feat: add skip tls verify configuration when fetching token from slef…

…-signed certificate registry

Signed-off-by: chwetion <chwetion@foxmail.com>

cmd/buildctl/build.go

@@ -38,6 +38,10 @@ var buildCommand = cli.Command{
 	`,
 	Action: buildAction,
 	Flags: []cli.Flag{
+		cli.BoolFlag{
+			Name:  "skip-token-tls-verify",
+			Usage: "Skip TLS verify when fetching token.",
+		},
 		cli.StringSliceFlag{
 			Name:  "output,o",
 			Usage: "Define exports for build result, e.g. --output type=image,name=docker.io/username/image,push=true",
@@ -148,7 +152,7 @@ func buildAction(clicontext *cli.Context) error {
 	}
 
 	dockerConfig := config.LoadDefaultConfigFile(os.Stderr)
-	attachable := []session.Attachable{authprovider.NewDockerAuthProvider(dockerConfig)}
+	attachable := []session.Attachable{authprovider.NewDockerAuthProvider(dockerConfig, clicontext.Bool("skip-token-tls-verify"))}
 
 	if ssh := clicontext.StringSlice("ssh"); len(ssh) > 0 {
 		configs, err := build.ParseSSH(ssh)

session/auth/authprovider/authprovider.go

@@ -6,7 +6,6 @@ import (
 	"crypto/hmac"
 	"crypto/sha256"
 	"fmt"
-	"net/http"
 	"os"
 	"strconv"
 	"strings"
@@ -20,6 +19,7 @@ import (
 	"github.com/docker/cli/cli/config/types"
 	"github.com/moby/buildkit/session"
 	"github.com/moby/buildkit/session/auth"
+	"github.com/moby/buildkit/util/httputil"
 	"github.com/moby/buildkit/util/progress/progresswriter"
 	"github.com/pkg/errors"
 	"golang.org/x/crypto/nacl/sign"
@@ -30,8 +30,9 @@ import (
 
 const defaultExpiration = 60
 
-func NewDockerAuthProvider(cfg *configfile.ConfigFile) session.Attachable {
+func NewDockerAuthProvider(cfg *configfile.ConfigFile, insecure bool) session.Attachable {
 	return &authProvider{
+		insecure:        insecure,
 		authConfigCache: map[string]*types.AuthConfig{},
 		config:          cfg,
 		seeds:           &tokenSeeds{dir: config.Dir()},
@@ -40,6 +41,7 @@ func NewDockerAuthProvider(cfg *configfile.ConfigFile) session.Attachable {
 }
 
 type authProvider struct {
+	insecure        bool
 	authConfigCache map[string]*types.AuthConfig
 	config          *configfile.ConfigFile
 	seeds           *tokenSeeds
@@ -101,15 +103,15 @@ func (ap *authProvider) FetchToken(ctx context.Context, req *auth.FetchTokenRequ
 		}
 		ap.mu.Unlock()
 		// credential information is provided, use oauth POST endpoint
-		resp, err := authutil.FetchTokenWithOAuth(ctx, http.DefaultClient, nil, "buildkit-client", to)
+		resp, err := authutil.FetchTokenWithOAuth(ctx, httputil.SkipTLSClient(ap.insecure), nil, "buildkit-client", to)
 		if err != nil {
 			var errStatus remoteserrors.ErrUnexpectedStatus
 			if errors.As(err, &errStatus) {
 				// Registries without support for POST may return 404 for POST /v2/token.
 				// As of September 2017, GCR is known to return 404.
 				// As of February 2018, JFrog Artifactory is known to return 401.
 				if (errStatus.StatusCode == 405 && to.Username != "") || errStatus.StatusCode == 404 || errStatus.StatusCode == 401 {
-					resp, err := authutil.FetchToken(ctx, http.DefaultClient, nil, to)
+					resp, err := authutil.FetchToken(ctx, httputil.SkipTLSClient(ap.insecure), nil, to)
 					if err != nil {
 						return nil, err
 					}
@@ -121,7 +123,7 @@ func (ap *authProvider) FetchToken(ctx context.Context, req *auth.FetchTokenRequ
 		return toTokenResponse(resp.AccessToken, resp.IssuedAt, resp.ExpiresIn), nil
 	}
 	// do request anonymously
-	resp, err := authutil.FetchToken(ctx, http.DefaultClient, nil, to)
+	resp, err := authutil.FetchToken(ctx, httputil.SkipTLSClient(ap.insecure), nil, to)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to fetch anonymous token")
 	}

util/httputil/httputil.go

@@ -0,0 +1,17 @@
+package httputil
+
+import (
+	"crypto/tls"
+	"net/http"
+)
+
+func SkipTLSClient(insecure bool) *http.Client {
+	if !insecure {
+		return http.DefaultClient
+	}
+	return &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		},
+	}
+}