image-rs: use proxy config rather than env

New dependency oci-client version supports to set HTTPS_PROXY and
NO_PROXY without setting env of the whole process.

Also, this commit marks the cosign module's client TODO to add a proxy
configuration.

Signed-off-by: Xynnn007 <[email protected]>

confidential-data-hub/hub/src/hub.rs

@@ -8,8 +8,7 @@ use std::{collections::HashMap, path::Path};
 use async_trait::async_trait;
 use image_rs::{builder::ClientBuilder, config::ImageConfig, image::ImageClient};
 use kms::{Annotations, ProviderSettings};
-use log::{debug, info, warn};
-use std::env;
+use log::{debug, info};
 use storage::volume_type::Storage;
 use tokio::sync::{Mutex, OnceCell};
 
@@ -98,29 +97,6 @@ impl DataHub for Hub {
 
 async fn initialize_image_client(config: ImageConfig) -> Result<Mutex<ImageClient>> {
     debug!("Image client lazy initializing...");
-    // TODO: move the proxy envs to image-rs' PullClient once it supports
-    // Current the whole process of CDH would be influenced by the HTTPS_PROXY env
-    if let Some(https_proxy) = &config.image_pull_proxy {
-        match env::var("HTTPS_PROXY") {
-                Ok(e) => warn!("`image_pull_proxy` is given from config but the current process has a `HTTPS_PROXY` env value {e}, skip override."),
-                Err(env::VarError::NotPresent) => {
-                    info!("image_pull_proxy is set to: {}", https_proxy);
-                    env::set_var("HTTPS_PROXY", https_proxy);
-                }
-                Err(env::VarError::NotUnicode(_)) => warn!("`image_pull_proxy` is given from config but the current process has a non-unicode `HTTPS_PROXY`, skip override."),
-            }
-    }
-
-    if let Some(no_proxy) = &config.skip_proxy_ips {
-        match env::var("NO_PROXY") {
-                Ok(e) => warn!("`skip_proxy_ips` is given from config but the current process has one `NO_PROXY` env value {e}, skip override."),
-                Err(env::VarError::NotPresent) => {
-                    info!("no_proxy is set to: {}", no_proxy);
-                    env::set_var("NO_PROXY", no_proxy);
-                }
-                Err(env::VarError::NotUnicode(_)) => warn!("`skip_proxy_ips` is given from config but the current process has a non-unicode env `NO_PROXY`, skip override."),
-            }
-    }
 
     let image_client = Into::<ClientBuilder>::into(config)
         .build()

image-rs/Cargo.toml

@@ -32,7 +32,7 @@ lazy_static = { workspace = true, optional = true }
 log = "0.4.22"
 loopdev = { git = "https://github.com/mdaffin/loopdev", rev = "c9f91e8f0326ce8a3364ac911e81eb32328a5f27" }
 nix = { workspace = true, optional = true, features = ["mount", "fs"] }
-oci-client = { version = "0.12", default-features = false, optional = true }
+oci-client = { version = "0.13", default-features = false, optional = true }
 oci-spec = "0.6.7"
 ocicrypt-rs = { path = "../ocicrypt-rs", default-features = false, features = [
     "async-io",

image-rs/src/image.rs

@@ -210,6 +210,8 @@ impl ImageClient {
             &self.config.work_dir.join("layers"),
             &auth,
             self.config.max_concurrent_layer_downloads_per_image,
+            self.config.skip_proxy_ips.as_deref(),
+            self.config.image_pull_proxy.as_deref(),
         )?;
         let (image_manifest, image_digest, image_config) = client.pull_manifest().await?;
 

image-rs/src/pull.rs

@@ -4,6 +4,7 @@
 
 use anyhow::{anyhow, bail, Context, Result};
 use futures_util::stream::{self, StreamExt, TryStreamExt};
+use oci_client::client::ClientConfig;
 use oci_client::manifest::{OciDescriptor, OciImageManifest};
 use oci_client::{secrets::RegistryAuth, Client, Reference};
 use std::collections::BTreeMap;
@@ -45,8 +46,19 @@ impl<'a> PullClient<'a> {
         data_dir: &Path,
         auth: &'a RegistryAuth,
         max_concurrent_download: usize,
+        no_proxy: Option<&str>,
+        https_proxy: Option<&str>,
     ) -> Result<PullClient<'a>> {
-        let client = Client::default();
+        let mut client_config = ClientConfig::default();
+        if let Some(no_proxy) = no_proxy {
+            client_config.no_proxy = Some(no_proxy.to_string())
+        }
+
+        if let Some(https_proxy) = https_proxy {
+            client_config.https_proxy = Some(https_proxy.to_string())
+        }
+
+        let client = Client::try_from(client_config)?;
 
         Ok(PullClient {
             client,
@@ -227,6 +239,8 @@ mod tests {
             tempdir.path(),
             &RegistryAuth::Anonymous,
             DEFAULT_MAX_CONCURRENT_DOWNLOAD,
+            None,
+            None,
         )
         .unwrap();
         let (image_manifest, _image_digest, image_config) = client.pull_manifest().await.unwrap();
@@ -275,6 +289,8 @@ mod tests {
                 tempdir.path(),
                 &RegistryAuth::Anonymous,
                 DEFAULT_MAX_CONCURRENT_DOWNLOAD,
+                None,
+                None,
             )
             .unwrap();
             let (image_manifest, _image_digest, image_config) =
@@ -376,6 +392,8 @@ mod tests {
             tempdir.path(),
             &RegistryAuth::Anonymous,
             DEFAULT_MAX_CONCURRENT_DOWNLOAD,
+            None,
+            None,
         )
         .unwrap();
 

image-rs/src/signature/policy/cosign/mod.rs

@@ -113,6 +113,8 @@ impl CosignParameters {
             RegistryAuth::Basic(username, pass) => Auth::Basic(username.clone(), pass.clone()),
         };
 
+        // TODO: Add proxy for client
+        // Wait for https://github.com/sigstore/sigstore-rs/pull/392 to get merged.
         let mut client = ClientBuilder::default().build()?;
 
         // Get the cosign signature "image"'s uri and the signed image's digest