Merge pull request containers#8042 from rhatdan/tlsverify
--tls-verify and --authfile should work for all remote commands
openshift-merge-robot authored Oct 20, 2020
2 parents 6961b94 + 3d2ad0f commit 4822cc8
Showing 23 changed files with 75 additions and 38 deletions.
1 change: 0 additions & 1 deletion cmd/podman/containers/create.go
Expand Up @@ -63,7 +63,6 @@ func createFlags(flags *pflag.FlagSet) {

_ = flags.MarkHidden("signature-policy")
if registry.IsRemote() {
_ = flags.MarkHidden("authfile")
_ = flags.MarkHidden("http-proxy")
}
}
1 change: 0 additions & 1 deletion cmd/podman/containers/run.go
Expand Up @@ -66,7 +66,6 @@ func runFlags(flags *pflag.FlagSet) {

_ = flags.MarkHidden("signature-policy")
if registry.IsRemote() {
_ = flags.MarkHidden("authfile")
_ = flags.MarkHidden("http-proxy")
_ = flags.MarkHidden("preserve-fds")
}
4 changes: 2 additions & 2 deletions cmd/podman/images/pull.go
Expand Up @@ -84,11 +84,11 @@ func pullFlags(flags *pflag.FlagSet) {
flags.Bool("disable-content-trust", false, "This is a Docker specific option and is a NOOP")
flags.BoolVarP(&pullOptions.Quiet, "quiet", "q", false, "Suppress output information when pulling images")
flags.StringVar(&pullOptions.SignaturePolicy, "signature-policy", "", "`Pathname` of signature policy file (not usually used)")
flags.BoolVar(&pullOptions.TLSVerifyCLI, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries")
flags.StringVar(&pullOptions.Authfile, "authfile", auth.GetDefaultAuthFile(), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override")

if !registry.IsRemote() {
flags.StringVar(&pullOptions.Authfile, "authfile", auth.GetDefaultAuthFile(), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override")
flags.StringVar(&pullOptions.CertDir, "cert-dir", "", "`Pathname` of a directory containing TLS certificates and keys")
flags.BoolVar(&pullOptions.TLSVerifyCLI, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries")
}
_ = flags.MarkHidden("signature-policy")
}
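Review bot: Registering `--tls-verify` with a default of `true` outside the `if !registry.IsRemote()` block means a remote client can no longer distinguish "not specified" from `--tls-verify=true` unless the code that builds the request checks `flags.Changed("tls-verify")`; if the default is forwarded unconditionally, a registry listed as insecure in the server's registries.conf would start failing, contradicting the "If not specified, TLS verification will be used unless the target registry is listed as an insecure registry" wording kept in podman-pull.1.md. The `TLSVerifyCLI` field name suggests that conversion happens in the pull command outside this hunk, so this is a point to confirm rather than a certain defect, and the same applies to `kubeOptions.TLSVerifyCLI` in cmd/podman/play/kube.go. A comment on the new line would make the contract visible: `// Also offered remotely; only forward the value when flags.Changed("tls-verify") so the server's registries.conf default still applies.` pullFlags begins outside the hunk.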
2 changes: 0 additions & 2 deletions cmd/podman/images/push.go
Expand Up @@ -88,11 +88,9 @@ func pushFlags(flags *pflag.FlagSet) {
flags.BoolVar(&pushOptions.TLSVerifyCLI, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries")

if registry.IsRemote() {
_ = flags.MarkHidden("authfile")
_ = flags.MarkHidden("cert-dir")
_ = flags.MarkHidden("compress")
_ = flags.MarkHidden("quiet")
_ = flags.MarkHidden("tls-verify")
}
_ = flags.MarkHidden("signature-policy")
}
2 changes: 0 additions & 2 deletions cmd/podman/manifest/add.go
Expand Up @@ -56,9 +56,7 @@ func init() {
flags.StringVar(&manifestAddOpts.Variant, "variant", "", "override the `Variant` of the specified image")

if registry.IsRemote() {
_ = flags.MarkHidden("authfile")
_ = flags.MarkHidden("cert-dir")
_ = flags.MarkHidden("tls-verify")
}
}

2 changes: 0 additions & 2 deletions cmd/podman/manifest/push.go
Expand Up @@ -51,9 +51,7 @@ func init() {
flags.BoolVarP(&manifestPushOpts.Quiet, "quiet", "q", false, "don't output progress information when pushing lists")

if registry.IsRemote() {
_ = flags.MarkHidden("authfile")
_ = flags.MarkHidden("cert-dir")
_ = flags.MarkHidden("tls-verify")
}
}

4 changes: 2 additions & 2 deletions cmd/podman/play/kube.go
Expand Up @@ -54,10 +54,10 @@ func init() {
flags.StringVar(&kubeOptions.CredentialsCLI, "creds", "", "`Credentials` (USERNAME:PASSWORD) to use for authenticating to a registry")
flags.StringVar(&kubeOptions.Network, "network", "", "Connect pod to CNI network(s)")
flags.BoolVarP(&kubeOptions.Quiet, "quiet", "q", false, "Suppress output information when pulling images")
flags.BoolVar(&kubeOptions.TLSVerifyCLI, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries")
flags.StringVar(&kubeOptions.Authfile, "authfile", auth.GetDefaultAuthFile(), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override")
if !registry.IsRemote() {
flags.StringVar(&kubeOptions.Authfile, "authfile", auth.GetDefaultAuthFile(), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override")
flags.StringVar(&kubeOptions.CertDir, "cert-dir", "", "`Pathname` of a directory containing TLS certificates and keys")
flags.BoolVar(&kubeOptions.TLSVerifyCLI, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries")
flags.StringVar(&kubeOptions.SignaturePolicy, "signature-policy", "", "`Pathname` of signature policy file (not usually used)")
flags.StringVar(&kubeOptions.SeccompProfileRoot, "seccomp-profile-root", defaultSeccompRoot, "Directory path for seccomp profiles")
flags.StringSliceVar(&kubeOptions.ConfigMaps, "configmap", []string{}, "`Pathname` of a YAML file containing a kubernetes configmap")
2 changes: 1 addition & 1 deletion docs/source/markdown/podman-auto-update.1.md
Expand Up @@ -31,7 +31,7 @@ Systemd units that start and stop a container cannot run a new image.
**--authfile**=*path*

Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `podman login`.
If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`. (Not available for remote commands)
If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.

Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE
environment variable. `export REGISTRY_AUTH_FILE=path`
4 changes: 2 additions & 2 deletions docs/source/markdown/podman-build.1.md
Expand Up @@ -46,7 +46,7 @@ Set the ARCH of the image to the provided value instead of the architecture of t
**--authfile**=*path*

Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `podman login`.
If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`. (Not available for remote commands)
If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.

Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE
environment variable. `export REGISTRY_AUTH_FILE=path`
Expand Down Expand Up @@ -470,7 +470,7 @@ When --timestamp is set, the created timestamp is always set to the time specifi

**--tls-verify**=*true|false*

Require HTTPS and verify certificates when talking to container registries (defaults to true). (Not available for remote commands)
Require HTTPS and verify certificates when talking to container registries (defaults to true).

**--ulimit**=*type*=*soft-limit*[:*hard-limit*]

4 changes: 2 additions & 2 deletions docs/source/markdown/podman-container-runlabel.1.md
Expand Up @@ -44,7 +44,7 @@ Any additional arguments will be appended to the command.
**--authfile**=*path*

Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `podman login`.
If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`. (Not available for remote commands)
If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.

Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE
environment variable. `export REGISTRY_AUTH_FILE=path`
Expand Down Expand Up @@ -85,7 +85,7 @@ created from this image.

Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true,
then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified,
TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf (Not available for remote commands)
TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf.

## EXAMPLES

2 changes: 1 addition & 1 deletion docs/source/markdown/podman-create.1.md
Expand Up @@ -47,7 +47,7 @@ each of stdin, stdout, and stderr.
Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json

Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE
environment variable. `export REGISTRY_AUTH_FILE=path` (Not available for remote commands)
environment variable. `export REGISTRY_AUTH_FILE=path`

**--blkio-weight**=*weight*

4 changes: 2 additions & 2 deletions docs/source/markdown/podman-login.1.md
Expand Up @@ -42,7 +42,7 @@ Username for registry

**--authfile**=*path*

Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json (Not available for remote commands)
Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json.

Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE
environment variable. `export REGISTRY_AUTH_FILE=path`
Expand All @@ -60,7 +60,7 @@ Default certificates directory is _/etc/containers/certs.d_. (Not available for

Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true,
then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified,
TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf. (Not available for remote commands)
TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf.

**--help**, **-h**

2 changes: 1 addition & 1 deletion docs/source/markdown/podman-logout.1.md
Expand Up @@ -23,7 +23,7 @@ All the cached credentials can be removed by setting the **all** flag.

**--authfile**=*path*

Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json (Not available for remote commands)
Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json.

Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE
environment variable. `export REGISTRY_AUTH_FILE=path`
4 changes: 2 additions & 2 deletions docs/source/markdown/podman-manifest-add.1.md
Expand Up @@ -36,7 +36,7 @@ retrieved from the image's configuration information.
**--authfile**=*path*

Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `podman login`.
If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`. (Not available for remote commands)
If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.

Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE
environment variable. `export REGISTRY_AUTH_FILE=path`
Expand Down Expand Up @@ -71,7 +71,7 @@ image. This option is rarely used.

**--tls-verify**

Require HTTPS and verify certificates when talking to container registries (defaults to true). (Not available for remote commands)
Require HTTPS and verify certificates when talking to container registries (defaults to true).

**--variant**

4 changes: 2 additions & 2 deletions docs/source/markdown/podman-manifest-push.1.md
Expand Up @@ -22,7 +22,7 @@ the list or index itself.
**--authfile**=*path*

Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `podman login`.
If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`. (Not available for remote commands)
If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.

Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE
environment variable. `export REGISTRY_AUTH_FILE=path`
Expand Down Expand Up @@ -64,7 +64,7 @@ Sign the pushed images using the GPG key that matches the specified fingerprint.

**--tls-verify**

Require HTTPS and verify certificates when talking to container registries (defaults to true) (Not available for remote commands)
Require HTTPS and verify certificates when talking to container registries. (defaults to true)

## EXAMPLE

4 changes: 2 additions & 2 deletions docs/source/markdown/podman-play-kube.1.md
Expand Up @@ -20,7 +20,7 @@ Note: HostPath volume types created by play kube will be given an SELinux privat
**--authfile**=*path*

Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `podman login`.
If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`. (Not available for remote commands)
If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.

Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE
environment variable. `export REGISTRY_AUTH_FILE=path`
Expand Down Expand Up @@ -58,7 +58,7 @@ Directory path for seccomp profiles (default: "/var/lib/kubelet/seccomp"). (Not

Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true,
then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified,
TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf. (Not available for remote commands)
TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf.

**--help**, **-h**

4 changes: 2 additions & 2 deletions docs/source/markdown/podman-pull.1.md
Expand Up @@ -57,7 +57,7 @@ Note: When using the all-tags flag, Podman will not iterate over the search regi
**--authfile**=*path*

Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `podman login`.
If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`. (Not available for remote commands)
If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.

Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE
environment variable. `export REGISTRY_AUTH_FILE=path`
Expand Down Expand Up @@ -97,7 +97,7 @@ Suppress output information when pulling images

Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true,
then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified,
TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf. (Not available for remote commands)
TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf.

**--help**, **-h**

4 changes: 2 additions & 2 deletions docs/source/markdown/podman-push.1.md
Expand Up @@ -46,7 +46,7 @@ Images are pushed from those stored in local image storage.
**--authfile**=*path*

Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `podman login`.
If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`. (Not available for remote commands)
If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.

Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE
environment variable. `export REGISTRY_AUTH_FILE=path`
Expand Down Expand Up @@ -98,7 +98,7 @@ Add a signature at the destination using the specified key

Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true,
then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified,
TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf. (Not available for remote commands)
TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf.

## EXAMPLE

2 changes: 1 addition & 1 deletion docs/source/markdown/podman-run.1.md
Expand Up @@ -57,7 +57,7 @@ each of **stdin**, **stdout**, and **stderr**.

**--authfile**[=*path*]

Path to the authentication file. Default is *${XDG_RUNTIME_DIR}/containers/auth.json*. (Not available for remote commands)
Path to the authentication file. Default is *${XDG_RUNTIME_DIR}/containers/auth.json*.

Note: You can also override the default path of the authentication file by setting the **REGISTRY_AUTH_FILE**
environment variable.
20 changes: 17 additions & 3 deletions pkg/api/handlers/compat/images_search.go
Expand Up @@ -7,16 +7,18 @@ import (
"github.com/containers/image/v5/types"
"github.com/containers/podman/v2/libpod/image"
"github.com/containers/podman/v2/pkg/api/handlers/utils"
"github.com/containers/podman/v2/pkg/auth"
"github.com/gorilla/schema"
"github.com/pkg/errors"
)

func SearchImages(w http.ResponseWriter, r *http.Request) {
decoder := r.Context().Value("decoder").(*schema.Decoder)
query := struct {
Term string `json:"term"`
Limit int `json:"limit"`
Filters map[string][]string `json:"filters"`
Term string `json:"term"`
Limit int `json:"limit"`
Filters map[string][]string `json:"filters"`
TLSVerify bool `json:"tlsVerify"`
}{
// This is where you can override the golang default value for one of fields
}
Expand Down Expand Up @@ -58,6 +60,18 @@ func SearchImages(w http.ResponseWriter, r *http.Request) {
Limit: query.Limit,
}

if _, found := r.URL.Query()["tlsVerify"]; found {
options.InsecureSkipTLSVerify = types.NewOptionalBool(!query.TLSVerify)
}

_, authfile, key, err := auth.GetCredentials(r)
if err != nil {
utils.Error(w, "failed to retrieve repository credentials", http.StatusBadRequest, errors.Wrapf(err, "failed to parse %q header for %s", key, r.URL.String()))
return
}
defer auth.RemoveAuthfile(authfile)
options.Authfile = authfile

results, err := image.SearchImages(query.Term, options)
if err != nil {
utils.BadRequest(w, "term", query.Term, err)
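Review bot: The new `InsecureSkipTLSVerify = types.NewOptionalBool(!query.TLSVerify)` lets a client request that the server skip certificate verification on its registry connection, and the surrounding presence check on `r.URL.Query()["tlsVerify"]` is what keeps an absent parameter on the verifying default; that double negative plus the split between the raw query and the decoded struct is easy to misread, so it deserves a comment such as `// Only override the registries.conf default when the client sent tlsVerify explicitly; tlsVerify=false means skip verification.` The credential block that follows (`auth.GetCredentials(r)`, the `utils.Error` on failure, `defer auth.RemoveAuthfile(authfile)`, `options.Authfile = authfile`) is repeated verbatim in pkg/api/handlers/libpod/images.go in this same commit; since the `defer` must stay in the handler, a small shared helper that returns the authfile and writes the 400 response on failure would remove the duplication. Whether `auth.RemoveAuthfile` tolerates an empty path when no auth header was sent is not visible here and presumably does, but is worth confirming. SearchImages starts in the first hunk and continues past the end of this one.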
8 changes: 8 additions & 0 deletions pkg/api/handlers/libpod/images.go
Expand Up @@ -636,6 +636,14 @@ func SearchImages(w http.ResponseWriter, r *http.Request) {
options.Filter = *filter
}

_, authfile, key, err := auth.GetCredentials(r)
if err != nil {
utils.Error(w, "failed to retrieve repository credentials", http.StatusBadRequest, errors.Wrapf(err, "failed to parse %q header for %s", key, r.URL.String()))
return
}
defer auth.RemoveAuthfile(authfile)
options.Authfile = authfile

searchResults, err := image.SearchImages(query.Term, options)
if err != nil {
utils.BadRequest(w, "term", query.Term, err)
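Review bot: Only the authfile is wired into `options` here, while the compat handler in this commit also honors a client `tlsVerify` parameter; if the libpod search endpoint does not already map `tlsVerify` to `options.InsecureSkipTLSVerify` above this hunk, `podman-remote search --tls-verify=false` would still be ignored on this path despite the commit title. That cannot be determined from the hunk alone, so please confirm against the part of SearchImages above the hunk. A one-line comment next to `options.Authfile = authfile` stating where the TLS setting is applied, e.g. `// tlsVerify is applied to options earlier in this handler`, would make the split obvious to the next reader. SearchImages begins and continues outside the hunk.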
6 changes: 6 additions & 0 deletions test/e2e/common_test.go
Expand Up @@ -666,3 +666,9 @@ func (p *PodmanTestIntegration) PodmanAsUser(args []string, uid, gid uint32, cwd
podmanSession := p.PodmanAsUserBase(args, uid, gid, cwd, env, false, false, nil)
return &PodmanSessionIntegration{podmanSession}
}

// We don't support running Varlink when local
func (p *PodmanTestIntegration) RestartRemoteService() {
p.StopRemoteService()
p.StartRemoteService()
}
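Review bot: The comment on the new `RestartRemoteService` method, `// We don't support running Varlink when local`, does not describe what the method does and reads as a leftover from another helper. A doc comment in the usual form, `// RestartRemoteService stops the remote API service and starts it again.`, would match the other exported methods on PodmanTestIntegration. Whether `StopRemoteService` and `StartRemoteService` synchronize with the service actually being down and back up is not visible here; if they do not, callers that immediately issue a remote command after the restart may race, which is worth a sentence in the comment.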