From 436d0fe8b1eaf3de25e2eeb94c2507fb1128abde Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20Min=C3=A1=C5=99?=
Date: Mon, 6 Nov 2017 19:21:34 +0100
Subject: [PATCH 1/2] verify-signature: fixed insecure fall-back
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Ignore not trusted CA with connected to secured registry.

Signed-off-by: Michal Minář
---
 pkg/oc/admin/image/manifest.go         | 9 ++++++++-
 pkg/oc/admin/image/verify-signature.go | 2 +-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/pkg/oc/admin/image/manifest.go b/pkg/oc/admin/image/manifest.go
index 3bf521c0d2b6..d7efa8bd16a1 100644
--- a/pkg/oc/admin/image/manifest.go
+++ b/pkg/oc/admin/image/manifest.go
@@ -7,6 +7,8 @@ import (
 	"github.com/docker/distribution/digest"
 
+	"k8s.io/client-go/rest"
+
 	"github.com/openshift/origin/pkg/image/importer"
 )
@@ -18,7 +20,12 @@ func getImageManifestByIDFromRegistry(registry *url.URL, repositoryName, imageID
 	credentials := importer.NewBasicCredentials()
 	credentials.Add(registry, username, password)
 
-	repo, err := importer.NewContext(http.DefaultTransport, http.DefaultTransport).
+	insecureRT, err := rest.TransportFor(&rest.Config{TLSClientConfig: rest.TLSClientConfig{Insecure: true}})
+	if err != nil {
+		return nil, err
+	}
+
+	repo, err := importer.NewContext(http.DefaultTransport, insecureRT).
 		WithCredentials(credentials).
 		Repository(ctx, registry, repositoryName, insecure)
 	if err != nil {
diff --git a/pkg/oc/admin/image/verify-signature.go b/pkg/oc/admin/image/verify-signature.go
index fd7d02a13a26..38f894d8d63d 100644
--- a/pkg/oc/admin/image/verify-signature.go
+++ b/pkg/oc/admin/image/verify-signature.go
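Review bot: The verification-free transport is built unconditionally in the second manifest.go hunk, even when the `insecure` parameter that reaches `Repository(ctx, registry, repositoryName, insecure)` is false, so the trusted path also carries a RoundTripper with `Insecure: true` and depends on `importer.NewContext` never selecting it. If NewContext only uses its second transport when the `insecure` flag is set, behaviour is unchanged, but gating the construction on the flag makes that guarantee local to this function and keeps a later refactor from silently reusing the insecure transport on the default path; the rewrite is below. The error from `rest.TransportFor` is also returned without context; `fmt.Errorf("creating insecure registry transport: %v", err)` would say which step failed, provided `fmt` is already imported in this file. `getImageManifestByIDFromRegistry` begins and ends outside the hunk.
```go
	var insecureRT http.RoundTripper = http.DefaultTransport
	if insecure {
		// Certificate verification is skipped only when the caller explicitly asked for it.
		rt, err := rest.TransportFor(&rest.Config{TLSClientConfig: rest.TLSClientConfig{Insecure: true}})
		if err != nil {
			return nil, err
		}
		insecureRT = rt
	}

	repo, err := importer.NewContext(http.DefaultTransport, insecureRT).
	// … unchanged: WithCredentials / Repository chain and error check …
```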
@@ -256,7 +256,7 @@ func (o *VerifyImageSignatureOptions) getImageManifest(img *imageapi.Image) ([]b
 	if len(o.RegistryURL) > 0 {
 		registryURL = &url.URL{Host: o.RegistryURL, Scheme: "https"}
 		if o.Insecure {
-			registryURL.Scheme = "http"
+			registryURL.Scheme = ""
 		}
 	}
 	return getImageManifestByIDFromRegistry(registryURL, parsed.RepositoryName(), img.Name, o.CurrentUser, o.CurrentUserToken, o.Insecure)

From 262b8bafff6b5f338e647c94bc9530121fc18131 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20Min=C3=A1=C5=99?=
Date: Mon, 6 Nov 2017 19:24:00 +0100
Subject: [PATCH 2/2] extended: reenabled image signature workflow test
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Michal Minář
---
 test/extended/registry/signature.go | 29 +++++++++++++++++++++++------
 1 file changed, 23 insertions(+), 6 deletions(-)

diff --git a/test/extended/registry/signature.go b/test/extended/registry/signature.go
index 050783941790..325a5455e33f 100644
--- a/test/extended/registry/signature.go
+++ b/test/extended/registry/signature.go
@@ -2,6 +2,7 @@ package registry
 
 import (
 	"fmt"
+	"strings"
 
 	g "github.com/onsi/ginkgo"
 	o "github.com/onsi/gomega"
@@ -12,7 +13,7 @@ import (
 	e2e "k8s.io/kubernetes/test/e2e/framework"
 )
 
-var _ = g.Describe("[imageapis][registry][Skipped][Serial] image signature workflow", func() {
+var _ = g.Describe("[imageapis][registry][Serial] image signature workflow", func() {
 	defer g.GinkgoRecover()
 
@@ -22,7 +23,6 @@ var _ = g.Describe("[imageapis][registry][Skipped][Serial] image signature workf
 	)
 
 	g.It("can push a signed image to openshift registry and verify it", func() {
-		g.Skip("FIXME: fix oadm verify-image-signature to work with secured registry")
 		g.By("building a signer image that knows how to sign images")
 		output, err := oc.Run("create").Args("-f", signerBuildFixture).Output()
 		if err != nil {
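Review bot: Clearing the scheme when `o.Insecure` is set leaves a URL of the form `//host`, and nothing in this method says what the importer does with it; a comment at the assignment should state the intent, presumably `// Leave the scheme empty so the importer tries https first and falls back to plain http only under --insecure.` Since the companion manifest.go change also hands the importer a transport with `Insecure: true`, `--insecure` now both skips certificate verification and permits a plaintext fallback, and the flag's help text, outside this hunk, should spell out both effects so operators do not read it as an http-only switch. `getImageManifest` begins and ends outside the hunk.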
@@ -86,8 +86,17 @@ var _ = g.Describe("[imageapis][registry][Skipped][Serial] image signature workf
 		// Sign and copy the origin-pod image into target image stream tag
 		// TODO: Fix skopeo to pickup the Kubernetes environment variables (remove the $KUBERNETES_MASTER)
 		g.By("signing the origin-pod:latest image and pushing it into openshift registry")
-		_, err = pod.Exec("KUBERNETES_MASTER=https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT GNUPGHOME=/var/lib/origin/gnupg " +
-			"skopeo --debug --tls-verify=false copy --sign-by joe@foo.bar --dest-creds " + user + ":" + token + " --dest-tls-verify=false docker://docker.io/openshift/origin-pod:latest atomic:" + signedImage)
+		out, err = pod.Exec(strings.Join([]string{
+			"KUBERNETES_MASTER=https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT",
+			"GNUPGHOME=/var/lib/origin/gnupg",
+			"skopeo", "--debug", "copy", "--sign-by", "joe@foo.bar",
+			"--dest-creds=" + user + ":" + token,
+			// TODO: test with this turned to true as well
+			"--dest-tls-verify=false",
+			"docker://docker.io/openshift/origin-pod:latest",
+			"atomic:" + signedImage,
+		}, " "))
+		fmt.Fprintf(g.GinkgoWriter, "output: %s\n", out)
 		o.Expect(err).NotTo(o.HaveOccurred())
 
 		err = exutil.WaitForAnImageStreamTag(oc, oc.Namespace(), "signed", "latest")
@@ -102,8 +111,16 @@ var _ = g.Describe("[imageapis][registry][Skipped][Serial] image signature workf
 		o.Expect(err).NotTo(o.HaveOccurred())
 		o.Expect(out).To(o.ContainSubstring("Unverified"))
 
-		out, err = pod.Exec("GNUPGHOME=/var/lib/origin/gnupg " +
-			"oc adm verify-image-signature " + imageName + " --expected-identity=" + signedImage + " --save")
+		out, err = pod.Exec(strings.Join([]string{
+			"GNUPGHOME=/var/lib/origin/gnupg",
+			"oc", "adm", "verify-image-signature",
+			"--insecure=true", // TODO: import the ca certificate into the signing pod
+			"--loglevel=5",
+			imageName,
+			"--expected-identity=" + signedImage,
+			" --save",
+		}, " "))
+		fmt.Fprintf(g.GinkgoWriter, "output: %s\n", out)
 		o.Expect(err).NotTo(o.HaveOccurred())
 		o.Expect(out).To(o.ContainSubstring("identity is now confirmed"))
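Review bot: `" --save"` carries a leading space inside an element that is already joined with `" "`, which produces a doubled separator in the command line; it should read `"--save"` like the other flags in the slice. With the companion manifest.go change, `--insecure=true` now disables certificate verification for the registry connection rather than only switching to http, so the inline TODO is the thing that keeps this test honest about what it exercises; making it precise, e.g. `// TODO: mount the registry CA into the signing pod and drop --insecure`, tells the next maintainer what "done" looks like. The enclosing `g.It` closure begins and ends outside the hunk.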