opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-10-25 02:04:43 +08:00
Code Issues Packages Projects Releases Wiki Activity

Adding encryption decryption feature

Browse Source 
Signed-off-by: Tarun1 Gupta <gupttaru@deshaw.com>
This commit is contained in:
gupttaru
2022-08-18 20:26:48 +05:30
committed by Tarun1 Gupta
parent f50ce4aea4
commit 3bb9ed4f09
19 changed files with 391 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
pkg/domain/entities/images.go
View File

@ -8,6 +8,7 @@ import (
"github.com/containers/common/pkg/config"
"github.com/containers/image/v5/manifest"
"github.com/containers/image/v5/types"
encconfig "github.com/containers/ocicrypt/config"
"github.com/containers/podman/v4/pkg/inspect"
"github.com/containers/podman/v4/pkg/trust"
"github.com/docker/docker/api/types/container"
@ -158,6 +159,9 @@ type ImagePullOptions struct {
PullPolicy config.PullPolicy
// Writer is used to display copy information including progress bars.
Writer io.Writer
// OciDecryptConfig contains the config that can be used to decrypt an image if it is
// encrypted if non-nil. If nil, it does not attempt to decrypt an image.
OciDecryptConfig *encconfig.DecryptConfig
}
// ImagePullReport is the response from pulling one or more images.
@ -227,6 +231,15 @@ type ImagePushOptions struct {
CompressionFormat string
// Writer is used to display copy information including progress bars.
Writer io.Writer
// OciEncryptConfig when non-nil indicates that an image should be encrypted.
// The encryption options is derived from the construction of EncryptConfig object.
OciEncryptConfig *encconfig.EncryptConfig
// OciEncryptLayers represents the list of layers to encrypt.
// If nil, don't encrypt any layers.
// If non-nil and len==0, denotes encrypt all layers.
// integers in the slice represent 0-indexed layer indices, with support for negative
// indexing. i.e. 0 is the first layer, -1 is the last (top-most) layer.
OciEncryptLayers *[]int
}
// ImagePushReport is the response from pushing an image.

1
pkg/domain/entities/pods.go
View File

@ -290,6 +290,7 @@ type ContainerCreateOptions struct {
ChrootDirs []string
IsInfra bool
IsClone bool
DecryptionKeys []string
Net *NetOptions `json:"net,omitempty"`

3
pkg/domain/infra/abi/images.go
View File

@ -236,6 +236,7 @@ func (ir *ImageEngine) Pull(ctx context.Context, rawImage string, options entiti
pullOptions.SignaturePolicyPath = options.SignaturePolicy
pullOptions.InsecureSkipTLSVerify = options.SkipTLSVerify
pullOptions.Writer = options.Writer
pullOptions.OciDecryptConfig = options.OciDecryptConfig
if !options.Quiet && pullOptions.Writer == nil {
pullOptions.Writer = os.Stderr
@ -309,6 +310,8 @@ func (ir *ImageEngine) Push(ctx context.Context, source string, destination stri
pushOptions.SignSigstorePrivateKeyPassphrase = options.SignSigstorePrivateKeyPassphrase
pushOptions.InsecureSkipTLSVerify = options.SkipTLSVerify
pushOptions.Writer = options.Writer
pushOptions.OciEncryptConfig = options.OciEncryptConfig
pushOptions.OciEncryptLayers = options.OciEncryptLayers
compressionFormat := options.CompressionFormat
if compressionFormat == "" {

8
pkg/domain/infra/tunnel/images.go
View File

@ -105,6 +105,10 @@ func (ir *ImageEngine) Prune(ctx context.Context, opts entities.ImagePruneOption
}
func (ir *ImageEngine) Pull(ctx context.Context, rawImage string, opts entities.ImagePullOptions) (*entities.ImagePullReport, error) {
if opts.OciDecryptConfig != nil {
return nil, fmt.Errorf("decryption is not supported for remote clients")
}
options := new(images.PullOptions)
options.WithAllTags(opts.AllTags).WithAuthfile(opts.Authfile).WithArch(opts.Arch).WithOS(opts.OS)
options.WithVariant(opts.Variant).WithPassword(opts.Password)
@ -240,6 +244,10 @@ func (ir *ImageEngine) Import(ctx context.Context, opts entities.ImageImportOpti
}
func (ir *ImageEngine) Push(ctx context.Context, source string, destination string, opts entities.ImagePushOptions) error {
if opts.OciEncryptConfig != nil {
return fmt.Errorf("encryption is not supported for remote clients")
}
options := new(images.PushOptions)
options.WithAll(opts.All).WithCompress(opts.Compress).WithUsername(opts.Username).WithPassword(opts.Password).WithAuthfile(opts.Authfile).WithFormat(opts.Format).WithRemoveSignatures(opts.RemoveSignatures).WithQuiet(opts.Quiet).WithCompressionFormat(opts.CompressionFormat).WithProgressWriter(opts.Writer)