using existing skip tls flag available

Signed-off-by: sethiyash <[email protected]>
carvel-dev · Jan 5, 2024 · e1470ed · e1470ed
1 parent a438f0d
commit e1470ed
Show file tree

Hide file tree

Showing 7 changed files with 220 additions and 239 deletions.
diff --git a/config/config/crds.yml b/config/config/crds.yml
@@ -209,9 +209,6 @@ spec:
                             git:
                               description: Uses git to clone repository
                               properties:
-                                dangerousSkipTLSVerify:
-                                  description: Skip TLS verification (optional)
-                                  type: boolean
                                 lfsSkipSmudge:
                                   description: Skip lfs download (optional)
                                   type: boolean
@@ -828,9 +825,6 @@ spec:
                     git:
                       description: Uses git to clone repository
                       properties:
-                        dangerousSkipTLSVerify:
-                          description: Skip TLS verification (optional)
-                          type: boolean
                         lfsSkipSmudge:
                           description: Skip lfs download (optional)
                           type: boolean
@@ -1653,9 +1647,6 @@ spec:
                   git:
                     description: Uses git to clone repository containing package list
                     properties:
-                      dangerousSkipTLSVerify:
-                        description: Skip TLS verification (optional)
-                        type: boolean
                       lfsSkipSmudge:
                         description: Skip lfs download (optional)
                         type: boolean

diff --git a/pkg/apis/kappctrl/v1alpha1/generated.pb.go b/pkg/apis/kappctrl/v1alpha1/generated.pb.go
diff --git a/pkg/apis/kappctrl/v1alpha1/generated.proto b/pkg/apis/kappctrl/v1alpha1/generated.proto
diff --git a/pkg/apis/kappctrl/v1alpha1/types_fetch.go b/pkg/apis/kappctrl/v1alpha1/types_fetch.go
@@ -106,9 +106,6 @@ type AppFetchGit struct {
 	// Skip lfs download (optional)
 	// +optional
 	LFSSkipSmudge bool `json:"lfsSkipSmudge,omitempty" protobuf:"varint,5,opt,name=lfsSkipSmudge"`
-	// Skip TLS verification (optional)
-	// +optional
-	DangerousSkipTLSVerify bool `json:"dangerousSkipTLSVerify,omitempty" protobuf:"varint,7,opt,name=dangerousSkipTLSVerify"`
 }
 
 // +k8s:openapi-gen=true

diff --git a/pkg/apiserver/openapi/zz_generated.openapi.go b/pkg/apiserver/openapi/zz_generated.openapi.go
diff --git a/pkg/fetch/vendir.go b/pkg/fetch/vendir.go
@@ -7,6 +7,7 @@ import (
 	"bytes"
 	"context"
 	"fmt"
+	"net/url"
 	"os"
 	goexec "os/exec"
 	"path/filepath"
@@ -122,7 +123,7 @@ func (v *Vendir) imageConf(image v1alpha1.AppFetchImage) vendirconf.DirectoryCon
 			URL:                    image.URL,
 			TagSelection:           image.TagSelection,
 			SecretRef:              v.localRefConf(image.SecretRef),
-			DangerousSkipTLSVerify: v.shouldSkipTLSVerify(image.URL),
+			DangerousSkipTLSVerify: v.shouldSkipTLSVerify(image.URL, false),
 		},
 	}
 }
@@ -134,7 +135,7 @@ func (v *Vendir) imgpkgBundleConf(imgpkgBundle v1alpha1.AppFetchImgpkgBundle) ve
 			Image:                  imgpkgBundle.Image,
 			TagSelection:           imgpkgBundle.TagSelection,
 			SecretRef:              v.localRefConf(imgpkgBundle.SecretRef),
-			DangerousSkipTLSVerify: v.shouldSkipTLSVerify(imgpkgBundle.Image),
+			DangerousSkipTLSVerify: v.shouldSkipTLSVerify(imgpkgBundle.Image, false),
 		},
 	}
 }
@@ -161,7 +162,7 @@ func (v *Vendir) gitConf(git v1alpha1.AppFetchGit) vendirconf.DirectoryContents
 			Ref:                    git.Ref,
 			SecretRef:              v.localRefConf(git.SecretRef),
 			LFSSkipSmudge:          git.LFSSkipSmudge,
-			DangerousSkipTLSVerify: git.DangerousSkipTLSVerify,
+			DangerousSkipTLSVerify: v.shouldSkipTLSVerify(git.URL, true),
 		},
 	}
 }
@@ -377,11 +378,9 @@ func (v *Vendir) configMapBytes(configMapRef vendirconf.DirectoryContentsLocalRe
 	return kyaml.Marshal(configMap)
 }
 
-// This function only works on image refs. If in the future we decide to
-// expand this option to other fetch options, we will need to add hostname
-// extraction for those
-func (v *Vendir) shouldSkipTLSVerify(url string) bool {
-	return v.opts.SkipTLSConfig.ShouldSkipTLSForAuthority(ExtractImageRegistry(url))
+// This function works on image refs and hostname extraction using isGitURL flag
+func (v *Vendir) shouldSkipTLSVerify(url string, isGitURL bool) bool {
+	return v.opts.SkipTLSConfig.ShouldSkipTLSForAuthority(ExtractHost(url, isGitURL))
 }
 
 // Run executes vendir command based on given configuration.
@@ -411,8 +410,8 @@ func (v *Vendir) ClearCache(cacheID string) error {
 	return os.RemoveAll(filepath.Join(v.opts.BaseCacheFolder, cacheID))
 }
 
-// ExtractImageRegistry returns the registry portion of a Docker image reference
-func ExtractImageRegistry(name string) string {
+// extractImageRegistry returns the registry portion of a Docker image reference
+func extractImageRegistry(name string) string {
 	parts := strings.SplitN(name, "/", 2)
 	var registry string
 	if len(parts) == 2 && (strings.ContainsRune(parts[0], '.') || strings.ContainsRune(parts[0], ':')) {
@@ -422,3 +421,20 @@ func ExtractImageRegistry(name string) string {
 	}
 	return registry
 }
+
+// extractGitHostname extracts the hostname from the git URL.
+func extractGitHostname(input string) string {
+	u, err := url.Parse(input)
+	if err != nil {
+		return "github.com"
+	}
+	return u.Hostname()
+}
+
+// ExtractHost return registry for Docker Image and Host for git url
+func ExtractHost(input string, isGitURL bool) string {
+	if !isGitURL {
+		extractImageRegistry(input)
+	}
+	return extractGitHostname(input)
+}
diff --git a/pkg/fetch/vendir_test.go b/pkg/fetch/vendir_test.go
@@ -58,32 +58,52 @@ func Test_AddDir_skipsTLS(t *testing.T) {
 	}
 }
 
-func TestExtractImageRegistry(t *testing.T) {
+func TestExtractHost(t *testing.T) {
 	tests := []struct {
-		name string
-		want string
+		name     string
+		isGitURL bool
+		want     string
 	}{
 		{
-			name: "ubuntu:latest",
-			want: "index.docker.io",
+			name:     "ubuntu:latest",
+			isGitURL: false,
+			want:     "index.docker.io",
 		},
 		{
-			name: "foo/bar:v1.2.3",
-			want: "index.docker.io",
+			name:     "foo/bar:v1.2.3",
+			isGitURL: false,
+			want:     "index.docker.io",
 		},
 		{
-			name: "ghcr.io/foo/bar:foo",
-			want: "ghcr.io",
+			name:     "ghcr.io/foo/bar:foo",
+			isGitURL: false,
+			want:     "ghcr.io",
 		},
 		{
-			name: "foo.domain:5426/foo/bar@sha256:blah",
-			want: "foo.domain:5426",
+			name:     "foo.domain:5426/foo/bar@sha256:blah",
+			isGitURL: false,
+			want:     "foo.domain:5426",
+		},
+		{
+			name:     "https://github.com/bitnami/charts/",
+			isGitURL: true,
+			want:     "github.com",
+		},
+		{
+			name:     "http://github.com/bitnami/charts/",
+			isGitURL: true,
+			want:     "github.com",
+		},
+		{
+			name:     "ssh://[email protected]:/path/to/repo.git",
+			isGitURL: true,
+			want:     "hostname.com",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if got := fetch.ExtractImageRegistry(tt.name); got != tt.want {
-				t.Errorf("ExtractDockerImageRepo() = %v, want %v", got, tt.want)
+			if got := fetch.ExtractHost(tt.name, tt.isGitURL); got != tt.want {
+				t.Errorf("ExtractHost() = %v, want %v", got, tt.want)
 			}
 		})
 	}