image-rs: add support for self-signed image registry
Fixes #525

Signed-off-by: Xynnn007 <[email protected]>
Xynnn007 committed Oct 14, 2024
1 parent 7c750ad commit ca0c52a
Showing 7 changed files with 70 additions and 3 deletions.
1 change: 1 addition & 0 deletions confidential-data-hub/example.config.json
Expand Up @@ -22,6 +22,7 @@
"authenticated_registry_credentials_uri": "kbs:///default/credential/test",
"image_pull_proxy": "http://127.0.0.1:5432",
"skip_proxy_ips": "192.168.0.1,localhost",
"extra_root_certificates": "-----BEGIN CERTIFICATE-----\nMIIFTDCCAvugAwIBAgIBADBGBgkqhkiG9w0BAQowOaAPMA0GCWCGSAFlAwQCAgUA\noRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAgUAogMCATCjAwIBATB7MRQwEgYD\nVQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDASBgNVBAcMC1NhbnRhIENs\nYXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5jZWQgTWljcm8gRGV2aWNl\nczESMBAGA1UEAwwJU0VWLU1pbGFuMB4XDTIzMDEyNDE3NTgyNloXDTMwMDEyNDE3\nNTgyNlowejEUMBIGA1UECwwLRW5naW5lZXJpbmcxCzAJBgNVBAYTAlVTMRQwEgYD\nVQQHDAtTYW50YSBDbGFyYTELMAkGA1UECAwCQ0ExHzAdBgNVBAoMFkFkdmFuY2Vk\nIE1pY3JvIERldmljZXMxETAPBgNVBAMMCFNFVi1WQ0VLMHYwEAYHKoZIzj0CAQYF\nK4EEACIDYgAExmG1ZbuoAQK93USRyZQcsyobfbaAEoKEELf/jK39cOVJt1t4s83W\nXM3rqIbS7qHUHQw/FGyOvdaEUs5+wwxpCWfDnmJMAQ+ctgZqgDEKh1NqlOuuKcKq\n2YAWE5cTH7sHo4IBFjCCARIwEAYJKwYBBAGceAEBBAMCAQAwFwYJKwYBBAGceAEC\nBAoWCE1pbGFuLUIwMBEGCisGAQQBnHgBAwEEAwIBAzARBgorBgEEAZx4AQMCBAMC\nAQAwEQYKKwYBBAGceAEDBAQDAgEAMBEGCisGAQQBnHgBAwUEAwIBADARBgorBgEE\nAZx4AQMGBAMCAQAwEQYKKwYBBAGceAEDBwQDAgEAMBEGCisGAQQBnHgBAwMEAwIB\nCDARBgorBgEEAZx4AQMIBAMCAXMwTQYJKwYBBAGceAEEBEDDhCejDUx6+dlvehW5\ncmmCWmTLdqI1L/1dGBFdia1HP46MC82aXZKGYSutSq37RCYgWjueT+qCMBE1oXDk\nd1JOMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAICBQChHDAaBgkqhkiG9w0B\nAQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBA4ICAQACgCai9x8DAWzX/2IelNWm\nituEBSiq9C9eDnBEckQYikAhPasfagnoWFAtKu/ZWTKHi+BMbhKwswBS8W0G1ywi\ncUWGlzigI4tdxxf1YBJyCoTSNssSbKmIh5jemBfrvIBo1yEd+e56ZJMdhN8e+xWU\nbvovUC2/7Dl76fzAaACLSorZUv5XPJwKXwEOHo7FIcREjoZn+fKjJTnmdXce0LD6\n9RHr+r+ceyE79gmK31bI9DYiJoL4LeGdXZ3gMOVDR1OnDos5lOBcV+quJ6JujpgH\nd9g3Sa7Du7pusD9Fdap98ocZslRfFjFi//2YdVM4MKbq6IwpYNB+2PCEKNC7SfbO\nNgZYJuPZnM/wViES/cP7MZNJ1KUKBI9yh6TmlSsZZOclGJvrOsBZimTXpATjdNMt\ncluKwqAUUzYQmU7bf2TMdOXyA9iH5wIpj1kWGE1VuFADTKILkTc6LzLzOWCofLxf\nonhTtSDtzIv/uel547GZqq+rVRvmIieEuEvDETwuookfV6qu3D/9KuSr9xiznmEg\nxynud/f525jppJMcD/ofbQxUZuGKvb3f3zy+aLxqidoX7gca2Xd9jyUy5Y/83+ZN\nbz4PZx81UJzXVI9ABEh8/xilATh1ZxOePTBJjN7lgr0lXtKYjV/43yyxgUYrXNZS\noLSG2dLCK9mjjraPjau34Q==\n-----END CERTIFICATE-----",
"work_dir": "/run/image-rs"
}
}
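Review bot: `extra_root_certificates` is given here as a single JSON string, but image-rs/src/config.rs in this same commit declares the field as `Vec<String>` (`#[serde(default = "Vec::default")] pub extra_root_certificates: Vec<String>`) and the TOML example uses an array, so serde will reject this example as written. Wrap the value in an array: `"extra_root_certificates": ["-----BEGIN CERTIFICATE-----\n…\n-----END CERTIFICATE-----"]`. A short placeholder certificate would also make the example far easier to read than the full embedded PEM, though that is cosmetic.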
41 changes: 41 additions & 0 deletions confidential-data-hub/example.config.toml
Expand Up @@ -132,6 +132,47 @@ image_pull_proxy = "http://127.0.0.1:5432"
# By default this value is not set.
skip_proxy_ips = "192.168.0.1,localhost"

# To support registries with self signed certs. This config item
# is used to add extra trusted root certifications. The certificates
# must be encoded by PEM.
#
# By default this value is not set.
extra_root_certificates = [
"""
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
"""
]

# The path to store the pulled image layer data.
#
# This value defaults to `/run/image-rs/`.
5 changes: 4 additions & 1 deletion confidential-data-hub/hub/src/config.rs
Expand Up @@ -184,6 +184,8 @@ max_concurrent_layer_downloads_per_image = 3
sigstore_config_uri = "kbs:///default/sigstore-config/test"
image_security_policy_uri = "kbs:///default/security-policy/test"
authenticated_registry_credentials_uri = "kbs:///default/credential/test"
extra_root_certificates = ["cert1", "cert2"]
image_pull_proxy = "http://127.0.0.1:8080"
"#,
Some(CdhConfig {
kbc: KbsConfig {
Expand All @@ -197,8 +199,9 @@ authenticated_registry_credentials_uri = "kbs:///default/credential/test"
sigstore_config_uri: Some("kbs:///default/sigstore-config/test".to_string()),
image_security_policy_uri: Some("kbs:///default/security-policy/test".to_string()),
authenticated_registry_credentials_uri: Some("kbs:///default/credential/test".to_string()),
image_pull_proxy: None,
image_pull_proxy: Some("http://127.0.0.1:8080".into()),
skip_proxy_ips: None,
extra_root_certificates: vec!["cert1".into(), "cert2".into()],
..Default::default()
},
socket: "unix:///run/confidential-containers/cdh.sock".to_string(),
7 changes: 7 additions & 0 deletions image-rs/src/config.rs
Expand Up @@ -110,6 +110,12 @@ pub struct ImageConfig {
/// This value defaults to `None`.
pub skip_proxy_ips: Option<String>,

/// To support registries with self signed certs. This config item
/// is used to add extra trusted root certifications. The certificates
/// must be encoded by PEM.
#[serde(default = "Vec::default")]
pub extra_root_certificates: Vec<String>,

/// Nydus services configuration
#[serde(rename = "nydus")]
pub nydus_config: Option<NydusConfig>,
Expand Down Expand Up @@ -164,6 +170,7 @@ impl Default for ImageConfig {
authenticated_registry_credentials_uri: None,
image_pull_proxy: None,
skip_proxy_ips: None,
extra_root_certificates: Vec::new(),

#[cfg(feature = "keywrap-native")]
kbc: default_kbc(),
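Review bot: The new doc comment on `extra_root_certificates` says "root certifications" where it means "root certificates", and unlike the neighbouring fields it does not state the default (`/// This value defaults to an empty list.`); the same wording is in confidential-data-hub/example.config.toml. The comment should also tell operators what they are widening: as far as the pull.rs hunk shows, every entry is appended to the one `ClientConfig` used for all pulls, so each certificate becomes a trusted root for every registry the client contacts, not only the self-signed one, and the field should stay empty unless a registry genuinely cannot be issued a publicly trusted certificate. It is worth stating in the doc that the certificates are currently applied only to the pull client — image-rs/src/signature/policy/cosign/mod.rs in this commit still carries a TODO for them, so cosign policy verification against such a registry is not covered yet. `#[serde(default = "Vec::default")]` can simply be `#[serde(default)]`, since `Vec` implements `Default`.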
1 change: 1 addition & 0 deletions image-rs/src/image.rs
Expand Up @@ -212,6 +212,7 @@ impl ImageClient {
self.config.max_concurrent_layer_downloads_per_image,
self.config.skip_proxy_ips.as_deref(),
self.config.image_pull_proxy.as_deref(),
self.config.extra_root_certificates.clone(),
)?;
let (image_manifest, image_digest, image_config) = client.pull_manifest().await?;

16 changes: 15 additions & 1 deletion image-rs/src/pull.rs
Expand Up @@ -4,7 +4,7 @@

use anyhow::{anyhow, bail, Context, Result};
use futures_util::stream::{self, StreamExt, TryStreamExt};
use oci_client::client::ClientConfig;
use oci_client::client::{Certificate, CertificateEncoding, ClientConfig};
use oci_client::manifest::{OciDescriptor, OciImageManifest};
use oci_client::{secrets::RegistryAuth, Client, Reference};
use std::collections::BTreeMap;
Expand Down Expand Up @@ -48,6 +48,7 @@ impl<'a> PullClient<'a> {
max_concurrent_download: usize,
no_proxy: Option<&str>,
https_proxy: Option<&str>,
extra_root_certificates: Vec<String>,
) -> Result<PullClient<'a>> {
let mut client_config = ClientConfig::default();
if let Some(no_proxy) = no_proxy {
Expand All @@ -58,6 +59,14 @@ impl<'a> PullClient<'a> {
client_config.https_proxy = Some(https_proxy.to_string())
}

let certs = extra_root_certificates
.into_iter()
.map(|pem| pem.into_bytes())
.map(|data| Certificate {
encoding: CertificateEncoding::Pem,
data,
});
client_config.extra_root_certificates.extend(certs);
let client = Client::try_from(client_config)?;

Ok(PullClient {
Expand Down Expand Up @@ -241,6 +250,7 @@ mod tests {
DEFAULT_MAX_CONCURRENT_DOWNLOAD,
None,
None,
vec![],
)
.unwrap();
let (image_manifest, _image_digest, image_config) = client.pull_manifest().await.unwrap();
Expand Down Expand Up @@ -291,6 +301,7 @@ mod tests {
DEFAULT_MAX_CONCURRENT_DOWNLOAD,
None,
None,
vec![],
)
.unwrap();
let (image_manifest, _image_digest, image_config) =
Expand Down Expand Up @@ -329,6 +340,7 @@ mod tests {
DEFAULT_MAX_CONCURRENT_DOWNLOAD,
None,
None,
std::iter::empty::<&[u8]>(),

Check failure on line 343 in image-rs/src/pull.rs


GitHub Actions / Check (1.76.0, s390x)

mismatched types

Check failure on line 343 in image-rs/src/pull.rs


GitHub Actions / Check (1.76.0, ubuntu-latest)

mismatched types

Check failure on line 343 in image-rs/src/pull.rs


GitHub Actions / Check (stable, ubuntu-latest)

mismatched types

Check failure on line 343 in image-rs/src/pull.rs


GitHub Actions / Check (stable, s390x)

mismatched types
)
.unwrap();
let (image_manifest, _image_digest, image_config) =
Expand Down Expand Up @@ -396,6 +408,7 @@ mod tests {
DEFAULT_MAX_CONCURRENT_DOWNLOAD,
None,
None,
vec![],
)
.unwrap();

Expand Down Expand Up @@ -487,6 +500,7 @@ mod tests {
DEFAULT_MAX_CONCURRENT_DOWNLOAD,
None,
None,
vec![],
)
.unwrap();
let (image_manifest, _image_digest, image_config) =
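Review bot: The test call in the `@@ -329,6 +340,7 @@` hunk passes `std::iter::empty::<&[u8]>()` where `PullClient::new` now takes `extra_root_certificates: Vec<String>`, and the CI annotations on line 343 report `mismatched types`, so the test build of this commit does not compile; it should be `vec![],` like the other four call sites in this file. In the `@@ -58,6 +59,14 @@` hunk the PEM strings are converted to `Certificate { encoding: CertificateEncoding::Pem, data }` without any check; whether a malformed entry is rejected by `Client::try_from(client_config)?` or only surfaces on the first TLS handshake depends on how oci_client builds its HTTP client and is not visible here, so if it is the latter, failing early with the index of the bad entry would give operators a clearer error than a later connection failure. The two chained `.map` calls can be one: `.map(|pem| Certificate { encoding: CertificateEncoding::Pem, data: pem.into_bytes() })`, which is style only. `PullClient::new` starts before and ends after the hunk.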
2 changes: 1 addition & 1 deletion image-rs/src/signature/policy/cosign/mod.rs
Expand Up @@ -113,7 +113,7 @@ impl CosignParameters {
RegistryAuth::Basic(username, pass) => Auth::Basic(username.clone(), pass.clone()),
};

// TODO: Add proxy for client
// TODO: Add proxy and extra_trusted_root_certificates for client
// Wait for https://github.com/sigstore/sigstore-rs/pull/392 to get merged.
let mut client = ClientBuilder::default().build()?;

