From e0502c28b37939bc86362f8fa644f007a71b4421 Mon Sep 17 00:00:00 2001
From: Ilya Lesikov
Date: Fri, 15 Oct 2021 14:26:10 +0300
Subject: [PATCH] feat(buildah): communication with insecure registries
When $WERF_SKIP_TLS_VERIFY_REGISTRY or $WERF_INSECURE_REGISTRY enabled, then buildah container runtime allows HTTP and unverified HTTPS communication with registry
---
 cmd/werf/common/container_runtime.go | 7 ++++++-
 pkg/buildah/base.go | 12 +++++++++---
 pkg/buildah/buildah.go | 3 ++-
 pkg/buildah/docker_with_fuse_buildah.go | 15 ++++++++++-----
 pkg/buildah/native_rootless_buildah_linux.go | 18 +++++++++++++++++-
 5 files changed, 44 insertions(+), 11 deletions(-)
diff --git a/cmd/werf/common/container_runtime.go b/cmd/werf/common/container_runtime.go
index bf36f97ca1..1c564df49b 100644
--- a/cmd/werf/common/container_runtime.go
+++ b/cmd/werf/common/container_runtime.go
@@ -43,7 +43,12 @@ func InitProcessContainerRuntime(ctx context.Context, cmdData *CmdData) (contain
 ctx = newCtx
 }
- b, err := buildah.NewBuildah(resolvedMode, buildah.BuildahOpts{})
+ insecure := *cmdData.InsecureRegistry || *cmdData.SkipTlsVerifyRegistry
+ b, err := buildah.NewBuildah(resolvedMode, buildah.BuildahOpts{
+ CommonBuildahOpts: buildah.CommonBuildahOpts{
+ Insecure: insecure,
+ },
+ })
 if err != nil {
 return nil, ctx, fmt.Errorf("unable to get buildah client: %s", err)
 }
diff --git a/pkg/buildah/base.go b/pkg/buildah/base.go
index db2c9727b7..14de98d235 100644
--- a/pkg/buildah/base.go
+++ b/pkg/buildah/base.go
@@ -11,12 +11,18 @@ import (
 )
 type BaseBuildah struct {
- TmpDir string
+ TmpDir string
+ Insecure bool
 }
-func NewBaseBuildah(tmpDir string) (*BaseBuildah, error) {
+type BaseBuildahOpts struct {
+ Insecure bool
+}
+
+func NewBaseBuildah(tmpDir string, opts BaseBuildahOpts) (*BaseBuildah, error) {
 b := &BaseBuildah{
- TmpDir: tmpDir,
+ TmpDir: tmpDir,
+ Insecure: opts.Insecure,
 }
 if err := os.MkdirAll(b.TmpDir, os.ModePerm); err != nil {
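Review bot: The new `insecure := *cmdData.InsecureRegistry || *cmdData.SkipTlsVerifyRegistry` line folds two distinct user-facing switches into one boolean, so `SkipTlsVerifyRegistry` on its own now also enables plain-HTTP registry access in buildah mode; the commit message states this, but the setting's name does not, so the assignment deserves a comment such as `// buildah exposes a single tls-verify switch: either option disables certificate checks and permits plain HTTP`. Both fields are dereferenced unconditionally; if any command that reaches InitProcessContainerRuntime does not register one of these options, the pointer is nil and this line panics, so a nil guard that treats a missing option as false would be safer. InitProcessContainerRuntime starts and ends outside the hunk.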
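Review bot: The exported `Insecure bool` field added to BaseBuildah and the new `BaseBuildahOpts` type carry no doc comment, and the same applies to `CommonBuildahOpts.Insecure` in the buildah.go hunk. Because a true value both disables TLS certificate verification and allows plain-HTTP registry traffic, that effect should be stated at the declaration, e.g. `// Insecure disables registry TLS certificate verification and permits plain-HTTP registry access.`, with a one-line `// BaseBuildahOpts configures the backend-independent part of a buildah client.` on the new type.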
diff --git a/pkg/buildah/buildah.go b/pkg/buildah/buildah.go
index bb6dae705d..8432b70bce 100644
--- a/pkg/buildah/buildah.go
+++ b/pkg/buildah/buildah.go
@@ -84,7 +84,8 @@ func ProcessStartupHook(mode Mode) (bool, error) {
 }
 type CommonBuildahOpts struct {
- TmpDir string
+ TmpDir string
+ Insecure bool
 }
 type NativeRootlessModeOpts struct{}
diff --git a/pkg/buildah/docker_with_fuse_buildah.go b/pkg/buildah/docker_with_fuse_buildah.go
index 12e035f958..2a58b3f302 100644
--- a/pkg/buildah/docker_with_fuse_buildah.go
+++ b/pkg/buildah/docker_with_fuse_buildah.go
@@ -8,6 +8,7 @@ import (
 "fmt"
 "io"
 "os"
+ "strconv"
 "strings"
 "time"
@@ -26,7 +27,7 @@ type DockerWithFuseBuildah struct {
 func NewDockerWithFuseBuildah(commonOpts CommonBuildahOpts, opts DockerWithFuseModeOpts) (*DockerWithFuseBuildah, error) {
 b := &DockerWithFuseBuildah{}
- baseBuildah, err := NewBaseBuildah(commonOpts.TmpDir)
+ baseBuildah, err := NewBaseBuildah(commonOpts.TmpDir, BaseBuildahOpts{Insecure: commonOpts.Insecure})
 if err != nil {
 return nil, fmt.Errorf("unable to create BaseBuildah: %s", err)
 }
@@ -40,7 +41,9 @@ func (b *DockerWithFuseBuildah) Tag(ctx context.Context, ref, newRef string, opt
 return err
 }
 func (b *DockerWithFuseBuildah) Push(ctx context.Context, ref string, opts PushOpts) error {
- _, _, err := b.runBuildah(ctx, []string{}, []string{"push", ref, fmt.Sprintf("docker://%s", ref)}, opts.LogWriter)
+ _, _, err := b.runBuildah(ctx, []string{}, []string{
+ "push", fmt.Sprintf("--tls-verify=%s", strconv.FormatBool(!b.Insecure)), ref, fmt.Sprintf("docker://%s", ref),
+ }, opts.LogWriter)
 return err
 }
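Review bot: The `fmt.Sprintf("--tls-verify=%s", strconv.FormatBool(!b.Insecure))` expression in Push is repeated verbatim in the bud, from and pull hunks of this file; a small method such as `func (b *DockerWithFuseBuildah) tlsVerifyArg() string { return fmt.Sprintf("--tls-verify=%t", !b.Insecure) }` would keep the four call sites in step, and since `%t` formats a bool directly the FormatBool detour and the new strconv import become unnecessary. Separately, the flag is now passed on every invocation, including as `--tls-verify=true` when Insecure is false; if buildah treats an explicitly set flag as overriding the per-registry `insecure` entries in registries.conf, as I believe it does, users who relied on that file will see a behaviour change, so either confirm that is acceptable or append the flag only when `b.Insecure` is set.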
@@ -65,7 +68,7 @@ func (b *DockerWithFuseBuildah) BuildFromDockerfile(ctx context.Context, dockerf
 "--volume", fmt.Sprintf("%s:/.werf/buildah/tmp", sessionTmpDir),
 "--workdir", "/.werf/buildah/tmp/context",
 },
- []string{"bud", "-f", "/.werf/buildah/tmp/Dockerfile"}, opts.LogWriter,
+ []string{"bud", "--format=docker", fmt.Sprintf("--tls-verify=%s", strconv.FormatBool(!b.Insecure)), "-f", "/.werf/buildah/tmp/Dockerfile"}, opts.LogWriter,
 )
 if err != nil {
 return "", err
@@ -82,7 +85,9 @@ func (b *DockerWithFuseBuildah) RunCommand(ctx context.Context, container string
 }
 func (b *DockerWithFuseBuildah) FromCommand(ctx context.Context, container string, image string, opts FromCommandOpts) error {
- _, _, err := b.runBuildah(ctx, []string{}, []string{"from", "--name", container, image}, opts.LogWriter)
+ _, _, err := b.runBuildah(ctx, []string{}, []string{
+ "from", fmt.Sprintf("--tls-verify=%s", strconv.FormatBool(!b.Insecure)), "--name", container, image,
+ }, opts.LogWriter)
 return err
 }
@@ -105,7 +110,7 @@ func (b *DockerWithFuseBuildah) Inspect(ctx context.Context, ref string) (*types
 }
 func (b *DockerWithFuseBuildah) Pull(ctx context.Context, ref string, opts PullOpts) error {
- _, _, err := b.runBuildah(ctx, []string{}, []string{"pull", ref}, opts.LogWriter)
+ _, _, err := b.runBuildah(ctx, []string{}, []string{"pull", fmt.Sprintf("--tls-verify=%s", strconv.FormatBool(!b.Insecure)), ref}, opts.LogWriter)
 return err
 }
diff --git a/pkg/buildah/native_rootless_buildah_linux.go b/pkg/buildah/native_rootless_buildah_linux.go
index 90ab04e872..11e3c4d7c2 100644
--- a/pkg/buildah/native_rootless_buildah_linux.go
+++ b/pkg/buildah/native_rootless_buildah_linux.go
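Review bot: The `--format=docker` argument slipped into the bud command line is unrelated to the insecure-registry feature and is not mentioned in the commit message, yet it changes the manifest format of every image built in this mode. It should either go into its own commit or be explained, both in the message and at the call site with a comment such as `// --format=docker: emit Docker-format rather than OCI images from bud`; the reason is not visible from here. BuildFromDockerfile starts and ends outside the hunk.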
@@ -19,6 +19,7 @@ import (
 "github.com/containers/image/v5/manifest"
 is "github.com/containers/image/v5/storage"
 "github.com/containers/image/v5/transports/alltransports"
+ imgtypes "github.com/containers/image/v5/types"
 "github.com/containers/storage"
 "github.com/containers/storage/pkg/reexec"
 "github.com/containers/storage/pkg/unshare"
@@ -57,7 +58,7 @@ type NativeRootlessBuildah struct {
 func NewNativeRootlessBuildah(commonOpts CommonBuildahOpts, opts NativeRootlessModeOpts) (*NativeRootlessBuildah, error) {
 b := &NativeRootlessBuildah{}
- baseBuildah, err := NewBaseBuildah(commonOpts.TmpDir)
+ baseBuildah, err := NewBaseBuildah(commonOpts.TmpDir, BaseBuildahOpts{Insecure: commonOpts.Insecure})
 if err != nil {
 return nil, fmt.Errorf("unable to create BaseBuildah: %s", err)
 }
@@ -117,6 +118,11 @@ func (b *NativeRootlessBuildah) Push(ctx context.Context, ref string, opts PushO
 ManifestType: manifest.DockerV2Schema2MediaType,
 MaxRetries: MaxPullPushRetries,
 RetryDelay: PullPushRetryDelay,
+ SystemContext: &imgtypes.SystemContext{
+ OCIInsecureSkipTLSVerify: b.Insecure,
+ DockerInsecureSkipTLSVerify: imgtypes.NewOptionalBool(b.Insecure),
+ DockerDaemonInsecureSkipTLSVerify: b.Insecure,
+ },
 }
 if opts.LogWriter != nil {
@@ -142,6 +148,11 @@ func (b *NativeRootlessBuildah) BuildFromDockerfile(ctx context.Context, dockerf
 CommonBuildOpts: &define.CommonBuildOptions{
 ShmSize: DefaultShmSize,
 },
+ SystemContext: &imgtypes.SystemContext{
+ OCIInsecureSkipTLSVerify: b.Insecure,
+ DockerInsecureSkipTLSVerify: imgtypes.NewOptionalBool(b.Insecure),
+ DockerDaemonInsecureSkipTLSVerify: b.Insecure,
+ },
 }
 errLog := &bytes.Buffer{}
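Review bot: The `SystemContext` literal added to Push is duplicated byte-for-byte in BuildFromDockerfile (the next hunk) and in Pull (the hunk after it), so the three copies will drift and a single method on NativeRootlessBuildah should build it. While extracting it, note that `imgtypes.NewOptionalBool(b.Insecure)` always produces a defined value: when Insecure is false it pins the docker transport to verify-TLS, which as far as I can tell makes containers/image skip the per-registry `insecure` lookup in registries.conf that an undefined value would fall back to. Setting the field only when `b.Insecure` is true keeps the previous behaviour for users of that file; please confirm against the containers/image version pinned in go.mod. Push, BuildFromDockerfile and Pull all start and end outside their hunks.
```go
// systemContext builds the containers/image context shared by Push, Pull and BuildFromDockerfile.
func (b *NativeRootlessBuildah) systemContext() *imgtypes.SystemContext {
	sc := &imgtypes.SystemContext{
		OCIInsecureSkipTLSVerify:          b.Insecure,
		DockerDaemonInsecureSkipTLSVerify: b.Insecure,
	}
	if b.Insecure {
		// Only override the docker transport on request; undefined leaves registries.conf in charge.
		sc.DockerInsecureSkipTLSVerify = imgtypes.NewOptionalBool(true)
	}
	return sc
}

// … unchanged: Push options literal up to RetryDelay …
		SystemContext: b.systemContext(),
```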
@@ -214,6 +225,11 @@ func (b *NativeRootlessBuildah) Pull(ctx context.Context, ref string, opts PullO
 MaxRetries: MaxPullPushRetries,
 RetryDelay: PullPushRetryDelay,
 PullPolicy: define.PullIfNewer,
+ SystemContext: &imgtypes.SystemContext{
+ OCIInsecureSkipTLSVerify: b.Insecure,
+ DockerInsecureSkipTLSVerify: imgtypes.NewOptionalBool(b.Insecure),
+ DockerDaemonInsecureSkipTLSVerify: b.Insecure,
+ },
 }
 if opts.LogWriter != nil {