From 43e84535fd1545b965d363bc46f2f3e5c509246c Mon Sep 17 00:00:00 2001
From: Sanskar Jaiswal
Date: Thu, 20 Jul 2023 02:21:14 +0530
Subject: [PATCH] ocirepo: add cosign support for insecure http registries
Add support for verifying insecure HTTP OCI repositories with cosign. If `.spec.insecure` set to true, then cosign uses plain HTTP connections to communicate with the registry.
Signed-off-by: Sanskar Jaiswal
---
 internal/controller/ocirepository_controller.go | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)
diff --git a/internal/controller/ocirepository_controller.go b/internal/controller/ocirepository_controller.go
index 9ab36c748..6116d03b0 100644
--- a/internal/controller/ocirepository_controller.go
+++ b/internal/controller/ocirepository_controller.go
@@ -426,16 +426,6 @@ func (r *OCIRepositoryReconciler) reconcileSource(ctx context.Context, sp *patch
 conditions.GetObservedGeneration(obj, sourcev1.SourceVerifiedCondition) != obj.Generation ||
 conditions.IsFalse(obj, sourcev1.SourceVerifiedCondition) {
 
- // Insecure is not supported for verification
- if obj.Spec.Insecure {
- e := serror.NewGeneric(
- fmt.Errorf("cosign does not support insecure registries"),
- sourcev1.VerificationError,
- )
- conditions.MarkFalse(obj, sourcev1.SourceVerifiedCondition, e.Reason, e.Err.Error())
- return sreconcile.ResultEmpty, e
- }
-
 err := r.verifySignature(ctx, obj, url, opts.verifyOpts...)
 if err != nil {
 provider := obj.Spec.Verify.Provider
@@ -634,7 +624,11 @@ func (r *OCIRepositoryReconciler) verifySignature(ctx context.Context, obj *ociv
 soci.WithRemoteOptions(opt...),
 }
 
- ref, err := name.ParseReference(url)
+ var nameOpts []name.Option
+ if obj.Spec.Insecure {
+ nameOpts = append(nameOpts, name.Insecure)
+ }
+ ref, err := name.ParseReference(url, nameOpts...)
 if err != nil {
 return err
 }
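Review bot: The new `nameOpts` block in verifySignature carries no comment explaining why `name.Insecure` is needed at the reference-parsing step, and that reasoning is easy to lose: the remote options passed via `soci.WithRemoteOptions(opt...)` are presumably built above the hunk, so a later reader may assume they already cover the plain-HTTP case. A comment above `var nameOpts []name.Option` such as `// name.Insecure lets the reference resolve over plain HTTP when .spec.insecure is set; with no TLS on the transport, the cosign signature check is the only integrity guarantee left for the fetched artifact.` would record the trade-off. The same comment is the natural place to note that the guard rejecting insecure registries was dropped from reconcileSource in the first hunk, so on this page `.spec.insecure` now influences verification only here. verifySignature starts and ends outside the hunk.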