diff --git a/docs/docs/100-reference/01-command-line/acorn_pull.md b/docs/docs/100-reference/01-command-line/acorn_pull.md
index f0a73d1296..9707e6a54f 100644
--- a/docs/docs/100-reference/01-command-line/acorn_pull.md
+++ b/docs/docs/100-reference/01-command-line/acorn_pull.md
@@ -12,7 +12,10 @@ acorn pull [flags] IMAGE
 ### Options

 ```
- -h, --help help for pull
+ -a, --annotation strings Annotations to check for during verification
+ -h, --help help for pull
+ -k, --key string Key to use for verifying (default "./cosign.pub")
+ -v, --verify Verify the image signature BEFORE pulling and only pull on success
 ```

 ### Options inherited from parent commands
diff --git a/pkg/cli/pull.go b/pkg/cli/pull.go
index bf9a51c50c..88dbe62bfa 100644
--- a/pkg/cli/pull.go
+++ b/pkg/cli/pull.go
@@ -1,6 +1,8 @@
 package cli

 import (
+ "fmt"
+
 cli "github.com/acorn-io/runtime/pkg/cli/builder"
 "github.com/acorn-io/runtime/pkg/client"
 "github.com/acorn-io/runtime/pkg/config"
@@ -20,7 +22,10 @@ func NewPull(c CommandContext) *cobra.Command {
 }

 type Pull struct {
- client ClientFactory
+ client ClientFactory
+ Verify bool `usage:"Verify the image signature BEFORE pulling and only pull on success" short:"v" local:"true" default:"false"`
+ Key string `usage:"Key to use for verifying" short:"k" local:"true" default:"./cosign.pub"`
+ Annotations map[string]string `usage:"Annotations to check for during verification" short:"a" local:"true" name:"annotation"`
 }

 func (s *Pull) Run(cmd *cobra.Command, args []string) error {
@@ -49,6 +54,17 @@ func (s *Pull) Run(cmd *cobra.Command, args []string) error {
 return err
 }

+ if s.Verify {
+ v := ImageVerify{
+ client: s.client,
+ Key: s.Key,
+ Annotations: s.Annotations,
+ }
+ if err := v.Run(cmd, args); err != nil {
+ return fmt.Errorf("NOT pulling image: %w", err)
+ }
+ }
+
 progress, err := c.ImagePull(cmd.Context(), args[0], &client.ImagePullOptions{
 Auth: auth,
 })
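Review bot: `Key` defaults to the relative path `./cosign.pub`, so `acorn pull --verify` without `--key` trusts whatever key file sits in the current working directory, which may not be one the user chose. In addition, `--key` and `--annotation` are accepted without `--verify` and are then silently ignored, because the Run hunk reads them only inside `if s.Verify`; a user can come away believing a signature check ran. Consider rejecting that combination at the top of Run, e.g. `if !s.Verify && (cmd.Flags().Changed("key") || cmd.Flags().Changed("annotation")) { return fmt.Errorf("--key and --annotation require --verify") }`. The `Key` usage text should also say that the default is resolved relative to the working directory.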
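Review bot: The verify-then-pull sequence hands the same `args[0]` reference first to `v.Run` and then to `c.ImagePull`, so when that reference is a mutable tag the image that is pulled is not guaranteed to be the one whose signature was checked. `ImageVerify.Run` is not visible in this diff and may already resolve a digest, but nothing in this hunk carries a digest forward to the pull. Consider having verification return the resolved digest and pulling by that. Failing that, document the gap above the block with `// NOTE: verify and pull each resolve args[0]; a tag moved in between is not detected`. The body of Run starts and ends outside this hunk.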