From d0493c7a7aed57d787266d31aab7fa643d431bf3 Mon Sep 17 00:00:00 2001
From: Vadim Zharov
Date: Wed, 29 May 2024 21:24:13 +0000
Subject: [PATCH 1/2] Added environment variable to configure http/insecure registries using buildkit settings
---
 README.md | 28 ++++++++++++++++++++++++++++
 earthly.sh | 6 +++---
 2 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 65dc5d2c..434345c2 100644
--- a/README.md
+++ b/README.md
@@ -322,3 +322,31 @@ cp spectro-luet-auth.yaml.template spectro-luet-auth.yaml
 ```shell
 earthly --push +build-all-images
 ```
+
+### Using untrusted or insecure registries for Base Images
+
+During execution process Earthly pulls Base Images (specified as `BASE_IMAGE` in .arg file) from external registries. By default, it connects to the registry via HTTPS protocol using trusted CA installed inside the container. For the cases where external registry exposed via plain HTTP or HTTPs with self-signed certificates, it is possible to configured Earthly buildkit to use HTTP or ignore untrusted certificates by using environment variable `EARTHLY_ADDITIONAL_BUILDKIT_CONFIG`.
+
+For registries exposed via HTTP, use the following commands:
+```shell
+$ export EARTHLY_ADDITIONAL_BUILDKIT_CONFIG="
+[registry.\"10.10.131.24:5000\"]
+ http = true
+"
+$ earthly --push +build-all-images
+```
+
+For registries exposed via HTTPs with self-signed certificates, use the following commands:
+```shell
+$ export EARTHLY_ADDITIONAL_BUILDKIT_CONFIG="
+[registry.\"10.10.131.24:5000\"]
+ insecure = true
+"
+$ earthly --push +build-all-images
+```
+
+If this configuration is no longer required, unset the variable:
+
+```shell
+$ unset EARTHLY_ADDITIONAL_BUILDKIT_CONFIG
+```
\ No newline at end of file
diff --git a/earthly.sh b/earthly.sh
index 587faa1f..7c6f5b54 100755
--- a/earthly.sh
+++ b/earthly.sh
@@ -11,17 +11,17 @@ function build_with_proxy() { docker stop earthly-buildkitd fi # start earthly buildkitd - docker run -d --privileged --name earthly-buildkitd -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm -t -e GLOBAL_CONFIG="$global_config" -e BUILDKIT_TCP_TRANSPORT_ENABLED=true -e http_proxy=$HTTP_PROXY -e https_proxy=$HTTPS_PROXY -e HTTPS_PROXY=$HTTPS_PROXY -e HTTP_PROXY=$HTTP_PROXY -e NO_PROXY=$NO_PROXY -e no_proxy=$no_proxy -e EARTHLY_GIT_CONFIG=$gitconfig -v "$PROXY_CERT_PATH:/usr/local/share/ca-certificates/sc.crt:ro" -v earthly-tmp:/tmp/earthly:rw -p 8372:8372 $SPECTRO_PUB_REPO/earthly/buildkitd:$EARTHLY_VERSION + docker run -d --privileged --name earthly-buildkitd -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm -t -e GLOBAL_CONFIG="$global_config" -e EARTHLY_ADDITIONAL_BUILDKIT_CONFIG -e BUILDKIT_TCP_TRANSPORT_ENABLED=true -e http_proxy=$HTTP_PROXY -e https_proxy=$HTTPS_PROXY -e HTTPS_PROXY=$HTTPS_PROXY -e HTTP_PROXY=$HTTP_PROXY -e NO_PROXY=$NO_PROXY -e no_proxy=$no_proxy -e EARTHLY_GIT_CONFIG=$gitconfig -v "$PROXY_CERT_PATH:/usr/local/share/ca-certificates/sc.crt:ro" -v earthly-tmp:/tmp/earthly:rw -p 8372:8372 $SPECTRO_PUB_REPO/earthly/buildkitd:$EARTHLY_VERSION # Update the CA certificates in the container docker exec -it earthly-buildkitd update-ca-certificates # Run Earthly in Docker to create artifacts Variables are passed from the .arg file - docker run --privileged -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -e GLOBAL_CONFIG="$global_config" -e EARTHLY_BUILDKIT_HOST=tcp://0.0.0.0:8372 -e BUILDKIT_TLS_ENABLED=false -v "$(pwd)":/workspace -v "$PROXY_CERT_PATH:/workspace/sc.crt:ro" $SPECTRO_PUB_REPO/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@" + docker run --privileged -v ~/.docker/config.json:/root/.docker/config.json -v 
/var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -e GLOBAL_CONFIG="$global_config" -e EARTHLY_ADDITIONAL_BUILDKIT_CONFIG -e EARTHLY_BUILDKIT_HOST=tcp://0.0.0.0:8372 -e BUILDKIT_TLS_ENABLED=false -v "$(pwd)":/workspace -v "$PROXY_CERT_PATH:/workspace/sc.crt:ro" $SPECTRO_PUB_REPO/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@" } function build_without_proxy() { # Run Earthly in Docker to create artifacts Variables are passed from the .arg file - docker run --privileged -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -e GLOBAL_CONFIG="$global_config" -v "$(pwd)":/workspace $SPECTRO_PUB_REPO/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@" + docker run --privileged -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -e GLOBAL_CONFIG="$global_config" -e EARTHLY_ADDITIONAL_BUILDKIT_CONFIG -v "$(pwd)":/workspace $SPECTRO_PUB_REPO/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@" } global_config="{disable_analytics: true}"
From fa893ceec8927474a532154b29bbea28f8a0393e Mon Sep 17 00:00:00 2001
From: Kevin Reeuwijk
Date: Fri, 7 Jun 2024 08:44:59 +0200
Subject: [PATCH 2/2] Adjusted so that parameter can be set through .arg
---
 README.md | 28 ++++++++++++----------------
 earthly.sh | 1 +
 2 files changed, 13 insertions(+), 16 deletions(-)
diff --git a/README.md b/README.md
index 434345c2..17ee4dab 100644
--- a/README.md
+++ b/README.md
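Review bot: The new `-e EARTHLY_ADDITIONAL_BUILDKIT_CONFIG` pass-through on the buildkitd `docker run` line hands the daemon arbitrary extra configuration, and the README in this same patch shows it being used to set `insecure = true`, which turns off TLS certificate verification for that registry; nothing in the hunk records that this variable widens the trust boundary of the image pulls. I would put `# EARTHLY_ADDITIONAL_BUILDKIT_CONFIG is appended verbatim to the buildkitd config; it can disable registry TLS verification (see README), so it must only come from trusted input.` above that line. The same container already receives `$PROXY_CERT_PATH` at `/usr/local/share/ca-certificates/sc.crt` and runs `update-ca-certificates`, so for a registry with a self-signed certificate the registry's CA could presumably be trusted that way instead of disabling verification — worth stating in the comment if it holds. The variable is also passed to the earthly client container, which talks to this buildkitd via `EARTHLY_BUILDKIT_HOST`; whether the client uses it at all in that mode is not visible here. build_with_proxy's opening lines are outside the hunk.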
@@ -138,6 +138,8 @@ cp .arg.template .arg | UKI_BRING_YOUR_OWN_KEYS | Bring your own public/private key pairs if this is set to true. Otherwise, CanvOS will generate the key pair. | boolean | `false` | | INCLUDE_MS_SECUREBOOT_KEYS | Include Microsoft 3rd Party UEFI CA certificate in generated keys | boolean | `true` | | AUTO_ENROLL_SECUREBOOT_KEYS | Auto enroll SecureBoot keys when device boots up and is in setup mode of secure boot | boolean | `true` | +| EARTHLY_ADDITIONAL_BUILDKIT_CONFIG | Can be used to provide additional parameters to buildkit, use this when you need to retrieve your base image from a HTTP registry or a HTTPS registry with an untrusted certificate | string | | + 1. (Optional) If you are building the images behind a proxy server, you may need to modify your docker daemon settings to let it use your proxy server. You can refer this [tutorial](https://docs.docker.com/config/daemon/systemd/#httphttps-proxy). 
@@ -325,28 +327,22 @@ earthly --push +build-all-images ### Using untrusted or insecure registries for Base Images -During execution process Earthly pulls Base Images (specified as `BASE_IMAGE` in .arg file) from external registries. By default, it connects to the registry via HTTPS protocol using trusted CA installed inside the container. For the cases where external registry exposed via plain HTTP or HTTPs with self-signed certificates, it is possible to configured Earthly buildkit to use HTTP or ignore untrusted certificates by using environment variable `EARTHLY_ADDITIONAL_BUILDKIT_CONFIG`. +During execution process Earthly pulls Base Images (specified as `BASE_IMAGE` in .arg file) from external registries. By default, it connects to the registry via HTTPS protocol using trusted CA installed inside the container. For the cases where external registry exposed via plain HTTP or HTTPs with self-signed certificates, it is possible to configured Earthly buildkit to use HTTP or ignore untrusted certificates by using the environment variable `EARTHLY_ADDITIONAL_BUILDKIT_CONFIG`. 
-For registries exposed via HTTP, use the following commands: +For registries exposed via HTTP, set the EARTHLY_ADDITIONAL_BUILDKIT_CONFIG parameter in your .arg file as follows: ```shell -$ export EARTHLY_ADDITIONAL_BUILDKIT_CONFIG=" -[registry.\"10.10.131.24:5000\"] +EARTHLY_ADDITIONAL_BUILDKIT_CONFIG=' +[registry."10.10.131.24:5000"] http = true -" -$ earthly --push +build-all-images +' ``` -For registries exposed via HTTPs with self-signed certificates, use the following commands: +For registries exposed via HTTPs with self-signed certificates, set the EARTHLY_ADDITIONAL_BUILDKIT_CONFIG parameter in your .arg file as follows: ```shell -$ export EARTHLY_ADDITIONAL_BUILDKIT_CONFIG=" -[registry.\"10.10.131.24:5000\"] +EARTHLY_ADDITIONAL_BUILDKIT_CONFIG=' +[registry."10.10.131.24:5000"] insecure = true -" -$ earthly --push +build-all-images +' ``` -If this configuration is no longer required, unset the variable: - -```shell -$ unset EARTHLY_ADDITIONAL_BUILDKIT_CONFIG -``` \ No newline at end of file +Replace `10.10.131.24:5000` with the actual FQDN or IP address of your registry. A port number is only necessary when using a non-standard port.
\ No newline at end of file
diff --git a/earthly.sh b/earthly.sh
index 7c6f5b54..7cfa2d12 100755
--- a/earthly.sh
+++ b/earthly.sh
@@ -29,6 +29,7 @@ PE_VERSION=$(git describe --abbrev=0 --tags) SPECTRO_PUB_REPO=gcr.io/spectro-images-public EARTHLY_VERSION=v0.8.5 source .arg +export EARTHLY_ADDITIONAL_BUILDKIT_CONFIG="$EARTHLY_ADDITIONAL_BUILDKIT_CONFIG" ### Verify Depencies # Check if Docker is installed
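Review bot: `export EARTHLY_ADDITIONAL_BUILDKIT_CONFIG="$EARTHLY_ADDITIONAL_BUILDKIT_CONFIG"` assigns the variable to itself, so when neither `.arg` nor the caller's environment defines it the script now exports an empty string, and the `docker run -e EARTHLY_ADDITIONAL_BUILDKIT_CONFIG` lines earlier in the file then pass an empty value into the containers instead of leaving the variable unset; whether the container entrypoint treats an empty value as "no extra config" is not visible here, and under `set -u` (if the script ever enables it) the expansion would abort. A bare `export EARTHLY_ADDITIONAL_BUILDKIT_CONFIG` marks whatever `.arg` set for export and exports nothing when it is unset, which matches the optional semantics the README table gives it. Because `.arg` is sourced as shell, a value set there overrides one exported by the caller, while a caller-exported value still survives when `.arg` omits it — that precedence is worth a line next to the export, e.g. `# optional; .arg wins over the environment; appended verbatim to the buildkitd config and can disable registry TLS verification`.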