Enable custom certificates option for OCI

If implemented, users will be able to use custom client certificates and a custom CA bundle
while interacting with OCI registries.

Signed-off-by: Soule BA <bah.soule@gmail.com>
Signed-off-by: Tom Runyon <tom@defenseunicorns.com>
pull/11623/head
Soule BA 3 years ago committed by Tom Runyon
parent ea7891aea5
commit 11379e5bbd

@ -35,10 +35,16 @@ it will also be uploaded.
`
type registryPushOptions struct {
<<<<<<< HEAD
certFile string
keyFile string
caFile string
insecureSkipTLSverify bool
=======
certFile string
keyFile string
caFile string
>>>>>>> e676fd1c (Enable custom certificates option for OCI)
}
func newPushCmd(cfg *action.Configuration, out io.Writer) *cobra.Command {
@ -71,7 +77,10 @@ func newPushCmd(cfg *action.Configuration, out io.Writer) *cobra.Command {
remote := args[1]
client := action.NewPushWithOpts(action.WithPushConfig(cfg),
action.WithTLSClientConfig(o.certFile, o.keyFile, o.caFile),
<<<<<<< HEAD
action.WithInsecureSkipTLSVerify(o.insecureSkipTLSverify),
=======
>>>>>>> e676fd1c (Enable custom certificates option for OCI)
action.WithPushOptWriter(out))
client.Settings = settings
output, err := client.Run(chartRef, remote)
@ -87,7 +96,10 @@ func newPushCmd(cfg *action.Configuration, out io.Writer) *cobra.Command {
f.StringVar(&o.certFile, "cert-file", "", "identify registry client using this SSL certificate file")
f.StringVar(&o.keyFile, "key-file", "", "identify registry client using this SSL key file")
f.StringVar(&o.caFile, "ca-file", "", "verify certificates of HTTPS-enabled servers using this CA bundle")
<<<<<<< HEAD
f.BoolVar(&o.insecureSkipTLSverify, "insecure-skip-tls-verify", false, "skip tls certificate checks for the chart upload")
=======
>>>>>>> e676fd1c (Enable custom certificates option for OCI)
return cmd
}
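Review bot: The three unresolved conflict blocks in this file (`<<<<<<< HEAD` … `>>>>>>> e676fd1c` around the options struct, the `NewPushWithOpts` call and the flag registration) are committed as file content, so `cmd/helm/push.go` cannot compile until they are removed; the non-HEAD side is a strict subset of the HEAD side (same `certFile`/`keyFile`/`caFile`, minus `insecureSkipTLSverify`), so resolving to HEAD loses nothing. If `--insecure-skip-tls-verify` is kept, its help text should say what is given up, because a user may pass it together with `--ca-file` and not realise verification is off entirely: `f.BoolVar(&o.insecureSkipTLSverify, "insecure-skip-tls-verify", false, "skip TLS certificate verification for the chart upload (disables server identity checks; for testing only)")`. Whether `--ca-file` is still consulted when the skip flag is set depends on `tlsutil.NewClientTLS`, which is not in this diff. `newPushCmd` begins and ends outside these hunks.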

@ -43,7 +43,10 @@ type registryLoginOptions struct {
certFile string
keyFile string
caFile string
<<<<<<< HEAD
insecure bool
=======
>>>>>>> e676fd1c (Enable custom certificates option for OCI)
}
func newRegistryLoginCmd(cfg *action.Configuration, out io.Writer) *cobra.Command {
@ -66,8 +69,12 @@ func newRegistryLoginCmd(cfg *action.Configuration, out io.Writer) *cobra.Comman
return action.NewRegistryLogin(cfg).Run(out, hostname, username, password,
action.WithCertFile(o.certFile),
action.WithKeyFile(o.keyFile),
<<<<<<< HEAD
action.WithCAFile(o.caFile),
action.WithInsecure(o.insecure))
=======
action.WithCAFile(o.caFile))
>>>>>>> e676fd1c (Enable custom certificates option for OCI)
},
}
@ -75,7 +82,10 @@ func newRegistryLoginCmd(cfg *action.Configuration, out io.Writer) *cobra.Comman
f.StringVarP(&o.username, "username", "u", "", "registry username")
f.StringVarP(&o.password, "password", "p", "", "registry password or identity token")
f.BoolVarP(&o.passwordFromStdinOpt, "password-stdin", "", false, "read password or identity token from stdin")
<<<<<<< HEAD
f.BoolVarP(&o.insecure, "insecure", "", false, "allow connections to TLS registry without certs")
=======
>>>>>>> e676fd1c (Enable custom certificates option for OCI)
f.StringVar(&o.certFile, "cert-file", "", "identify registry client using this SSL certificate file")
f.StringVar(&o.keyFile, "key-file", "", "identify registry client using this SSL key file")
f.StringVar(&o.caFile, "ca-file", "", "verify certificates of HTTPS-enabled servers using this CA bundle")
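Review bot: The `--insecure` help text `allow connections to TLS registry without certs` does not say whether the flag skips server certificate verification or merely permits a plain-HTTP registry, and that is exactly what an operator needs to know before passing it; the implementation behind `registry.LoginOptInsecure` is outside this diff, so I cannot tell which it is from here. Once confirmed, make it explicit, e.g. `"skip TLS certificate verification when connecting to the registry (for testing only)"` or `"allow connecting to the registry over plain HTTP"`. Separately, the conflict markers in the options struct, the `Run` call and the flag block are committed as content and must be removed; the non-HEAD side only drops the insecure option, so HEAD is the superset. `newRegistryLoginCmd` begins and ends outside these hunks.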

@ -28,7 +28,10 @@ type RegistryLogin struct {
certFile string
keyFile string
caFile string
<<<<<<< HEAD
insecure bool
=======
>>>>>>> e676fd1c (Enable custom certificates option for OCI)
}
type RegistryLoginOpt func(*RegistryLogin) error
@ -83,6 +86,9 @@ func (a *RegistryLogin) Run(out io.Writer, hostname string, username string, pas
return a.cfg.RegistryClient.Login(
hostname,
registry.LoginOptBasicAuth(username, password),
<<<<<<< HEAD
registry.LoginOptInsecure(a.insecure),
=======
>>>>>>> e676fd1c (Enable custom certificates option for OCI)
registry.LoginOptTLSClientConfig(a.certFile, a.keyFile, a.caFile))
}
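Review bot: The conflict block sits inside the argument list of `a.cfg.RegistryClient.Login(...)`, so this file does not parse until it is resolved, and the resolution must agree with `cmd/helm/registry_login.go`: if the `=======` side is taken here the `insecure` field and `registry.LoginOptInsecure(a.insecure)` disappear while the CLI still wires `action.WithInsecure(o.insecure)` (whether that then fails to compile or silently ignores the flag depends on `WithInsecure`, which is outside this hunk). When resolving to HEAD, document the field so its effect is not guessed at: `insecure bool // when true, TLS verification of the registry is relaxed via registry.LoginOptInsecure; testing only`. `Run` begins outside this hunk.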

@ -122,8 +122,13 @@ func (g *OCIGetter) newRegistryClient() (*registry.Client, error) {
}
})
<<<<<<< HEAD
if (g.opts.certFile != "" && g.opts.keyFile != "") || g.opts.caFile != "" || g.opts.insecureSkipVerifyTLS {
tlsConf, err := tlsutil.NewClientTLS(g.opts.certFile, g.opts.keyFile, g.opts.caFile, g.opts.insecureSkipVerifyTLS)
=======
if (g.opts.certFile != "" && g.opts.keyFile != "") || g.opts.caFile != "" {
tlsConf, err := tlsutil.NewClientTLS(g.opts.certFile, g.opts.keyFile, g.opts.caFile)
>>>>>>> e676fd1c (Enable custom certificates option for OCI)
if err != nil {
return nil, fmt.Errorf("can't create TLS config for client: %w", err)
}
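Review bot: The two sides call `tlsutil.NewClientTLS` with different arities (four arguments on HEAD, three on the other side), so the resolution has to match the signature `pkg/tlsutil` actually exports on the target branch, which is not in this diff; picking the `=======` side against a four-argument `tlsutil` will not compile. On the HEAD side the branch is also entered when only `insecureSkipVerifyTLS` is set, which presumably is what disables verification on the transport, so a why-comment at the `if` would help: `// Build a custom TLS config when client certs, a CA bundle or skip-verify is requested; otherwise the default transport (system roots, full verification) is used.` `newRegistryClient` begins and ends outside this hunk.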

@ -39,7 +39,10 @@ func TestOCIGetter(t *testing.T) {
ca, pub, priv := join(cd, "rootca.crt"), join(cd, "crt.pem"), join(cd, "key.pem")
timeout := time.Second * 5
transport := &http.Transport{}
<<<<<<< HEAD
insecureSkipTLSverify := false
=======
>>>>>>> e676fd1c (Enable custom certificates option for OCI)
// Test with options
g, err = NewOCIGetter(
@ -47,7 +50,10 @@ func TestOCIGetter(t *testing.T) {
WithTLSClientConfig(pub, priv, ca),
WithTimeout(timeout),
WithTransport(transport),
<<<<<<< HEAD
WithInsecureSkipVerifyTLS(insecureSkipTLSverify),
=======
>>>>>>> e676fd1c (Enable custom certificates option for OCI)
)
if err != nil {
t.Fatal(err)
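Review bot: The only value exercised for `WithInsecureSkipVerifyTLS` is `false`, which is the default, so the test cannot detect the option being dropped or inverted during the conflict resolution; what is asserted after `NewOCIGetter` returns is outside this hunk, so I cannot see whether the option is checked at all. Add a second construction with `WithInsecureSkipVerifyTLS(true)` and assert that the resulting getter records it (e.g. `if !g.opts.insecureSkipVerifyTLS { t.Error("insecureSkipVerifyTLS not set") }`, assuming the field name used in `ocigetter.go`). The `insecureSkipTLSverify := false` line exists only on the HEAD side of the conflict, which must be resolved before this test compiles. `TestOCIGetter` begins and ends outside these hunks.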

@ -106,8 +106,13 @@ func NewOCIPusher(ops ...Option) (Pusher, error) {
}
func (pusher *OCIPusher) newRegistryClient() (*registry.Client, error) {
<<<<<<< HEAD
if (pusher.opts.certFile != "" && pusher.opts.keyFile != "") || pusher.opts.caFile != "" || pusher.opts.insecureSkipTLSverify {
tlsConf, err := tlsutil.NewClientTLS(pusher.opts.certFile, pusher.opts.keyFile, pusher.opts.caFile, pusher.opts.insecureSkipTLSverify)
=======
if (pusher.opts.certFile != "" && pusher.opts.keyFile != "") || pusher.opts.caFile != "" {
tlsConf, err := tlsutil.NewClientTLS(pusher.opts.certFile, pusher.opts.keyFile, pusher.opts.caFile)
>>>>>>> e676fd1c (Enable custom certificates option for OCI)
if err != nil {
return nil, errors.Wrap(err, "can't create TLS config for client")
}
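Review bot: This block wraps the same failure as the getter with a different mechanism: `errors.Wrap(err, "can't create TLS config for client")` here versus `fmt.Errorf("can't create TLS config for client: %w", err)` in `ocigetter.go`, so callers using `errors.Is`/`errors.As` depend on which `errors` package this file imports (not visible in the hunk). Aligning on `return nil, fmt.Errorf("can't create TLS config for client: %w", err)` keeps both OCI paths consistent. The arity of `tlsutil.NewClientTLS` also differs between the two conflict sides and must match what `pkg/tlsutil` exports on the target branch. `newRegistryClient` ends outside this hunk.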

@ -35,12 +35,18 @@ func TestNewOCIPusher(t *testing.T) {
cd := "../../testdata"
join := filepath.Join
ca, pub, priv := join(cd, "rootca.crt"), join(cd, "crt.pem"), join(cd, "key.pem")
<<<<<<< HEAD
insecureSkipTLSverify := false
=======
>>>>>>> e676fd1c (Enable custom certificates option for OCI)
// Test with options
p, err = NewOCIPusher(
WithTLSClientConfig(pub, priv, ca),
<<<<<<< HEAD
WithInsecureSkipTLSVerify(insecureSkipTLSverify),
=======
>>>>>>> e676fd1c (Enable custom certificates option for OCI)
)
if err != nil {
t.Fatal(err)
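Review bot: As with the getter test, `WithInsecureSkipTLSVerify` is only ever called with `false`, so a resolution that drops or ignores the option would still pass; what the test asserts after `NewOCIPusher` is outside this hunk. Add a construction with `WithInsecureSkipTLSVerify(true)` and check the option was recorded, so the insecure path is covered in both directions. `TestNewOCIPusher` ends outside these hunks.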

@ -27,11 +27,18 @@ import (
//
// Pushers may or may not ignore these parameters as they are passed in.
type options struct {
<<<<<<< HEAD
registryClient *registry.Client
certFile string
keyFile string
caFile string
insecureSkipTLSverify bool
=======
registryClient *registry.Client
certFile string
keyFile string
caFile string
>>>>>>> e676fd1c (Enable custom certificates option for OCI)
}
// Option allows specifying various settings configurable by the user for overriding the defaults
@ -54,6 +61,7 @@ func WithTLSClientConfig(certFile, keyFile, caFile string) Option {
}
}
<<<<<<< HEAD
// WithInsecureSkipTLSVerify determines if a TLS Certificate will be checked
func WithInsecureSkipTLSVerify(insecureSkipTLSVerify bool) Option {
return func(opts *options) {
@ -61,6 +69,8 @@ func WithInsecureSkipTLSVerify(insecureSkipTLSVerify bool) Option {
}
}
=======
>>>>>>> e676fd1c (Enable custom certificates option for OCI)
// Pusher is an interface to support upload to the specified URL.
type Pusher interface {
// Push file content by url string
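Review bot: The doc comment `// WithInsecureSkipTLSVerify determines if a TLS Certificate will be checked` understates a security-sensitive option; a reader should be told the consequence and the intended scope of use. Suggested wording, assuming the value ends up in a `tls.Config.InsecureSkipVerify` (the assignment is outside this hunk): `// WithInsecureSkipTLSVerify disables verification of the registry's TLS certificate when true. It is intended for tests against self-signed registries only; with it set, anyone who can intercept the connection can impersonate the registry.` The `options` struct conflict is identical on both sides apart from the bool, so resolving to HEAD is safe; the `WithInsecureSkipTLSVerify` body is split across the two hunks and its assignment line is not visible here.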

@ -17,6 +17,7 @@ limitations under the License.
package registry
import (
<<<<<<< HEAD
<<<<<<< HEAD
"bytes"
"context"
@ -29,10 +30,14 @@ import (
>>>>>>> dd5e82b5 (refactor to new test suite)
"os"
"path/filepath"
=======
"fmt"
"os"
>>>>>>> e676fd1c (Enable custom certificates option for OCI)
"testing"
"time"
"github.com/containerd/containerd/errdefs"
<<<<<<< HEAD
"github.com/distribution/distribution/v3/configuration"
"github.com/distribution/distribution/v3/registry"
"github.com/phayes/freeport"
@ -182,6 +187,18 @@ func (suite *RegistryClientTestSuite) SetupSuite() {
suite.Nil(err, "no error creating test registry")
suite.CompromisedRegistryHost = initCompromisedRegistryTestServer()
=======
"github.com/stretchr/testify/suite"
)
type RegistryClientTestSuite struct {
TestSuite
}
func (suite *RegistryClientTestSuite) SetupSuite() {
// init test client
dockerRegistry := setup(&suite.TestSuite, false)
>>>>>>> e676fd1c (Enable custom certificates option for OCI)
// plain http registry
plainHTTPConfig := &configuration.Configuration{}
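Review bot: The import block contains a nested conflict — two consecutive `<<<<<<< HEAD` markers, an inner `>>>>>>> dd5e82b5 (refactor to new test suite)` and an outer `>>>>>>> e676fd1c` — which means a conflict from an earlier rebase was never resolved before this one was attempted, so the import list and `SetupSuite` have to be reconstructed from HEAD rather than from either printed side. The `=======` side's `SetupSuite` also calls `setup(&suite.TestSuite, false)` with two arguments while the TLS suite's HEAD side uses three, so whichever `setup` signature survives in `utils_test.go` must be applied to both call sites. The `CompromisedRegistryHost` initialisation on the HEAD side should be kept, since `TestSuite` in this commit still declares that field. `SetupSuite` continues outside this hunk.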

@ -29,7 +29,11 @@ type TLSRegistryClientTestSuite struct {
func (suite *TLSRegistryClientTestSuite) SetupSuite() {
// init test client
<<<<<<< HEAD
dockerRegistry := setup(&suite.TestSuite, true, false)
=======
dockerRegistry := setup(&suite.TestSuite, true)
>>>>>>> e676fd1c (Enable custom certificates option for OCI)
// Start Docker registry
go dockerRegistry.ListenAndServe()
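Review bot: The HEAD side here calls `setup(&suite.TestSuite, true, false)` while this same commit's `utils_test.go` hunk shows `setup` as `func setup(suite *TestSuite, tlsEnabled bool)`; if that two-argument form is the new side (the hunk prints both without markers, so this is inferred), taking HEAD here will not compile and `dockerRegistry := setup(&suite.TestSuite, true)` is the call that matches. Resolve this together with the `setup` signature and the `client_test.go` call site so all three agree; the `false` third argument on the HEAD side was the `insecure` parameter, whose removal also means the TLS suite no longer chooses between verified and unverified client modes. `SetupSuite` continues outside this hunk.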

@ -59,25 +59,14 @@ var (
type TestSuite struct {
suite.Suite
Out io.Writer
DockerRegistryHost string
Out io.Writer
DockerRegistryHost string
CompromisedRegistryHost string
WorkspaceDir string
RegistryClient *Client
Context context.Context
Cancel func()
}
// setup creates a oci registry for use in testing and sets the internal
// RegistryClient in the provided *TestSutie object with a client for communicating
// to the registry for testing:
//
// tlsEnabled - true for an https registry, false for http
// insecure - true for forcing the client to trust the certs when communicating to the registry
// false otherwise
func setup(suite *TestSuite, tlsEnabled bool, insecure bool) *registry.Registry {
func setup(suite *TestSuite, tlsEnabled bool) *registry.Registry {
suite.WorkspaceDir = testWorkspaceDir
os.RemoveAll(suite.WorkspaceDir)
os.Mkdir(suite.WorkspaceDir, 0700)
@ -135,7 +124,6 @@ func setup(suite *TestSuite, tlsEnabled bool, insecure bool) *registry.Registry
// That function does not handle matching of ip addresses in octal,
// decimal or hex form.
suite.DockerRegistryHost = fmt.Sprintf("0x7f000001:%d", port)
} else {
suite.DockerRegistryHost = fmt.Sprintf("localhost:%d", port)
}
@ -159,8 +147,7 @@ func setup(suite *TestSuite, tlsEnabled bool, insecure bool) *registry.Registry
config.HTTP.TLS.Key = tlsServerKey
config.HTTP.TLS.ClientCAs = []string{tlsCA}
}
suite.Context, suite.Cancel = context.WithCancel(context.Background())
dockerRegistry, err := registry.NewRegistry(suite.Context, config)
dockerRegistry, err := registry.NewRegistry(context.Background(), config)
suite.Nil(err, "no error creating test registry")
suite.CompromisedRegistryHost = initCompromisedRegistryTestServer()
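Review bot: This hunk prints both sides without markers, so the direction is inferred, but it appears the new side drops `Context`/`Cancel` from `TestSuite` and creates the registry with `context.Background()`; without the cancel func the test registry has no way to be stopped at suite teardown (teardown is not in this diff), so please confirm that either the cancel func is retained or the registry is shut down some other way. The doc comment above `setup` still documents an `insecure` parameter (`// insecure - true for forcing the client to trust the certs ...`); if the parameter is removed, drop those two comment lines with it. The `0x7f000001:%d` host, which the comment says exercises hex-form IP matching that the verifier cannot handle, appears to go with the insecure branch — if so, that edge case loses its coverage and the comment should say whether that is intended. `setup` continues outside these hunks.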
