fix(registry): deprecated skip-tls and add use-http and skip-tls-verify

Makefile

@@ -116,7 +116,7 @@ clean:
 
 .PHONY: e2e
 e2e:
-	$(GO) run github.com/onsi/ginkgo/ginkgo --v --randomizeAllSpecs --randomizeSuites --race $(if $(TEST),-focus '$(TEST)') $(TAGS) ./test/e2e -- $(if $(SKIPTLS),-skip-tls true)
+	$(GO) run github.com/onsi/ginkgo/ginkgo --v --randomizeAllSpecs --randomizeSuites --race $(if $(TEST),-focus '$(TEST)') $(TAGS) ./test/e2e -- $(if $(SKIPTLS),-skip-tls-verify true) $(if $(USEHTTP),-use-http true)
 
 
 .PHONY: release

cmd/opm/alpha/bundle/unpack.go

@@ -12,6 +12,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
+	"github.com/operator-framework/operator-registry/cmd/opm/internal/util"
 	"github.com/operator-framework/operator-registry/pkg/image"
 	"github.com/operator-framework/operator-registry/pkg/image/containerdregistry"
 	"github.com/operator-framework/operator-registry/pkg/lib/bundle"
@@ -28,11 +29,16 @@ func newBundleUnpackCmd() *cobra.Command {
 		RunE: unpackBundle,
 	}
 	unpack.Flags().BoolP("debug", "d", false, "enable debug log output")
-	unpack.Flags().BoolP("skip-tls", "s", false, "disable TLS verification")
+	unpack.Flags().BoolP("skip-tls", "s", false, "use plain HTTP")
+	unpack.Flags().Bool("skip-tls-verify", false, "disable TLS verification")
+	unpack.Flags().Bool("use-http", false, "use plain HTTP")
 	unpack.Flags().BoolP("skip-validation", "v", false, "disable bundle validation")
 	unpack.Flags().StringP("root-ca", "c", "", "file path of a root CA to use when communicating with image registries")
 	unpack.Flags().StringP("out", "o", "./", "directory in which to unpack operator bundle content")
 
+	if err := unpack.Flags().MarkDeprecated("skip-tls", "use --use-http and --skip-tls-verify instead"); err != nil {
+		logrus.Panic(err.Error())
+	}
 	return unpack
 }
 
@@ -71,13 +77,14 @@ func unpackBundle(cmd *cobra.Command, args []string) error {
 
 	var (
 		registryOpts []containerdregistry.RegistryOption
-		skipTLS      bool
 	)
-	skipTLS, err = cmd.Flags().GetBool("skip-tls")
+
+	skipTLSVerify, useHTTP, err := util.GetTLSOptions(cmd)
 	if err != nil {
 		return err
 	}
-	registryOpts = append(registryOpts, containerdregistry.SkipTLS(skipTLS))
+
+	registryOpts = append(registryOpts, containerdregistry.SkipTLSVerify(skipTLSVerify), containerdregistry.WithPlainHTTP(useHTTP))
 
 	var skipValidation bool
 	skipValidation, err = cmd.Flags().GetBool("skip-validation")

cmd/opm/alpha/diff/cmd.go

@@ -14,6 +14,7 @@ import (
 
 	"github.com/operator-framework/operator-registry/alpha/action"
 	"github.com/operator-framework/operator-registry/alpha/declcfg"
+	"github.com/operator-framework/operator-registry/cmd/opm/internal/util"
 	containerd "github.com/operator-framework/operator-registry/pkg/image/containerdregistry"
 	"github.com/operator-framework/operator-registry/pkg/lib/certs"
 )
@@ -154,15 +155,21 @@ func (a *diff) addFunc(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("invalid --output value: %q", a.output)
 	}
 
-	skipTLS, err := cmd.Flags().GetBool("skip-tls")
+	skipTLSVerify, useHTTP, err := util.GetTLSOptions(cmd)
 	if err != nil {
-		logrus.Panic(err)
+		return err
 	}
+
 	rootCAs, err := certs.RootCAs(a.caFile)
 	if err != nil {
 		a.logger.Fatalf("error getting root CAs: %v", err)
 	}
-	reg, err := containerd.NewRegistry(containerd.SkipTLS(skipTLS), containerd.WithLog(a.logger), containerd.WithRootCAs(rootCAs))
+	reg, err := containerd.NewRegistry(
+		containerd.SkipTLSVerify(skipTLSVerify),
+		containerd.WithLog(a.logger),
+		containerd.WithRootCAs(rootCAs),
+		containerd.WithPlainHTTP(useHTTP),
+	)
 	if err != nil {
 		a.logger.Fatalf("error creating containerd registry: %v", err)
 	}

cmd/opm/index/add.go

@@ -7,6 +7,7 @@ import (
 	"github.com/spf13/cobra"
 	"k8s.io/kubectl/pkg/util/templates"
 
+	"github.com/operator-framework/operator-registry/cmd/opm/internal/util"
 	"github.com/operator-framework/operator-registry/pkg/containertools"
 	"github.com/operator-framework/operator-registry/pkg/lib/indexer"
 	"github.com/operator-framework/operator-registry/pkg/registry"
@@ -126,7 +127,7 @@ func runIndexAddCmdFunc(cmd *cobra.Command, _ []string) error {
 		return err
 	}
 
-	skipTLS, err := cmd.Flags().GetBool("skip-tls")
+	skipTLSVerify, useHTTP, err := util.GetTLSOptions(cmd)
 	if err != nil {
 		return err
 	}
@@ -174,7 +175,8 @@ func runIndexAddCmdFunc(cmd *cobra.Command, _ []string) error {
 		Bundles:           bundles,
 		Permissive:        permissive,
 		Mode:              modeEnum,
-		SkipTLS:           skipTLS,
+		SkipTLSVerify:     skipTLSVerify,
+		PlainHTTP:         useHTTP,
 		Overwrite:         overwrite,
 		EnableAlpha:       enableAlpha,
 	}

cmd/opm/index/cmd.go

@@ -33,6 +33,12 @@ func AddCommand(parent *cobra.Command) {
 
 	parent.AddCommand(cmd)
 	parent.PersistentFlags().Bool("skip-tls", false, "skip TLS certificate verification for container image registries while pulling bundles or index")
+	parent.PersistentFlags().Bool("skip-tls-verify", false, "skip TLS certificate verification for container image registries while pulling bundles")
+	parent.PersistentFlags().Bool("use-http", false, "use plain HTTP for container image registries while pulling bundles")
+	if err := parent.PersistentFlags().MarkDeprecated("skip-tls", "use --use-http and --skip-tls-verify instead"); err != nil {
+		logrus.Panic(err.Error())
+	}
+
 	cmd.AddCommand(newIndexDeleteCmd())
 	addIndexAddCmd(cmd)
 	cmd.AddCommand(newIndexExportCmd())

cmd/opm/index/delete.go

@@ -4,6 +4,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
+	"github.com/operator-framework/operator-registry/cmd/opm/internal/util"
 	"github.com/operator-framework/operator-registry/pkg/containertools"
 	"github.com/operator-framework/operator-registry/pkg/lib/indexer"
 	"github.com/operator-framework/operator-registry/pkg/sqlite"
@@ -95,7 +96,7 @@ func runIndexDeleteCmdFunc(cmd *cobra.Command, _ []string) error {
 		return err
 	}
 
-	skipTLS, err := cmd.Flags().GetBool("skip-tls")
+	skipTLSVerify, useHTTP, err := util.GetTLSOptions(cmd)
 	if err != nil {
 		return err
 	}
@@ -117,7 +118,8 @@ func runIndexDeleteCmdFunc(cmd *cobra.Command, _ []string) error {
 		Operators:         operators,
 		Tag:               tag,
 		Permissive:        permissive,
-		SkipTLS:           skipTLS,
+		SkipTLSVerify:     skipTLSVerify,
+		PlainHTTP:         useHTTP,
 	}
 
 	err = indexDeleter.DeleteFromIndex(request)

cmd/opm/index/deprecatetruncate.go

@@ -5,6 +5,7 @@ import (
 	"github.com/spf13/cobra"
 	"k8s.io/kubectl/pkg/util/templates"
 
+	"github.com/operator-framework/operator-registry/cmd/opm/internal/util"
 	"github.com/operator-framework/operator-registry/pkg/containertools"
 	"github.com/operator-framework/operator-registry/pkg/lib/indexer"
 	"github.com/operator-framework/operator-registry/pkg/sqlite"
@@ -110,7 +111,7 @@ func runIndexDeprecateTruncateCmdFunc(cmd *cobra.Command, _ []string) error {
 		return err
 	}
 
-	skipTLS, err := cmd.Flags().GetBool("skip-tls")
+	skipTLSVerify, useHTTP, err := util.GetTLSOptions(cmd)
 	if err != nil {
 		return err
 	}
@@ -137,7 +138,8 @@ func runIndexDeprecateTruncateCmdFunc(cmd *cobra.Command, _ []string) error {
 		Tag:                 tag,
 		Bundles:             bundles,
 		Permissive:          permissive,
-		SkipTLS:             skipTLS,
+		SkipTLSVerify:       skipTLSVerify,
+		PlainHTTP:           useHTTP,
 		AllowPackageRemoval: allowPackageRemoval,
 	}
 

cmd/opm/index/export.go

@@ -7,6 +7,7 @@ import (
 	"github.com/spf13/cobra"
 	"k8s.io/kubectl/pkg/util/templates"
 
+	"github.com/operator-framework/operator-registry/cmd/opm/internal/util"
 	"github.com/operator-framework/operator-registry/pkg/containertools"
 	"github.com/operator-framework/operator-registry/pkg/lib/indexer"
 	"github.com/operator-framework/operator-registry/pkg/sqlite"
@@ -100,7 +101,7 @@ func runIndexExportCmdFunc(cmd *cobra.Command, _ []string) error {
 		return err
 	}
 
-	skipTLS, err := cmd.Flags().GetBool("skip-tls")
+	skipTLSVerify, useHTTP, err := util.GetTLSOptions(cmd)
 	if err != nil {
 		return err
 	}
@@ -116,7 +117,8 @@ func runIndexExportCmdFunc(cmd *cobra.Command, _ []string) error {
 		Packages:      packages,
 		DownloadPath:  downloadPath,
 		ContainerTool: containertools.NewContainerTool(containerTool, containertools.NoneTool),
-		SkipTLS:       skipTLS,
+		SkipTLSVerify: skipTLSVerify,
+		PlainHTTP:     useHTTP,
 	}
 
 	err = indexExporter.ExportFromIndex(request)

cmd/opm/index/prune.go

@@ -6,6 +6,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
+	"github.com/operator-framework/operator-registry/cmd/opm/internal/util"
 	"github.com/operator-framework/operator-registry/pkg/containertools"
 	"github.com/operator-framework/operator-registry/pkg/lib/indexer"
 	"github.com/operator-framework/operator-registry/pkg/sqlite"
@@ -99,7 +100,7 @@ func runIndexPruneCmdFunc(cmd *cobra.Command, _ []string) error {
 		return err
 	}
 
-	skipTLS, err := cmd.Flags().GetBool("skip-tls")
+	skipTLSVerify, useHTTP, err := util.GetTLSOptions(cmd)
 	if err != nil {
 		return err
 	}
@@ -118,7 +119,8 @@ func runIndexPruneCmdFunc(cmd *cobra.Command, _ []string) error {
 		Packages:          packages,
 		Tag:               tag,
 		Permissive:        permissive,
-		SkipTLS:           skipTLS,
+		SkipTLSVerify:     skipTLSVerify,
+		PlainHTTP:         useHTTP,
 	}
 
 	err = indexPruner.PruneFromIndex(request)

cmd/opm/index/prunestranded.go

@@ -6,6 +6,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
+	"github.com/operator-framework/operator-registry/cmd/opm/internal/util"
 	"github.com/operator-framework/operator-registry/pkg/containertools"
 	"github.com/operator-framework/operator-registry/pkg/lib/indexer"
 	"github.com/operator-framework/operator-registry/pkg/sqlite"
@@ -84,7 +85,7 @@ func runIndexPruneStrandedCmdFunc(cmd *cobra.Command, _ []string) error {
 		return err
 	}
 
-	skipTLS, err := cmd.Flags().GetBool("skip-tls")
+	skipTLSVerify, useHTTP, err := util.GetTLSOptions(cmd)
 	if err != nil {
 		return err
 	}
@@ -101,7 +102,8 @@ func runIndexPruneStrandedCmdFunc(cmd *cobra.Command, _ []string) error {
 		BinarySourceImage: binaryImage,
 		OutDockerfile:     outDockerfile,
 		Tag:               tag,
-		SkipTLS:           skipTLS,
+		SkipTLSVerify:     skipTLSVerify,
+		PlainHTTP:         useHTTP,
 	}
 
 	err = indexPruner.PruneStrandedFromIndex(request)

cmd/opm/internal/util/util.go

@@ -0,0 +1,39 @@
+package util
+
+import (
+	"errors"
+
+	"github.com/spf13/cobra"
+)
+
+// GetTLSOptions validates and returns TLS options set by opm flags
+func GetTLSOptions(cmd *cobra.Command) (bool, bool, error) {
+	skipTLS, err := cmd.Flags().GetBool("skip-tls")
+	if err != nil {
+		return false, false, err
+	}
+	skipTLSVerify, err := cmd.Flags().GetBool("skip-tls-verify")
+	if err != nil {
+		return false, false, err
+	}
+	useHTTP, err := cmd.Flags().GetBool("use-http")
+	if err != nil {
+		return false, false, err
+	}
+
+	switch {
+	case cmd.Flags().Changed("skip-tls") && cmd.Flags().Changed("use-http"):
+		return false, false, errors.New("invalid flag combination: cannot use --use-http with --skip-tls")
+	case cmd.Flags().Changed("skip-tls") && cmd.Flags().Changed("skip-tls-verify"):
+		return false, false, errors.New("invalid flag combination: cannot use --skip-tls-verify with --skip-tls")
+	case skipTLSVerify && useHTTP:
+		return false, false, errors.New("invalid flag combination: --use-http and --skip-tls-verify cannot both be true")
+	default:
+		// return use HTTP true if just skipTLS
+		// is set for functional parity with existing
+		if skipTLS {
+			return false, true, nil
+		}
+		return skipTLSVerify, useHTTP, nil
+	}
+}

cmd/opm/registry/add.go

@@ -7,6 +7,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
+	"github.com/operator-framework/operator-registry/cmd/opm/internal/util"
 	"github.com/operator-framework/operator-registry/pkg/containertools"
 	"github.com/operator-framework/operator-registry/pkg/lib/registry"
 	reg "github.com/operator-framework/operator-registry/pkg/registry"
@@ -36,7 +37,9 @@ func newRegistryAddCmd() *cobra.Command {
 	rootCmd.Flags().StringP("database", "d", "bundles.db", "relative path to database file")
 	rootCmd.Flags().StringSliceP("bundle-images", "b", []string{}, "comma separated list of links to bundle image")
 	rootCmd.Flags().Bool("permissive", false, "allow registry load errors")
-	rootCmd.Flags().Bool("skip-tls", false, "skip TLS certificate verification for container image registries while pulling bundles")
+	rootCmd.Flags().Bool("skip-tls", false, "use Plain HTTP for container image registries while pulling bundles")
+	rootCmd.Flags().Bool("skip-tls-verify", false, "skip TLS certificate verification for container image registries while pulling bundles")
+	rootCmd.Flags().Bool("use-http", false, "use plain HTTP for container image registries while pulling bundles")
 	rootCmd.Flags().String("ca-file", "", "the root certificates to use when --container-tool=none; see docker/podman docs for certificate loading instructions")
 	rootCmd.Flags().StringP("mode", "", "replaces", "graph update mode that defines how channel graphs are updated. One of: [replaces, semver, semver-skippatch]")
 	rootCmd.Flags().StringP("container-tool", "c", "none", "tool to interact with container images (save, build, etc.). One of: [none, docker, podman]")
@@ -48,6 +51,9 @@ func newRegistryAddCmd() *cobra.Command {
 	if err := rootCmd.Flags().MarkHidden("enable-alpha"); err != nil {
 		logrus.Panic(err.Error())
 	}
+	if err := rootCmd.Flags().MarkDeprecated("skip-tls", "use --use-http and --skip-tls-verify instead"); err != nil {
+		logrus.Panic(err.Error())
+	}
 	return rootCmd
 }
 
@@ -56,10 +62,6 @@ func addFunc(cmd *cobra.Command, _ []string) error {
 	if err != nil {
 		return err
 	}
-	skipTLS, err := cmd.Flags().GetBool("skip-tls")
-	if err != nil {
-		return err
-	}
 	caFile, err := cmd.Flags().GetString("ca-file")
 	if err != nil {
 		return err
@@ -95,9 +97,14 @@ func addFunc(cmd *cobra.Command, _ []string) error {
 		return err
 	}
 
+	skipTLSVerify, useHTTP, err := util.GetTLSOptions(cmd)
+	if err != nil {
+		return err
+	}
+
 	if caFile != "" {
-		if skipTLS {
-			return errors.New("--skip-tls must be false when --ca-file is set")
+		if skipTLSVerify {
+			return errors.New("--skip-tls-verify must be false when --ca-file is set")
 		}
 		if containerTool != containertools.NoneTool {
 			return fmt.Errorf("--ca-file cannot be set with --container-tool=%[1]s; "+
@@ -107,7 +114,8 @@ func addFunc(cmd *cobra.Command, _ []string) error {
 
 	request := registry.AddToRegistryRequest{
 		Permissive:    permissive,
-		SkipTLS:       skipTLS,
+		SkipTLSVerify: skipTLSVerify,
+		PlainHTTP:     useHTTP,
 		CaFile:        caFile,
 		InputDatabase: fromFilename,
 		Bundles:       bundleImages,
@@ -119,8 +127,12 @@ func addFunc(cmd *cobra.Command, _ []string) error {
 
 	logger := logrus.WithFields(logrus.Fields{"bundles": bundleImages})
 
-	if skipTLS {
-		logger.Warn("--skip-tls flag is set: this mode is insecure and meant for development purposes only.")
+	if skipTLSVerify {
+		logger.Warn("--skip-tls-verify flag is set: this mode is insecure and meant for development purposes only.")
+	}
+
+	if useHTTP {
+		logger.Warn("--use-http flag is set: this mode is insecure and meant for development purposes only.")
 	}
 
 	logger.Info("adding to the registry")

docs/contributors/e2e_tests.md

@@ -19,13 +19,13 @@ running even after the test suite has completed.
 1. Start the e2e tests:
 
    ```bash
-   DOCKER_REGISTRY_HOST=localhost:5000 GOENV='GOOS=linux' make build e2e SKIPTLS="true" CLUSTER=kind
+   DOCKER_REGISTRY_HOST=localhost:5000 GOENV='GOOS=linux' make build e2e USEHTTP="true" CLUSTER=kind
    ```
 
 1. Run a specific BDD test using the `TEST` argument to make. Note that this argument uses regular expressions.
 
    ```bash
-   DOCKER_REGISTRY_HOST=localhost:5000 GOENV='GOOS=linux' make build e2e TEST='builds and manipulates bundle and index images' SKIPTLS="true" CLUSTER=kind   
+   DOCKER_REGISTRY_HOST=localhost:5000 GOENV='GOOS=linux' make build e2e TEST='builds and manipulates bundle and index images' USEHTTP="true" CLUSTER=kind   
    ```
 
 1. If you want a quick way to ensure that your TEST regex argument will work, you can bypass the