Skip tlsVerify insecure BUILD_REGISTRY_SOURCES
If the registry is allowed as insecure via BUILD_REGISTRY_SOURCES, hardcode skipping TLS verification to avoid the errors. Returns an error if insecureRegistries is set but TLS verification is forced. Signed-off-by: Qi Wang <qiwan@redhat.com>
52
commit.go
52
commit.go
@ -167,17 +167,17 @@ var (
|
||||
// variable, if it's set. The contents are expected to be a JSON-encoded
|
||||
// github.com/openshift/api/config/v1.Image, set by an OpenShift build
|
||||
// controller that arranged for us to be run in a container.
|
||||
func checkRegistrySourcesAllows(forWhat string, dest types.ImageReference) error {
|
||||
func checkRegistrySourcesAllows(forWhat string, dest types.ImageReference) (insecure bool, err error) {
|
||||
transport := dest.Transport()
|
||||
if transport == nil {
|
||||
return nil
|
||||
return false, nil
|
||||
}
|
||||
if transport.Name() != docker.Transport.Name() {
|
||||
return nil
|
||||
return false, nil
|
||||
}
|
||||
dref := dest.DockerReference()
|
||||
if dref == nil || reference.Domain(dref) == "" {
|
||||
return nil
|
||||
return false, nil
|
||||
}
|
||||
|
||||
if registrySources, ok := os.LookupEnv("BUILD_REGISTRY_SOURCES"); ok && len(registrySources) > 0 {
|
||||
@ -188,7 +188,7 @@ func checkRegistrySourcesAllows(forWhat string, dest types.ImageReference) error
|
||||
AllowedRegistries []string `json:"allowedRegistries,omitempty"`
|
||||
}
|
||||
if err := json.Unmarshal([]byte(registrySources), &sources); err != nil {
|
||||
return errors.Wrapf(err, "error parsing $BUILD_REGISTRY_SOURCES (%q) as JSON", registrySources)
|
||||
return false, errors.Wrapf(err, "error parsing $BUILD_REGISTRY_SOURCES (%q) as JSON", registrySources)
|
||||
}
|
||||
blocked := false
|
||||
if len(sources.BlockedRegistries) > 0 {
|
||||
@ -199,7 +199,7 @@ func checkRegistrySourcesAllows(forWhat string, dest types.ImageReference) error
|
||||
}
|
||||
}
|
||||
if blocked {
|
||||
return errors.Errorf("%s registry at %q denied by policy: it is in the blocked registries list", forWhat, reference.Domain(dref))
|
||||
return false, errors.Errorf("%s registry at %q denied by policy: it is in the blocked registries list", forWhat, reference.Domain(dref))
|
||||
}
|
||||
allowed := true
|
||||
if len(sources.AllowedRegistries) > 0 {
|
||||
@ -211,10 +211,13 @@ func checkRegistrySourcesAllows(forWhat string, dest types.ImageReference) error
|
||||
}
|
||||
}
|
||||
if !allowed {
|
||||
return errors.Errorf("%s registry at %q denied by policy: not in allowed registries list", forWhat, reference.Domain(dref))
|
||||
return false, errors.Errorf("%s registry at %q denied by policy: not in allowed registries list", forWhat, reference.Domain(dref))
|
||||
}
|
||||
if len(sources.InsecureRegistries) > 0 {
|
||||
return true, nil
|
||||
}
|
||||
}
|
||||
return nil
|
||||
return false, nil
|
||||
}
|
||||
|
||||
// Commit writes the contents of the container, along with its updated
|
||||
@ -278,9 +281,18 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options
|
||||
}()
|
||||
|
||||
// Check if the commit is blocked by $BUILDER_REGISTRY_SOURCES.
|
||||
if err := checkRegistrySourcesAllows("commit to", dest); err != nil {
|
||||
insecure, err := checkRegistrySourcesAllows("commit to", dest)
|
||||
if err != nil {
|
||||
return imgID, nil, "", err
|
||||
}
|
||||
if insecure {
|
||||
if systemContext.DockerInsecureSkipTLSVerify == types.OptionalBoolFalse {
|
||||
return imgID, nil, "", errors.Errorf("can't require tls verification on an insecured registry")
|
||||
}
|
||||
systemContext.DockerInsecureSkipTLSVerify = types.OptionalBoolTrue
|
||||
systemContext.OCIInsecureSkipTLSVerify = true
|
||||
systemContext.DockerDaemonInsecureSkipTLSVerify = true
|
||||
}
|
||||
if len(options.AdditionalTags) > 0 {
|
||||
names, err := util.ExpandNames(options.AdditionalTags, "", systemContext, b.store)
|
||||
if err != nil {
|
||||
@ -291,9 +303,18 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options
|
||||
if err != nil {
|
||||
return imgID, nil, "", errors.Wrapf(err, "error parsing image name %q as an image reference", name)
|
||||
}
|
||||
if err := checkRegistrySourcesAllows("commit to", additionalDest); err != nil {
|
||||
insecure, err := checkRegistrySourcesAllows("commit to", additionalDest)
|
||||
if err != nil {
|
||||
return imgID, nil, "", err
|
||||
}
|
||||
if insecure {
|
||||
if systemContext.DockerInsecureSkipTLSVerify == types.OptionalBoolFalse {
|
||||
return imgID, nil, "", errors.Errorf("can't require tls verification on an insecured registry")
|
||||
}
|
||||
systemContext.DockerInsecureSkipTLSVerify = types.OptionalBoolTrue
|
||||
systemContext.OCIInsecureSkipTLSVerify = true
|
||||
systemContext.DockerDaemonInsecureSkipTLSVerify = true
|
||||
}
|
||||
}
|
||||
}
|
||||
logrus.Debugf("committing image with reference %q is allowed by policy", transports.ImageName(dest))
|
||||
@ -471,9 +492,18 @@ func Push(ctx context.Context, image string, dest types.ImageReference, options
|
||||
}
|
||||
|
||||
// Check if the push is blocked by $BUILDER_REGISTRY_SOURCES.
|
||||
if err := checkRegistrySourcesAllows("push to", dest); err != nil {
|
||||
insecure, err := checkRegistrySourcesAllows("push to", dest)
|
||||
if err != nil {
|
||||
return nil, "", err
|
||||
}
|
||||
if insecure {
|
||||
if systemContext.DockerInsecureSkipTLSVerify == types.OptionalBoolFalse {
|
||||
return nil, "", errors.Errorf("can't require tls verification on an insecured registry")
|
||||
}
|
||||
systemContext.DockerInsecureSkipTLSVerify = types.OptionalBoolTrue
|
||||
systemContext.OCIInsecureSkipTLSVerify = true
|
||||
systemContext.DockerDaemonInsecureSkipTLSVerify = true
|
||||
}
|
||||
logrus.Debugf("pushing image to reference %q is allowed by policy", transports.ImageName(dest))
|
||||
|
||||
// Copy everything.
|
||||
|
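Review bot: The new `if len(sources.InsecureRegistries) > 0 { return true, nil }` in checkRegistrySourcesAllows reports insecure=true for every destination as soon as the list is non-empty, without checking that `reference.Domain(dref)` is actually listed, so configuring a single insecure registry disables TLS verification for commits and pushes to all registries. The blocked and allowed checks just above appear to match on the destination's domain (their loop bodies sit outside the hunk), and the insecure check should do the same, as in the excerpt below. The identical ten-line flag-setting block is then repeated in Commit (twice) and in Push and mutates the shared systemContext, so an insecure additional tag also relaxes verification for the whole operation including the primary destination; a small helper taking `*types.SystemContext` would keep the three copies in sync and make that scope explicit. The enclosing Commit and Push functions start and end outside their hunks.
```go
		// … unchanged: blocked/allowed checks …
		// Only an explicit entry for this destination's domain relaxes TLS verification.
		for _, registry := range sources.InsecureRegistries {
			if registry == reference.Domain(dref) {
				return true, nil
			}
		}
```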