imagerepo: add .spec.insecure to ImageRepository
Add a new boolean field `.spec.insecure` to the `ImageRepository` API.
This enables connecting to insecure registries hosted at an HTTP
endpoint.

Signed-off-by: Sanskar Jaiswal <[email protected]>
aryan9600 committed Nov 22, 2023
1 parent 2da3af1 commit 45e1dad
Showing 6 changed files with 73 additions and 14 deletions.
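--- a/api/v1beta2/imagerepository_types.go
+++ b/api/v1beta2/imagerepository_types.go
@@ -104,6 +104,11 @@ type ImageRepositorySpec struct {
 // +kubebuilder:default:=generic
 // +optional
 Provider string `json:"provider,omitempty"`
+
+// Insecure, if set to true indicates that the image registry is hosted at an
+// HTTP endpoint.
+// +optional
+Insecure bool `json:"insecure,omitempty"`
 }
 
 type ScanResult struct {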
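Review bot: The comment on `Insecure` says only that the registry is "hosted at an HTTP endpoint" and omits the consequence a user needs to know before enabling it: traffic to the registry, including any credentials sent with requests, is unencrypted and the server is not authenticated. "Insecure" is also commonly read as "skip TLS certificate verification", so the comment should state that this field selects plain HTTP and is false by default. Suggested wording: `// Insecure allows connecting to a non-TLS HTTP container registry. Traffic to the registry, including credentials, is then sent unencrypted.` The generated CRD description and API reference in this commit copy the same sentence, so they would pick up the change on regeneration; the struct begins before the hunk.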
@@ -315,6 +315,10 @@ spec:
image:
description: Image is the name of the image repository
type: string
insecure:
description: Insecure, if set to true indicates that the image registry
is hosted at an HTTP endpoint.
type: boolean
interval:
description: Interval is the length of time to wait between scans
of the image repository.
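--- a/docs/api/v1beta2/image-reflector.md
+++ b/docs/api/v1beta2/image-reflector.md
@@ -543,6 +543,19 @@ string
 When not specified, defaults to &lsquo;generic&rsquo;.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>insecure</code><br>
+<em>
+bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Insecure, if set to true indicates that the image registry is hosted at an
+HTTP endpoint.</p>
+</td>
+</tr>
 </table>
 </td>
 </tr>
@@ -731,6 +744,19 @@ string
 When not specified, defaults to &lsquo;generic&rsquo;.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>insecure</code><br>
+<em>
+bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Insecure, if set to true indicates that the image registry is hosted at an
+HTTP endpoint.</p>
+</td>
+</tr>
 </tbody>
 </table>
 </div>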
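--- a/docs/spec/v1beta2/imagerepositories.md
+++ b/docs/spec/v1beta2/imagerepositories.md
@@ -318,6 +318,12 @@ spec:
 - "1.1.1|1.0.0"
 ```
 
+### Insecure
+
+`.spec.insecure` is an optional field to specify that the image registry is
+hosted at a non-TLS endpoint and thus the controller should use plain HTTP
+requests to communicate with the registry.
+
 ### Provider
 
 `.spec.provider` is an optional field that allows specifying an OIDC provider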
16 changes: 11 additions & 5 deletions internal/controller/imagerepository_controller.go
@@ -249,7 +249,7 @@ func (r *ImageRepositoryReconciler) reconcile(ctx context.Context, sp *patch.Ser
}

// Parse image reference.
ref, err := parseImageReference(obj.Spec.Image)
ref, err := parseImageReference(obj.Spec.Image, obj.Spec.Insecure)
if err != nil {
conditions.MarkStalled(obj, imagev1.ImageURLInvalidReason, err.Error())
result, retErr = ctrl.Result{}, nil
@@ -468,7 +468,7 @@ func (r *ImageRepositoryReconciler) shouldScan(obj imagev1.ImageRepository, now

// If the canonical image name of the image is different from the last
// observed name, scan now.
ref, err := parseImageReference(obj.Spec.Image)
ref, err := parseImageReference(obj.Spec.Image, obj.Spec.Insecure)
if err != nil {
return false, scanInterval, "", err
}
@@ -570,13 +570,19 @@ func eventLogf(ctx context.Context, r kuberecorder.EventRecorder, obj runtime.Ob
}

// parseImageReference parses the given URL into a container registry repository
// reference.
func parseImageReference(url string) (name.Reference, error) {
// reference. If insecure is set to true, then the registry is deemed to be
// located at an HTTP endpoint.
func parseImageReference(url string, insecure bool) (name.Reference, error) {
if s := strings.Split(url, "://"); len(s) > 1 {
return nil, fmt.Errorf(".spec.image value should not start with URL scheme; remove '%s://'", s[0])
}

ref, err := name.ParseReference(url)
var opts []name.Option
if insecure {
opts = append(opts, name.Insecure)
}

ref, err := name.ParseReference(url, opts...)
if err != nil {
return nil, err
}
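Review bot: `parseImageReference` now applies `name.Insecure` whenever `obj.Spec.Insecure` is true, and neither it nor the two call sites in `reconcile` and `shouldScan` checks what else the object configures, so one boolean on a namespaced object selects plain HTTP for that registry. If the object also references registry credentials or a non-generic provider (that code is outside these hunks, so this is inferred), those secrets would travel unencrypted. I would add a guard in `reconcile` before the parse, along the lines of `if obj.Spec.Insecure && obj.Spec.SecretRef != nil { ... }`, that stalls the object or at least emits a warning event, and consider a controller-level opt-in so cluster operators decide whether HTTP registries are allowed at all. All three function bodies extend beyond the hunks shown.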
30 changes: 21 additions & 9 deletions internal/controller/imagerepository_controller_test.go
@@ -580,7 +580,7 @@ func TestImageRepositoryReconciler_scan(t *testing.T) {
repo.SetAnnotations(map[string]string{meta.ReconcileRequestAnnotation: tt.annotation})
}

ref, err := parseImageReference(imgRepo)
ref, err := parseImageReference(imgRepo, false)
g.Expect(err).ToNot(HaveOccurred())

opts := []remote.Option{}
@@ -656,12 +656,13 @@ func TestGetLatestTags(t *testing.T) {
}
}

func TestParseImageReference(t *testing.T) {
func Test_parseImageReference(t *testing.T) {
tests := []struct {
name string
url string
wantErr bool
wantRef string
name string
url string
insecure bool
wantErr bool
wantRef string
}{
{
name: "simple valid url",
@@ -684,16 +685,27 @@ func TestParseImageReference(t *testing.T) {
wantErr: false,
wantRef: "example.com:9999/foo/bar",
},
{
name: "with insecure registry",
url: "example.com/foo/bar",
insecure: true,
wantRef: "example.com/foo/bar",
},
}

for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
g := NewWithT(t)

ref, err := parseImageReference(tt.url)
g.Expect(err != nil).To(Equal(tt.wantErr))
if err == nil {
ref, err := parseImageReference(tt.url, tt.insecure)
if tt.wantErr {
g.Expect(err).To(HaveOccurred())
} else {
g.Expect(err).ToNot(HaveOccurred())
g.Expect(ref.String()).To(Equal(tt.wantRef))
if tt.insecure {
g.Expect(ref.Context().Registry.Scheme()).To(Equal("http"))
}
}
})
}
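Review bot: The scheme assertion in `Test_parseImageReference` runs only when `tt.insecure` is true, so the table never checks that the default path still yields HTTPS; a regression that applied `name.Insecure` unconditionally would pass every case shown. Derive the expected scheme from the flag (`"http"` when `tt.insecure`, otherwise `"https"`) and assert it for every successful case with `g.Expect(ref.Context().Registry.Scheme()).To(Equal(wantScheme))`; the hosts visible here are all `example.com`, and any host the library special-cases would need its own expectation. A case combining `insecure: true` with a host:port reference such as the existing `example.com:9999/foo/bar` would also be worth adding. The test function's closing lines are outside the hunk.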
