From 0c1d0d5a1620ee848dd2d68146702e0b635e9f52 Mon Sep 17 00:00:00 2001
From: Kim Christensen
Date: Sun, 14 Apr 2024 23:40:35 +0200
Subject: [PATCH] Support insecure registries
Signed-off-by: Kim Christensen
---
 pkg/signing/plugins/cosign/cosign.go | 26 ++++++++++++++++--------
 pkg/signing/plugins/cosign/plugin.go | 9 ++++----
 pkg/signing/plugins/notation/notation.go | 18 ++++++++++++----
 pkg/signing/plugins/notation/plugin.go | 3 ++-
 4 files changed, 38 insertions(+), 18 deletions(-)
diff --git a/pkg/signing/plugins/cosign/cosign.go b/pkg/signing/plugins/cosign/cosign.go
index 26dd4f5cc..54d2f4bc4 100644
--- a/pkg/signing/plugins/cosign/cosign.go
+++ b/pkg/signing/plugins/cosign/cosign.go
@@ -14,25 +14,27 @@ var _ plugins.SigningProtocol = &Cosign{}
 // Signer implements an in-memory signer for testing.
 type Cosign struct {
- PublicKey string
- PrivateKey string
- RegistryMode string
- Experimental bool
+ PublicKey string
+ PrivateKey string
+ RegistryMode string
+ Experimental bool
+ InsecureRegistry bool
 }
 func NewSigner(c *portercontext.Context, cfg PluginConfig) *Cosign {
 s := &Cosign{
- PublicKey: cfg.PublicKey,
- PrivateKey: cfg.PrivateKey,
- RegistryMode: cfg.RegistryMode,
- Experimental: cfg.Experimental,
+ PublicKey: cfg.PublicKey,
+ PrivateKey: cfg.PrivateKey,
+ RegistryMode: cfg.RegistryMode,
+ Experimental: cfg.Experimental,
+ InsecureRegistry: cfg.InsecureRegistry,
 }
 return s
 }
-// we should get the certificate... here?
+// TODO: we should get the certificate... here?
 func (s *Cosign) Connect(ctx context.Context) error {
 //lint:ignore SA4006 ignore unused ctx for now
 ctx, log := tracing.StartSpan(ctx)
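Review bot: The new `InsecureRegistry` field on `Cosign` has no comment saying which security property it relaxes, and the struct comment directly above it still reads `// Signer implements an in-memory signer for testing.`, which does not describe this type. Since the value becomes `--allow-insecure-registry` on every cosign invocation, a one-line field comment makes the effect visible to whoever reads the struct later, e.g. `InsecureRegistry bool // forwarded to cosign as --allow-insecure-registry (registry TLS checks relaxed; for local or test registries)`. The same applies to the `InsecureRegistry` field added to `Signer` in notation/notation.go, where the flag is notation's `--insecure-registry`. The precise meaning of each tool's flag should be confirmed against that tool's own help text before the wording is committed.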
@@ -57,6 +59,9 @@ func (s *Cosign) Sign(ctx context.Context, ref string) error {
 if s.RegistryMode != "" {
 args = append(args, "--registry-referrers-mode", s.RegistryMode)
 }
+ if s.InsecureRegistry {
+ args = append(args, "--allow-insecure-registry")
+ }
 cmd := exec.Command("cosign", args...)
 if s.Experimental {
 cmd.Env = append(cmd.Environ(), "COSIGN_EXPERIMENTAL=1")
@@ -79,6 +84,9 @@ func (s *Cosign) Verify(ctx context.Context, ref string) error {
 if s.RegistryMode == "oci-1-1" {
 args = append(args, "--experimental-oci11")
 }
+ if s.InsecureRegistry {
+ args = append(args, "--allow-insecure-registry")
+ }
 cmd := exec.Command("cosign", args...)
 out, err := cmd.CombinedOutput()
 if err != nil {
diff --git a/pkg/signing/plugins/cosign/plugin.go b/pkg/signing/plugins/cosign/plugin.go
index 2fc64feba..370e7bd4e 100644
--- a/pkg/signing/plugins/cosign/plugin.go
+++ b/pkg/signing/plugins/cosign/plugin.go
@@ -17,10 +17,11 @@ var _ plugins.SigningProtocol = &Plugin{}
 type PluginConfig struct {
 //theses are paths
- PublicKey string `mapstructure:"publickey,omitempty"`
- PrivateKey string `mapstructure:"privatekey,omitempty"`
- RegistryMode string `mapstructure:"registrymode,omitempty"`
- Experimental bool `mapstructure:"experimental,omitempty"`
+ PublicKey string `mapstructure:"publickey,omitempty"`
+ PrivateKey string `mapstructure:"privatekey,omitempty"`
+ RegistryMode string `mapstructure:"registrymode,omitempty"`
+ Experimental bool `mapstructure:"experimental,omitempty"`
+ InsecureRegistry bool `mapstructure:"insecureregistry,omitempty"`
 }
 // Plugin is the plugin wrapper for accessing secrets from a local filesystem.
diff --git a/pkg/signing/plugins/notation/notation.go b/pkg/signing/plugins/notation/notation.go
index 3a0abe4dc..fa9cfcae6 100644
--- a/pkg/signing/plugins/notation/notation.go
+++ b/pkg/signing/plugins/notation/notation.go
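Review bot: In the Sign hunk, and again in the Verify hunk below it, `--allow-insecure-registry` is appended whenever `s.InsecureRegistry` is set without anything being written to the trace span, so a verification carried out over a registry connection whose TLS checks were relaxed looks identical in the logs to a normal one. One warning at the point the flag is appended gives operators that signal, e.g. `log.Warnf("contacting registry for %s with --allow-insecure-registry", ref)` inside the `if`, assuming the span logger from `tracing.StartSpan` is in scope here as it is in `Connect` and in the notation Sign/Verify bodies; both `Sign` and `Verify` begin outside their hunks, so that cannot be confirmed from the diff. Because one config key drives both paths, it is also worth stating in the plugin docs that enabling it to push to a local registry relaxes verification as well. The notation Sign and Verify hunks in notation.go append `--insecure-registry` the same way and would benefit from the same log line.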
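Review bot: The new `insecureregistry` config key in cosign/plugin.go has no doc comment, and the existing `//theses are paths` comment now heads a block in which only the first two fields are paths. A comment above the new field keeps the config self-describing: `// InsecureRegistry passes --allow-insecure-registry to cosign so registries whose TLS cannot be verified are still accepted; off by default and meant for local or test registries.` (confirm the flag's exact semantics against cosign's help text). The identical `InsecureRegistry` field added in notation/plugin.go needs the same comment, naming notation's `--insecure-registry` instead. Correcting the typo to `// these are paths` and moving it next to the key fields would fit in the same hunk.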
@@ -16,12 +16,14 @@ var _ plugins.SigningProtocol = &Signer{}
 type Signer struct {
 // Need the key we want to use
- SigningKey string
+ SigningKey string
+ InsecureRegistry bool
 }
 func NewSigner(c *portercontext.Context, cfg PluginConfig) *Signer {
 s := &Signer{
- SigningKey: cfg.SigningKey,
+ SigningKey: cfg.SigningKey,
+ InsecureRegistry: cfg.InsecureRegistry,
 }
 return s
 }
@@ -46,7 +48,11 @@ func (s *Signer) Sign(ctx context.Context, ref string) error {
 ctx, log := tracing.StartSpan(ctx)
 defer log.EndSpan()
- cmd := exec.Command("notation", "sign", ref, "--key", s.SigningKey)
+ args := []string{"sign", ref, "--key", s.SigningKey}
+ if s.InsecureRegistry {
+ args = append(args, "--insecure-registry")
+ }
+ cmd := exec.Command("notation", args...)
 out, err := cmd.CombinedOutput()
 if err != nil {
 return fmt.Errorf("%s: %w", string(out), err)
@@ -60,7 +66,11 @@ func (s *Signer) Verify(ctx context.Context, ref string) error {
 ctx, log := tracing.StartSpan(ctx)
 defer log.EndSpan()
- cmd := exec.Command("notation", "verify", ref)
+ args := []string{"verify", ref}
+ if s.InsecureRegistry {
+ args = append(args, "--insecure-registry")
+ }
+ cmd := exec.Command("notation", args...)
 out, err := cmd.CombinedOutput()
 if err != nil {
 return fmt.Errorf("%s: %w", string(out), err)
diff --git a/pkg/signing/plugins/notation/plugin.go b/pkg/signing/plugins/notation/plugin.go
index 4cb4c96b0..03b9c9cfa 100644
--- a/pkg/signing/plugins/notation/plugin.go
+++ b/pkg/signing/plugins/notation/plugin.go
@@ -16,7 +16,8 @@ const PluginKey = plugins.PluginInterface + ".porter.notation"
 var _ plugins.SigningProtocol = &Plugin{}
 type PluginConfig struct {
- SigningKey string `mapstructure:"key,omitempty"`
+ SigningKey string `mapstructure:"key,omitempty"`
+ InsecureRegistry bool `mapstructure:"insecureregistry,omitempty"`
 }
 // Plugin is the plugin wrapper for accessing secrets from a local filesystem.
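Review bot: The flag-building block added to notation's `Sign` is repeated verbatim in the `Verify` hunk below it, and cosign.go's Sign and Verify carry the same three lines with their own flag string, so the insecure-registry switch now lives in four places with the flag literal duplicated per file. A small method on `Signer` that appends `--insecure-registry` when `s.InsecureRegistry` is set, called as `args = s.registryArgs(args)` before `exec.Command`, keeps the flag name and the condition in one spot per plugin; cosign.go can get the same helper for `--allow-insecure-registry`. Both `Sign` and `Verify` continue past the end of their hunks, and the helper below is a new function rather than a rewrite of them.
```go
// registryArgs appends the registry-transport flags implied by the
// plugin config to args and returns the extended slice.
func (s *Signer) registryArgs(args []string) []string {
	if s.InsecureRegistry {
		args = append(args, "--insecure-registry")
	}
	return args
}

// … in Sign (Verify is the same with "verify", ref):
	args := []string{"sign", ref, "--key", s.SigningKey}
	args = s.registryArgs(args)
	cmd := exec.Command("notation", args...)
	// … unchanged: CombinedOutput and error handling …
```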