authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2021-08-23 13:44:19 -0400
committerGitHub <noreply@github.com>2021-08-23 13:44:19 -0400
commit6a3741598cc30216a1a8db7d2c917e19bc37002b (patch)
tree955957dfceb7ee0a7598cd122461960858109173
parent062900c264c8228ba660b73a938fcad3b8c28ab8 (diff)
parent319c85e89ee2ee565da12680cca041335296a0c0 (diff)
Merge pull request #11205 from Shivkumar13/shivkumar-tls-fix
Support for --tls-verify flag in podman-run & podman-create
-rw-r--r--cmd/podman/common/create.go9
-rw-r--r--cmd/podman/common/create_opts.go1
-rw-r--r--cmd/podman/containers/create.go4
-rw-r--r--docs/source/markdown/podman-create.1.md4
-rw-r--r--docs/source/markdown/podman-run.1.md4
-rw-r--r--test/e2e/create_test.go20
-rw-r--r--test/e2e/run_test.go18
7 files changed, 55 insertions, 5 deletions
diff --git a/cmd/podman/common/create.go b/cmd/podman/common/create.go
index 602ad5d94..401cf2e09 100644
--- a/cmd/podman/common/create.go
+++ b/cmd/podman/common/create.go
@@ -544,6 +544,15 @@ func DefineCreateFlags(cmd *cobra.Command, cf *ContainerCLIOpts) {
)
_ = cmd.RegisterFlagCompletionFunc(podIDFileFlagName, completion.AutocompleteDefault)
+ // Flag for TLS verification, so that `run` and `create` commands can make use of it.
+ // Make sure to use `=` while using this flag i.e `--tls-verify=false/true`
+ tlsVerifyFlagName := "tls-verify"
+ createFlags.BoolVar(
+ &cf.TLSVerify,
+ tlsVerifyFlagName, true,
+ "Require HTTPS and verify certificates when contacting registries for pulling images",
+ )
+
createFlags.BoolVar(
&cf.Privileged,
"privileged", false,
diff --git a/cmd/podman/common/create_opts.go b/cmd/podman/common/create_opts.go
index 0fdf3ce08..e046e5a19 100644
--- a/cmd/podman/common/create_opts.go
+++ b/cmd/podman/common/create_opts.go
@@ -112,6 +112,7 @@ type ContainerCLIOpts struct {
Sysctl []string
Systemd string
Timeout uint
+ TLSVerify bool
TmpFS []string
TTY bool
Timezone string
diff --git a/cmd/podman/containers/create.go b/cmd/podman/containers/create.go
index d16fa0865..7583a024e 100644
--- a/cmd/podman/containers/create.go
+++ b/cmd/podman/containers/create.go
@@ -10,6 +10,7 @@ import (
"github.com/containers/common/pkg/completion"
"github.com/containers/common/pkg/config"
"github.com/containers/image/v5/transports/alltransports"
+ "github.com/containers/image/v5/types"
"github.com/containers/podman/v3/cmd/podman/common"
"github.com/containers/podman/v3/cmd/podman/registry"
"github.com/containers/podman/v3/cmd/podman/utils"
@@ -261,7 +262,7 @@ func createInit(c *cobra.Command) error {
}
func pullImage(imageName string) (string, error) {
- pullPolicy, err := config.ValidatePullPolicy(cliVals.Pull)
+ pullPolicy, err := config.ParsePullPolicy(cliVals.Pull)
if err != nil {
return "", err
}
@@ -287,6 +288,7 @@ func pullImage(imageName string) (string, error) {
Variant: cliVals.Variant,
SignaturePolicy: cliVals.SignaturePolicy,
PullPolicy: pullPolicy,
+ SkipTLSVerify: types.NewOptionalBool(!cliVals.TLSVerify), // If Flag changed for TLS Verification
})
if pullErr != nil {
return "", pullErr
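Review bot: `SkipTLSVerify: types.NewOptionalBool(!cliVals.TLSVerify)` always hands the image library an explicit true or false, so a registry listed as insecure in registries.conf is forced to verified TLS whenever the user does not pass the flag, because the flag registered in the cmd/podman/common/create.go hunk defaults to true. The man-page text added in the same commit promises that an unspecified flag defers to registries.conf, and the trailing comment on the line says "If Flag changed", yet nothing consults `Flags().Changed("tls-verify")`. pullImage only receives the image name, so the changed state would have to be recorded where cliVals is populated (createInit has the cobra command, per the hunk header above) and the field left at its zero value, types.OptionalBoolUndefined, unless the flag was explicitly given; the literal line would then read `SkipTLSVerify: skipTLSVerify,` with a `skipTLSVerify types.OptionalBool` computed beforehand (names are mine). The body of pullImage starts and ends outside this hunk.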
diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md
index b73f6c05a..b5c324459 100644
--- a/docs/source/markdown/podman-create.1.md
+++ b/docs/source/markdown/podman-create.1.md
@@ -991,6 +991,10 @@ Maximum time a container is allowed to run before conmon sends it the kill
signal. By default containers will run until they exit or are stopped by
`podman stop`.
+#### **--tls-verify**=**true**|**false**
+
+Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true, then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified, TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf.
+
#### **--tmpfs**=*fs*
Create a tmpfs mount
diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md
index afee64775..caff714d6 100644
--- a/docs/source/markdown/podman-run.1.md
+++ b/docs/source/markdown/podman-run.1.md
@@ -1048,6 +1048,10 @@ Maximum time a container is allowed to run before conmon sends it the kill
signal. By default containers will run until they exit or are stopped by
`podman stop`.
+#### **--tls-verify**=**true**|**false**
+
+Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true, then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified, TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf.
+
#### **--tmpfs**=*fs*
Create a tmpfs mount.
diff --git a/test/e2e/create_test.go b/test/e2e/create_test.go
index 975596dee..32d98c2a9 100644
--- a/test/e2e/create_test.go
+++ b/test/e2e/create_test.go
@@ -60,10 +60,24 @@ var _ = Describe("Podman create", func() {
})
It("podman container create container based on a remote image", func() {
- session := podmanTest.Podman([]string{"container", "create", BB_GLIBC, "ls"})
+ containerCreate := podmanTest.Podman([]string{"container", "create", BB_GLIBC, "ls"})
+ containerCreate.WaitWithDefaultTimeout()
+ Expect(containerCreate).Should(Exit(0))
+
+ lock := GetPortLock("5000")
+ defer lock.Unlock()
+ session := podmanTest.Podman([]string{"run", "-d", "--name", "registry", "-p", "5000:5000", registry, "/entrypoint.sh", "/etc/docker/registry/config.yml"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
- Expect(podmanTest.NumberOfContainers()).To(Equal(1))
+
+ if !WaitContainerReady(podmanTest, "registry", "listening on", 20, 1) {
+ Skip("Cannot start docker registry.")
+ }
+
+ create := podmanTest.Podman([]string{"container", "create", "--tls-verify=false", ALPINE})
+ create.WaitWithDefaultTimeout()
+ Expect(create).Should(Exit(0))
+ Expect(podmanTest.NumberOfContainers()).To(Equal(3))
})
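Review bot: The `container create --tls-verify=false` call at the end of the hunk pulls ALPINE from its usual source, not from the registry that was just started on port 5000, so the flag's effect on TLS verification is never exercised and the registry container is only counted in the final `Equal(3)` assertion. To test the feature the image would need to be pushed to `localhost:5000` and created from that reference, with a companion case showing that the default (verify) path refuses the plain-HTTP registry while `--tls-verify=false` accepts it. The test name "container create container based on a remote image" no longer describes what the body does either. The same structure is repeated in the test/e2e/run_test.go hunk, which additionally carries a change-log comment, `// Changing session to rsession`, that explains the diff rather than the code and can be dropped.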
It("podman create using short options", func() {
@@ -609,7 +623,7 @@ var _ = Describe("Podman create", func() {
Expect(session).Should(ExitWithError())
})
- It("create container in pod ppublish ports should fail", func() {
+ It("create container in pod publish ports should fail", func() {
name := "createwithpublishports"
pod := podmanTest.RunTopContainerInPod("", "new:"+name)
pod.WaitWithDefaultTimeout()
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index 1fb1a179a..6a2e2ed8d 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -166,9 +166,25 @@ var _ = Describe("Podman run", func() {
})
It("podman run a container based on remote image", func() {
- session := podmanTest.Podman([]string{"run", "-dt", BB_GLIBC, "ls"})
+ // Changing session to rsession
+ rsession := podmanTest.Podman([]string{"run", "-dt", ALPINE, "ls"})
+ rsession.WaitWithDefaultTimeout()
+ Expect(rsession).Should(Exit(0))
+
+ lock := GetPortLock("5000")
+ defer lock.Unlock()
+ session := podmanTest.Podman([]string{"run", "-d", "--name", "registry", "-p", "5000:5000", registry, "/entrypoint.sh", "/etc/docker/registry/config.yml"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
+
+ if !WaitContainerReady(podmanTest, "registry", "listening on", 20, 1) {
+ Skip("Cannot start docker registry.")
+ }
+
+ run := podmanTest.Podman([]string{"run", "--tls-verify=false", ALPINE})
+ run.WaitWithDefaultTimeout()
+ Expect(run).Should(Exit(0))
+ Expect(podmanTest.NumberOfContainers()).To(Equal(3))
})
It("podman run a container with a --rootfs", func() {