Adding TLS options to the sign logic.

When checking if the `signed` image already exist or when pulling the
image to sign, we should be able to set some TLS options.

This flow follows the same logic we have for builds.

Signed-off-by: Yoni Bettan <yonibettan@gmail.com>

api/v1beta1/module_types.go

@@ -72,6 +72,10 @@ type Sign struct {
 	// Image to sign, ignored if a Build is present, required otherwise
 	UnsignedImage string `json:"unsignedImage,omitempty"`
 
+	// +optional
+	// UnsignedImageRegistryTLS contains settings determining how to access registries of the unsigned image.
+	UnsignedImageRegistryTLS TLSOptions `json:"baseImageRegistryTLS"`
+
 	// a secret containing the private key used to sign kernel modules for secureboot
 	KeySecret *v1.LocalObjectReference `json:"keySecret"`
 

config/crd/bases/kmm.sigs.k8s.io_managedclustermodules.yaml

@@ -2168,6 +2168,22 @@ spec:
                                   description: Sign enables in-cluster signing for
                                     this mapping
                                   properties:
+                                    baseImageRegistryTLS:
+                                      description: UnsignedImageRegistryTLS contains
+                                        settings determining how to access registries
+                                        of the unsigned image.
+                                      properties:
+                                        insecure:
+                                          description: If Insecure is true, the operator
+                                            will be able to access a registry in an
+                                            insecure (plain HTTP) protocol.
+                                          type: boolean
+                                        insecureSkipTLSVerify:
+                                          description: If InsecureSkipTLSVerify, the
+                                            operator will accept any certificate provided
+                                            by the registry.
+                                          type: boolean
+                                      type: object
                                     certSecret:
                                       description: a secret containing the public
                                         key used to sign kernel modules for secureboot
@@ -2301,6 +2317,22 @@ spec:
                           sign:
                             description: Sign provides default kmod signing settings
                             properties:
+                              baseImageRegistryTLS:
+                                description: UnsignedImageRegistryTLS contains settings
+                                  determining how to access registries of the unsigned
+                                  image.
+                                properties:
+                                  insecure:
+                                    description: If Insecure is true, the operator
+                                      will be able to access a registry in an insecure
+                                      (plain HTTP) protocol.
+                                    type: boolean
+                                  insecureSkipTLSVerify:
+                                    description: If InsecureSkipTLSVerify, the operator
+                                      will accept any certificate provided by the
+                                      registry.
+                                    type: boolean
+                                type: object
                               certSecret:
                                 description: a secret containing the public key used
                                   to sign kernel modules for secureboot

config/crd/bases/kmm.sigs.k8s.io_modules.yaml

@@ -2074,6 +2074,22 @@ spec:
                               description: Sign enables in-cluster signing for this
                                 mapping
                               properties:
+                                baseImageRegistryTLS:
+                                  description: UnsignedImageRegistryTLS contains settings
+                                    determining how to access registries of the unsigned
+                                    image.
+                                  properties:
+                                    insecure:
+                                      description: If Insecure is true, the operator
+                                        will be able to access a registry in an insecure
+                                        (plain HTTP) protocol.
+                                      type: boolean
+                                    insecureSkipTLSVerify:
+                                      description: If InsecureSkipTLSVerify, the operator
+                                        will accept any certificate provided by the
+                                        registry.
+                                      type: boolean
+                                  type: object
                                 certSecret:
                                   description: a secret containing the public key
                                     used to sign kernel modules for secureboot
@@ -2206,6 +2222,21 @@ spec:
                       sign:
                         description: Sign provides default kmod signing settings
                         properties:
+                          baseImageRegistryTLS:
+                            description: UnsignedImageRegistryTLS contains settings
+                              determining how to access registries of the unsigned
+                              image.
+                            properties:
+                              insecure:
+                                description: If Insecure is true, the operator will
+                                  be able to access a registry in an insecure (plain
+                                  HTTP) protocol.
+                                type: boolean
+                              insecureSkipTLSVerify:
+                                description: If InsecureSkipTLSVerify, the operator
+                                  will accept any certificate provided by the registry.
+                                type: boolean
+                            type: object
                           certSecret:
                             description: a secret containing the public key used to
                               sign kernel modules for secureboot

internal/sign/job/manager.go

@@ -25,15 +25,17 @@ func NewSignJobManager(signer Signer, helper sign.Helper, jobHelper utils.JobHel
 	}
 }
 
-func (jbm *signJobManager) Sync(ctx context.Context, mod kmmv1beta1.Module, m kmmv1beta1.KernelMapping, targetKernel string, imageToSign string, targetImage string, pushImage bool) (utils.Result, error) {
+func (jbm *signJobManager) Sync(ctx context.Context, mod kmmv1beta1.Module, m kmmv1beta1.KernelMapping, targetKernel,
+	imageToSign, targetImage string, pushImage bool) (utils.Result, error) {
 	logger := log.FromContext(ctx)
 
 	logger.Info("Signing in-cluster")
 
 	signConfig := jbm.helper.GetRelevantSign(mod, m)
 	jobLabels := jbm.jobHelper.JobLabels(mod, targetKernel, "sign")
 
-	jobTemplate, err := jbm.signer.MakeJobTemplate(mod, signConfig, targetKernel, imageToSign, targetImage, jobLabels, pushImage)
+	jobTemplate, err := jbm.signer.MakeJobTemplate(mod, signConfig, targetKernel, imageToSign, targetImage,
+		jobLabels, pushImage, m.RegistryTLS)
 	if err != nil {
 		return utils.Result{}, fmt.Errorf("could not make Job template: %v", err)
 	}

internal/sign/job/manager_test.go

@@ -90,7 +90,8 @@ var _ = Describe("JobManager", func() {
 					helper.EXPECT().GetRelevantSign(mod, km).Return(km.Sign),
 
 					jobhelper.EXPECT().JobLabels(mod, kernelVersion, "sign").Return(labels),
-					maker.EXPECT().MakeJobTemplate(mod, km.Sign, kernelVersion, previousImageName, km.ContainerImage, labels, true).Return(&j, nil),
+					maker.EXPECT().MakeJobTemplate(mod, km.Sign, kernelVersion, previousImageName, km.ContainerImage,
+						labels, true, nil).Return(&j, nil),
 					jobhelper.EXPECT().GetModuleJobByKernel(ctx, mod, kernelVersion, utils.JobTypeSign).Return(&newJob, nil),
 					jobhelper.EXPECT().IsJobChanged(&j, &newJob).Return(false, nil),
 					jobhelper.EXPECT().GetJobStatus(&newJob).Return(r.Status, r.Requeue, joberr),
@@ -119,7 +120,8 @@ var _ = Describe("JobManager", func() {
 			gomock.InOrder(
 				helper.EXPECT().GetRelevantSign(mod, km).Return(km.Sign),
 				jobhelper.EXPECT().JobLabels(mod, kernelVersion, "sign").Return(labels),
-				maker.EXPECT().MakeJobTemplate(mod, km.Sign, kernelVersion, previousImageName, km.ContainerImage, labels, true).Return(nil, errors.New("random error")),
+				maker.EXPECT().MakeJobTemplate(mod, km.Sign, kernelVersion, previousImageName, km.ContainerImage,
+					labels, true, nil).Return(nil, errors.New("random error")),
 			)
 
 			mgr := NewSignJobManager(maker, helper, jobhelper)
@@ -147,7 +149,8 @@ var _ = Describe("JobManager", func() {
 			gomock.InOrder(
 				helper.EXPECT().GetRelevantSign(mod, km).Return(km.Sign),
 				jobhelper.EXPECT().JobLabels(mod, kernelVersion, "sign").Return(labels),
-				maker.EXPECT().MakeJobTemplate(mod, km.Sign, kernelVersion, previousImageName, km.ContainerImage, labels, true).Return(&j, nil),
+				maker.EXPECT().MakeJobTemplate(mod, km.Sign, kernelVersion, previousImageName, km.ContainerImage,
+					labels, true, nil).Return(&j, nil),
 				jobhelper.EXPECT().GetModuleJobByKernel(ctx, mod, kernelVersion, utils.JobTypeSign).Return(nil, errors.New("random error")),
 			)
 
@@ -176,7 +179,8 @@ var _ = Describe("JobManager", func() {
 			gomock.InOrder(
 				helper.EXPECT().GetRelevantSign(mod, km).Return(km.Sign),
 				jobhelper.EXPECT().JobLabels(mod, kernelVersion, "sign").Return(labels),
-				maker.EXPECT().MakeJobTemplate(mod, km.Sign, kernelVersion, previousImageName, km.ContainerImage, labels, true).Return(&j, nil),
+				maker.EXPECT().MakeJobTemplate(mod, km.Sign, kernelVersion, previousImageName, km.ContainerImage,
+					labels, true, nil).Return(&j, nil),
 				jobhelper.EXPECT().GetModuleJobByKernel(ctx, mod, kernelVersion, utils.JobTypeSign).Return(nil, utils.ErrNoMatchingJob),
 				jobhelper.EXPECT().CreateJob(ctx, &j).Return(errors.New("unable to create job")),
 			)
@@ -207,7 +211,8 @@ var _ = Describe("JobManager", func() {
 			gomock.InOrder(
 				helper.EXPECT().GetRelevantSign(mod, km).Return(km.Sign),
 				jobhelper.EXPECT().JobLabels(mod, kernelVersion, "sign").Return(labels),
-				maker.EXPECT().MakeJobTemplate(mod, km.Sign, kernelVersion, previousImageName, km.ContainerImage, labels, true).Return(&j, nil),
+				maker.EXPECT().MakeJobTemplate(mod, km.Sign, kernelVersion, previousImageName, km.ContainerImage,
+					labels, true, nil).Return(&j, nil),
 				jobhelper.EXPECT().GetModuleJobByKernel(ctx, mod, kernelVersion, utils.JobTypeSign).Return(nil, utils.ErrNoMatchingJob),
 				jobhelper.EXPECT().CreateJob(ctx, &j).Return(nil),
 			)
@@ -239,7 +244,8 @@ var _ = Describe("JobManager", func() {
 			gomock.InOrder(
 				helper.EXPECT().GetRelevantSign(mod, km).Return(km.Sign),
 				jobhelper.EXPECT().JobLabels(mod, kernelVersion, "sign").Return(labels),
-				maker.EXPECT().MakeJobTemplate(mod, km.Sign, kernelVersion, previousImageName, km.ContainerImage, labels, true).Return(&newJob, nil),
+				maker.EXPECT().MakeJobTemplate(mod, km.Sign, kernelVersion, previousImageName, km.ContainerImage,
+					labels, true, nil).Return(&newJob, nil),
 				jobhelper.EXPECT().GetModuleJobByKernel(ctx, mod, kernelVersion, utils.JobTypeSign).Return(&newJob, nil),
 				jobhelper.EXPECT().IsJobChanged(&newJob, &newJob).Return(true, nil),
 				jobhelper.EXPECT().DeleteJob(ctx, &newJob).Return(nil),

internal/sign/job/signer.go

@@ -17,7 +17,8 @@ import (
 //go:generate mockgen -source=signer.go -package=signjob -destination=mock_signer.go
 
 type Signer interface {
-	MakeJobTemplate(mod kmmv1beta1.Module, signConfig *kmmv1beta1.Sign, targetKernel string, imageToSign string, targetImage string, labels map[string]string, pushImage bool) (*batchv1.Job, error)
+	MakeJobTemplate(mod kmmv1beta1.Module, signConfig *kmmv1beta1.Sign, targetKernel, imageToSign, targetImage string,
+		labels map[string]string, pushImage bool, registryTLS *kmmv1beta1.TLSOptions) (*batchv1.Job, error)
 }
 
 type signer struct {
@@ -28,7 +29,9 @@ func NewSigner(scheme *runtime.Scheme) Signer {
 	return &signer{scheme: scheme}
 }
 
-func (m *signer) MakeJobTemplate(mod kmmv1beta1.Module, signConfig *kmmv1beta1.Sign, targetKernel string, imageToSign string, targetImage string, labels map[string]string, pushImage bool) (*batchv1.Job, error) {
+func (m *signer) MakeJobTemplate(mod kmmv1beta1.Module, signConfig *kmmv1beta1.Sign, targetKernel, imageToSign, targetImage string,
+	labels map[string]string, pushImage bool, registryTLS *kmmv1beta1.TLSOptions) (*batchv1.Job, error) {
+
 	var args []string
 
 	if pushImage {
@@ -66,6 +69,24 @@ func (m *signer) MakeJobTemplate(mod kmmv1beta1.Module, signConfig *kmmv1beta1.S
 		volumeMounts = append(volumeMounts, utils.MakeSecretVolumeMount(mod.Spec.ImageRepoSecret, "/docker_config"))
 	}
 
+	if signConfig.UnsignedImageRegistryTLS.Insecure {
+		args = append(args, "--insecure-pull")
+	}
+
+	if signConfig.UnsignedImageRegistryTLS.InsecureSkipTLSVerify {
+		args = append(args, "--skip-tls-verify-pull")
+	}
+
+	if registryTLS != nil {
+		if registryTLS.Insecure {
+			args = append(args, "--insecure")
+		}
+
+		if registryTLS.InsecureSkipTLSVerify {
+			args = append(args, "--skip-tls-verify")
+		}
+	}
+
 	job := &batchv1.Job{
 		ObjectMeta: metav1.ObjectMeta{
 			GenerateName: mod.Name + "-sign-",

internal/sign/job/signer_test.go

@@ -1,6 +1,8 @@
 package signjob
 
 import (
+	"strings"
+
 	"github.com/golang/mock/gomock"
 	"github.com/google/go-cmp/cmp"
 	kmmv1beta1 "github.com/kubernetes-sigs/kernel-module-management/api/v1beta1"
@@ -11,7 +13,6 @@ import (
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/pointer"
-	"strings"
 )
 
 var _ = Describe("MakeJobTemplate", func() {
@@ -184,7 +185,7 @@ var _ = Describe("MakeJobTemplate", func() {
 		mod := mod.DeepCopy()
 		mod.Spec.Selector = nodeSelector
 
-		actual, err := m.MakeJobTemplate(*mod, km.Sign, kernelVersion, unsignedImage, signedImage, labels, true)
+		actual, err := m.MakeJobTemplate(*mod, km.Sign, kernelVersion, unsignedImage, signedImage, labels, true, nil)
 		Expect(err).NotTo(HaveOccurred())
 
 		Expect(
@@ -212,7 +213,7 @@ var _ = Describe("MakeJobTemplate", func() {
 			FilesToSign:   filelist,
 		}
 
-		actual, err := m.MakeJobTemplate(mod, signConfig, kernelVersion, "", signedImage, labels, pushFlag)
+		actual, err := m.MakeJobTemplate(mod, signConfig, kernelVersion, "", signedImage, labels, pushFlag, nil)
 		Expect(err).NotTo(HaveOccurred())
 		Expect(actual.Spec.Template.Spec.Containers[0].Args).To(ContainElement("-unsignedimage"))
 		Expect(actual.Spec.Template.Spec.Containers[0].Args).To(ContainElement("-pullsecret"))
@@ -246,4 +247,41 @@ var _ = Describe("MakeJobTemplate", func() {
 			false,
 		),
 	)
+
+	DescribeTable("should set correct kaniko TLS flags", func(registryTLS *kmmv1beta1.TLSOptions, s kmmv1beta1.Sign, kanikoFlag string) {
+
+		actual, err := m.MakeJobTemplate(mod, &s, kernelVersion, unsignedImage, signedImage, labels, false, registryTLS)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(actual.Spec.Template.Spec.Containers[0].Args).To(ContainElement(kanikoFlag))
+
+	},
+		Entry(
+			"UnsignedImageRegistryTLS.Insecure",
+			nil,
+			kmmv1beta1.Sign{
+				UnsignedImageRegistryTLS: kmmv1beta1.TLSOptions{Insecure: true},
+			},
+			"--insecure-pull",
+		),
+		Entry(
+			"UnsignedImageRegistryTLS.InsecureSkipTLSVerify",
+			nil,
+			kmmv1beta1.Sign{
+				UnsignedImageRegistryTLS: kmmv1beta1.TLSOptions{InsecureSkipTLSVerify: true},
+			},
+			"--skip-tls-verify-pull",
+		),
+		Entry(
+			"RegistryTLS.Insecure",
+			&kmmv1beta1.TLSOptions{Insecure: true},
+			nil,
+			"--insecure",
+		),
+		Entry(
+			"RegistryTLS.InsecureSkipTLSVerify",
+			&kmmv1beta1.TLSOptions{InsecureSkipTLSVerify: true},
+			nil,
+			"--skip-tls-verify",
+		),
+	)
 })