-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add encryption decryption feature #16329
Add encryption decryption feature #16329
Conversation
e778c76
to
01ba20f
Compare
cmd/podman/common/create.go
Outdated
"*Experimental* key needed to decrypt the image (e.g. /path/to/key.pem)", | ||
) | ||
_ = cmd.RegisterFlagCompletionFunc(annotationFlagName, completion.AutocompleteNone) | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove this blank line to make linter happy.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed
I am fine with this. podman build --decryption-key is already supported. |
cmd/podman/common/create.go
Outdated
createFlags.StringSliceVar( | ||
&cf.DecryptionKeys, | ||
decryptionKeysFlagName, []string{}, | ||
"*Experimental* key needed to decrypt the image (e.g. /path/to/key.pem)", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is this Experimental? It is not in Buildah?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed "Experimental"
cmd/podman/images/pull.go
Outdated
@@ -107,6 +108,9 @@ func pullFlags(cmd *cobra.Command) { | |||
flags.StringVar(&pullOptions.Authfile, authfileFlagName, auth.GetDefaultAuthFile(), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override") | |||
_ = cmd.RegisterFlagCompletionFunc(authfileFlagName, completion.AutocompleteDefault) | |||
|
|||
decryptionKeysFlagName := "decryption-key" | |||
flags.StringSliceVar(&pullOptions.DecryptionKeys, decryptionKeysFlagName, nil, "*Experimental* key needed to decrypt the image (e.g. /path/to/key.pem)") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove "Experimental"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
cmd/podman/images/push.go
Outdated
@@ -121,6 +124,14 @@ func pushFlags(cmd *cobra.Command) { | |||
flags.StringVar(&pushOptions.CompressionFormat, compressionFormat, "", "compression format to use") | |||
_ = cmd.RegisterFlagCompletionFunc(compressionFormat, common.AutocompleteCompressionFormat) | |||
|
|||
encryptionKeysFlagName := "encryption-key" | |||
flags.StringSliceVar(&pushOptions.EncryptionKeys, encryptionKeysFlagName, nil, "*Experimental* key with the encryption protocol to use needed to encrypt the image (e.g. jwe:/path/to/key.pem)") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove Experimental
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
cmd/podman/images/push.go
Outdated
_ = cmd.RegisterFlagCompletionFunc(encryptionKeysFlagName, completion.AutocompleteDefault) | ||
|
||
encryptLayersFlagName := "encrypt-layer" | ||
flags.IntSliceVar(&pushOptions.EncryptLayers, encryptLayersFlagName, nil, "*Experimental* layers to encrypt, 0-indexed layer indices with support for negative indexing (e.g. 0 is the first layer, -1 is the last layer). If not defined, will encrypt all layers if encryption-key flag is specified") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove Experimental
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
Needs tests. |
Overall @gupttaru this looks good, thanks. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Addressed comments by @rhatdan , and added tests
cmd/podman/common/create.go
Outdated
createFlags.StringSliceVar( | ||
&cf.DecryptionKeys, | ||
decryptionKeysFlagName, []string{}, | ||
"*Experimental* key needed to decrypt the image (e.g. /path/to/key.pem)", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed "Experimental"
cmd/podman/common/create.go
Outdated
"*Experimental* key needed to decrypt the image (e.g. /path/to/key.pem)", | ||
) | ||
_ = cmd.RegisterFlagCompletionFunc(annotationFlagName, completion.AutocompleteNone) | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed
cmd/podman/images/pull.go
Outdated
@@ -107,6 +108,9 @@ func pullFlags(cmd *cobra.Command) { | |||
flags.StringVar(&pullOptions.Authfile, authfileFlagName, auth.GetDefaultAuthFile(), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override") | |||
_ = cmd.RegisterFlagCompletionFunc(authfileFlagName, completion.AutocompleteDefault) | |||
|
|||
decryptionKeysFlagName := "decryption-key" | |||
flags.StringSliceVar(&pullOptions.DecryptionKeys, decryptionKeysFlagName, nil, "*Experimental* key needed to decrypt the image (e.g. /path/to/key.pem)") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
cmd/podman/images/push.go
Outdated
@@ -121,6 +124,14 @@ func pushFlags(cmd *cobra.Command) { | |||
flags.StringVar(&pushOptions.CompressionFormat, compressionFormat, "", "compression format to use") | |||
_ = cmd.RegisterFlagCompletionFunc(compressionFormat, common.AutocompleteCompressionFormat) | |||
|
|||
encryptionKeysFlagName := "encryption-key" | |||
flags.StringSliceVar(&pushOptions.EncryptionKeys, encryptionKeysFlagName, nil, "*Experimental* key with the encryption protocol to use needed to encrypt the image (e.g. jwe:/path/to/key.pem)") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
cmd/podman/images/push.go
Outdated
_ = cmd.RegisterFlagCompletionFunc(encryptionKeysFlagName, completion.AutocompleteDefault) | ||
|
||
encryptLayersFlagName := "encrypt-layer" | ||
flags.IntSliceVar(&pushOptions.EncryptLayers, encryptLayersFlagName, nil, "*Experimental* layers to encrypt, 0-indexed layer indices with support for negative indexing (e.g. 0 is the first layer, -1 is the last layer). If not defined, will encrypt all layers if encryption-key flag is specified") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
bd272da
to
c942994
Compare
In the Cirrus CI pipeline, some of the tests related to things I haven't touched are failing:
Could someone help with the above errors? Also the tests I have added for checking the encryption-decryption feature are passing except one: podman-remote is able to pull encrypted image without providing decryption key (link to CI logs). So the following is NOT throwing an error:
I am unable to at the moment exactly find the reason for this. Trying to debug this at the moment. |
First can you squash your commits git rebase -i origin @mtrmac @vrothberg PTAL |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK to the non-test code, based on a fairly cursory skim.
podman-remote is able to pull encrypted image without providing decryption key
That sounds like a blocker for now. It might not be a bug at all, but it does need to be understood, so that we are certain we are not publishing unencrypted images when the user asks for encrypted. (OTOH I didn’t now read any part of the tests — this is admittedly just an emphasis of the known without contributing anything new.)
abd03e1
to
c284455
Compare
Most probably there might be a problem with test code (link), which might be pushing unencrypted images somehow, even though I am passing the --encryption-key flag. Though I am unable to exactly see why this problem is occurring only in podman-remote, and not podman. Also, what could be the reason for failing of other unit-tests not related to this added feature, as mentioned above? |
> which might be pushing unencrypted images somehow… I am unable to exactly see why this problem is occurring only in podman-remote, I can’t see any new fields added in Does it even make sense to support this on remote? Compare #15163 (comment) . (But if it is not supported, the request to push with encryption must fail instead of pushing without encryption.) |
Yes you need to change pkg/api and maybe pkg/bindings to pass the option accross the protocol to the server. |
Thanks, I am not well acquainted with the podman-remote mode, so missed this.
I do agree with this comment. Sending the key over a protocol would be risky. The keys are usually made available on the machine which is pushing/pulling the image, in a secure manner, using some KMS (Key Management Service) or some Secret Manager. For example: Ocicrypt keyprovider protocol allows using a KMS for providing keys in a secure manner. Similar to other flags which are not supported on podman-remote, I think we could hide the encryption related flags for remote mode, for example as done here. If we hide the flag for remote mode, I don't think we would need any changes in |
I’d still like to see code in the remote client that makes sure that request fails: a field in Admittedly we apparently don’t do that in other cases, like |
SGTM |
Given that we need to make this change for all the options that are not supported by podman-remote (--sign-by, --encryption-key etc.) can we make that a part of a separate issue/PR? For now, I can make the encryption-key flag conform with how other flags are treated. Admittedly, currently I am not well acquainted with the remote side of Podman, and not sure how this change would look. |
Yes we can fix the others in a different commit, but for now you have to fix the new options to not run tests in remote mode. |
I think the encryption-key flag must cause an error at the API level (not just the CLI), as part of this PR. The consequences of silently ignoring it are materially worse than the others. |
c284455
to
a8680b6
Compare
a8680b6
to
613789a
Compare
Understood. Based on my current understanding of API code of Podman, this change would involve defining a query parameter for Likewise, defining query parameters for options So these would only involve changes in files I couldn't think of any changes in |
If you want to do all the work to add an actual query parameter to the HTTP API, send it and parse it, you might just as well hook it up right through to the actual server implementation (but, per the other discussion, I’m not sure that would actually work at all). Instead, just modify the client binary; the PR adds fields to If we don’t add the field to the HTTP API, the pkg/bindings clients to the HTTP API will remain unaffected, because there would be no new field to reject. (The package names are very confusing to me. I’m increasingly tempted to recommend renaming to |
613789a
to
788c486
Compare
Thanks @mtrmac for your help. I have made the requisite changes in
I also find them quite confusing because of which I was finding it hard to understand the changes requried which you mentioned above. Would it be possible add a small README.md file for such folders to explain what they do? For example, I don't know the full-form of |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
The implementation seems reasonable. (I didn’t review the tests in detail.)
I’ll leave the final approval to actual Podman maintainers.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So much for me reviewing…
The tests show actual failures that need fixing.
788c486
to
5822e39
Compare
Signed-off-by: Tarun1 Gupta <gupttaru@deshaw.com>
5822e39
to
3bb9ed4
Compare
Thanks @mtrmac. The tests are passing now. |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: gupttaru, rhatdan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This PR adds encryption decryption functionality, just like those present in buildah and skopeo.
containers/common/libimage
already supports encryption-decryption of images, so its a Podman only change.This would allow us to encrypt the image while pushing it to a registry and decrypt the image while pulling it from a registry.
The commands would be as follows:
Additionally,
podman run --decryption-key <key> IMAGE [command [arg …]]
would automatically pull the image from a registry, decrypt it using decryption key and run the container.
Signed-off-by: Tarun Gupta gupttaru@deshaw.com
Does this PR introduce a user-facing change?