imagelock.ChartImage, destDir string, suffix string, opts ...Option) (string, error) {
+	imgTag, _, err := getImageTagAndDigest(image.Image, opts...)
 	if err != nil {
 		return "", fmt.Errorf("failed to parse image reference: %w", err)
 	}
@@ -120,7 +125,7 @@ func pushArtifact(ctx context.Context, image string, dest string, tagSuffix stri
 		return "", fmt.Errorf("failed to get image repository: %w", err)
 	}
 
-	imgTag, hex, err := getImageTagAndDigest(image)
+	imgTag, hex, err := getImageTagAndDigest(image, opts...)
 	if err != nil {
 		return "", err
 	}
@@ -171,7 +176,7 @@ func pushAssetMetadata(ctx context.Context, imageRef string, destDir string, opt
 func PushImageMetadata(ctx context.Context, image *imagelock.ChartImage, destDir string, opts ...Option) error {
 	imageRef := image.Image
 
-	dir, err := getImageArtifactsDir(image, destDir, "metadata")
+	dir, err := getImageArtifactsDir(image, destDir, "metadata", opts...)
 	if err != nil {
 		return fmt.Errorf("failed to obtain signature location: %v", err)
 	}
@@ -182,7 +187,7 @@ func PushImageMetadata(ctx context.Context, image *imagelock.ChartImage, destDir
 // PushImageSignatures pushes a oci-layout directory to the registry as the image signature
 func PushImageSignatures(ctx context.Context, image *imagelock.ChartImage, destDir string, opts ...Option) error {
 	imageRef := image.Image
-	dir, err := getImageArtifactsDir(image, destDir, "sig")
+	dir, err := getImageArtifactsDir(image, destDir, "sig", opts...)
 	if err != nil {
 		return fmt.Errorf("failed to obtain signature location: %v", err)
 	}
@@ -213,7 +218,7 @@ func pullArtifact(ctx context.Context, image string, destDir string, tagSuffix s
 	}
 
 	var tag string
-	imgTag, hex, err := getImageTagAndDigest(image)
+	imgTag, hex, err := getImageTagAndDigest(image, opts...)
 	if err != nil {
 		return "", err
 	}
@@ -251,7 +256,7 @@ func pullArtifact(ctx context.Context, image string, destDir string, tagSuffix s
 func PullImageMetadata(ctx context.Context, image *imagelock.ChartImage, destDir string, opts ...Option) error {
 	imageRef := image.Image
 
-	dir, err := getImageArtifactsDir(image, destDir, "metadata")
+	dir, err := getImageArtifactsDir(image, destDir, "metadata", opts...)
 	if err != nil {
 		return fmt.Errorf("failed to obtain signature location: %v", err)
 	}
@@ -283,7 +288,7 @@ func pullAssetMetadata(ctx context.Context, imageRef string, dir string, opts ..
 // PullImageSignatures pulls the image signature and stores it locally as an oci-layout
 func PullImageSignatures(ctx context.Context, image *imagelock.ChartImage, destDir string, opts ...Option) error {
 	imageRef := image.Image
-	dir, err := getImageArtifactsDir(image, destDir, "sig")
+	dir, err := getImageArtifactsDir(image, destDir, "sig", opts...)
 	if err != nil {
 		return fmt.Errorf("failed to obtain signature location: %v", err)
 	}

diff --git a/pkg/chartutils/images.go b/pkg/chartutils/images.go
@@ -3,8 +3,6 @@ package chartutils
 import (
 	"context"
 	"fmt"
-	"net/http"
-	"crypto/tls"
 	"os"
 	"path/filepath"
 
@@ -122,7 +120,13 @@ func PushImages(lock *imagelock.ImagesLock, imagesDir string, opts ...Option) er
 	p, _ := cfg.ProgressBar.WithTotal(len(lock.Images)).UpdateTitle("Pushing images").Start()
 	defer p.Stop()
 
-	o := crane.GetOptions(crane.WithContext(ctx))
+	craneOpts := make([]crane.Option, 0)
+	craneOpts = append(craneOpts, crane.WithContext(ctx))
+	if cfg.InsecureMode {
+		craneOpts = append(craneOpts, crane.Insecure)
+	}
+	o := crane.GetOptions(craneOpts...)
+
 	maxRetries := cfg.MaxRetries
 	for _, imgData := range lock.Images {
 
@@ -145,7 +149,10 @@ func PushImages(lock *imagelock.ImagesLock, imagesDir string, opts ...Option) er
 				if err := pushImage(imgData, imagesDir, o); err != nil {
 					return err
 				}
-				if err := artifacts.PushImageSignatures(context.Background(), imgData, artifactsDir); err != nil {
+				if err := artifacts.PushImageSignatures(context.Background(),
+					imgData,
+					artifactsDir,
+					artifacts.WithInsecureMode(cfg.InsecureMode)); err != nil {
 					if err == artifacts.ErrLocalArtifactNotExist {
 						l.Debugf("image %q does not have a local signature stored", imgData.Image)
 					} else {
@@ -155,7 +162,10 @@ func PushImages(lock *imagelock.ImagesLock, imagesDir string, opts ...Option) er
 					p.UpdateTitle(fmt.Sprintf("Pushed image %q signature", imgData.Image))
 				}
 
-				if err := artifacts.PushImageMetadata(context.Background(), imgData, artifactsDir); err != nil {
+				if err := artifacts.PushImageMetadata(context.Background(),
+					imgData,
+					artifactsDir,
+					artifacts.WithInsecureMode(cfg.InsecureMode)); err != nil {
 					if err == artifacts.ErrLocalArtifactNotExist {
 						l.Debugf("image %q does not have a local metadata artifact stored", imgData.Image)
 					} else {
@@ -214,13 +224,6 @@ func pushImage(imgData *imagelock.ChartImage, imagesDir string, o crane.Options)
 		return fmt.Errorf("failed to parse image reference %q: %w", imgData.Image, err)
 	}
 
-	// Hack -- needs to respect insecure flag instead
-	httpClient := &http.Client{
-		Transport: &http.Transport{
-			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-		},
-	}
-	o.Remote = append(o.Remote, remote.WithTransport(httpClient.Transport))
 	if err := remote.WriteIndex(ref, idx, o.Remote...); err != nil {
 		return fmt.Errorf("failed to write image index: %w", err)
 	}

diff --git a/pkg/chartutils/options.go b/pkg/chartutils/options.go
@@ -18,6 +18,14 @@ type Configuration struct {
 	ArtifactsDir   string
 	FetchArtifacts bool
 	MaxRetries     int
+	InsecureMode   bool
+}
+
+// WithInsecureMode configures Insecure transport
+func WithInsecureMode(insecure bool) func(cfg *Configuration) {
+	return func(cfg *Configuration) {
+		cfg.InsecureMode = insecure
+	}
 }
 
 // WithArtifactsDir configures the ArtifactsDir
@@ -65,6 +73,7 @@ func NewConfiguration(opts ...Option) *Configuration {
 		FetchArtifacts: false,
 		MaxRetries:     3,
 		Log:            log.NewSilentLogger(),
+		InsecureMode:   false,
 	}
 	for _, opt := range opts {
 		opt(cfg)