Add --insecure-registry to porter build command
When porter builds a bundle, we look up the repository digest of any referenced images. Previously we did that with Pull, which always allowed connections to insecure registries. Now that we execute a HEAD request to get the digest instead of pulling the image with PullImage, we can be more explicit, like we are with the publish command.

I have added --insecure-registry to porter build, so that the bundle author can decide when building if they want to allow connections to an insecure registry (http or self-signed certificates).

Signed-off-by: Carolyn Van Slyck <me@carolynvanslyck.com>
carolynvs committed Apr 7, 2023
1 parent 8274155 commit 0d556e4
Showing 7 changed files with 16 additions and 5 deletions.
2 changes: 2 additions & 0 deletions cmd/porter/bundle.go
Expand Up @@ -91,6 +91,8 @@ The docker driver builds the bundle image using the local Docker host. To use a
"Do not use the Docker cache when building the bundle's invocation image.")
f.StringArrayVar(&opts.Customs, "custom", nil,
"Define an individual key-value pair for the custom section in the form of NAME=VALUE. Use dot notation to specify a nested custom field. May be specified multiple times. Max length is 5,000 characters when used as a build argument.")
f.BoolVar(&opts.InsecureRegistry, "insecure-registry", false,
"Don't require TLS when pulling referenced images")

// Allow configuring the --driver flag with build-driver, to avoid conflicts with other commands
cmd.Flag("driver").Annotations = map[string][]string{
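Review bot: The help string on the new `--insecure-registry` flag understates what the flag turns off. The commit message says it permits plain http and self-signed certificates, and that build now resolves digests with a HEAD request rather than pulling, so the text should cover both, e.g. `"Don't require TLS or verify certificates when looking up the digests of referenced images"`. The same sentence appears in docs/content/cli/build.md and docs/content/cli/bundles_build.md, which look generated from this string and would need refreshing. The enclosing function starts and ends outside the hunk.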
1 change: 1 addition & 0 deletions docs/content/cli/build.md
Expand Up @@ -42,6 +42,7 @@ porter build [flags]
-d, --dir string Path to the build context directory where all bundle assets are located. Defaults to the current directory.
-f, --file string Path to the Porter manifest. The path is relative to the build context directory. Defaults to porter.yaml in the current directory.
-h, --help help for build
--insecure-registry Don't require TLS when pulling referenced images
--name string Override the bundle name
--no-cache Do not use the Docker cache when building the bundle's invocation image.
--no-lint Do not run the linter
1 change: 1 addition & 0 deletions docs/content/cli/bundles_build.md
Expand Up @@ -42,6 +42,7 @@ porter bundles build [flags]
-d, --dir string Path to the build context directory where all bundle assets are located. Defaults to the current directory.
-f, --file string Path to the Porter manifest. The path is relative to the build context directory. Defaults to porter.yaml in the current directory.
-h, --help help for build
--insecure-registry Don't require TLS when pulling referenced images
--name string Override the bundle name
--no-cache Do not use the Docker cache when building the bundle's invocation image.
--no-lint Do not run the linter
3 changes: 3 additions & 0 deletions pkg/porter/build.go
Expand Up @@ -35,6 +35,9 @@ type BuildOptions struct {
// Custom is the unparsed list of NAME=VALUE custom inputs set on the command line.
Customs []string

// InsecureRegistry allows connecting to an unsecured registry or one without verifiable certificates.
InsecureRegistry bool

// parsedCustoms is the parsed set of custom inputs from Customs.
parsedCustoms map[string]string
}
9 changes: 6 additions & 3 deletions pkg/porter/generateManifest.go
Expand Up @@ -64,6 +64,10 @@ func (p *Porter) generateInternalManifest(ctx context.Context, opts BuildOptions
}
}

regOpts := cnabtooci.RegistryOptions{
InsecureRegistry: opts.InsecureRegistry,
}

// find all referenced images that does not have digest specified
// get the image digest for all of them and update the manifest with the digest
err = e.WalkNodes(ctx, "images.*", func(ctx context.Context, nc *yqlib.NodeContext) error {
Expand All @@ -88,7 +92,7 @@ func (p *Porter) generateInternalManifest(ctx context.Context, opts BuildOptions
return span.Errorf("failed to parse image %s reference: %w", img.Repository, err)
}

digest, err := p.getImageDigest(ctx, ref)
digest, err := p.getImageDigest(ctx, ref, regOpts)
if err != nil {
return span.Error(err)
}
Expand Down Expand Up @@ -117,7 +121,7 @@ func (p *Porter) generateInternalManifest(ctx context.Context, opts BuildOptions
}

// getImageDigest retrieves the repository digest associated with the specified image reference.
func (p *Porter) getImageDigest(ctx context.Context, img cnab.OCIReference) (digest.Digest, error) {
func (p *Porter) getImageDigest(ctx context.Context, img cnab.OCIReference, regOpts cnabtooci.RegistryOptions) (digest.Digest, error) {
ctx, span := tracing.StartSpan(ctx, attribute.String("image", img.String()))
defer span.EndSpan()

Expand All @@ -130,7 +134,6 @@ func (p *Porter) getImageDigest(ctx context.Context, img cnab.OCIReference) (dig
img = refWithTag
}

regOpts := cnabtooci.RegistryOptions{}
imgSummary, err := p.Registry.GetImageMetadata(ctx, img, regOpts)
if err != nil {
return "", err
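Review bot: `regOpts` is built once before the `images.*` walk, so a single `--insecure-registry` applies to the registry of every referenced image, and the digest returned over that connection is the one the manifest is updated with. Nothing in these hunks records that a digest was resolved without transport verification. Adding the setting to the span in `getImageDigest`, `ctx, span := tracing.StartSpan(ctx, attribute.String("image", img.String()), attribute.Bool("insecure-registry", regOpts.InsecureRegistry))`, would leave a trail for anyone auditing a build; this assumes StartSpan accepts more than one attribute. A one-line comment at the `regOpts` declaration stating that the option covers all referenced images would also help. Both functions start and end outside the hunks shown.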
3 changes: 2 additions & 1 deletion pkg/porter/generateManifest_test.go
Expand Up @@ -173,7 +173,8 @@ func Test_getImageLatestDigest(t *testing.T) {
p.TestRegistry.MockGetImageMetadata = tc.mockGetImageMetadata
}

digest, err := p.getImageDigest(context.Background(), ref)
regOpts := cnabtooci.RegistryOptions{}
digest, err := p.getImageDigest(context.Background(), ref, regOpts)
if tc.wantErr != "" {
require.ErrorContains(t, err, tc.wantErr)
return
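Review bot: The updated call in `Test_getImageLatestDigest` only ever passes an empty `cnabtooci.RegistryOptions{}`, so nothing checks that `opts.InsecureRegistry` actually reaches `GetImageMetadata`. A case that sets `InsecureRegistry: true` and has the mock assert on the options it receives would catch a regression that drops the flag or leaves it permanently enabled. Whether `MockGetImageMetadata` is handed the options is not visible here. The test function starts and ends outside the hunk.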
2 changes: 1 addition & 1 deletion tests/smoke/airgap_test.go
Expand Up @@ -83,7 +83,7 @@ func TestAirgappedEnvironment(t *testing.T) {
})

// Build the test bundle separate from publish so we best validate that we aren't pulling referenced images during build anymore
test.RequirePorter("build")
test.RequirePorter("build", insecureFlag)

// Validate that the referenced bundle is not in the local docker cache and that build did not pull it
err = shx.RunE("docker", "image", "inspect", localRefWithDigest)
