From 1158025ef8d8e8d9d0d2157292d36b4d7392ea39 Mon Sep 17 00:00:00 2001 From: Flavio Castelli Date: Wed, 9 Sep 2020 12:33:11 +0200 Subject: Extend flags of `manifest add` Extend the flags of `podman manifest add` to include also: * cert-dir * auth-file * creds * tls-verify These options are useful when adding to a manifest an image that is not part of the local image store. The image resides on a remote registry that falls into one of these cases: it's not using tls termination, it requires authentication or it's secured with an unknown tls certificate. Consider the following scenario: a multi architecture manifest is created as part of a multi-step CI pipeline running in a containerized way. All the images referenced by the manifest live inside of a registry secured with a self-signed tls certificate. Without this patch the manifest creation step would have to pull all the multi-architecture images locally via `podman pull`. With this patch the usage of `podman pull` would not be needed because the images' digests can be requested straight to the registry. That means the execution of manifest creation step would be faster and result in less disk space and network bandwidth being used. Finally, this is a propagation of a similar fix done inside of buildah via https://github.com/containers/buildah/pull/2593 Signed-off-by: Flavio Castelli --- pkg/domain/entities/manifest.go | 21 +++++++++++++-------- pkg/domain/infra/abi/manifest.go | 19 ++++++++++++++++++- 2 files changed, 31 insertions(+), 9 deletions(-) (limited to 'pkg') diff --git a/pkg/domain/entities/manifest.go b/pkg/domain/entities/manifest.go index 853619b19..01180951a 100644 --- a/pkg/domain/entities/manifest.go +++ b/pkg/domain/entities/manifest.go @@ -9,14 +9,19 @@ type ManifestCreateOptions struct { } type ManifestAddOptions struct { - All bool `json:"all" schema:"all"` - Annotation []string `json:"annotation" schema:"annotation"` - Arch string `json:"arch" schema:"arch"` - Features []string `json:"features" schema:"features"` - Images []string `json:"images" schema:"images"` - OS string `json:"os" schema:"os"` - OSVersion string `json:"os_version" schema:"os_version"` - Variant string `json:"variant" schema:"variant"` + All bool `json:"all" schema:"all"` + Annotation []string `json:"annotation" schema:"annotation"` + Arch string `json:"arch" schema:"arch"` + Authfile string `json:"-" schema:"-"` + CertDir string `json:"-" schema:"-"` + Features []string `json:"features" schema:"features"` + Images []string `json:"images" schema:"images"` + OS string `json:"os" schema:"os"` + OSVersion string `json:"os_version" schema:"os_version"` + Password string `json:"-" schema:"-"` + SkipTLSVerify types.OptionalBool `json:"-" schema:"-"` + Username string `json:"-" schema:"-"` + Variant string `json:"variant" schema:"variant"` } type ManifestAnnotateOptions struct { diff --git a/pkg/domain/infra/abi/manifest.go b/pkg/domain/infra/abi/manifest.go index 6f3c6b902..540eff50b 100644 --- a/pkg/domain/infra/abi/manifest.go +++ b/pkg/domain/infra/abi/manifest.go @@ -102,7 +102,24 @@ func (ir *ImageEngine) ManifestAdd(ctx context.Context, opts entities.ManifestAd } manifestAddOpts.Annotation = annotations } - listID, err := listImage.AddManifest(*ir.Libpod.SystemContext(), manifestAddOpts) + + // Set the system context. + sys := ir.Libpod.SystemContext() + if sys != nil { + sys = &types.SystemContext{} + } + sys.AuthFilePath = opts.Authfile + sys.DockerInsecureSkipTLSVerify = opts.SkipTLSVerify + sys.DockerCertPath = opts.CertDir + + if opts.Username != "" && opts.Password != "" { + sys.DockerAuthConfig = &types.DockerAuthConfig{ + Username: opts.Username, + Password: opts.Password, + } + } + + listID, err := listImage.AddManifest(*sys, manifestAddOpts) if err != nil { return listID, err } -- cgit v1.2.3-54-g00ecf From f1df56a1016ba11aa97e7053e78c656bcb284523 Mon Sep 17 00:00:00 2001 From: Flavio Castelli Date: Wed, 9 Sep 2020 12:34:55 +0200 Subject: manifest push: handle cert-dir flag Prior to this commit the value of the `--cert-dir` flag specified for `podman manifest push` was not handled by the internal code. That resulted in `podman manifest push` not reading the certificates stored inside of the directory specified by the user. Signed-off-by: Flavio Castelli --- pkg/domain/infra/abi/manifest.go | 1 + 1 file changed, 1 insertion(+) (limited to 'pkg') diff --git a/pkg/domain/infra/abi/manifest.go b/pkg/domain/infra/abi/manifest.go index 540eff50b..55f73bf65 100644 --- a/pkg/domain/infra/abi/manifest.go +++ b/pkg/domain/infra/abi/manifest.go @@ -208,6 +208,7 @@ func (ir *ImageEngine) ManifestPush(ctx context.Context, names []string, opts en } sys.AuthFilePath = opts.Authfile sys.DockerInsecureSkipTLSVerify = opts.SkipTLSVerify + sys.DockerCertPath = opts.CertDir if opts.Username != "" && opts.Password != "" { sys.DockerAuthConfig = &types.DockerAuthConfig{ -- cgit v1.2.3-54-g00ecf