Merge pull request #402 from ankitathomas/skiptls

Bug 1866437: skip TLS option for pulling indexes

Author: openshift-merge-robot

cmd/opm/index/add.go

@@ -53,7 +53,6 @@ func addIndexAddCmd(parent *cobra.Command) {
 	if err := indexCmd.MarkFlagRequired("bundles"); err != nil {
 		logrus.Panic("Failed to set required `bundles` flag for `index add`")
 	}
-	indexCmd.Flags().Bool("skip-tls", false, "skip TLS certificate verification for container image registries while pulling bundles")
 	indexCmd.Flags().StringP("binary-image", "i", "", "container image for on-image `opm` command")
 	indexCmd.Flags().StringP("container-tool", "c", "", "tool to interact with container images (save, build, etc.). One of: [docker, podman]")
 	indexCmd.Flags().StringP("build-tool", "u", "", "tool to build container images. One of: [docker, podman]. Defaults to podman. Overrides part of container-tool.")

cmd/opm/index/cmd.go

@@ -18,9 +18,15 @@ func AddCommand(parent *cobra.Command) {
 			}
 			return nil
 		},
+		PersistentPreRun: func(cmd *cobra.Command, args []string) {
+			if skipTLS, err := cmd.Flags().GetBool("skip-tls"); err == nil && skipTLS {
+				logrus.Warn("--skip-tls flag is set: this mode is insecure and meant for development purposes only.")
+			}
+		},
 	}
 
 	parent.AddCommand(cmd)
+	parent.PersistentFlags().Bool("skip-tls", false, "skip TLS certificate verification for container image registries while pulling bundles or index")
 	cmd.AddCommand(newIndexDeleteCmd())
 	addIndexAddCmd(cmd)
 	cmd.AddCommand(newIndexExportCmd())

cmd/opm/index/delete.go

@@ -91,6 +91,11 @@ func runIndexDeleteCmdFunc(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	skipTLS, err := cmd.Flags().GetBool("skip-tls")
+	if err != nil {
+		return err
+	}
+
 	logger := logrus.WithFields(logrus.Fields{"operators": operators})
 
 	logger.Info("building the index")
@@ -108,6 +113,7 @@ func runIndexDeleteCmdFunc(cmd *cobra.Command, args []string) error {
 		Operators:         operators,
 		Tag:               tag,
 		Permissive:        permissive,
+		SkipTLS:           skipTLS,
 	}
 
 	err = indexDeleter.DeleteFromIndex(request)

cmd/opm/index/deprecate.go

@@ -105,6 +105,11 @@ func runIndexDeprecateTruncateCmdFunc(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	skipTLS, err := cmd.Flags().GetBool("skip-tls")
+	if err != nil {
+		return err
+	}
+
 	logger := logrus.WithFields(logrus.Fields{"bundles": bundles})
 
 	logger.Info("deprecating bundles from the index")
@@ -122,6 +127,7 @@ func runIndexDeprecateTruncateCmdFunc(cmd *cobra.Command, args []string) error {
 		Tag:               tag,
 		Bundles:           bundles,
 		Permissive:        permissive,
+		SkipTLS:           skipTLS,
 	}
 
 	err = indexDeprecator.DeprecateFromIndex(request)

cmd/opm/index/export.go

@@ -75,6 +75,11 @@ func runIndexExportCmdFunc(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	skipTLS, err := cmd.Flags().GetBool("skip-tls")
+	if err != nil {
+		return err
+	}
+
 	logger := logrus.WithFields(logrus.Fields{"index": index, "package": packageName})
 
 	logger.Info("export from the index")
@@ -86,6 +91,7 @@ func runIndexExportCmdFunc(cmd *cobra.Command, args []string) error {
 		Package:       packageName,
 		DownloadPath:  downloadPath,
 		ContainerTool: containertools.NewContainerTool(containerTool, containertools.NoneTool),
+		SkipTLS:       skipTLS,
 	}
 
 	err = indexExporter.ExportFromIndex(request)

cmd/opm/index/prune.go

@@ -95,6 +95,11 @@ func runIndexPruneCmdFunc(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	skipTLS, err := cmd.Flags().GetBool("skip-tls")
+	if err != nil {
+		return err
+	}
+
 	logger := logrus.WithFields(logrus.Fields{"packages": packages})
 
 	logger.Info("pruning the index")
@@ -109,6 +114,7 @@ func runIndexPruneCmdFunc(cmd *cobra.Command, args []string) error {
 		Packages:          packages,
 		Tag:               tag,
 		Permissive:        permissive,
+		SkipTLS:           skipTLS,
 	}
 
 	err = indexPruner.PruneFromIndex(request)

cmd/opm/index/prunestranded.go

@@ -80,6 +80,11 @@ func runIndexPruneStrandedCmdFunc(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	skipTLS, err := cmd.Flags().GetBool("skip-tls")
+	if err != nil {
+		return err
+	}
+
 	logger := logrus.WithFields(logrus.Fields{})
 
 	logger.Info("pruning stranded bundles from the index")
@@ -92,6 +97,7 @@ func runIndexPruneStrandedCmdFunc(cmd *cobra.Command, args []string) error {
 		BinarySourceImage: binaryImage,
 		OutDockerfile:     outDockerfile,
 		Tag:               tag,
+		SkipTLS:           skipTLS,
 	}
 
 	err = indexPruner.PruneStrandedFromIndex(request)

cmd/opm/registry/add.go

@@ -77,6 +77,10 @@ func addFunc(cmd *cobra.Command, args []string) error {
 
 	logger := logrus.WithFields(logrus.Fields{"bundles": bundleImages})
 
+	if skipTLS {
+		logger.Warn("--skip-tls flag is set: this mode is insecure and meant for development purposes only.")
+	}
+
 	logger.Info("adding to the registry")
 
 	registryAdder := registry.NewRegistryAdder(logger)

go.sum

@@ -358,11 +358,8 @@ github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
 github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
-github.com/grpc-ecosystem/grpc-health-probe v0.2.1-0.20181220223928-2bf0a5b182db h1:UxmGBzaBcWDQuQh9E1iT1dWKQFbizZ+SpTd1EL4MSqs=
-github.com/grpc-ecosystem/grpc-health-probe v0.2.1-0.20181220223928-2bf0a5b182db/go.mod h1:uBKkC2RbarFsvS5jMJHpVhTLvGlGQj9JJwkaePE3FWI=
 github.com/grpc-ecosystem/grpc-health-probe v0.3.2 h1:daShAySXI1DnGc8U9B1E4Qm6o7qzmFR4aRIJ4vY/TUo=
 github.com/grpc-ecosystem/grpc-health-probe v0.3.2/go.mod h1:izVOQ4RWbjUR6lm4nn+VLJyQ+FyaiGmprEYgI04Gs7U=
-github.com/grpc/grpc-go v1.30.0 h1:3ttCZRhSqhlKmQ6UrrTukz9LjJF/Bi8RuRo8rlyxKhA=
 github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed/go.mod h1:tMWxXQ9wFIaZeTI9F+hmhFiGpFmhOHzyShyFUhRm0H4=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=

pkg/containertools/runner.go

@@ -22,14 +22,53 @@ type CommandRunner interface {
 type ContainerCommandRunner struct {
 	logger        *logrus.Entry
 	containerTool ContainerTool
+	config        *RunnerConfig
+}
+
+type RunnerConfig struct {
+	SkipTLS bool
+}
+
+type RunnerOption func(config *RunnerConfig)
+
+func SkipTLS(skip bool) RunnerOption {
+	return func(config *RunnerConfig) {
+		config.SkipTLS = skip
+	}
+}
+
+func (r *RunnerConfig) apply(options []RunnerOption) {
+	for _, option := range options {
+		option(r)
+	}
+}
+
+func (r *ContainerCommandRunner) argsForCmd(cmd string, args ...string) []string {
+	cmdArgs := []string{cmd}
+	switch r.containerTool {
+	case PodmanTool:
+		switch cmd {
+		case "pull", "push", "login", "search":
+			// --tls-verify is a valid flag for these podman subcommands
+			if r.config.SkipTLS {
+				cmdArgs = append(cmdArgs, "--tls-verify=false")
+			}
+		}
+	default:
+	}
+	cmdArgs = append(cmdArgs, args...)
+	return cmdArgs
 }
 
 // NewCommandRunner takes the containerTool as an input string and returns a
 // CommandRunner to run commands with that cli tool
-func NewCommandRunner(containerTool ContainerTool, logger *logrus.Entry) *ContainerCommandRunner {
+func NewCommandRunner(containerTool ContainerTool, logger *logrus.Entry, opts ...RunnerOption) *ContainerCommandRunner {
+	var config RunnerConfig
+	config.apply(opts)
 	r := &ContainerCommandRunner{
 		logger:        logger,
 		containerTool: containerTool,
+		config:        &config,
 	}
 	return r
 }
@@ -42,7 +81,7 @@ func (r *ContainerCommandRunner) GetToolName() string {
 // Pull takes a container image path hosted on a container registry and runs the
 // pull command to download it onto the local environment
 func (r *ContainerCommandRunner) Pull(image string) error {
-	args := []string{"pull", image}
+	args := r.argsForCmd("pull", image)
 
 	command := exec.Command(r.containerTool.String(), args...)
 
@@ -84,7 +123,7 @@ func (r *ContainerCommandRunner) Build(dockerfile, tag string) error {
 
 // Unpack copies a directory from a local container image to a directory in the local filesystem.
 func (r *ContainerCommandRunner) Unpack(image, src, dst string) error {
-	args := []string{"create", image, ""}
+	args := r.argsForCmd("create", image, "")
 
 	command := exec.Command(r.containerTool.String(), args...)
 
@@ -98,7 +137,7 @@ func (r *ContainerCommandRunner) Unpack(image, src, dst string) error {
 	}
 
 	id := strings.TrimSuffix(string(out), "\n")
-	args = []string{"cp", id + ":" + src, dst}
+	args = r.argsForCmd("cp", id+":"+src, dst)
 	command = exec.Command(r.containerTool.String(), args...)
 
 	r.logger.Infof("running %s cp", r.containerTool)
@@ -110,7 +149,7 @@ func (r *ContainerCommandRunner) Unpack(image, src, dst string) error {
 		return fmt.Errorf("error copying container directory %s: %v", string(out), err)
 	}
 
-	args = []string{"rm", id}
+	args = r.argsForCmd("rm", id)
 	command = exec.Command(r.containerTool.String(), args...)
 
 	r.logger.Infof("running %s rm", r.containerTool)
@@ -128,7 +167,7 @@ func (r *ContainerCommandRunner) Unpack(image, src, dst string) error {
 // Inspect runs the 'inspect' command to get image metadata of a local container
 // image and returns a byte array of the command's output
 func (r *ContainerCommandRunner) Inspect(image string) ([]byte, error) {
-	args := []string{"inspect", image}
+	args := r.argsForCmd("inspect", image)
 
 	command := exec.Command(r.containerTool.String(), args...)