Support insecure registries

Signed-off-by: Kim Christensen <kimworking@gmail.com>
getporter · Apr 14, 2024 · 0c1d0d5 · 0c1d0d5
1 parent 96c696f
commit 0c1d0d5
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 18 deletions.
diff --git a/pkg/signing/plugins/cosign/cosign.go b/pkg/signing/plugins/cosign/cosign.go
@@ -14,25 +14,27 @@ var _ plugins.SigningProtocol = &Cosign{}
 
 // Signer implements an in-memory signer for testing.
 type Cosign struct {
-	PublicKey    string
-	PrivateKey   string
-	RegistryMode string
-	Experimental bool
+	PublicKey        string
+	PrivateKey       string
+	RegistryMode     string
+	Experimental     bool
+	InsecureRegistry bool
 }
 
 func NewSigner(c *portercontext.Context, cfg PluginConfig) *Cosign {
 
 	s := &Cosign{
-		PublicKey:    cfg.PublicKey,
-		PrivateKey:   cfg.PrivateKey,
-		RegistryMode: cfg.RegistryMode,
-		Experimental: cfg.Experimental,
+		PublicKey:        cfg.PublicKey,
+		PrivateKey:       cfg.PrivateKey,
+		RegistryMode:     cfg.RegistryMode,
+		Experimental:     cfg.Experimental,
+		InsecureRegistry: cfg.InsecureRegistry,
 	}
 
 	return s
 }
 
-// we should get the certificate... here?
+// TODO: we should get the certificate... here?
 func (s *Cosign) Connect(ctx context.Context) error {
 	//lint:ignore SA4006 ignore unused ctx for now
 	ctx, log := tracing.StartSpan(ctx)
@@ -57,6 +59,9 @@ func (s *Cosign) Sign(ctx context.Context, ref string) error {
 	if s.RegistryMode != "" {
 		args = append(args, "--registry-referrers-mode", s.RegistryMode)
 	}
+	if s.InsecureRegistry {
+		args = append(args, "--allow-insecure-registry")
+	}
 	cmd := exec.Command("cosign", args...)
 	if s.Experimental {
 		cmd.Env = append(cmd.Environ(), "COSIGN_EXPERIMENTAL=1")
@@ -79,6 +84,9 @@ func (s *Cosign) Verify(ctx context.Context, ref string) error {
 	if s.RegistryMode == "oci-1-1" {
 		args = append(args, "--experimental-oci11")
 	}
+	if s.InsecureRegistry {
+		args = append(args, "--allow-insecure-registry")
+	}
 	cmd := exec.Command("cosign", args...)
 	out, err := cmd.CombinedOutput()
 	if err != nil {

diff --git a/pkg/signing/plugins/cosign/plugin.go b/pkg/signing/plugins/cosign/plugin.go
@@ -17,10 +17,11 @@ var _ plugins.SigningProtocol = &Plugin{}
 
 type PluginConfig struct {
 	//theses are paths
-	PublicKey    string `mapstructure:"publickey,omitempty"`
-	PrivateKey   string `mapstructure:"privatekey,omitempty"`
-	RegistryMode string `mapstructure:"registrymode,omitempty"`
-	Experimental bool   `mapstructure:"experimental,omitempty"`
+	PublicKey        string `mapstructure:"publickey,omitempty"`
+	PrivateKey       string `mapstructure:"privatekey,omitempty"`
+	RegistryMode     string `mapstructure:"registrymode,omitempty"`
+	Experimental     bool   `mapstructure:"experimental,omitempty"`
+	InsecureRegistry bool   `mapstructure:"insecureregistry,omitempty"`
 }
 
 // Plugin is the plugin wrapper for accessing secrets from a local filesystem.

diff --git a/pkg/signing/plugins/notation/notation.go b/pkg/signing/plugins/notation/notation.go
@@ -16,12 +16,14 @@ var _ plugins.SigningProtocol = &Signer{}
 type Signer struct {
 
 	// Need the key we want to use
-	SigningKey string
+	SigningKey       string
+	InsecureRegistry bool
 }
 
 func NewSigner(c *portercontext.Context, cfg PluginConfig) *Signer {
 	s := &Signer{
-		SigningKey: cfg.SigningKey,
+		SigningKey:       cfg.SigningKey,
+		InsecureRegistry: cfg.InsecureRegistry,
 	}
 	return s
 }
@@ -46,7 +48,11 @@ func (s *Signer) Sign(ctx context.Context, ref string) error {
 	ctx, log := tracing.StartSpan(ctx)
 	defer log.EndSpan()
 
-	cmd := exec.Command("notation", "sign", ref, "--key", s.SigningKey)
+	args := []string{"sign", ref, "--key", s.SigningKey}
+	if s.InsecureRegistry {
+		args = append(args, "--insecure-registry")
+	}
+	cmd := exec.Command("notation", args...)
 	out, err := cmd.CombinedOutput()
 	if err != nil {
 		return fmt.Errorf("%s: %w", string(out), err)
@@ -60,7 +66,11 @@ func (s *Signer) Verify(ctx context.Context, ref string) error {
 	ctx, log := tracing.StartSpan(ctx)
 	defer log.EndSpan()
 
-	cmd := exec.Command("notation", "verify", ref)
+	args := []string{"verify", ref}
+	if s.InsecureRegistry {
+		args = append(args, "--insecure-registry")
+	}
+	cmd := exec.Command("notation", args...)
 	out, err := cmd.CombinedOutput()
 	if err != nil {
 		return fmt.Errorf("%s: %w", string(out), err)

diff --git a/pkg/signing/plugins/notation/plugin.go b/pkg/signing/plugins/notation/plugin.go
@@ -16,7 +16,8 @@ const PluginKey = plugins.PluginInterface + ".porter.notation"
 var _ plugins.SigningProtocol = &Plugin{}
 
 type PluginConfig struct {
-	SigningKey string `mapstructure:"key,omitempty"`
+	SigningKey       string `mapstructure:"key,omitempty"`
+	InsecureRegistry bool   `mapstructure:"insecureregistry,omitempty"`
 }
 
 // Plugin is the plugin wrapper for accessing secrets from a local filesystem.