(feature): add an insecure option for image sources

Signed-off-by: Bryce Palmer <everettraven@gmail.com>
operator-framework · Oct 25, 2023 · 584404c · 584404c
1 parent e078853
commit 584404c
Show file tree

Hide file tree

Showing 8 changed files with 56 additions and 55 deletions.
diff --git a/Makefile b/Makefile
@@ -67,8 +67,7 @@ test-e2e: $(GINKGO) ## Run the e2e tests
 	$(GINKGO) --tags $(GO_BUILD_TAGS) $(E2E_FLAGS) -trace -progress $(FOCUS) test/e2e
 
 e2e: KIND_CLUSTER_NAME=catalogd-e2e
-e2e: DEPLOY_TARGET=e2e
-e2e: kind-cluster image-registry install test-e2e kind-cluster-cleanup ## Run e2e test suite on local kind cluster
+e2e: run image-registry test-e2e kind-cluster-cleanup ## Run e2e test suite on local kind cluster
 
 image-registry: ## Setup in-cluster image registry
 	./test/tools/imageregistry/registry.sh
@@ -154,11 +153,10 @@ kind-load: $(KIND) ## Load the built images onto the local cluster
 .PHONY: install
 install: build-container kind-load deploy wait ## Install local catalogd
 
-DEPLOY_TARGET           ?= default
 .PHONY: deploy
 deploy: $(KUSTOMIZE) ## Deploy Catalogd to the K8s cluster specified in ~/.kube/config.
 	cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMAGE)
-	$(KUSTOMIZE) build config/${DEPLOY_TARGET} | kubectl apply -f -
+	$(KUSTOMIZE) build config/default | kubectl apply -f -
 
 .PHONY: undeploy
 undeploy: $(KUSTOMIZE) ## Undeploy Catalogd from the K8s cluster specified in ~/.kube/config.

diff --git a/api/core/v1alpha1/catalog_types.go b/api/core/v1alpha1/catalog_types.go
@@ -134,6 +134,10 @@ type ImageSource struct {
 	// specified as a duration (e.g., "5m", "1h", "24h", "etc".). Note that PollInterval may not be
 	// specified for a catalog image referenced by a sha256 digest.
 	PollInterval *metav1.Duration `json:"pollInterval,omitempty"`
+	// TLSInsecureSkipVerify indicates that the registry is an insecure registry and that TLS verification
+	// should be skipped. This should not be used in a production environment.
+	// +optional
+	TLSInsecureSkipVerify bool `json:"tlsInsecureSkipVerify,omitempty"`
 }
 
 func init() {

diff --git a/config/crd/bases/catalogd.operatorframework.io_catalogs.yaml b/config/crd/bases/catalogd.operatorframework.io_catalogs.yaml
@@ -49,6 +49,10 @@ spec:
                     description: Image is the catalog image that backs the content
                       of this catalog.
                     properties:
+                      insecure:
+                        description: Insecure indicates that the registry is an insecure
+                          registry and that TLS verification should be skipped
+                        type: boolean
                       pollInterval:
                         description: PollInterval indicates the interval at which
                           the image source should be polled for new content, specified

diff --git a/config/e2e/kustomization.yaml b/config/e2e/kustomization.yaml
diff --git a/internal/source/image_registry_client.go b/internal/source/image_registry_client.go
@@ -3,9 +3,11 @@ package source
 import (
 	"archive/tar"
 	"context"
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"io/fs"
+	"net/http"
 	"os"
 	"path/filepath"
 	"strings"
@@ -65,6 +67,14 @@ func (i *ImageRegistry) Unpack(ctx context.Context, catalog *catalogdv1alpha1.Ca
 		remoteOpts = append(remoteOpts, remote.WithAuthFromKeychain(authChain))
 	}
 
+	if catalog.Spec.Source.Image.TLSInsecureSkipVerify {
+		insecureTransport := remote.DefaultTransport.(*http.Transport).Clone()
+		insecureTransport.TLSClientConfig = &tls.Config{
+			InsecureSkipVerify: true,
+		}
+		remoteOpts = append(remoteOpts, remote.WithTransport(insecureTransport))
+	}
+
 	digest, isDigest := imgRef.(name.Digest)
 	if isDigest {
 		hexVal := strings.TrimPrefix(digest.DigestStr(), "sha256:")

diff --git a/internal/source/image_registry_client_test.go b/internal/source/image_registry_client_test.go
@@ -299,6 +299,40 @@ func TestImageRegistry(t *testing.T) {
 				return img
 			}(),
 		},
+		{
+			name: "digest ref, insecure specified, happy path",
+			catalog: &v1alpha1.Catalog{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test",
+				},
+				Spec: v1alpha1.CatalogSpec{
+					Source: v1alpha1.CatalogSource{
+						Type: v1alpha1.SourceTypeImage,
+						Image: &v1alpha1.ImageSource{
+							Ref:                   "",
+							TLSInsecureSkipVerify: true,
+						},
+					},
+				},
+			},
+			wantErr: false,
+			refType: "digest",
+			image: func() v1.Image {
+				img, err := random.Image(20, 3)
+				if err != nil {
+					panic(err)
+				}
+				img, err = mutate.Config(img, v1.Config{
+					Labels: map[string]string{
+						source.ConfigDirLabel: "/configs",
+					},
+				})
+				if err != nil {
+					panic(err)
+				}
+				return img
+			}(),
+		},
 	} {
 		t.Run(tt.name, func(t *testing.T) {
 			// Create context, temporary cache directory,

diff --git a/test/e2e/unpack_test.go b/test/e2e/unpack_test.go
@@ -58,7 +58,8 @@ var _ = Describe("Catalog Unpacking", func() {
 					Source: catalogd.CatalogSource{
 						Type: catalogd.SourceTypeImage,
 						Image: &catalogd.ImageSource{
-							Ref: catalogImageRef(),
+							Ref:                   catalogImageRef(),
+							TLSInsecureSkipVerify: true,
 						},
 					},
 				},

diff --git a/test/tools/imageregistry/registry.sh b/test/tools/imageregistry/registry.sh
@@ -6,7 +6,6 @@ set -e
 # of catalogd's unpacking process. It does a few things:
 # 1. Installs cert-manager for creating a self-signed certificate for the image registry
 # 2. Creates all the resources necessary for deploying the image registry in the catalogd-e2e namespace
-# 3. Creates a ConfigMap containing the CA cert for the image registry to be used by the catalogd-controller-manager
 # 4. Creates a ConfigMap containing the CA cert for the image registry to be used by the kaniko pod
 # 5. Creates ConfigMaps containing the test catalog + Dockerfile to be mounted to the kaniko pod
 # 6. Waits for kaniko pod to have Phase == Succeeded, indicating the test catalog image has been built + pushed
@@ -25,25 +24,6 @@ kubectl wait -n catalogd-e2e --for=condition=Available deployment/docker-registr
 # get cert value
 certval=$(kubectl -n catalogd-e2e get secret/catalogd-e2e-registry -o=jsonpath='{.data.ca\.crt}' | base64 -d | sed 's/^/    /')
 
-kubectl apply -f - << EOF
-apiVersion: v1
-kind: Namespace
-metadata: 
-  name: catalogd-system
-EOF
-# create a ConfigMap that contains the CA certs for the image registry
-# This one is created for the catalogd-controller-manager
-kubectl apply -f - << EOF
-apiVersion: v1
-kind: ConfigMap
-metadata: 
-  namespace: catalogd-system
-  name: docker-registry.catalogd-e2e.svc
-data:
-  "ca-certificates.crt": |
-${certval}
-EOF
-
 # create a ConfigMap that contains the CA certs for the image registry
 # this one is created for the kaniko pod
 kubectl apply -f - << EOF