Add insecure-registry and tls-skip-verify-registry flags (#537)

README.md

@@ -355,6 +355,16 @@ If `--destination=gcr.io/kaniko-project/test`, then cached layers will be stored
 
 _This flag must be used in conjunction with the `--cache=true` flag._
 
+#### --insecure-registry
+
+Set this flag to use plain HTTP requests when accessing a registry. It is supposed to be useed for testing purposes only and should not be used in production!
+You can set it multiple times for multiple registries.
+
+#### --skip-tls-verify-registry
+
+Set this flag to skip TLS cerificate validation when accessing a registry. It is supposed to be useed for testing purposes only and should not be used in production!
+You can set it multiple times for multiple registries.
+
 #### --cleanup
 
 Set this flag to clean the filesystem at the end of the build.

cmd/executor/cmd/root.go

@@ -129,6 +129,8 @@ func addKanikoOptionsFlags(cmd *cobra.Command) {
 	RootCmd.PersistentFlags().BoolVarP(&opts.Cache, "cache", "", false, "Use cache when building image")
 	RootCmd.PersistentFlags().BoolVarP(&opts.Cleanup, "cleanup", "", false, "Clean the filesystem at the end")
 	RootCmd.PersistentFlags().DurationVarP(&opts.CacheTTL, "cache-ttl", "", time.Hour*336, "Cache timeout in hours. Defaults to two weeks.")
+	RootCmd.PersistentFlags().VarP(&opts.InsecureRegistries, "insecure-registry", "", "Insecure registry using plain HTTP to push and pull. Set it repeatedly for multiple registries.")
+	RootCmd.PersistentFlags().VarP(&opts.SkipTLSVerifyRegistries, "skip-tls-verify-registry", "", "Insecure registry ignoring TLS verify to push and pull. Set it repeatedly for multiple registries.")
 }
 
 // addHiddenFlags marks certain flags as hidden from the executor help text

pkg/cache/cache.go

@@ -17,7 +17,9 @@ limitations under the License.
 package cache
 
 import (
+	"crypto/tls"
 	"fmt"
+	"net/http"
 	"os"
 	"path"
 	"path/filepath"
@@ -55,7 +57,24 @@ func (rc *RegistryCache) RetrieveLayer(ck string) (v1.Image, error) {
 	if err != nil {
 		return nil, errors.Wrap(err, fmt.Sprintf("getting reference for %s", cache))
 	}
-	img, err := remote.Image(cacheRef, remote.WithAuthFromKeychain(creds.GetKeychain()))
+
+	registryName := cacheRef.Repository.Registry.Name()
+	if rc.Opts.InsecureRegistries.Contains(registryName) {
+		newReg, err := name.NewInsecureRegistry(registryName, name.WeakValidation)
+		if err != nil {
+			return nil, err
+		}
+		cacheRef.Repository.Registry = newReg
+	}
+
+	tr := http.DefaultTransport.(*http.Transport)
+	if rc.Opts.SkipTLSVerifyRegistries.Contains(registryName) {
+		tr.TLSClientConfig = &tls.Config{
+			InsecureSkipVerify: true,
+		}
+	}
+
+	img, err := remote.Image(cacheRef, remote.WithTransport(tr), remote.WithAuthFromKeychain(creds.GetKeychain()))
 	if err != nil {
 		return nil, err
 	}

pkg/config/args.go

@@ -42,3 +42,12 @@ func (b *multiArg) Set(value string) error {
 func (b *multiArg) Type() string {
 	return "multi-arg type"
 }
+
+func (b *multiArg) Contains(v string) bool {
+	for _, s := range *b {
+		if s == v {
+			return true
+		}
+	}
+	return false
+}

pkg/config/options.go

@@ -42,6 +42,8 @@ type KanikoOptions struct {
 	Cache                   bool
 	Cleanup                 bool
 	CacheTTL                time.Duration
+	InsecureRegistries      multiArg
+	SkipTLSVerifyRegistries multiArg
 }
 
 // WarmerOptions are options that are set by command line arguments to the cache warmer.

pkg/executor/build.go

@@ -145,6 +145,7 @@ func (s *stageBuilder) optimize(compositeKey CompositeCache, cfg v1.Config, cmds
 		if command.ShouldCacheOutput() {
 			img, err := layerCache.RetrieveLayer(ck)
 			if err != nil {
+				logrus.Debugf("Failed to retrieve layer: %s", err)
 				logrus.Infof("No cached layer found for cmd %s", command.String())
 				logrus.Debugf("Key missing was: %s", compositeKey.Key())
 				break

pkg/executor/push.go

@@ -73,8 +73,9 @@ func DoPush(image v1.Image, opts *config.KanikoOptions) error {
 
 	// continue pushing unless an error occurs
 	for _, destRef := range destRefs {
-		if opts.Insecure {
+		registryName := destRef.Repository.Registry.Name()
-			newReg, err := name.NewInsecureRegistry(destRef.Repository.Registry.Name(), name.WeakValidation)
+		if opts.Insecure || opts.InsecureRegistries.Contains(registryName) {
+			newReg, err := name.NewInsecureRegistry(registryName, name.WeakValidation)
 			if err != nil {
 				return errors.Wrap(err, "getting new insecure registry")
 			}
@@ -88,7 +89,7 @@ func DoPush(image v1.Image, opts *config.KanikoOptions) error {
 
 		// Create a transport to set our user-agent.
 		tr := http.DefaultTransport
-		if opts.SkipTLSVerify {
+		if opts.SkipTLSVerify || opts.SkipTLSVerifyRegistries.Contains(registryName) {
 			tr.(*http.Transport).TLSClientConfig = &tls.Config{
 				InsecureSkipVerify: true,
 			}
@@ -135,5 +136,7 @@ func pushLayerToCache(opts *config.KanikoOptions, cacheKey string, tarPath strin
 	}
 	cacheOpts := *opts
 	cacheOpts.Destinations = []string{cache}
+	cacheOpts.InsecureRegistries = opts.InsecureRegistries
+	cacheOpts.SkipTLSVerifyRegistries = opts.SkipTLSVerifyRegistries
 	return DoPush(empty, &cacheOpts)
 }

pkg/util/image_util.go

@@ -100,8 +100,9 @@ func remoteImage(image string, opts *config.KanikoOptions) (v1.Image, error) {
 		return nil, err
 	}
 
-	if opts.InsecurePull {
+	registryName := ref.Context().RegistryStr()
-		newReg, err := name.NewInsecureRegistry(ref.Context().RegistryStr(), name.WeakValidation)
+	if opts.InsecurePull || opts.InsecureRegistries.Contains(registryName) {
+		newReg, err := name.NewInsecureRegistry(registryName, name.WeakValidation)
 		if err != nil {
 			return nil, err
 		}
@@ -116,7 +117,7 @@ func remoteImage(image string, opts *config.KanikoOptions) (v1.Image, error) {
 	}
 
 	tr := http.DefaultTransport.(*http.Transport)
-	if opts.SkipTLSVerifyPull {
+	if opts.SkipTLSVerifyPull || opts.SkipTLSVerifyRegistries.Contains(registryName) {
 		tr.TLSClientConfig = &tls.Config{
 			InsecureSkipVerify: true,
 		}