Support Insecure Registries (#2077)

* Support Insecure Registries

Signed-off-by: Prashant Rewar <108176843+prashantrewar@users.noreply.github.com>
Signed-off-by: Juan Bustamante <bustamantejj@gmail.com>
Signed-off-by: Juan Bustamante <juan.bustamante@broadcom.com>
Co-authored-by: Juan Bustamante <juan.bustamante@broadcom.com>
Co-authored-by: Juan Bustamante <bustamantejj@gmail.com>

Author: prashantrewar

internal/build/lifecycle_execution.go

@@ -382,6 +382,12 @@ func (l *LifecycleExecution) Create(ctx context.Context, buildCache, launchCache
 		flags = append(flags, "-uid", strconv.Itoa(l.opts.UID))
 	}
 
+	if l.platformAPI.AtLeast("0.13") {
+		for _, reg := range l.opts.InsecureRegistries {
+			flags = append(flags, "-insecure-registry", reg)
+		}
+	}
+
 	if l.opts.PreviousImage != "" {
 		if l.opts.Image == nil {
 			return errors.New("image can't be nil")
@@ -539,6 +545,12 @@ func (l *LifecycleExecution) Restore(ctx context.Context, buildCache Cache, kani
 		flags = append(flags, "-uid", strconv.Itoa(l.opts.UID))
 	}
 
+	if l.platformAPI.AtLeast("0.13") {
+		for _, reg := range l.opts.InsecureRegistries {
+			flags = append(flags, "-insecure-registry", reg)
+		}
+	}
+
 	// for kaniko
 	kanikoCacheBindOp := NullOp()
 	if (l.platformAPI.AtLeast("0.10") && l.hasExtensionsForBuild()) ||
@@ -646,6 +658,12 @@ func (l *LifecycleExecution) Analyze(ctx context.Context, buildCache, launchCach
 		flags = append(flags, "-uid", strconv.Itoa(l.opts.UID))
 	}
 
+	if l.platformAPI.AtLeast("0.13") {
+		for _, reg := range l.opts.InsecureRegistries {
+			flags = append(flags, "-insecure-registry", reg)
+		}
+	}
+
 	if l.opts.PreviousImage != "" {
 		if l.opts.Image == nil {
 			return errors.New("image can't be nil")
@@ -855,6 +873,12 @@ func (l *LifecycleExecution) Export(ctx context.Context, buildCache, launchCache
 		flags = append(flags, "-uid", strconv.Itoa(l.opts.UID))
 	}
 
+	if l.platformAPI.AtLeast("0.13") {
+		for _, reg := range l.opts.InsecureRegistries {
+			flags = append(flags, "-insecure-registry", reg)
+		}
+	}
+
 	cacheBindOp := NullOp()
 	switch buildCache.Type() {
 	case cache.Image:

internal/build/lifecycle_executor.go

@@ -94,6 +94,7 @@ type LifecycleOptions struct {
 	Network                         string
 	AdditionalTags                  []string
 	Volumes                         []string
+	InsecureRegistries              []string
 	DefaultProcessType              string
 	FileFilter                      func(string) bool
 	Workspace                       string

internal/commands/build.go

@@ -61,6 +61,7 @@ type BuildFlags struct {
 	DateTime               string
 	PreBuildpacks          []string
 	PostBuildpacks         []string
+	InsecureRegistries     []string
 }
 
 // Build an image from source code
@@ -219,6 +220,7 @@ func Build(logger logging.Logger, cfg config.Config, packClient PackClient) *cob
 					PreviousInputImage: inputPreviousImage,
 					LayoutRepoDir:      cfg.LayoutRepositoryDir,
 				},
+				InsecureRegistries: flags.InsecureRegistries,
 			}); err != nil {
 				return errors.Wrap(err, "failed to build")
 			}
@@ -252,6 +254,7 @@ func buildCommandFlags(cmd *cobra.Command, buildFlags *BuildFlags, cfg config.Co
 	cmd.Flags().StringVarP(&buildFlags.AppPath, "path", "p", "", "Path to app dir or zip-formatted file (defaults to current working directory)")
 	cmd.Flags().StringSliceVarP(&buildFlags.Buildpacks, "buildpack", "b", nil, "Buildpack to use. One of:\n  a buildpack by id and version in the form of '<buildpack>@<version>',\n  path to a buildpack directory (not supported on Windows),\n  path/URL to a buildpack .tar or .tgz file, or\n  a packaged buildpack image name in the form of '<hostname>/<repo>[:<tag>]'"+stringSliceHelp("buildpack"))
 	cmd.Flags().StringSliceVarP(&buildFlags.Extensions, "extension", "", nil, "Extension to use. One of:\n  an extension by id and version in the form of '<extension>@<version>',\n  path to an extension directory (not supported on Windows),\n  path/URL to an extension .tar or .tgz file, or\n  a packaged extension image name in the form of '<hostname>/<repo>[:<tag>]'"+stringSliceHelp("extension"))
+	cmd.Flags().StringArrayVar(&buildFlags.InsecureRegistries, "insecure-registry", []string{}, "List of insecure registries (only available for API >= 0.13)")
 	cmd.Flags().StringVarP(&buildFlags.Builder, "builder", "B", cfg.DefaultBuilder, "Builder image")
 	cmd.Flags().Var(&buildFlags.Cache, "cache",
 		`Cache options used to define cache techniques for build process.

internal/commands/build_test.go

@@ -982,6 +982,31 @@ builder = "my-builder"
 				h.AssertError(t, err, "Exporting to OCI layout is currently experimental.")
 			})
 		})
+
+		when("--insecure-registry is provided", func() {
+			it("sets one insecure registry", func() {
+				mockClient.EXPECT().
+					Build(gomock.Any(), EqBuildOptionsWithInsecureRegistries([]string{
+						"foo.bar",
+					})).
+					Return(nil)
+
+				command.SetArgs([]string{"image", "--builder", "my-builder", "--insecure-registry", "foo.bar"})
+				h.AssertNil(t, command.Execute())
+			})
+
+			it("sets more than one insecure registry", func() {
+				mockClient.EXPECT().
+					Build(gomock.Any(), EqBuildOptionsWithInsecureRegistries([]string{
+						"foo.bar",
+						"foo.com",
+					})).
+					Return(nil)
+
+				command.SetArgs([]string{"image", "--builder", "my-builder", "--insecure-registry", "foo.bar", "--insecure-registry", "foo.com"})
+				h.AssertNil(t, command.Execute())
+			})
+		})
 	})
 
 	when("export to OCI layout is expected", func() {
@@ -1243,6 +1268,18 @@ func EqBuildOptionsWithLayoutConfig(image, previousImage string, sparse bool, la
 	}
 }
 
+func EqBuildOptionsWithInsecureRegistries(insecureRegistries []string) gomock.Matcher {
+	return buildOptionsMatcher{
+		description: fmt.Sprintf("Insercure Registries=%s", insecureRegistries),
+		equals: func(o client.BuildOptions) bool {
+			if len(o.InsecureRegistries) != len(insecureRegistries) {
+				return false
+			}
+			return reflect.DeepEqual(o.InsecureRegistries, insecureRegistries)
+		},
+	}
+}
+
 type buildOptionsMatcher struct {
 	equals      func(client.BuildOptions) bool
 	description string

internal/commands/rebase.go

@@ -52,7 +52,7 @@ func Rebase(logger logging.Logger, cfg config.Config, pack PackClient) *cobra.Co
 	cmd.Flags().StringVar(&opts.PreviousImage, "previous-image", "", "Image to rebase. Set to a particular tag reference, digest reference, or (when performing a daemon build) image ID. Use this flag in combination with <image-name> to avoid replacing the original image.")
 	cmd.Flags().StringVar(&opts.ReportDestinationDir, "report-output-dir", "", "Path to export build report.toml.\nOmitting the flag yield no report file.")
 	cmd.Flags().BoolVar(&opts.Force, "force", false, "Perform rebase operation without target validation (only available for API >= 0.12)")
-
+	cmd.Flags().StringArrayVar(&opts.InsecureRegistries, "insecure-registry", []string{}, "List of insecure registries (only available for API >= 0.13)")
 	AddHelpFlag(cmd, "rebase")
 	return cmd
 }

internal/commands/rebase_test.go

@@ -50,6 +50,7 @@ func testRebaseCommand(t *testing.T, when spec.G, it spec.S) {
 	when("#RebaseCommand", func() {
 		when("no image is provided", func() {
 			it("fails to run", func() {
+				command.SetArgs([]string{})
 				err := command.Execute()
 				h.AssertError(t, err, "accepts 1 arg")
 			})
@@ -80,6 +81,7 @@ func testRebaseCommand(t *testing.T, when spec.G, it spec.S) {
 					AdditionalMirrors: map[string][]string{
 						runImage: {testMirror1, testMirror2},
 					},
+					InsecureRegistries: []string{},
 				}
 			})
 
@@ -122,6 +124,7 @@ func testRebaseCommand(t *testing.T, when spec.G, it spec.S) {
 					h.AssertError(t, command.Execute(), "parsing pull policy")
 				})
 			})
+
 			when("--pull-policy not set", func() {
 				when("no policy set in config", func() {
 					it("uses the default policy", func() {
@@ -158,6 +161,7 @@ func testRebaseCommand(t *testing.T, when spec.G, it spec.S) {
 					})
 				})
 			})
+
 			when("image name and previous image are provided", func() {
 				var expectedOpts client.RebaseOptions
 
@@ -182,7 +186,8 @@ func testRebaseCommand(t *testing.T, when spec.G, it spec.S) {
 						AdditionalMirrors: map[string][]string{
 							runImage: {testMirror1, testMirror2},
 						},
-						PreviousImage: previousImage,
+						PreviousImage:      previousImage,
+						InsecureRegistries: []string{},
 					}
 					expectedOpts = opts
 				})
@@ -196,6 +201,35 @@ func testRebaseCommand(t *testing.T, when spec.G, it spec.S) {
 					h.AssertNil(t, command.Execute())
 				})
 			})
+
+			when("--insecure-registry is provided", func() {
+				it("sets one insecure registry", func() {
+					opts.PullPolicy = image.PullAlways
+					opts.InsecureRegistries = []string{
+						"foo.bar",
+					}
+					mockClient.EXPECT().
+						Rebase(gomock.Any(), opts).
+						Return(nil)
+
+					command.SetArgs([]string{repoName, "--insecure-registry", "foo.bar"})
+					h.AssertNil(t, command.Execute())
+				})
+
+				it("sets more than one insecure registry", func() {
+					opts.PullPolicy = image.PullAlways
+					opts.InsecureRegistries = []string{
+						"foo.bar",
+						"foo.com",
+					}
+					mockClient.EXPECT().
+						Rebase(gomock.Any(), opts).
+						Return(nil)
+
+					command.SetArgs([]string{repoName, "--insecure-registry", "foo.bar", "--insecure-registry", "foo.com"})
+					h.AssertNil(t, command.Execute())
+				})
+			})
 		})
 	})
 }

pkg/client/build.go

@@ -231,6 +231,8 @@ type BuildOptions struct {
 
 	// Enable user namespace isolation for the build containers
 	EnableUsernsHost bool
+
+	InsecureRegistries []string
 }
 
 func (b *BuildOptions) Layout() bool {
@@ -366,9 +368,11 @@ func (c *Client) Build(ctx context.Context, opts BuildOptions) error {
 		ctx,
 		builderRef.Name(),
 		image.FetchOptions{
-			Daemon:     true,
-			Target:     requestedTarget,
-			PullPolicy: opts.PullPolicy},
+			Daemon:             true,
+			Target:             requestedTarget,
+			PullPolicy:         opts.PullPolicy,
+			InsecureRegistries: opts.InsecureRegistries,
+		},
 	)
 	if err != nil {
 		return errors.Wrapf(err, "failed to fetch builder image '%s'", builderRef.Name())
@@ -390,9 +394,10 @@ func (c *Client) Build(ctx context.Context, opts BuildOptions) error {
 	}
 
 	fetchOptions := image.FetchOptions{
-		Daemon:     !opts.Publish,
-		PullPolicy: opts.PullPolicy,
-		Target:     targetToUse,
+		Daemon:             !opts.Publish,
+		PullPolicy:         opts.PullPolicy,
+		Target:             targetToUse,
+		InsecureRegistries: opts.InsecureRegistries,
 	}
 	runImageName := c.resolveRunImage(opts.RunImage, imgRegistry, builderRef.Context().RegistryStr(), bldr.DefaultRunImage(), opts.AdditionalMirrors, opts.Publish, fetchOptions)
 
@@ -488,9 +493,10 @@ func (c *Client) Build(ctx context.Context, opts BuildOptions) error {
 				ctx,
 				lifecycleImageName,
 				image.FetchOptions{
-					Daemon:     true,
-					PullPolicy: opts.PullPolicy,
-					Target:     targetToUse,
+					Daemon:             true,
+					PullPolicy:         opts.PullPolicy,
+					Target:             targetToUse,
+					InsecureRegistries: opts.InsecureRegistries,
 				},
 			)
 			if err != nil {
@@ -661,6 +667,7 @@ func (c *Client) Build(ctx context.Context, opts BuildOptions) error {
 		Layout:                   opts.Layout(),
 		Keychain:                 c.keychain,
 		EnableUsernsHost:         opts.EnableUsernsHost,
+		InsecureRegistries:       opts.InsecureRegistries,
 	}
 
 	switch {
@@ -823,7 +830,7 @@ func (c *Client) Build(ctx context.Context, opts BuildOptions) error {
 	if err = c.lifecycleExecutor.Execute(ctx, lifecycleOpts); err != nil {
 		return fmt.Errorf("executing lifecycle: %w", err)
 	}
-	return c.logImageNameAndSha(ctx, opts.Publish, imageRef)
+	return c.logImageNameAndSha(ctx, opts.Publish, imageRef, opts.InsecureRegistries)
 }
 
 func usesContainerdStorage(docker DockerClient) bool {
@@ -1677,13 +1684,13 @@ func randString(n int) string {
 	return string(b)
 }
 
-func (c *Client) logImageNameAndSha(ctx context.Context, publish bool, imageRef name.Reference) error {
+func (c *Client) logImageNameAndSha(ctx context.Context, publish bool, imageRef name.Reference, insecureRegistries []string) error {
 	// The image name and sha are printed in the lifecycle logs, and there is no need to print it again, unless output is suppressed.
 	if !logging.IsQuiet(c.logger) {
 		return nil
 	}
 
-	img, err := c.imageFetcher.Fetch(ctx, imageRef.Name(), image.FetchOptions{Daemon: !publish, PullPolicy: image.PullNever})
+	img, err := c.imageFetcher.Fetch(ctx, imageRef.Name(), image.FetchOptions{Daemon: !publish, PullPolicy: image.PullNever, InsecureRegistries: insecureRegistries})
 	if err != nil {
 		return fmt.Errorf("fetching built image: %w", err)
 	}

pkg/client/client.go

@@ -1,5 +1,5 @@
 /*
-Package client provides all the functionally provided by pack as a library through a go api.
+Package client provides all the functionality provided by pack as a library through a go api.
 
 # Prerequisites
 

pkg/client/rebase.go

@@ -46,13 +46,16 @@ type RebaseOptions struct {
 	// validated (will not have any effect if API < 0.12).
 	Force bool
 
+	InsecureRegistries []string
+
 	// Image reference to use as the previous image for rebase.
 	PreviousImage string
 }
 
 // Rebase updates the run image layers in an app image.
 // This operation mutates the image specified in opts.
 func (c *Client) Rebase(ctx context.Context, opts RebaseOptions) error {
+	var flags = []string{"rebase"}
 	imageRef, err := c.parseTagReference(opts.RepoName)
 	if err != nil {
 		return errors.Wrapf(err, "invalid image name '%s'", opts.RepoName)
@@ -64,7 +67,7 @@ func (c *Client) Rebase(ctx context.Context, opts RebaseOptions) error {
 		repoName = opts.PreviousImage
 	}
 
-	appImage, err := c.imageFetcher.Fetch(ctx, repoName, image.FetchOptions{Daemon: !opts.Publish, PullPolicy: opts.PullPolicy})
+	appImage, err := c.imageFetcher.Fetch(ctx, repoName, image.FetchOptions{Daemon: !opts.Publish, PullPolicy: opts.PullPolicy, InsecureRegistries: opts.InsecureRegistries})
 	if err != nil {
 		return err
 	}
@@ -100,9 +103,10 @@ func (c *Client) Rebase(ctx context.Context, opts RebaseOptions) error {
 
 	target := &dist.Target{OS: appOS, Arch: appArch}
 	fetchOptions := image.FetchOptions{
-		Daemon:     !opts.Publish,
-		PullPolicy: opts.PullPolicy,
-		Target:     target,
+		Daemon:             !opts.Publish,
+		PullPolicy:         opts.PullPolicy,
+		Target:             target,
+		InsecureRegistries: opts.InsecureRegistries,
 	}
 
 	runImageName := c.resolveRunImage(
@@ -124,6 +128,10 @@ func (c *Client) Rebase(ctx context.Context, opts RebaseOptions) error {
 		return err
 	}
 
+	for _, reg := range opts.InsecureRegistries {
+		flags = append(flags, "-insecure-registry", reg)
+	}
+
 	c.logger.Infof("Rebasing %s on run image %s", style.Symbol(appImage.Name()), style.Symbol(baseImage.Name()))
 	rebaser := &phase.Rebaser{Logger: c.logger, PlatformAPI: build.SupportedPlatformAPIVersions.Latest(), Force: opts.Force}
 	report, err := rebaser.Rebase(appImage, baseImage, opts.RepoName, nil)