Diffstat (limited to 'cmd')
-rw-r--r--cmd/podman/common/sign.go36
-rw-r--r--cmd/podman/images/push.go21
-rw-r--r--cmd/podman/kube/down.go39
-rw-r--r--cmd/podman/kube/play.go67
-rw-r--r--cmd/podman/manifest/push.go24
5 files changed, 159 insertions, 28 deletions
diff --git a/cmd/podman/common/sign.go b/cmd/podman/common/sign.go
new file mode 100644
index 000000000..e8a90ed57
--- /dev/null
+++ b/cmd/podman/common/sign.go
@@ -0,0 +1,36 @@
+package common
+
+import (
+ "fmt"
+
+ "github.com/containers/image/v5/pkg/cli"
+ "github.com/containers/podman/v4/pkg/domain/entities"
+ "github.com/containers/podman/v4/pkg/terminal"
+)
+
+// PrepareSigningPassphrase updates pushOpts.SignPassphrase and SignSigstorePrivateKeyPassphrase based on a --sign-passphrase-file value signPassphraseFile,
+// and validates pushOpts.Sign* consistency.
+// It may interactively prompt for a passphrase if one is required and wasn’t provided otherwise.
+func PrepareSigningPassphrase(pushOpts *entities.ImagePushOptions, signPassphraseFile string) error {
+ // c/common/libimage.Image does allow creating both simple signing and sigstore signatures simultaneously,
+ // with independent passphrases, but that would make the CLI probably too confusing.
+ // For now, use the passphrase with either, but only one of them.
+ if signPassphraseFile != "" && pushOpts.SignBy != "" && pushOpts.SignBySigstorePrivateKeyFile != "" {
+ return fmt.Errorf("only one of --sign-by and sign-by-sigstore-private-key can be used with --sign-passphrase-file")
+ }
+
+ var passphrase string
+ if signPassphraseFile != "" {
+ p, err := cli.ReadPassphraseFile(signPassphraseFile)
+ if err != nil {
+ return err
+ }
+ passphrase = p
+ } else if pushOpts.SignBySigstorePrivateKeyFile != "" {
+ p := terminal.ReadPassphrase()
+ passphrase = string(p)
+ } // pushOpts.SignBy triggers a GPG-agent passphrase prompt, possibly using a more secure channel, so we usually shouldn’t prompt ourselves if no passphrase was explicitly provided.
+ pushOpts.SignPassphrase = passphrase
+ pushOpts.SignSigstorePrivateKeyPassphrase = []byte(passphrase)
+ return nil
+}
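Review bot: The consistency check at the top of PrepareSigningPassphrase rejects the two signing keys together, but it does not reject `--sign-passphrase-file` given with neither `--sign-by` nor `--sign-by-sigstore-private-key`; in that case the file is read and the passphrase silently discarded, which hides a mistyped signing flag. A guard such as `if signPassphraseFile != "" && pushOpts.SignBy == "" && pushOpts.SignBySigstorePrivateKeyFile == "" { return fmt.Errorf("--sign-passphrase-file requires --sign-by or --sign-by-sigstore-private-key") }` would surface it. The existing error string also drops the `--` prefix on the second flag name; it should read `"only one of --sign-by and --sign-by-sigstore-private-key can be used with --sign-passphrase-file"`. Separately, the passphrase ends up both in the string pushOpts.SignPassphrase and in the []byte copy, and a Go string cannot be zeroed after use, so a short comment that the secret lives as long as pushOpts does would help the next maintainer.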
diff --git a/cmd/podman/images/push.go b/cmd/podman/images/push.go
index 1b3419014..1734900de 100644
--- a/cmd/podman/images/push.go
+++ b/cmd/podman/images/push.go
@@ -17,8 +17,9 @@ import (
// CLI-only fields into the API types.
type pushOptionsWrapper struct {
entities.ImagePushOptions
- TLSVerifyCLI bool // CLI only
- CredentialsCLI string
+ TLSVerifyCLI bool // CLI only
+ CredentialsCLI string
+ SignPassphraseFileCLI string
}
var (
@@ -106,6 +107,14 @@ func pushFlags(cmd *cobra.Command) {
flags.StringVar(&pushOptions.SignBy, signByFlagName, "", "Add a signature at the destination using the specified key")
_ = cmd.RegisterFlagCompletionFunc(signByFlagName, completion.AutocompleteNone)
+ signBySigstorePrivateKeyFlagName := "sign-by-sigstore-private-key"
+ flags.StringVar(&pushOptions.SignBySigstorePrivateKeyFile, signBySigstorePrivateKeyFlagName, "", "Sign the image using a sigstore private key at `PATH`")
+ _ = cmd.RegisterFlagCompletionFunc(signBySigstorePrivateKeyFlagName, completion.AutocompleteDefault)
+
+ signPassphraseFileFlagName := "sign-passphrase-file"
+ flags.StringVar(&pushOptions.SignPassphraseFileCLI, signPassphraseFileFlagName, "", "Read a passphrase for signing an image from `PATH`")
+ _ = cmd.RegisterFlagCompletionFunc(signPassphraseFileFlagName, completion.AutocompleteDefault)
+
flags.BoolVar(&pushOptions.TLSVerifyCLI, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries")
compressionFormat := "compression-format"
@@ -117,7 +126,9 @@ func pushFlags(cmd *cobra.Command) {
_ = flags.MarkHidden("compress")
_ = flags.MarkHidden("digestfile")
_ = flags.MarkHidden("quiet")
- _ = flags.MarkHidden("sign-by")
+ _ = flags.MarkHidden(signByFlagName)
+ _ = flags.MarkHidden(signBySigstorePrivateKeyFlagName)
+ _ = flags.MarkHidden(signPassphraseFileFlagName)
}
if !registry.IsRemote() {
flags.StringVar(&pushOptions.SignaturePolicy, "signature-policy", "", "Path to a signature-policy file")
@@ -153,6 +164,10 @@ func imagePush(cmd *cobra.Command, args []string) error {
pushOptions.Password = creds.Password
}
+ if err := common.PrepareSigningPassphrase(&pushOptions.ImagePushOptions, pushOptions.SignPassphraseFileCLI); err != nil {
+ return err
+ }
+
// Let's do all the remaining Yoga in the API to prevent us from scattering
// logic across (too) many parts of the code.
return registry.ImageEngine().Push(registry.GetContext(), source, destination, pushOptions.ImagePushOptions)
diff --git a/cmd/podman/kube/down.go b/cmd/podman/kube/down.go
new file mode 100644
index 000000000..b8c025928
--- /dev/null
+++ b/cmd/podman/kube/down.go
@@ -0,0 +1,39 @@
+package pods
+
+import (
+ "github.com/containers/podman/v4/cmd/podman/common"
+ "github.com/containers/podman/v4/cmd/podman/registry"
+ "github.com/spf13/cobra"
+)
+
+var (
+ downDescription = `Reads in a structured file of Kubernetes YAML.
+
+ Removes pods that have been based on the Kubernetes kind described in the YAML.`
+
+ downCmd = &cobra.Command{
+ Use: "down KUBEFILE|-",
+ Short: "Remove pods based on Kubernetes YAML.",
+ Long: downDescription,
+ RunE: down,
+ Args: cobra.ExactArgs(1),
+ ValidArgsFunction: common.AutocompleteDefaultOneArg,
+ Example: `podman kube down nginx.yml
+ cat nginx.yml | podman kube down -`,
+ }
+)
+
+func init() {
+ registry.Commands = append(registry.Commands, registry.CliCommand{
+ Command: downCmd,
+ Parent: kubeCmd,
+ })
+}
+
+func down(cmd *cobra.Command, args []string) error {
+ reader, err := readerFromArg(args[0])
+ if err != nil {
+ return err
+ }
+ return teardown(reader)
+}
diff --git a/cmd/podman/kube/play.go b/cmd/podman/kube/play.go
index 685cb521c..4811bcf4b 100644
--- a/cmd/podman/kube/play.go
+++ b/cmd/podman/kube/play.go
@@ -1,8 +1,10 @@
package pods
import (
+ "bytes"
"errors"
"fmt"
+ "io"
"net"
"os"
"strings"
@@ -37,9 +39,9 @@ var (
// https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
defaultSeccompRoot = "/var/lib/kubelet/seccomp"
playOptions = playKubeOptionsWrapper{}
- playDescription = `Command reads in a structured file of Kubernetes YAML.
+ playDescription = `Reads in a structured file of Kubernetes YAML.
- It creates pods or volumes based on the Kubernetes kind described in the YAML. Supported kinds are Pods, Deployments and PersistentVolumeClaims.`
+ Creates pods or volumes based on the Kubernetes kind described in the YAML. Supported kinds are Pods, Deployments and PersistentVolumeClaims.`
playCmd = &cobra.Command{
Use: "play [options] KUBEFILE|-",
@@ -139,6 +141,7 @@ func playFlags(cmd *cobra.Command) {
downFlagName := "down"
flags.BoolVar(&playOptions.Down, downFlagName, false, "Stop pods defined in the YAML file")
+ _ = flags.MarkHidden("down")
replaceFlagName := "replace"
flags.BoolVar(&playOptions.Replace, replaceFlagName, false, "Delete and recreate pods defined in the YAML file")
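Review bot: The added `flags.MarkHidden("down")` uses a string literal although `downFlagName` is declared two lines above it; the push.go hunks in this same change switch `MarkHidden("sign-by")` to the variable for exactly this reason, so `_ = flags.MarkHidden(downFlagName)` keeps the files consistent. playFlags continues outside the hunk.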
@@ -223,10 +226,6 @@ func Play(cmd *cobra.Command, args []string) error {
}
playOptions.Annotations[splitN[0]] = annotation
}
- yamlfile := args[0]
- if yamlfile == "-" {
- yamlfile = "/dev/stdin"
- }
for _, mac := range playOptions.macs {
m, err := net.ParseMAC(mac)
@@ -235,36 +234,62 @@ func Play(cmd *cobra.Command, args []string) error {
}
playOptions.StaticMACs = append(playOptions.StaticMACs, m)
}
+
+ reader, err := readerFromArg(args[0])
+ if err != nil {
+ return err
+ }
+
if playOptions.Down {
- return teardown(yamlfile)
+ return teardown(reader)
}
+
if playOptions.Replace {
- if err := teardown(yamlfile); err != nil && !errorhandling.Contains(err, define.ErrNoSuchPod) {
+ if err := teardown(reader); err != nil && !errorhandling.Contains(err, define.ErrNoSuchPod) {
+ return err
+ }
+ if _, err := reader.Seek(0, 0); err != nil {
return err
}
}
- return kubeplay(yamlfile)
+ return kubeplay(reader)
}
func playKube(cmd *cobra.Command, args []string) error {
return Play(cmd, args)
}
-func teardown(yamlfile string) error {
+func readerFromArg(fileName string) (*bytes.Reader, error) {
+ if fileName == "-" { // Read from stdin
+ data, err := io.ReadAll(os.Stdin)
+ if err != nil {
+ return nil, err
+ }
+ return bytes.NewReader(data), nil
+ }
+ f, err := os.Open(fileName)
+ if err != nil {
+ return nil, err
+ }
+ defer f.Close()
+
+ data, err := io.ReadAll(f)
+ if err != nil {
+ return nil, err
+ }
+ return bytes.NewReader(data), nil
+}
+
+func teardown(body io.Reader) error {
var (
podStopErrors utils.OutputErrors
podRmErrors utils.OutputErrors
)
options := new(entities.PlayKubeDownOptions)
- f, err := os.Open(yamlfile)
+ reports, err := registry.ContainerEngine().PlayKubeDown(registry.GetContext(), body, *options)
if err != nil {
return err
}
- defer f.Close()
- reports, err := registry.ContainerEngine().PlayKubeDown(registry.GetContext(), f, *options)
- if err != nil {
- return fmt.Errorf("%v: %w", yamlfile, err)
- }
// Output stopped pods
fmt.Println("Pods stopped:")
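Review bot: teardown no longer wraps the PlayKubeDown error with the input name (the removed `fmt.Errorf("%v: %w", yamlfile, err)`), and the kubeplay hunk below drops the same wrapping for PlayKube, so a failure now says nothing about which YAML input was involved; since Play still has `args[0]` in scope, wrapping the teardown and kubeplay results there, e.g. `return fmt.Errorf("%s: %w", args[0], err)`, would restore that context (down.go's `down` would need the same). The rewind in the --replace branch uses a magic constant, `reader.Seek(0, 0)`; `reader.Seek(0, io.SeekStart)` says what it does and `io` is already imported in this hunk's file. readerFromArg also discards the `f.Close()` error, which is acceptable for a read-only file but deserves a one-line comment saying so. The beginning of Play is outside the hunk.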
@@ -290,19 +315,15 @@ func teardown(yamlfile string) error {
podRmErrors = append(podRmErrors, removed.Err)
}
}
+
return podRmErrors.PrintErrors()
}
-func kubeplay(yamlfile string) error {
- f, err := os.Open(yamlfile)
+func kubeplay(body io.Reader) error {
+ report, err := registry.ContainerEngine().PlayKube(registry.GetContext(), body, playOptions.PlayKubeOptions)
if err != nil {
return err
}
- defer f.Close()
- report, err := registry.ContainerEngine().PlayKube(registry.GetContext(), f, playOptions.PlayKubeOptions)
- if err != nil {
- return fmt.Errorf("%s: %w", yamlfile, err)
- }
// Print volumes report
for i, volume := range report.Volumes {
if i == 0 {
diff --git a/cmd/podman/manifest/push.go b/cmd/podman/manifest/push.go
index 9479e79a3..756ed2a74 100644
--- a/cmd/podman/manifest/push.go
+++ b/cmd/podman/manifest/push.go
@@ -20,8 +20,9 @@ import (
type manifestPushOptsWrapper struct {
entities.ImagePushOptions
- TLSVerifyCLI bool // CLI only
- CredentialsCLI string
+ TLSVerifyCLI bool // CLI only
+ CredentialsCLI string
+ SignPassphraseFileCLI string
}
var (
@@ -72,12 +73,27 @@ func init() {
flags.StringVar(&manifestPushOpts.SignBy, signByFlagName, "", "sign the image using a GPG key with the specified `FINGERPRINT`")
_ = pushCmd.RegisterFlagCompletionFunc(signByFlagName, completion.AutocompleteNone)
+ signBySigstorePrivateKeyFlagName := "sign-by-sigstore-private-key"
+ flags.StringVar(&manifestPushOpts.SignBySigstorePrivateKeyFile, signBySigstorePrivateKeyFlagName, "", "Sign the image using a sigstore private key at `PATH`")
+ _ = pushCmd.RegisterFlagCompletionFunc(signBySigstorePrivateKeyFlagName, completion.AutocompleteDefault)
+
+ signPassphraseFileFlagName := "sign-passphrase-file"
+ flags.StringVar(&manifestPushOpts.SignPassphraseFileCLI, signPassphraseFileFlagName, "", "Read a passphrase for signing an image from `PATH`")
+ _ = pushCmd.RegisterFlagCompletionFunc(signPassphraseFileFlagName, completion.AutocompleteDefault)
+
flags.BoolVar(&manifestPushOpts.TLSVerifyCLI, "tls-verify", true, "require HTTPS and verify certificates when accessing the registry")
flags.BoolVarP(&manifestPushOpts.Quiet, "quiet", "q", false, "don't output progress information when pushing lists")
flags.SetNormalizeFunc(utils.AliasFlags)
+ compressionFormat := "compression-format"
+ flags.StringVar(&manifestPushOpts.CompressionFormat, compressionFormat, "", "compression format to use")
+ _ = pushCmd.RegisterFlagCompletionFunc(compressionFormat, common.AutocompleteCompressionFormat)
+
if registry.IsRemote() {
_ = flags.MarkHidden("cert-dir")
+ _ = flags.MarkHidden(signByFlagName)
+ _ = flags.MarkHidden(signBySigstorePrivateKeyFlagName)
+ _ = flags.MarkHidden(signPassphraseFileFlagName)
}
}
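Review bot: The help strings added for `--sign-by-sigstore-private-key` and `--sign-passphrase-file` are capitalised ("Sign the image…", "Read a passphrase…") while every other flag in this init uses lowercase help text (`"sign the image using a GPG key…"`, `"require HTTPS…"`, `"compression format to use"`); lowercasing the two new strings keeps `podman manifest push --help` uniform. The `--compression-format` flag registered in the same hunk is unrelated to signing and would be easier to review as its own change, though the commit message is not visible here to say whether that was intended.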
@@ -103,6 +119,10 @@ func push(cmd *cobra.Command, args []string) error {
manifestPushOpts.Password = creds.Password
}
+ if err := common.PrepareSigningPassphrase(&manifestPushOpts.ImagePushOptions, manifestPushOpts.SignPassphraseFileCLI); err != nil {
+ return err
+ }
+
// TLS verification in c/image is controlled via a `types.OptionalBool`
// which allows for distinguishing among set-true, set-false, unspecified
// which is important to implement a sane way of dealing with defaults of