Add insecure repository support (#1403)

fahhem · web-flow · commit 64827560cbbe · 2022-11-08T13:48:23.000-08:00
diff --git a/container/go/cmd/pusher/pusher.go b/container/go/cmd/pusher/pusher.go
@@ -46,6 +46,7 @@ var (
 	skipUnchangedDigest = flag.Bool("skip-unchanged-digest", false, "If set to true, will only push images where the digest has changed.")
 	layers              utils.ArrayStringFlags
 	stampInfoFile       utils.ArrayStringFlags
+	insecureRepository  = flag.Bool("insecure-repository", false, "If set to true, the repository is assumed to be insecure (http vs https)")
 )
 
 type dockerHeaders struct {
@@ -126,7 +127,12 @@ func main() {
 		log.Printf("Failed to digest image: %v", err)
 	}
 
-	if err := push(stamped, img); err != nil {
+	var opts []name.Option
+	if *insecureRepository {
+		opts = append(opts, name.Insecure)
+	}
+
+	if err := push(stamped, img, opts...); err != nil {
 		log.Fatalf("Error pushing image to %s: %v", stamped, err)
 	}
 
@@ -163,9 +169,9 @@ func digestExists(dst string, img v1.Image) (bool, error) {
 // NOTE: This function is adapted from https://github.com/google/go-containerregistry/blob/master/pkg/crane/push.go
 // with modification for option to push OCI layout, legacy layout or Docker tarball format.
 // Push the given image to destination <dst>.
-func push(dst string, img v1.Image) error {
+func push(dst string, img v1.Image, opts ...name.Option) error {
 	// Push the image to dst.
-	ref, err := name.ParseReference(dst)
+	ref, err := name.ParseReference(dst, opts...)
 	if err != nil {
 		return errors.Wrapf(err, "error parsing %q as an image reference", dst)
 	}
@@ -237,4 +243,3 @@ func newTransport() http.RoundTripper {
 
 	return tr
 }
-
diff --git a/container/push.bzl b/container/push.bzl
@@ -92,6 +92,8 @@ def _impl(ctx):
 
     if ctx.attr.skip_unchanged_digest:
         pusher_args.append("-skip-unchanged-digest")
+    if ctx.attr.insecure_repository:
+        pusher_args.append("-insecure-repository")
     digester_args += ["--dst", str(ctx.outputs.digest.path), "--format", str(ctx.attr.format)]
     ctx.actions.run(
         inputs = digester_input,
@@ -156,6 +158,10 @@ container_push_ = rule(
             mandatory = True,
             doc = "The label of the image to push.",
         ),
+        "insecure_repository": attr.bool(
+            default = False,
+            doc = "Whether the repository is insecure or not (http vs https)",
+        ),
         "registry": attr.string(
             mandatory = True,
             doc = "The registry to which we are pushing.",
diff --git a/docs/container.md b/docs/container.md
@@ -220,9 +220,9 @@ please use the bazel startup flag `--loading_phase_threads=1` in your bazel invo
 ## container_push
 
 <pre>
-container_push(<a href="#container_push-name">name</a>, <a href="#container_push-extension">extension</a>, <a href="#container_push-extract_config">extract_config</a>, <a href="#container_push-format">format</a>, <a href="#container_push-image">image</a>, <a href="#container_push-incremental_load_template">incremental_load_template</a>, <a href="#container_push-registry">registry</a>,
-               <a href="#container_push-repository">repository</a>, <a href="#container_push-repository_file">repository_file</a>, <a href="#container_push-skip_unchanged_digest">skip_unchanged_digest</a>, <a href="#container_push-stamp">stamp</a>, <a href="#container_push-tag">tag</a>, <a href="#container_push-tag_file">tag_file</a>, <a href="#container_push-tag_tpl">tag_tpl</a>,
-               <a href="#container_push-windows_paths">windows_paths</a>)
+container_push(<a href="#container_push-name">name</a>, <a href="#container_push-extension">extension</a>, <a href="#container_push-extract_config">extract_config</a>, <a href="#container_push-format">format</a>, <a href="#container_push-image">image</a>, <a href="#container_push-incremental_load_template">incremental_load_template</a>,
+               <a href="#container_push-insecure_repository">insecure_repository</a>, <a href="#container_push-registry">registry</a>, <a href="#container_push-repository">repository</a>, <a href="#container_push-repository_file">repository_file</a>, <a href="#container_push-skip_unchanged_digest">skip_unchanged_digest</a>,
+               <a href="#container_push-stamp">stamp</a>, <a href="#container_push-tag">tag</a>, <a href="#container_push-tag_file">tag_file</a>, <a href="#container_push-tag_tpl">tag_tpl</a>, <a href="#container_push-windows_paths">windows_paths</a>)
 </pre>
 
 
@@ -238,6 +238,7 @@ container_push(<a href="#container_push-name">name</a>, <a href="#container_push
 | <a id="container_push-format"></a>format |  The form to push: Docker or OCI, default to 'Docker'.   | String | required |  |
 | <a id="container_push-image"></a>image |  The label of the image to push.   | <a href="https://bazel.build/docs/build-ref.html#labels">Label</a> | required |  |
 | <a id="container_push-incremental_load_template"></a>incremental_load_template |  -   | <a href="https://bazel.build/docs/build-ref.html#labels">Label</a> | optional | //container:incremental_load_template |
+| <a id="container_push-insecure_repository"></a>insecure_repository |  Whether the repository is insecure or not (http vs https)   | Boolean | optional | False |
 | <a id="container_push-registry"></a>registry |  The registry to which we are pushing.   | String | required |  |
 | <a id="container_push-repository"></a>repository |  The name of the image.   | String | required |  |
 | <a id="container_push-repository_file"></a>repository_file |  The label of the file with repository value. Overrides 'repository'.   | <a href="https://bazel.build/docs/build-ref.html#labels">Label</a> | optional | None |
diff --git a/testing/e2e/pusher.sh b/testing/e2e/pusher.sh
@@ -32,4 +32,14 @@ function test_pusher_client_config_errors() {
   echo "test_pusher_client_config_errors PASSED!"
 }
 
-test_pusher_client_config_errors
+function test_pusher_insecure_repository() {
+  # Ensure the pusher validates a given client config path is a valid directory.
+  cd "${ROOT}"
+  common_opts="--dst=foo:latest --format=Docker --config=foo.json"
+  # Test that flag is accepted and the image is attempted
+  EXPECT_CONTAINS "$(bazel run //container/go/cmd/pusher -- --insecure-repository ${common_opts} 2>&1)" "unable to load image metadata"
+  echo "test_pusher_insecure_repository PASSED!"
+}
+
+test_pusher_insecure_repository
+# test_pusher_client_config_errors
