Add insecure-registry and tls-skip-verify-registry flags (#537)

GoogleContainerTools · Jan 29, 2019 · f8f59ea · f8f59ea
1 parent e3bf9fb
commit f8f59ea
Show file tree

Hide file tree

Showing 8 changed files with 74 additions and 27 deletions.
diff --git a/README.md b/README.md
@@ -355,6 +355,16 @@ If `--destination=gcr.io/kaniko-project/test`, then cached layers will be stored
 
 _This flag must be used in conjunction with the `--cache=true` flag._
 
+#### --insecure-registry
+
+Set this flag to use plain HTTP requests when accessing a registry. It is supposed to be useed for testing purposes only and should not be used in production!
+You can set it multiple times for multiple registries.
+
+#### --skip-tls-verify-registry
+
+Set this flag to skip TLS cerificate validation when accessing a registry. It is supposed to be useed for testing purposes only and should not be used in production!
+You can set it multiple times for multiple registries.
+
 #### --cleanup
 
 Set this flag to clean the filesystem at the end of the build.

diff --git a/cmd/executor/cmd/root.go b/cmd/executor/cmd/root.go
@@ -129,6 +129,8 @@ func addKanikoOptionsFlags(cmd *cobra.Command) {
 	RootCmd.PersistentFlags().BoolVarP(&opts.Cache, "cache", "", false, "Use cache when building image")
 	RootCmd.PersistentFlags().BoolVarP(&opts.Cleanup, "cleanup", "", false, "Clean the filesystem at the end")
 	RootCmd.PersistentFlags().DurationVarP(&opts.CacheTTL, "cache-ttl", "", time.Hour*336, "Cache timeout in hours. Defaults to two weeks.")
+	RootCmd.PersistentFlags().VarP(&opts.InsecureRegistries, "insecure-registry", "", "Insecure registry using plain HTTP to push and pull. Set it repeatedly for multiple registries.")
+	RootCmd.PersistentFlags().VarP(&opts.SkipTLSVerifyRegistries, "skip-tls-verify-registry", "", "Insecure registry ignoring TLS verify to push and pull. Set it repeatedly for multiple registries.")
 }
 
 // addHiddenFlags marks certain flags as hidden from the executor help text

diff --git a/pkg/cache/cache.go b/pkg/cache/cache.go
@@ -17,7 +17,9 @@ limitations under the License.
 package cache
 
 import (
+	"crypto/tls"
 	"fmt"
+	"net/http"
 	"os"
 	"path"
 	"path/filepath"
@@ -55,7 +57,24 @@ func (rc *RegistryCache) RetrieveLayer(ck string) (v1.Image, error) {
 	if err != nil {
 		return nil, errors.Wrap(err, fmt.Sprintf("getting reference for %s", cache))
 	}
-	img, err := remote.Image(cacheRef, remote.WithAuthFromKeychain(creds.GetKeychain()))
+
+	registryName := cacheRef.Repository.Registry.Name()
+	if rc.Opts.InsecureRegistries.Contains(registryName) {
+		newReg, err := name.NewInsecureRegistry(registryName, name.WeakValidation)
+		if err != nil {
+			return nil, err
+		}
+		cacheRef.Repository.Registry = newReg
+	}
+
+	tr := http.DefaultTransport.(*http.Transport)
+	if rc.Opts.SkipTLSVerifyRegistries.Contains(registryName) {
+		tr.TLSClientConfig = &tls.Config{
+			InsecureSkipVerify: true,
+		}
+	}
+
+	img, err := remote.Image(cacheRef, remote.WithTransport(tr), remote.WithAuthFromKeychain(creds.GetKeychain()))
 	if err != nil {
 		return nil, err
 	}

diff --git a/pkg/config/args.go b/pkg/config/args.go
@@ -42,3 +42,12 @@ func (b *multiArg) Set(value string) error {
 func (b *multiArg) Type() string {
 	return "multi-arg type"
 }
+
+func (b *multiArg) Contains(v string) bool {
+	for _, s := range *b {
+		if s == v {
+			return true
+		}
+	}
+	return false
+}
diff --git a/pkg/config/options.go b/pkg/config/options.go
@@ -22,26 +22,28 @@ import (
 
 // KanikoOptions are options that are set by command line arguments
 type KanikoOptions struct {
-	DockerfilePath    string
-	SrcContext        string
-	SnapshotMode      string
-	Bucket            string
-	TarPath           string
-	Target            string
-	CacheRepo         string
-	CacheDir          string
-	Destinations      multiArg
-	BuildArgs         multiArg
-	Insecure          bool
-	SkipTLSVerify     bool
-	InsecurePull      bool
-	SkipTLSVerifyPull bool
-	SingleSnapshot    bool
-	Reproducible      bool
-	NoPush            bool
-	Cache             bool
-	Cleanup           bool
-	CacheTTL          time.Duration
+	DockerfilePath          string
+	SrcContext              string
+	SnapshotMode            string
+	Bucket                  string
+	TarPath                 string
+	Target                  string
+	CacheRepo               string
+	CacheDir                string
+	Destinations            multiArg
+	BuildArgs               multiArg
+	Insecure                bool
+	SkipTLSVerify           bool
+	InsecurePull            bool
+	SkipTLSVerifyPull       bool
+	SingleSnapshot          bool
+	Reproducible            bool
+	NoPush                  bool
+	Cache                   bool
+	Cleanup                 bool
+	CacheTTL                time.Duration
+	InsecureRegistries      multiArg
+	SkipTLSVerifyRegistries multiArg
 }
 
 // WarmerOptions are options that are set by command line arguments to the cache warmer.

diff --git a/pkg/executor/build.go b/pkg/executor/build.go
@@ -145,6 +145,7 @@ func (s *stageBuilder) optimize(compositeKey CompositeCache, cfg v1.Config, cmds
 		if command.ShouldCacheOutput() {
 			img, err := layerCache.RetrieveLayer(ck)
 			if err != nil {
+				logrus.Debugf("Failed to retrieve layer: %s", err)
 				logrus.Infof("No cached layer found for cmd %s", command.String())
 				logrus.Debugf("Key missing was: %s", compositeKey.Key())
 				break

diff --git a/pkg/executor/push.go b/pkg/executor/push.go
@@ -73,8 +73,9 @@ func DoPush(image v1.Image, opts *config.KanikoOptions) error {
 
 	// continue pushing unless an error occurs
 	for _, destRef := range destRefs {
-		if opts.Insecure {
-			newReg, err := name.NewInsecureRegistry(destRef.Repository.Registry.Name(), name.WeakValidation)
+		registryName := destRef.Repository.Registry.Name()
+		if opts.Insecure || opts.InsecureRegistries.Contains(registryName) {
+			newReg, err := name.NewInsecureRegistry(registryName, name.WeakValidation)
 			if err != nil {
 				return errors.Wrap(err, "getting new insecure registry")
 			}
@@ -88,7 +89,7 @@ func DoPush(image v1.Image, opts *config.KanikoOptions) error {
 
 		// Create a transport to set our user-agent.
 		tr := http.DefaultTransport
-		if opts.SkipTLSVerify {
+		if opts.SkipTLSVerify || opts.SkipTLSVerifyRegistries.Contains(registryName) {
 			tr.(*http.Transport).TLSClientConfig = &tls.Config{
 				InsecureSkipVerify: true,
 			}
@@ -135,5 +136,7 @@ func pushLayerToCache(opts *config.KanikoOptions, cacheKey string, tarPath strin
 	}
 	cacheOpts := *opts
 	cacheOpts.Destinations = []string{cache}
+	cacheOpts.InsecureRegistries = opts.InsecureRegistries
+	cacheOpts.SkipTLSVerifyRegistries = opts.SkipTLSVerifyRegistries
 	return DoPush(empty, &cacheOpts)
 }
diff --git a/pkg/util/image_util.go b/pkg/util/image_util.go
@@ -100,8 +100,9 @@ func remoteImage(image string, opts *config.KanikoOptions) (v1.Image, error) {
 		return nil, err
 	}
 
-	if opts.InsecurePull {
-		newReg, err := name.NewInsecureRegistry(ref.Context().RegistryStr(), name.WeakValidation)
+	registryName := ref.Context().RegistryStr()
+	if opts.InsecurePull || opts.InsecureRegistries.Contains(registryName) {
+		newReg, err := name.NewInsecureRegistry(registryName, name.WeakValidation)
 		if err != nil {
 			return nil, err
 		}
@@ -116,7 +117,7 @@ func remoteImage(image string, opts *config.KanikoOptions) (v1.Image, error) {
 	}
 
 	tr := http.DefaultTransport.(*http.Transport)
-	if opts.SkipTLSVerifyPull {
+	if opts.SkipTLSVerifyPull || opts.SkipTLSVerifyRegistries.Contains(registryName) {
 		tr.TLSClientConfig = &tls.Config{
 			InsecureSkipVerify: true,
 		}