Support Insecure Registries

Signed-off-by: Prashant Rewar <108176843+prashantrewar@users.noreply.github.com>
buildpacks · Feb 21, 2024 · 25196b8 · 25196b8
1 parent 8ed450d
commit 25196b8
Show file tree

Hide file tree

Showing 8 changed files with 60 additions and 13 deletions.
diff --git a/internal/build/lifecycle_execution.go b/internal/build/lifecycle_execution.go
@@ -328,6 +328,10 @@ func (l *LifecycleExecution) Create(ctx context.Context, buildCache, launchCache
 		flags = append(flags, "-uid", strconv.Itoa(l.opts.UID))
 	}
 
+	for _, reg := range l.opts.InsecureRegistries {
+		flags = append(flags, "-insecure-registry", reg)
+	}
+
 	if l.opts.PreviousImage != "" {
 		if l.opts.Image == nil {
 			return errors.New("image can't be nil")
@@ -481,6 +485,10 @@ func (l *LifecycleExecution) Restore(ctx context.Context, buildCache Cache, kani
 		flags = append(flags, "-uid", strconv.Itoa(l.opts.UID))
 	}
 
+	for _, reg := range l.opts.InsecureRegistries {
+		flags = append(flags, "-insecure-registry", reg)
+	}
+
 	// for kaniko
 	kanikoCacheBindOp := NullOp()
 	if (l.platformAPI.AtLeast("0.10") && l.hasExtensionsForBuild()) ||
@@ -586,6 +594,10 @@ func (l *LifecycleExecution) Analyze(ctx context.Context, buildCache, launchCach
 		flags = append(flags, "-uid", strconv.Itoa(l.opts.UID))
 	}
 
+	for _, reg := range l.opts.InsecureRegistries {
+		flags = append(flags, "-insecure-registry", reg)
+	}
+
 	if l.opts.PreviousImage != "" {
 		if l.opts.Image == nil {
 			return errors.New("image can't be nil")
@@ -795,6 +807,10 @@ func (l *LifecycleExecution) Export(ctx context.Context, buildCache, launchCache
 		flags = append(flags, "-uid", strconv.Itoa(l.opts.UID))
 	}
 
+	for _, reg := range l.opts.InsecureRegistries {
+		flags = append(flags, "-insecure-registry", reg)
+	}
+
 	cacheBindOp := NullOp()
 	switch buildCache.Type() {
 	case cache.Image:

diff --git a/internal/build/lifecycle_executor.go b/internal/build/lifecycle_executor.go
@@ -102,6 +102,7 @@ type LifecycleOptions struct {
 	SBOMDestinationDir              string
 	CreationTime                    *time.Time
 	Keychain                        authn.Keychain
+	InsecureRegistries              []string
 }
 
 func NewLifecycleExecutor(logger logging.Logger, docker DockerClient) *LifecycleExecutor {

diff --git a/internal/commands/build.go b/internal/commands/build.go
@@ -55,6 +55,7 @@ type BuildFlags struct {
 	DateTime             string
 	PreBuildpacks        []string
 	PostBuildpacks       []string
+	InsecureRegistries   []string
 }
 
 // Build an image from source code
@@ -198,6 +199,7 @@ func Build(logger logging.Logger, cfg config.Config, packClient PackClient) *cob
 					PreviousInputImage: inputPreviousImage,
 					LayoutRepoDir:      cfg.LayoutRepositoryDir,
 				},
+				InsecureRegistries: flags.InsecureRegistries,
 			}); err != nil {
 				return errors.Wrap(err, "failed to build")
 			}
@@ -231,6 +233,7 @@ func buildCommandFlags(cmd *cobra.Command, buildFlags *BuildFlags, cfg config.Co
 	cmd.Flags().StringVarP(&buildFlags.AppPath, "path", "p", "", "Path to app dir or zip-formatted file (defaults to current working directory)")
 	cmd.Flags().StringSliceVarP(&buildFlags.Buildpacks, "buildpack", "b", nil, "Buildpack to use. One of:\n  a buildpack by id and version in the form of '<buildpack>@<version>',\n  path to a buildpack directory (not supported on Windows),\n  path/URL to a buildpack .tar or .tgz file, or\n  a packaged buildpack image name in the form of '<hostname>/<repo>[:<tag>]'"+stringSliceHelp("buildpack"))
 	cmd.Flags().StringSliceVarP(&buildFlags.Extensions, "extension", "", nil, "Extension to use. One of:\n  an extension by id and version in the form of '<extension>@<version>',\n  path to an extension directory (not supported on Windows),\n  path/URL to an extension .tar or .tgz file, or\n  a packaged extension image name in the form of '<hostname>/<repo>[:<tag>]'"+stringSliceHelp("extension"))
+	cmd.Flags().StringSliceVarP(&buildFlags.InsecureRegistries, "insecure-registry", "", nil, "List of insecure registries")
 	cmd.Flags().StringVarP(&buildFlags.Builder, "builder", "B", cfg.DefaultBuilder, "Builder image")
 	cmd.Flags().Var(&buildFlags.Cache, "cache",
 		`Cache options used to define cache techniques for build process.

diff --git a/internal/commands/rebase.go b/internal/commands/rebase.go
@@ -51,7 +51,7 @@ func Rebase(logger logging.Logger, cfg config.Config, pack PackClient) *cobra.Co
 	cmd.Flags().StringVar(&policy, "pull-policy", "", "Pull policy to use. Accepted values are always, never, and if-not-present. The default is always")
 	cmd.Flags().StringVar(&opts.ReportDestinationDir, "report-output-dir", "", "Path to export build report.toml.\nOmitting the flag yield no report file.")
 	cmd.Flags().BoolVar(&opts.Force, "force", false, "Perform rebase operation without target validation (only available for API >= 0.12)")
-
+	cmd.Flags().StringSliceVarP(&opts.InsecureRegistries, "insecure-registry", "", nil, "List of insecure registries")
 	AddHelpFlag(cmd, "rebase")
 	return cmd
 }
diff --git a/pkg/client/build.go b/pkg/client/build.go
@@ -209,6 +209,8 @@ type BuildOptions struct {
 
 	// Configuration to export to OCI layout format
 	LayoutConfig *LayoutConfig
+
+	InsecureRegistries []string
 }
 
 func (b *BuildOptions) Layout() bool {
@@ -551,6 +553,7 @@ func (c *Client) Build(ctx context.Context, opts BuildOptions) error {
 		CreationTime:             opts.CreationTime,
 		Layout:                   opts.Layout(),
 		Keychain:                 c.keychain,
+		InsecureRegistries:       opts.InsecureRegistries,
 	}
 
 	switch {

diff --git a/pkg/client/client.go b/pkg/client/client.go
@@ -102,9 +102,10 @@ type Client struct {
 	lifecycleExecutor   LifecycleExecutor
 	buildpackDownloader BuildpackDownloader
 
-	experimental    bool
-	registryMirrors map[string]string
-	version         string
+	experimental       bool
+	registryMirrors    map[string]string
+	version            string
+	insecureRegistries []string
 }
 
 // Option is a type of function that mutate settings on the client.
@@ -187,6 +188,13 @@ func WithRegistryMirrors(registryMirrors map[string]string) Option {
 	}
 }
 
+// WithInsecureRegistries sets insecure registry to pull images from.
+func WithInsecureRegistries(insecureRegistries []string) Option {
+	return func(c *Client) {
+		c.insecureRegistries = insecureRegistries
+	}
+}
+
 // WithKeychain sets keychain of credentials to image registries
 func WithKeychain(keychain authn.Keychain) Option {
 	return func(c *Client) {
@@ -231,7 +239,7 @@ func NewClient(opts ...Option) (*Client, error) {
 	}
 
 	if client.imageFetcher == nil {
-		client.imageFetcher = image.NewFetcher(client.logger, client.docker, image.WithRegistryMirrors(client.registryMirrors), image.WithKeychain(client.keychain))
+		client.imageFetcher = image.NewFetcher(client.logger, client.docker, image.WithRegistryMirrors(client.registryMirrors), image.WithKeychain(client.keychain), image.WithInsecureRegistries(client.insecureRegistries))
 	}
 
 	if client.imageFactory == nil {

diff --git a/pkg/client/rebase.go b/pkg/client/rebase.go
@@ -46,11 +46,14 @@ type RebaseOptions struct {
 	// Pass-through force flag to lifecycle rebase command to skip target data
 	// validated (will not have any effect if API < 0.12).
 	Force bool
+
+	InsecureRegistries []string
 }
 
 // Rebase updates the run image layers in an app image.
 // This operation mutates the image specified in opts.
 func (c *Client) Rebase(ctx context.Context, opts RebaseOptions) error {
+	var flags = []string{"rebase"}
 	imageRef, err := c.parseTagReference(opts.RepoName)
 	if err != nil {
 		return errors.Wrapf(err, "invalid image name '%s'", opts.RepoName)
@@ -112,6 +115,10 @@ func (c *Client) Rebase(ctx context.Context, opts RebaseOptions) error {
 		return err
 	}
 
+	for _, reg := range opts.InsecureRegistries {
+		flags = append(flags, "-insecure-registry", reg)
+	}
+
 	c.logger.Infof("Rebasing %s on run image %s", style.Symbol(appImage.Name()), style.Symbol(baseImage.Name()))
 	rebaser := &phase.Rebaser{Logger: c.logger, PlatformAPI: build.SupportedPlatformAPIVersions.Latest(), Force: opts.Force}
 	report, err := rebaser.Rebase(appImage, baseImage, appImage.Name(), nil)

diff --git a/pkg/image/fetcher.go b/pkg/image/fetcher.go
@@ -42,6 +42,13 @@ func WithRegistryMirrors(registryMirrors map[string]string) FetcherOption {
 	}
 }
 
+// WithInsecureRegistries supply your own insecure registries.
+func WithInsecureRegistries(insecureRegistries []string) FetcherOption {
+	return func(c *Fetcher) {
+		c.insecureRegistries = insecureRegistries
+	}
+}
+
 func WithKeychain(keychain authn.Keychain) FetcherOption {
 	return func(c *Fetcher) {
 		c.keychain = keychain
@@ -54,17 +61,19 @@ type DockerClient interface {
 }
 
 type Fetcher struct {
-	docker          DockerClient
-	logger          logging.Logger
-	registryMirrors map[string]string
-	keychain        authn.Keychain
+	docker             DockerClient
+	logger             logging.Logger
+	registryMirrors    map[string]string
+	keychain           authn.Keychain
+	insecureRegistries []string
 }
 
 type FetchOptions struct {
-	Daemon       bool
-	Platform     string
-	PullPolicy   PullPolicy
-	LayoutOption LayoutOption
+	Daemon             bool
+	Platform           string
+	PullPolicy         PullPolicy
+	LayoutOption       LayoutOption
+	InsecureRegistries []string
 }
 
 func NewFetcher(logger logging.Logger, docker DockerClient, opts ...FetcherOption) *Fetcher {