From e04a922dc34189a32c501065cc23e9b3d8393de4 Mon Sep 17 00:00:00 2001
From: Daisuke Taniwaki
Date: Thu, 25 Oct 2018 06:33:58 +0900
Subject: [PATCH 1/2] Separate insecure pull options

---
 cmd/executor/cmd/root.go | 4 +++-
 pkg/config/options.go | 36 +++++++++++++++++++-----------------
 pkg/util/image_util.go | 4 ++--
 3 files changed, 24 insertions(+), 20 deletions(-)

diff --git a/cmd/executor/cmd/root.go b/cmd/executor/cmd/root.go
index eef088ade6..b43a85b682 100644
--- a/cmd/executor/cmd/root.go
+++ b/cmd/executor/cmd/root.go
@@ -91,8 +91,10 @@ func addKanikoOptionsFlags(cmd *cobra.Command) {
 RootCmd.PersistentFlags().VarP(&opts.Destinations, "destination", "d", "Registry the final image should be pushed to. Set it repeatedly for multiple destinations.")
 RootCmd.PersistentFlags().StringVarP(&opts.SnapshotMode, "snapshotMode", "", "full", "Change the file attributes inspected during snapshotting")
 RootCmd.PersistentFlags().VarP(&opts.BuildArgs, "build-arg", "", "This flag allows you to pass in ARG values at build time. Set it repeatedly for multiple values.")
- RootCmd.PersistentFlags().BoolVarP(&opts.Insecure, "insecure", "", false, "Pull and push to insecure registry using plain HTTP")
+ RootCmd.PersistentFlags().BoolVarP(&opts.Insecure, "insecure", "", false, "Push to insecure registry using plain HTTP")
 RootCmd.PersistentFlags().BoolVarP(&opts.SkipTLSVerify, "skip-tls-verify", "", false, "Push to insecure registry ignoring TLS verify")
+ RootCmd.PersistentFlags().BoolVarP(&opts.InsecurePull, "insecure-pull", "", false, "Pull from insecure registry using plain HTTP")
+ RootCmd.PersistentFlags().BoolVarP(&opts.SkipTLSVerifyPull, "skip-tls-verify-pull", "", false, "Pull from insecure registry ignoring TLS verify")
 RootCmd.PersistentFlags().StringVarP(&opts.TarPath, "tarPath", "", "", "Path to save the image in as a tarball instead of pushing")
 RootCmd.PersistentFlags().BoolVarP(&opts.SingleSnapshot, "single-snapshot", "", false, "Take a single snapshot at the end of the build.")
 RootCmd.PersistentFlags().BoolVarP(&opts.Reproducible, "reproducible", "", false, "Strip timestamps out of the image to make it reproducible")
diff --git a/pkg/config/options.go b/pkg/config/options.go
index 7cf6c07d24..a9a57c9e48 100644
--- a/pkg/config/options.go
+++ b/pkg/config/options.go
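Review bot: In cmd/executor/cmd/root.go, `--insecure` and `--skip-tls-verify` keep their names but no longer apply to pulls, so an existing invocation that relied on either for a plain-HTTP or self-signed base-image registry will presumably start failing at pull time with nothing pointing at the new flags. Failing closed is the safer direction, but the help text should say where the pull behaviour went, e.g. `"Push to insecure registry using plain HTTP (for pulls use --insecure-pull)"`, with matching wording on `--skip-tls-verify`. The body of addKanikoOptionsFlags continues outside the hunk.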
@@ -18,23 +18,25 @@ package config
 
 // KanikoOptions are options that are set by command line arguments
 type KanikoOptions struct {
- DockerfilePath string
- SrcContext string
- SnapshotMode string
- Bucket string
- TarPath string
- Target string
- CacheRepo string
- CacheDir string
- Destinations multiArg
- BuildArgs multiArg
- Insecure bool
- SkipTLSVerify bool
- SingleSnapshot bool
- Reproducible bool
- NoPush bool
- Cache bool
- Cleanup bool
+ DockerfilePath string
+ SrcContext string
+ SnapshotMode string
+ Bucket string
+ TarPath string
+ Target string
+ CacheRepo string
+ CacheDir string
+ Destinations multiArg
+ BuildArgs multiArg
+ Insecure bool
+ SkipTLSVerify bool
+ InsecurePull bool
+ SkipTLSVerifyPull bool
+ SingleSnapshot bool
+ Reproducible bool
+ NoPush bool
+ Cache bool
+ Cleanup bool
 }
 
 // WarmerOptions are options that are set by command line arguments to the cache warmer.
diff --git a/pkg/util/image_util.go b/pkg/util/image_util.go
index 8c2c301415..d0db223210 100644
--- a/pkg/util/image_util.go
+++ b/pkg/util/image_util.go
@@ -102,7 +102,7 @@ func remoteImage(image string, opts *config.KanikoOptions) (v1.Image, error) {
 return nil, err
 }
 
- if opts.Insecure {
+ if opts.InsecurePull {
 newReg, err := name.NewInsecureRegistry(ref.Context().RegistryStr(), name.WeakValidation)
 if err != nil {
 return nil, err
@@ -118,7 +118,7 @@ func remoteImage(image string, opts *config.KanikoOptions) (v1.Image, error) {
 }
 
 tr := http.DefaultTransport.(*http.Transport)
- if opts.SkipTLSVerify {
+ if opts.SkipTLSVerifyPull {
 tr.TLSClientConfig = &tls.Config{
 InsecureSkipVerify: true,
 }
From e8aab7e17e1d8baab5da91543fcf7e5a32231144 Mon Sep 17 00:00:00 2001
From: Daisuke Taniwaki
Date: Fri, 26 Oct 2018 12:20:54 +0900
Subject: [PATCH 2/2] Update README

---
 README.md | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 39c24e310b..aad3bdc713 100644
--- a/README.md
+++ b/README.md
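Review bot: In pkg/config/options.go, `Insecure` and `SkipTLSVerify` now govern pushes only, but nothing in the struct says so, and the unqualified names sit next to `InsecurePull` / `SkipTLSVerifyPull` with no comment on any of the four. A later caller on a pull path could read `opts.Insecure` and silently reintroduce the coupling this commit removes. I would add field comments such as `// Insecure: push over plain HTTP (destination registry only)` and `// InsecurePull: pull over plain HTTP (applies to every source registry)`, and the same pair for the TLS-verify fields.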
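Review bot: In pkg/util/image_util.go (first hunk), `opts.InsecurePull` is a single boolean applied to whichever registry `ref` names, so once it is set every image remoteImage pulls is rewritten through `name.NewInsecureRegistry`, not only the one test registry the flag was presumably meant for. An image fetched that way has no transport integrity, and the build result can still be pushed to a TLS-protected destination. At minimum this should be stated above the branch, e.g. `// InsecurePull applies to every registry this build pulls from; there is no per-host scoping.`; scoping the downgrade to an explicit list of registry hosts would be the tighter design. remoteImage starts and ends outside the hunk.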
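Review bot: In pkg/util/image_util.go (second hunk), `tr` is the process-wide `http.DefaultTransport` itself rather than a copy, so the assignment `tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}` under `opts.SkipTLSVerifyPull` switches off certificate verification for every later request made through the default transport. If the push path also starts from `http.DefaultTransport` (not visible here), a pull with `--skip-tls-verify-pull` would leave pushes unverified as well, undoing the pull/push separation this commit introduces. Give the pull its own transport and set `TLSClientConfig` on that, e.g. on Go 1.13+ `tr := http.DefaultTransport.(*http.Transport).Clone()`. remoteImage starts and ends outside the hunk.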
@@ -298,11 +298,19 @@ Set this flag if you only want to build the image, without pushing to a registry #### --insecure -Set this flag if you want to connect to a plain HTTP registry. It is supposed to be used for testing purposes only and should not be used in production! +Set this flag if you want to push images to a plain HTTP registry. It is supposed to be used for testing purposes only and should not be used in production! #### --skip-tls-verify -Set this flag to skip TLS certificate validation when connecting to a registry. It is supposed to be used for testing purposes only and should not be used in production! +Set this flag to skip TLS certificate validation when pushing images to a registry. It is supposed to be used for testing purposes only and should not be used in production! + +#### --insecure-pull + +Set this flag if you want to pull images from a plain HTTP registry. It is supposed to be used for testing purposes only and should not be used in production! + +#### --skip-tls-verify-pull + +Set this flag to skip TLS certificate validation when pulling images from a registry. It is supposed to be used for testing purposes only and should not be used in production! #### --cache @@ -413,4 +421,4 @@ file are made and when the `mtime` is updated. This means: which will still be correct, but it does affect the number of layers. _Note that these issues are currently theoretical only. If you see this issue occur, please -[open an issue](https://github.com/GoogleContainerTools/kaniko/issues)._ \ No newline at end of file +[open an issue](https://github.com/GoogleContainerTools/kaniko/issues)._