Skip to content

Commit

Permalink
ocirepo: add cosign support for insecure http registries
Browse files Browse the repository at this point in the history
Add support for verifying insecure HTTP OCI repositories with cosign. If
`.spec.insecure` set to true, then cosign uses plain HTTP connections to
communicate with the registry.

Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
  • Loading branch information
aryan9600 committed Jul 19, 2023
1 parent d141456 commit 43e8453
Showing 1 changed file with 5 additions and 11 deletions.
16 changes: 5 additions & 11 deletions internal/controller/ocirepository_controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -426,16 +426,6 @@ func (r *OCIRepositoryReconciler) reconcileSource(ctx context.Context, sp *patch
conditions.GetObservedGeneration(obj, sourcev1.SourceVerifiedCondition) != obj.Generation ||
conditions.IsFalse(obj, sourcev1.SourceVerifiedCondition) {

// Insecure is not supported for verification
if obj.Spec.Insecure {
e := serror.NewGeneric(
fmt.Errorf("cosign does not support insecure registries"),
sourcev1.VerificationError,
)
conditions.MarkFalse(obj, sourcev1.SourceVerifiedCondition, e.Reason, e.Err.Error())
return sreconcile.ResultEmpty, e
}

err := r.verifySignature(ctx, obj, url, opts.verifyOpts...)
if err != nil {
provider := obj.Spec.Verify.Provider
Expand Down Expand Up @@ -634,7 +624,11 @@ func (r *OCIRepositoryReconciler) verifySignature(ctx context.Context, obj *ociv
soci.WithRemoteOptions(opt...),
}

ref, err := name.ParseReference(url)
var nameOpts []name.Option
if obj.Spec.Insecure {
nameOpts = append(nameOpts, name.Insecure)
}
ref, err := name.ParseReference(url, nameOpts...)
if err != nil {
return err
}
Expand Down

0 comments on commit 43e8453

Please sign in to comment.