(feature): add skip-tls-verify option for image sources
Signed-off-by: Bryce Palmer <[email protected]>
everettraven committed Oct 26, 2023
1 parent e078853 commit 5df03ef
Showing 9 changed files with 66 additions and 86 deletions.
6 changes: 2 additions & 4 deletions Makefile
Expand Up @@ -67,8 +67,7 @@ test-e2e: $(GINKGO) ## Run the e2e tests
$(GINKGO) --tags $(GO_BUILD_TAGS) $(E2E_FLAGS) -trace -progress $(FOCUS) test/e2e

e2e: KIND_CLUSTER_NAME=catalogd-e2e
e2e: DEPLOY_TARGET=e2e
e2e: kind-cluster image-registry install test-e2e kind-cluster-cleanup ## Run e2e test suite on local kind cluster
e2e: run image-registry test-e2e kind-cluster-cleanup ## Run e2e test suite on local kind cluster

image-registry: ## Setup in-cluster image registry
./test/tools/imageregistry/registry.sh
Expand Down Expand Up @@ -154,11 +153,10 @@ kind-load: $(KIND) ## Load the built images onto the local cluster
.PHONY: install
install: build-container kind-load deploy wait ## Install local catalogd

DEPLOY_TARGET ?= default
.PHONY: deploy
deploy: $(KUSTOMIZE) ## Deploy Catalogd to the K8s cluster specified in ~/.kube/config.
cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMAGE)
$(KUSTOMIZE) build config/${DEPLOY_TARGET} | kubectl apply -f -
$(KUSTOMIZE) build config/default | kubectl apply -f -

.PHONY: undeploy
undeploy: $(KUSTOMIZE) ## Undeploy Catalogd from the K8s cluster specified in ~/.kube/config.
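Review bot: The new `e2e: run image-registry test-e2e kind-cluster-cleanup` line encodes a required sequence as a prerequisite list, which Make may reorder or run concurrently under `-j`, and `kind-cluster-cleanup` never runs when `test-e2e` fails because Make stops at the failed prerequisite. Driving the steps from a recipe — `$(MAKE) run && $(MAKE) image-registry && $(MAKE) test-e2e` followed by a `$(MAKE) kind-cluster-cleanup` that runs regardless of the test result — would make both the ordering and the cleanup guarantee explicit. The `run` target is outside the diff, so whether it still brings up the kind cluster that the dropped `kind-cluster` prerequisite provided cannot be confirmed here.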
6 changes: 6 additions & 0 deletions api/core/v1alpha1/catalog_types.go
Expand Up @@ -134,6 +134,12 @@ type ImageSource struct {
// specified as a duration (e.g., "5m", "1h", "24h", "etc".). Note that PollInterval may not be
// specified for a catalog image referenced by a sha256 digest.
PollInterval *metav1.Duration `json:"pollInterval,omitempty"`
// SkipTLSVerify indicates that TLS certificate validation should be skipped.
// If this option is specified, the HTTPS protocol will still be used to
// fetch the specified image reference.
// This should not be used in a production environment.
// +optional
SkipTLSVerify bool `json:"skipTLSVerify,omitempty"`
}

func init() {
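Review bot: The doc comment on `SkipTLSVerify` says what the flag does but not what is given up: with certificate verification off the registry's identity is no longer authenticated, so a tag reference can be served substituted content by anyone positioned on the connection, whereas a digest reference is still expected to be integrity-checked against its hash by the image client. I'd add a sentence to the field comment such as `// Skipping verification removes authentication of the registry; prefer a digest-pinned Ref when this is set so pulled content is still integrity-checked.` — the CRD description in this commit is regenerated from this comment, so the change propagates to the schema users read.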
7 changes: 7 additions & 0 deletions config/crd/bases/catalogd.operatorframework.io_catalogs.yaml
Expand Up @@ -64,6 +64,13 @@ spec:
description: Ref contains the reference to a container image
containing Catalog contents.
type: string
skipTLSVerify:
description: SkipTLSVerify indicates that TLS certificate
validation should be skipped. If this option is specified,
the HTTPS protocol will still be used to fetch the specified
image reference. This should not be used in a production
environment.
type: boolean
required:
- ref
type: object
30 changes: 0 additions & 30 deletions config/e2e/kustomization.yaml

This file was deleted.

11 changes: 11 additions & 0 deletions internal/source/image_registry_client.go
Expand Up @@ -3,9 +3,11 @@ package source
import (
"archive/tar"
"context"
"crypto/tls"
"errors"
"fmt"
"io/fs"
"net/http"
"os"
"path/filepath"
"strings"
Expand Down Expand Up @@ -65,6 +67,15 @@ func (i *ImageRegistry) Unpack(ctx context.Context, catalog *catalogdv1alpha1.Ca
remoteOpts = append(remoteOpts, remote.WithAuthFromKeychain(authChain))
}

if catalog.Spec.Source.Image.SkipTLSVerify {
insecureTransport := remote.DefaultTransport.(*http.Transport).Clone()
if insecureTransport.TLSClientConfig == nil {
insecureTransport.TLSClientConfig = &tls.Config{}

Check failure on line 73 in internal/source/image_registry_client.go


GitHub Actions / lint

G402: TLS MinVersion too low. (gosec)
}
insecureTransport.TLSClientConfig.InsecureSkipVerify = true // nolint:gosec
remoteOpts = append(remoteOpts, remote.WithTransport(insecureTransport))
}

digest, isDigest := imgRef.(name.Digest)
if isDigest {
hexVal := strings.TrimPrefix(digest.DigestStr(), "sha256:")
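Review bot: The lint failure shown inline (G402, "TLS MinVersion too low") is raised on the `&tls.Config{}` literal, not on the `InsecureSkipVerify` line that carries the `// nolint:gosec` directive, so the directive does not cover it; constructing the config with `MinVersion: tls.VersionTLS12` satisfies gosec and keeps the deliberate opt-out limited to certificate verification rather than also admitting legacy TLS versions. The assertion `remote.DefaultTransport.(*http.Transport)` is unchecked and would panic if the library's default transport were ever replaced by another RoundTripper; a two-value assertion that returns an error is safer. It would also help operators if this branch logged or emitted an event, so catalogs pulled without verification are visible in cluster telemetry. Unpack's signature is outside the hunk; the fence assumes an error is its second return value and should be adjusted to match.
```go
if catalog.Spec.Source.Image.SkipTLSVerify {
	baseTransport, ok := remote.DefaultTransport.(*http.Transport)
	if !ok {
		return nil, fmt.Errorf("default registry transport is %T, expected *http.Transport", remote.DefaultTransport)
	}
	insecureTransport := baseTransport.Clone()
	if insecureTransport.TLSClientConfig == nil {
		// MinVersion is what gosec G402 asks for; the opt-out below is meant to
		// skip certificate verification only, not to admit legacy TLS versions.
		insecureTransport.TLSClientConfig = &tls.Config{MinVersion: tls.VersionTLS12}
	}
	// The catalog author opted out of certificate verification via
	// spec.source.image.skipTLSVerify; the registry identity is not
	// authenticated from here on.
	insecureTransport.TLSClientConfig.InsecureSkipVerify = true //nolint:gosec
	remoteOpts = append(remoteOpts, remote.WithTransport(insecureTransport))
}
// … unchanged: digest handling …
```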
34 changes: 34 additions & 0 deletions internal/source/image_registry_client_test.go
Expand Up @@ -299,6 +299,40 @@ func TestImageRegistry(t *testing.T) {
return img
}(),
},
{
name: "digest ref, insecure specified, happy path",
catalog: &v1alpha1.Catalog{
ObjectMeta: metav1.ObjectMeta{
Name: "test",
},
Spec: v1alpha1.CatalogSpec{
Source: v1alpha1.CatalogSource{
Type: v1alpha1.SourceTypeImage,
Image: &v1alpha1.ImageSource{
Ref: "",
SkipTLSVerify: true,
},
},
},
},
wantErr: false,
refType: "digest",
image: func() v1.Image {
img, err := random.Image(20, 3)
if err != nil {
panic(err)
}
img, err = mutate.Config(img, v1.Config{
Labels: map[string]string{
source.ConfigDirLabel: "/configs",
},
})
if err != nil {
panic(err)
}
return img
}(),
},
} {
t.Run(tt.name, func(t *testing.T) {
// Create context, temporary cache directory,
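Review bot: The new table case `digest ref, insecure specified, happy path` only shows that the pull succeeds with `SkipTLSVerify: true`; unless the harness's test registry presents a certificate the default trust store rejects, the case would pass identically with the flag unset, so it does not demonstrate that the transport swap is what makes the difference. A counterpart with the same image and `SkipTLSVerify: false` against an untrusted (self-signed) test server, expecting `wantErr: true`, would pin the behaviour in both directions. The server setup and the loop body that consumes these cases are outside the hunk, so whether the existing server speaks TLS at all cannot be confirmed here.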
3 changes: 2 additions & 1 deletion test/e2e/unpack_test.go
Expand Up @@ -58,7 +58,8 @@ var _ = Describe("Catalog Unpacking", func() {
Source: catalogd.CatalogSource{
Type: catalogd.SourceTypeImage,
Image: &catalogd.ImageSource{
Ref: catalogImageRef(),
Ref: catalogImageRef(),
SkipTLSVerify: true,
},
},
},
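Review bot: Setting `SkipTLSVerify: true` on the e2e catalog means the suite now exercises only the insecure path, while `registry.sh` still installs cert-manager and a self-signed certificate for the registry that no client in the suite verifies any more (this commit removes the CA ConfigMaps for the controller and the kaniko pod, and kaniko now pushes with `--skip-tls-verify`). The default, verifying code path — the one production catalogs rely on — therefore loses end-to-end coverage; keeping one catalog in the suite that trusts the registry CA, or a comment here stating why only the insecure path is covered, would preserve that signal. Whether the controller retains any way to receive the registry CA cannot be confirmed from the hunks, since the deleted `config/e2e` overlay is not shown.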
14 changes: 2 additions & 12 deletions test/tools/imageregistry/imagebuilder.yaml
Expand Up @@ -11,11 +11,9 @@ spec:
image: gcr.io/kaniko-project/executor:latest
args: ["--dockerfile=/workspace/test-catalog.Dockerfile",
"--context=/workspace/",
"--destination=docker-registry.catalogd-e2e.svc:5000/test-catalog:e2e"]
"--destination=docker-registry.catalogd-e2e.svc:5000/test-catalog:e2e",
"--skip-tls-verify"]
volumeMounts:
- name: certs
mountPath: /etc/ssl/certs/
readOnly: true
- name: dockerfile
mountPath: /workspace/
- name: build-contents
Expand All @@ -31,11 +29,3 @@ spec:
- name: build-contents
configMap:
name: catalogd-e2e.build-contents
- name: certs
configMap:
name: regcerts
defaultMode: 0644
optional: false
items:
- key: ca-certificates.crt
path: ca-certificates.crt
41 changes: 2 additions & 39 deletions test/tools/imageregistry/registry.sh
Expand Up @@ -6,10 +6,8 @@ set -e
# of catalogd's unpacking process. It does a few things:
# 1. Installs cert-manager for creating a self-signed certificate for the image registry
# 2. Creates all the resources necessary for deploying the image registry in the catalogd-e2e namespace
# 3. Creates a ConfigMap containing the CA cert for the image registry to be used by the catalogd-controller-manager
# 4. Creates a ConfigMap containing the CA cert for the image registry to be used by the kaniko pod
# 5. Creates ConfigMaps containing the test catalog + Dockerfile to be mounted to the kaniko pod
# 6. Waits for kaniko pod to have Phase == Succeeded, indicating the test catalog image has been built + pushed
# 3. Creates ConfigMaps containing the test catalog + Dockerfile to be mounted to the kaniko pod
# 4. Waits for kaniko pod to have Phase == Succeeded, indicating the test catalog image has been built + pushed
# to the test image registry
# Usage:
# registry.sh
Expand All @@ -22,41 +20,6 @@ kubectl wait --for=condition=Available --namespace=cert-manager deployment/cert-
kubectl apply -f test/tools/imageregistry/imgreg.yaml
kubectl wait -n catalogd-e2e --for=condition=Available deployment/docker-registry --timeout=60s

# get cert value
certval=$(kubectl -n catalogd-e2e get secret/catalogd-e2e-registry -o=jsonpath='{.data.ca\.crt}' | base64 -d | sed 's/^/ /')

kubectl apply -f - << EOF
apiVersion: v1
kind: Namespace
metadata:
name: catalogd-system
EOF
# create a ConfigMap that contains the CA certs for the image registry
# This one is created for the catalogd-controller-manager
kubectl apply -f - << EOF
apiVersion: v1
kind: ConfigMap
metadata:
namespace: catalogd-system
name: docker-registry.catalogd-e2e.svc
data:
"ca-certificates.crt": |
${certval}
EOF

# create a ConfigMap that contains the CA certs for the image registry
# this one is created for the kaniko pod
kubectl apply -f - << EOF
apiVersion: v1
kind: ConfigMap
metadata:
namespace: catalogd-e2e
name: regcerts
data:
"ca-certificates.crt": |
${certval}
EOF

# Load the testdata onto the cluster as a configmap so it can be used with kaniko
kubectl create configmap -n catalogd-e2e --from-file=testdata/catalogs/test-catalog.Dockerfile catalogd-e2e.dockerfile
kubectl create configmap -n catalogd-e2e --from-file=testdata/catalogs/test-catalog catalogd-e2e.build-contents
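Review bot: The removed heredoc block also created the `catalogd-system` Namespace, not only the two CA ConfigMaps, and nothing in the visible remainder of the script recreates it; if the `run`/`deploy` path does not create the namespace itself (config/default is not shown), the first e2e install will fail on a missing namespace. The header comment still lists cert-manager as step 1 although this script no longer hands its certificate to any consumer; a one-line note there, e.g. `# the registry serves the cert-manager certificate; e2e clients skip verification and no CA is distributed`, would spare the next reader the search for a consumer that no longer exists. The script continues past the second hunk, so the namespace point is hedged on what that tail contains.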
