diff --git a/README.md b/README.md
index 65dc5d2c..17ee4dab 100644
--- a/README.md
+++ b/README.md
@@ -138,6 +138,8 @@ cp .arg.template .arg
 | UKI_BRING_YOUR_OWN_KEYS | Bring your own public/private key pairs if this is set to true. Otherwise, CanvOS will generate the key pair. | boolean | `false` |
 | INCLUDE_MS_SECUREBOOT_KEYS | Include Microsoft 3rd Party UEFI CA certificate in generated keys | boolean | `true` |
 | AUTO_ENROLL_SECUREBOOT_KEYS | Auto enroll SecureBoot keys when device boots up and is in setup mode of secure boot | boolean | `true` |
+| EARTHLY_ADDITIONAL_BUILDKIT_CONFIG | Can be used to provide additional parameters to buildkit, use this when you need to retrieve your base image from a HTTP registry or a HTTPS registry with an untrusted certificate | string | |
+
 1. (Optional) If you are building the images behind a proxy server, you may need to modify your docker daemon settings to let it use your proxy server. You can refer this [tutorial](https://docs.docker.com/config/daemon/systemd/#httphttps-proxy).
@@ -322,3 +324,25 @@ cp spectro-luet-auth.yaml.template spectro-luet-auth.yaml
 ```shell
 earthly --push +build-all-images
 ```
+
+### Using untrusted or insecure registries for Base Images
+
+During execution process Earthly pulls Base Images (specified as `BASE_IMAGE` in .arg file) from external registries. By default, it connects to the registry via HTTPS protocol using trusted CA installed inside the container. For the cases where external registry exposed via plain HTTP or HTTPs with self-signed certificates, it is possible to configured Earthly buildkit to use HTTP or ignore untrusted certificates by using the environment variable `EARTHLY_ADDITIONAL_BUILDKIT_CONFIG`.
+
+For registries exposed via HTTP, set the EARTHLY_ADDITIONAL_BUILDKIT_CONFIG parameter in your .arg file as follows:
+```shell
+EARTHLY_ADDITIONAL_BUILDKIT_CONFIG='
+[registry."10.10.131.24:5000"]
+ http = true
+'
+```
+
+For registries exposed via HTTPs with self-signed certificates, set the EARTHLY_ADDITIONAL_BUILDKIT_CONFIG parameter in your .arg file as follows:
+```shell
+EARTHLY_ADDITIONAL_BUILDKIT_CONFIG='
+[registry."10.10.131.24:5000"]
+ insecure = true
+'
+```
+
+Replace `10.10.131.24:5000` with the actual FQDN or IP address of your registry. A port number is only necessary when using a non-standard port.
\ No newline at end of file
diff --git a/earthly.sh b/earthly.sh
index 587faa1f..7cfa2d12 100755
--- a/earthly.sh
+++ b/earthly.sh
@@ -11,17 +11,17 @@ function build_with_proxy() {
 docker stop earthly-buildkitd
 fi
 # start earthly buildkitd
- docker run -d --privileged --name earthly-buildkitd -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm -t -e GLOBAL_CONFIG="$global_config" -e BUILDKIT_TCP_TRANSPORT_ENABLED=true -e http_proxy=$HTTP_PROXY -e https_proxy=$HTTPS_PROXY -e HTTPS_PROXY=$HTTPS_PROXY -e HTTP_PROXY=$HTTP_PROXY -e NO_PROXY=$NO_PROXY -e no_proxy=$no_proxy -e EARTHLY_GIT_CONFIG=$gitconfig -v "$PROXY_CERT_PATH:/usr/local/share/ca-certificates/sc.crt:ro" -v earthly-tmp:/tmp/earthly:rw -p 8372:8372 $SPECTRO_PUB_REPO/earthly/buildkitd:$EARTHLY_VERSION
+ docker run -d --privileged --name earthly-buildkitd -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm -t -e GLOBAL_CONFIG="$global_config" -e EARTHLY_ADDITIONAL_BUILDKIT_CONFIG -e BUILDKIT_TCP_TRANSPORT_ENABLED=true -e http_proxy=$HTTP_PROXY -e https_proxy=$HTTPS_PROXY -e HTTPS_PROXY=$HTTPS_PROXY -e HTTP_PROXY=$HTTP_PROXY -e NO_PROXY=$NO_PROXY -e no_proxy=$no_proxy -e EARTHLY_GIT_CONFIG=$gitconfig -v "$PROXY_CERT_PATH:/usr/local/share/ca-certificates/sc.crt:ro" -v earthly-tmp:/tmp/earthly:rw -p 8372:8372 $SPECTRO_PUB_REPO/earthly/buildkitd:$EARTHLY_VERSION
 # Update the CA certificates in the container
 docker exec -it earthly-buildkitd update-ca-certificates
 # Run Earthly in Docker to create artifacts Variables are passed from the .arg file
- docker run --privileged -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -e GLOBAL_CONFIG="$global_config" -e EARTHLY_BUILDKIT_HOST=tcp://0.0.0.0:8372 -e BUILDKIT_TLS_ENABLED=false -v "$(pwd)":/workspace -v "$PROXY_CERT_PATH:/workspace/sc.crt:ro" $SPECTRO_PUB_REPO/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@"
+ docker run --privileged -v ~/.docker/config.json:/root/.docker/config.json -v 
/var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -e GLOBAL_CONFIG="$global_config" -e EARTHLY_ADDITIONAL_BUILDKIT_CONFIG -e EARTHLY_BUILDKIT_HOST=tcp://0.0.0.0:8372 -e BUILDKIT_TLS_ENABLED=false -v "$(pwd)":/workspace -v "$PROXY_CERT_PATH:/workspace/sc.crt:ro" $SPECTRO_PUB_REPO/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@"
 }
 function build_without_proxy() {
 # Run Earthly in Docker to create artifacts Variables are passed from the .arg file
- docker run --privileged -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -e GLOBAL_CONFIG="$global_config" -v "$(pwd)":/workspace $SPECTRO_PUB_REPO/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@"
+ docker run --privileged -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -e GLOBAL_CONFIG="$global_config" -e EARTHLY_ADDITIONAL_BUILDKIT_CONFIG -v "$(pwd)":/workspace $SPECTRO_PUB_REPO/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@"
 }
 global_config="{disable_analytics: true}"
@@ -29,6 +29,7 @@ PE_VERSION=$(git describe --abbrev=0 --tags)
 SPECTRO_PUB_REPO=gcr.io/spectro-images-public
 EARTHLY_VERSION=v0.8.5
 source .arg
+export EARTHLY_ADDITIONAL_BUILDKIT_CONFIG="$EARTHLY_ADDITIONAL_BUILDKIT_CONFIG"
 ### Verify Depencies
 # Check if Docker is installed
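Review bot: The new `-e EARTHLY_ADDITIONAL_BUILDKIT_CONFIG` on the buildkitd `docker run` line in build_with_proxy forwards a setting that, per the README hunk in this commit, switches base-image pulls for the listed registries to plain HTTP or skips certificate verification, yet nothing on the line or in the script records why it is forwarded; a comment such as `# EARTHLY_ADDITIONAL_BUILDKIT_CONFIG (from .arg) lets buildkitd use HTTP or unverified TLS for the registries it names; when set, BASE_IMAGE pulls from those registries are not integrity-protected by TLS` would make the trade-off visible to the next maintainer. The same `-e` flag is also added to the earthly client container in this function, which talks to the already-running buildkitd via `EARTHLY_BUILDKIT_HOST=tcp://0.0.0.0:8372`; whether the client consults the variable in that mode cannot be confirmed from here, so it may be redundant there. Since a relaxed-trust pull cannot be told apart from a normal one afterwards, the README could also recommend pinning `BASE_IMAGE` by digest when such a registry is used. The enclosing function build_with_proxy starts before this hunk.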
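Review bot: The new `export EARTHLY_ADDITIONAL_BUILDKIT_CONFIG="$EARTHLY_ADDITIONAL_BUILDKIT_CONFIG"` after `source .arg` always defines the variable, so when `.arg` omits it the `-e EARTHLY_ADDITIONAL_BUILDKIT_CONFIG` flags in the earlier hunk pass an empty string into the containers instead of leaving the name unset (docker forwards nothing for a bare `-e NAME` that is unset in the environment); if buildkitd treats an empty value as absent this is harmless, but that is not verifiable from here, and the expansion would also fail under `set -u`, which may or may not be in effect above the hunk. A plain `export EARTHLY_ADDITIONAL_BUILDKIT_CONFIG` keeps the unset case unset and survives `set -u`. Because a non-empty value weakens registry verification for the whole build, it is worth making that visible in the build log right after the export: `if [[ -n "${EARTHLY_ADDITIONAL_BUILDKIT_CONFIG:-}" ]]; then` / `  printf 'warning: EARTHLY_ADDITIONAL_BUILDKIT_CONFIG is set; registry TLS verification may be relaxed for this build\n' >&2` / `fi`.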