Allow to pull/push artifacts without TLS

If applied, this commit will introduce a new `--insecure-repository` flag to the following commands: `push artifacts`, `pull artifact`, `diff artifact` and `list artifacts`. When used the flag will lead to the option `crane.Insecure` being passed to the `crane` client allowing the use of insecure repositories. Signed-off-by: Matthieu Mottet <m.mottet@outlook.com>
4 days ago · 3f4743037b
parent 7b551b0d35
commit 3f4743037b
4 changed files with 36 additions and 3 deletions
--- a/cmd/flux/diff_artifact.go
+++ b/cmd/flux/diff_artifact.go
@ -23,6 +23,7 @@ import (

 	oci "github.com/fluxcd/pkg/oci/client"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	"github.com/google/go-containerregistry/pkg/crane"
 	"github.com/spf13/cobra"

 	"github.com/fluxcd/flux2/v2/internal/flags"
@ -42,6 +43,7 @@ type diffArtifactFlags struct {
 	creds       string
 	provider    flags.SourceOCIProvider
 	ignorePaths []string
+	insecure    bool
 }

 var diffArtifactArgs = newDiffArtifactArgs()
@ -57,6 +59,7 @@ func init() {
 	diffArtifactCmd.Flags().StringVar(&diffArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic")
 	diffArtifactCmd.Flags().Var(&diffArtifactArgs.provider, "provider", sourceOCIRepositoryArgs.provider.Description())
 	diffArtifactCmd.Flags().StringSliceVar(&diffArtifactArgs.ignorePaths, "ignore-paths", excludeOCI, "set paths to ignore in .gitignore format")
+	diffArtifactCmd.Flags().BoolVar(&diffArtifactArgs.insecure, "insecure-registry", false, "allows the remote artifact to be pulled without TLS")
 	diffCmd.AddCommand(diffArtifactCmd)
 }

@ -82,7 +85,13 @@ func diffArtifactCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()

-	ociClient := oci.NewClient(oci.DefaultOptions())
+	opts := oci.DefaultOptions()
+
+	if diffArtifactArgs.insecure {
+		opts = append(opts, crane.Insecure)
+	}
+
+	ociClient := oci.NewClient(opts)

 	if diffArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && diffArtifactArgs.creds != "" {
 		logger.Actionf("logging in to registry with credentials")
--- a/cmd/flux/list_artifact.go
+++ b/cmd/flux/list_artifact.go
@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"

+	"github.com/google/go-containerregistry/pkg/crane"
 	"github.com/spf13/cobra"

 	oci "github.com/fluxcd/pkg/oci/client"
@ -34,6 +35,7 @@ type listArtifactFlags struct {
 	regexFilter  string
 	creds        string
 	provider     flags.SourceOCIProvider
+	insecure     bool
 }

 var listArtifactArgs = newListArtifactFlags()
@ -60,6 +62,7 @@ func init() {
 	listArtifactsCmd.Flags().StringVar(&listArtifactArgs.regexFilter, "filter-regex", "", "filter tags returned from the oci repository using regex")
 	listArtifactsCmd.Flags().StringVar(&listArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic")
 	listArtifactsCmd.Flags().Var(&listArtifactArgs.provider, "provider", listArtifactArgs.provider.Description())
+	listArtifactsCmd.Flags().BoolVar(&listArtifactArgs.insecure, "insecure-registry", false, "allows the remote artifacts list to be fetched without TLS")

 	listCmd.AddCommand(listArtifactsCmd)
 }
@ -78,7 +81,13 @@ func listArtifactsCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}

-	ociClient := oci.NewClient(oci.DefaultOptions())
+	ociOpts := oci.DefaultOptions()
+
+	if listArtifactArgs.insecure {
+		ociOpts = append(ociOpts, crane.Insecure)
+	}
+
+	ociClient := oci.NewClient(ociOpts)

 	if listArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && listArtifactArgs.creds != "" {
 		logger.Actionf("logging in to registry with credentials")
--- a/cmd/flux/pull_artifact.go
+++ b/cmd/flux/pull_artifact.go
@ -22,6 +22,7 @@ import (
 	"os"

 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	"github.com/google/go-containerregistry/pkg/crane"
 	"github.com/spf13/cobra"

 	"github.com/fluxcd/flux2/v2/internal/flags"
@ -43,6 +44,7 @@ The command can read the credentials from '~/.docker/config.json' but they can a
 type pullArtifactFlags struct {
 	output   string
 	creds    string
+	insecure bool
 	provider flags.SourceOCIProvider
 }

@ -58,6 +60,7 @@ func init() {
 	pullArtifactCmd.Flags().StringVarP(&pullArtifactArgs.output, "output", "o", "", "path where the artifact content should be extracted.")
 	pullArtifactCmd.Flags().StringVar(&pullArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic")
 	pullArtifactCmd.Flags().Var(&pullArtifactArgs.provider, "provider", sourceOCIRepositoryArgs.provider.Description())
+	pullArtifactCmd.Flags().BoolVar(&pullArtifactArgs.insecure, "insecure-registry", false, "allows artifacts to be pulled without TLS")
 	pullCmd.AddCommand(pullArtifactCmd)
 }

@ -83,7 +86,13 @@ func pullArtifactCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()

-	ociClient := oci.NewClient(oci.DefaultOptions())
+	opts := oci.DefaultOptions()
+
+	if pullArtifactArgs.insecure {
+		opts = append(opts, crane.Insecure)
+	}
+
+	ociClient := oci.NewClient(opts)

 	if pullArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && pullArtifactArgs.creds != "" {
 		logger.Actionf("logging in to registry with credentials")
--- a/cmd/flux/push_artifact.go
+++ b/cmd/flux/push_artifact.go
@ -115,6 +115,7 @@ type pushArtifactFlags struct {
 	output       string
 	debug        bool
 	reproducible bool
+	insecure     bool
 }

 var pushArtifactArgs = newPushArtifactFlags()
@ -137,6 +138,7 @@ func init() {
 		"the format in which the artifact digest should be printed, can be 'json' or 'yaml'")
 	pushArtifactCmd.Flags().BoolVarP(&pushArtifactArgs.debug, "debug", "", false, "display logs from underlying library")
 	pushArtifactCmd.Flags().BoolVar(&pushArtifactArgs.reproducible, "reproducible", false, "ensure reproducible image digests by setting the created timestamp to '1970-01-01T00:00:00Z'")
+	pushArtifactCmd.Flags().BoolVar(&pushArtifactArgs.insecure, "insecure-registry", false, "allows artifacts to be pushed without TLS")

 	pushCmd.AddCommand(pushArtifactCmd)
 }
@ -266,6 +268,10 @@ func pushArtifactCmdRun(cmd *cobra.Command, args []string) error {
 		logger.Actionf("pushing artifact to %s", url)
 	}

+	if pushArtifactArgs.insecure {
+		opts = append(opts, crane.Insecure)
+	}
+
 	ociClient := client.NewClient(opts)
 	digestURL, err := ociClient.Push(ctx, url, path,
 		client.WithPushMetadata(meta),