From 4ba6148621eb6be868c27883162a36e80c0ff0bc Mon Sep 17 00:00:00 2001
From: Sebastian Jackel
Date: Fri, 24 Aug 2018 14:20:32 +0200
Subject: [PATCH 1/3] Implement separation between Insecure (HTTP) registry and skipping TLS verification into two separate command line parameters
---
 cmd/executor/cmd/root.go | 3 ++-
 pkg/executor/push.go | 4 ++--
 pkg/options/options.go | 25 +++++++++++++------------
 3 files changed, 17 insertions(+), 15 deletions(-)
diff --git a/cmd/executor/cmd/root.go b/cmd/executor/cmd/root.go
index 44a00c757..ecfc986b8 100644
--- a/cmd/executor/cmd/root.go
+++ b/cmd/executor/cmd/root.go
@@ -85,7 +85,8 @@ func addKanikoOptionsFlags(cmd *cobra.Command) {
 RootCmd.PersistentFlags().VarP(&opts.Destinations, "destination", "d", "Registry the final image should be pushed to. Set it repeatedly for multiple destinations.")
 RootCmd.PersistentFlags().StringVarP(&opts.SnapshotMode, "snapshotMode", "", "full", "Change the file attributes inspected during snapshotting")
 RootCmd.PersistentFlags().VarP(&opts.BuildArgs, "build-arg", "", "This flag allows you to pass in ARG values at build time. Set it repeatedly for multiple values.")
- RootCmd.PersistentFlags().BoolVarP(&opts.DockerInsecureSkipTLSVerify, "insecure-skip-tls-verify", "", false, "Push to insecure registry ignoring TLS verify")
+ RootCmd.PersistentFlags().BoolVarP(&opts.DockerInsecure, "insecure", "", false, "Push to insecure registry using plain HTTP")
+ RootCmd.PersistentFlags().BoolVarP(&opts.SkipTlsVerify, "skip-tls-verify", "", false, "Push to insecure registry ignoring TLS verify")
 RootCmd.PersistentFlags().StringVarP(&opts.TarPath, "tarPath", "", "", "Path to save the image in as a tarball instead of pushing")
 RootCmd.PersistentFlags().BoolVarP(&opts.SingleSnapshot, "single-snapshot", "", false, "Take a single snapshot at the end of the build.")
 RootCmd.PersistentFlags().BoolVarP(&opts.Reproducible, "reproducible", "", false, "Strip timestamps out of the image to make it reproducible")
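Review bot: In cmd/executor/cmd/root.go the new field is spelled `SkipTlsVerify`, while the field it replaces used the Go initialism form (`DockerInsecureSkipTLSVerify`); `SkipTLSVerify` would keep the naming consistent, and the same identifier is declared in the pkg/options/options.go hunk and read in pkg/executor/push.go. The help string for `--skip-tls-verify` is carried over unchanged and still speaks of an "insecure registry" without saying that certificate validation is switched off; something like `"Push to registry without verifying its TLS certificate (testing only)"` tells the operator what protection is being dropped. The old `--insecure-skip-tls-verify` flag is removed with no alias, so existing invocations will presumably be rejected as an unknown flag; if that is intended it deserves a line in the release notes.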
diff --git a/pkg/executor/push.go b/pkg/executor/push.go
index ea7441285..19147a4f4 100644
--- a/pkg/executor/push.go
+++ b/pkg/executor/push.go
@@ -67,7 +67,7 @@ func DoPush(image v1.Image, opts *options.KanikoOptions) error {
 // continue pushing unless an error occurs
 for _, destRef := range destRefs {
- if opts.DockerInsecureSkipTLSVerify {
+ if opts.DockerInsecure {
 newReg, err := name.NewInsecureRegistry(destRef.Repository.Registry.Name(), name.WeakValidation)
 if err != nil {
 return errors.Wrap(err, "getting new insecure registry")
@@ -87,7 +87,7 @@ func DoPush(image v1.Image, opts *options.KanikoOptions) error {
 // Create a transport to set our user-agent.
 tr := http.DefaultTransport
- if opts.DockerInsecureSkipTLSVerify {
+ if opts.SkipTlsVerify {
 tr.(*http.Transport).TLSClientConfig = &tls.Config{
 InsecureSkipVerify: true,
 }
diff --git a/pkg/options/options.go b/pkg/options/options.go
index 9f9d59354..bffd9c964 100644
--- a/pkg/options/options.go
+++ b/pkg/options/options.go
@@ -18,16 +18,17 @@ package options
 // KanikoOptions are options that are set by command line arguments
 type KanikoOptions struct {
- DockerfilePath string
- Destinations multiArg
- SrcContext string
- SnapshotMode string
- Bucket string
- DockerInsecureSkipTLSVerify bool
- BuildArgs multiArg
- TarPath string
- SingleSnapshot bool
- Reproducible bool
- Target string
- NoPush bool
+ DockerfilePath string
+ Destinations multiArg
+ SrcContext string
+ SnapshotMode string
+ Bucket string
+ DockerInsecure bool
+ SkipTlsVerify bool
+ BuildArgs multiArg
+ TarPath string
+ SingleSnapshot bool
+ Reproducible bool
+ Target string
+ NoPush bool
 }
From 3a58f209278dab0011a8359fcdd4e23d8091ea5b Mon Sep 17 00:00:00 2001
From: Sebastian Jackel
Date: Wed, 29 Aug 2018 09:25:19 +0200
Subject: [PATCH 2/3] Added --insecure and --skip-tls-verify flag to README
---
 README.md | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/README.md b/README.md
index e8e91be46..15775d916 100644
--- a/README.md
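Review bot: In the first pkg/executor/push.go hunk the `opts.DockerInsecure` check sits inside `for _, destRef := range destRefs`, so a single `--insecure` turns every destination into a `name.NewInsecureRegistry`, including registries that are reachable over TLS. With several `--destination` values the image, and presumably whatever credentials accompany the push, can then travel in cleartext to a registry that never needed the downgrade. At minimum the loop should say so, e.g. `// --insecure is global: every destination below is pushed over plain HTTP`, and emit a warning per destination so the downgrade is visible in the build log. The loop body continues past the end of the hunk, so how `newReg` is applied is not visible here.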
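Review bot: In the second pkg/executor/push.go hunk `tr` is `http.DefaultTransport` itself, so assigning `TLSClientConfig` with `InsecureSkipVerify: true` changes the process-wide default transport rather than only the one used for this push. Once `--skip-tls-verify` is set, any other code in the executor that relies on the default client or transport would skip certificate validation as well, and the unchecked `tr.(*http.Transport)` assertion panics if the default has been replaced by another RoundTripper. Give the push its own transport and leave the default untouched, e.g. `tr = &http.Transport{Proxy: http.ProxyFromEnvironment, TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}`. DoPush continues outside the hunk, so how `tr` is wrapped afterwards cannot be checked from here.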
+++ b/README.md
@@ -285,6 +285,14 @@ Set this flag to indicate which build stage is the target build stage.
 Set this flag if you only want to build the image, without pushing to a registry.
+#### --insecure
+
+Set this flag if you want to connect to a plain HTTP registry. It is supposed to be used for testing purposes only and should not be used in production!
+
+#### --skip-tls-verify
+
+Set this flag to skip TLS certificate validation when connecting to a registry. It is supposed to be used for testing purposes only and should not be used in production!
+
 ### Debug Image
 The kaniko executor image is based off of scratch and doesn't contain a shell.
From 1a7de69f3ea1f2434b65e8756eecbe586c92aedd Mon Sep 17 00:00:00 2001
From: Sebastian Jackel
Date: Wed, 29 Aug 2018 09:28:00 +0200
Subject: [PATCH 3/3] Rename DockerInsecure field to InsecurePush
---
 cmd/executor/cmd/root.go | 2 +-
 pkg/executor/push.go | 2 +-
 pkg/options/options.go | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/cmd/executor/cmd/root.go b/cmd/executor/cmd/root.go
index ecfc986b8..856b4cdb7 100644
--- a/cmd/executor/cmd/root.go
+++ b/cmd/executor/cmd/root.go
@@ -85,7 +85,7 @@ func addKanikoOptionsFlags(cmd *cobra.Command) {
 RootCmd.PersistentFlags().VarP(&opts.Destinations, "destination", "d", "Registry the final image should be pushed to. Set it repeatedly for multiple destinations.")
 RootCmd.PersistentFlags().StringVarP(&opts.SnapshotMode, "snapshotMode", "", "full", "Change the file attributes inspected during snapshotting")
 RootCmd.PersistentFlags().VarP(&opts.BuildArgs, "build-arg", "", "This flag allows you to pass in ARG values at build time. Set it repeatedly for multiple values.")
- RootCmd.PersistentFlags().BoolVarP(&opts.DockerInsecure, "insecure", "", false, "Push to insecure registry using plain HTTP")
+ RootCmd.PersistentFlags().BoolVarP(&opts.InsecurePush, "insecure", "", false, "Push to insecure registry using plain HTTP")
 RootCmd.PersistentFlags().BoolVarP(&opts.SkipTlsVerify, "skip-tls-verify", "", false, "Push to insecure registry ignoring TLS verify")
 RootCmd.PersistentFlags().StringVarP(&opts.TarPath, "tarPath", "", "", "Path to save the image in as a tarball instead of pushing")
 RootCmd.PersistentFlags().BoolVarP(&opts.SingleSnapshot, "single-snapshot", "", false, "Take a single snapshot at the end of the build.")
diff --git a/pkg/executor/push.go b/pkg/executor/push.go
index 19147a4f4..4b0810ae4 100644
--- a/pkg/executor/push.go
+++ b/pkg/executor/push.go
@@ -67,7 +67,7 @@ func DoPush(image v1.Image, opts *options.KanikoOptions) error {
 // continue pushing unless an error occurs
 for _, destRef := range destRefs {
- if opts.DockerInsecure {
+ if opts.InsecurePush {
 newReg, err := name.NewInsecureRegistry(destRef.Repository.Registry.Name(), name.WeakValidation)
 if err != nil {
 return errors.Wrap(err, "getting new insecure registry")
diff --git a/pkg/options/options.go b/pkg/options/options.go
index bffd9c964..dbbea2afb 100644
--- a/pkg/options/options.go
+++ b/pkg/options/options.go
@@ -23,7 +23,7 @@ type KanikoOptions struct {
 SrcContext string
 SnapshotMode string
 Bucket string
- DockerInsecure bool
+ InsecurePush bool
 SkipTlsVerify bool
 BuildArgs multiArg
 TarPath string