Make k8s keychain vs default keychain configurable

Signed-off-by: Marco Franssen <marco.franssen@philips.com>
philips-labs · Feb 14, 2022 · 0d93f72 · 0d93f72
1 parent 9a1ac90
commit 0d93f72
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 6 deletions.
diff --git a/cmd/slsa-provenance/cli/container.go b/cmd/slsa-provenance/cli/container.go
@@ -53,7 +53,7 @@ func OCI() *cobra.Command {
 				return err
 			}
 
-			opts := oci.WithDefaultClientOptions(cmd.Context(), true)
+			opts := o.GetRegistryClientOpts(cmd.Context())
 			subjecter := oci.NewContainerSubjecter(repo, digest, tags, opts...)
 
 			env := &github.Environment{

diff --git a/cmd/slsa-provenance/cli/options/oci.go b/cmd/slsa-provenance/cli/options/oci.go
@@ -1,15 +1,22 @@
 package options
 
 import (
+	"context"
+
+	"github.com/google/go-containerregistry/pkg/crane"
 	"github.com/spf13/cobra"
+
+	"github.com/philips-labs/slsa-provenance-action/lib/oci"
 )
 
 // OCIOptions Commandline flags used for the generate oci command.
 type OCIOptions struct {
 	GenerateOptions
-	Repository string
-	Digest     string
-	Tags       []string
+	Repository         string
+	Digest             string
+	Tags               []string
+	AllowInsecure      bool
+	KubernetesKeychain bool
 }
 
 // GetRepository The oci repository to search for the given tags.
@@ -39,4 +46,12 @@ func (o *OCIOptions) AddFlags(cmd *cobra.Command) {
 	cmd.PersistentFlags().StringVar(&o.Repository, "repository", "", "The repository of the oci artifact.")
 	cmd.PersistentFlags().StringVar(&o.Digest, "digest", "", "The digest for the oci artifact.")
 	cmd.PersistentFlags().StringSliceVar(&o.Tags, "tags", []string{"latest"}, "The given tags for this oci release.")
+	cmd.Flags().BoolVar(&o.AllowInsecure, "allow-insecure", false, "whether to allow insecure connections to registries. Don't use this for anything but testing")
+	cmd.Flags().BoolVar(&o.KubernetesKeychain, "k8s-keychain", false, "whether to use the kubernetes keychain instead of the default keychain (supports workload identity).")
+}
+
+// GetRegistryClientOpts sets some sane default options for crane to authenticate
+// private registries
+func (o *OCIOptions) GetRegistryClientOpts(ctx context.Context) []crane.Option {
+	return oci.WithDefaultClientOptions(ctx, o.KubernetesKeychain, o.AllowInsecure)
 }
diff --git a/lib/oci/auth.go b/lib/oci/auth.go
@@ -2,6 +2,8 @@ package oci
 
 import (
 	"context"
+	"crypto/tls"
+	"net/http"
 
 	"github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
 	"github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api"
@@ -13,7 +15,7 @@ import (
 
 // WithDefaultClientOptions sets some sane default options for crane to authenticate
 // private registries
-func WithDefaultClientOptions(ctx context.Context, k8sKeychain bool) []crane.Option {
+func WithDefaultClientOptions(ctx context.Context, k8sKeychain, allowInsecure bool) []crane.Option {
 	opts := []crane.Option{
 		crane.WithContext(ctx),
 	}
@@ -30,5 +32,9 @@ func WithDefaultClientOptions(ctx context.Context, k8sKeychain bool) []crane.Opt
 		opts = append(opts, crane.WithAuthFromKeychain(authn.DefaultKeychain))
 	}
 
+	if allowInsecure {
+		opts = append(opts, crane.WithTransport(&http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}})) // #nosec G402
+	}
+
 	return opts
 }
diff --git a/lib/oci/subjects_test.go b/lib/oci/subjects_test.go
@@ -16,7 +16,7 @@ func TestSubjects(t *testing.T) {
 
 	repo := "ghcr.io/philips-labs/slsa-provenance"
 
-	opts := WithDefaultClientOptions(context.Background(), false)
+	opts := WithDefaultClientOptions(context.Background(), false, false)
 
 	errorCases := []struct {
 		name   string