ocirepo: add cosign support for insecure http registries

Add support for verifying insecure HTTP OCI repositories with cosign. If `.spec.insecure` set to true, then cosign uses plain HTTP connections to communicate with the registry. Signed-off-by: Sanskar Jaiswal <[email protected]>
fluxcd · Jul 19, 2023 · 43e8453 · 43e8453
1 parent d141456
commit 43e8453
Showing 1 changed file with 5 additions and 11 deletions.
diff --git a/internal/controller/ocirepository_controller.go b/internal/controller/ocirepository_controller.go
@@ -426,16 +426,6 @@ func (r *OCIRepositoryReconciler) reconcileSource(ctx context.Context, sp *patch
 		conditions.GetObservedGeneration(obj, sourcev1.SourceVerifiedCondition) != obj.Generation ||
 		conditions.IsFalse(obj, sourcev1.SourceVerifiedCondition) {
 
-		// Insecure is not supported for verification
-		if obj.Spec.Insecure {
-			e := serror.NewGeneric(
-				fmt.Errorf("cosign does not support insecure registries"),
-				sourcev1.VerificationError,
-			)
-			conditions.MarkFalse(obj, sourcev1.SourceVerifiedCondition, e.Reason, e.Err.Error())
-			return sreconcile.ResultEmpty, e
-		}
-
 		err := r.verifySignature(ctx, obj, url, opts.verifyOpts...)
 		if err != nil {
 			provider := obj.Spec.Verify.Provider
@@ -634,7 +624,11 @@ func (r *OCIRepositoryReconciler) verifySignature(ctx context.Context, obj *ociv
 			soci.WithRemoteOptions(opt...),
 		}
 
-		ref, err := name.ParseReference(url)
+		var nameOpts []name.Option
+		if obj.Spec.Insecure {
+			nameOpts = append(nameOpts, name.Insecure)
+		}
+		ref, err := name.ParseReference(url, nameOpts...)
 		if err != nil {
 			return err
 		}