image: add http_proxy for image pull

Note that now we have both http_proxy and https_proxy configurations for
image-rs. We use this widely acceptable variable name to replace the old
names.

Signed-off-by: Xynnn007 <[email protected]>

Author: Xynnn007

image-rs/src/builder.rs

@@ -133,8 +133,9 @@ impl ClientBuilder {
                     &policy_bytes,
                     sigstore_config,
                     &self.config.work_dir,
-                    self.config.skip_proxy_ips.clone(),
-                    self.config.image_pull_proxy.clone(),
+                    self.config.no_proxy.clone(),
+                    self.config.https_proxy.clone(),
+                    self.config.http_proxy.clone(),
                     self.config.extra_root_certificates.clone(),
                     resource_provider.clone(),
                 )

image-rs/src/config.rs

@@ -100,13 +100,21 @@ pub struct ImageConfig {
     #[serde(default = "default_max_concurrent_layer_downloads_per_image")]
     pub max_concurrent_layer_downloads_per_image: usize,
 
-    /// Proxy that will be used to pull image
+    /// HTTPS proxy that will be used to pull image
     ///
     /// If a registry is not accessible to the guest, you can try
     /// pulling an image through a proxy specified here.
     ///
     /// This value defaults to `None`.
-    pub image_pull_proxy: Option<String>,
+    pub https_proxy: Option<String>,
+
+    /// HTTP proxy that will be used to pull image
+    ///
+    /// If a registry is not accessible to the guest, you can try
+    /// pulling an image through a proxy specified here.
+    ///
+    /// This value defaults to `None`.
+    pub http_proxy: Option<String>,
 
     /// If the above proxy is enabled, this field can be used to list IPs
     /// that will bypass the proxy.
@@ -117,7 +125,7 @@ pub struct ImageConfig {
     /// If `image_pull_proxy` is not set, this field will do nothing.
     ///
     /// This value defaults to `None`.
-    pub skip_proxy_ips: Option<String>,
+    pub no_proxy: Option<String>,
 
     /// To pull an image from a registry with a self-signed ceritifcate,
     /// supply the corresponding trusted root cert (in PEM format) here.
@@ -174,8 +182,9 @@ impl Default for ImageConfig {
             sigstore_config_uri: None,
             authenticated_registry_credentials_uri: None,
             registry_configuration_uri: None,
-            image_pull_proxy: None,
-            skip_proxy_ips: None,
+            http_proxy: None,
+            https_proxy: None,
+            no_proxy: None,
             extra_root_certificates: Vec::new(),
 
             #[cfg(feature = "keywrap-native")]
@@ -190,6 +199,7 @@ impl Default for ImageConfig {
 #[derive(PartialEq, Debug)]
 struct KernelParameterConfigs {
     https_proxy: Option<String>,
+    http_proxy: Option<String>,
     no_proxy: Option<String>,
     authenticated_registry_credentials_uri: Option<String>,
     image_security_policy_uri: Option<String>,
@@ -205,6 +215,7 @@ impl KernelParameterConfigs {
 
         Self {
             https_proxy: cmdline.get("agent.https_proxy").map(|s| s.to_string()),
+            http_proxy: cmdline.get("agent.http_proxy").map(|s| s.to_string()),
             no_proxy: cmdline.get("agent.no_proxy").map(|s| s.to_string()),
             authenticated_registry_credentials_uri: cmdline
                 .get("agent.image_registry_auth")
@@ -259,8 +270,9 @@ impl ImageConfig {
             sigstore_config_uri: None,
             authenticated_registry_credentials_uri: None,
             registry_configuration_uri: None,
-            image_pull_proxy: None,
-            skip_proxy_ips: None,
+            http_proxy: None,
+            https_proxy: None,
+            no_proxy: None,
             extra_root_certificates: Vec::new(),
 
             #[cfg(feature = "keywrap-native")]
@@ -273,8 +285,9 @@ impl ImageConfig {
         if let Ok(kernel_cmdline) = fs::read_to_string("/proc/cmdline") {
             debug!("Try read image pull parameters from kernel cmdline");
             let parameters_from_kernel = KernelParameterConfigs::new(&kernel_cmdline);
-            res.image_pull_proxy = parameters_from_kernel.https_proxy;
-            res.skip_proxy_ips = parameters_from_kernel.no_proxy;
+            res.https_proxy = parameters_from_kernel.https_proxy;
+            res.http_proxy = parameters_from_kernel.http_proxy;
+            res.no_proxy = parameters_from_kernel.no_proxy;
             res.authenticated_registry_credentials_uri =
                 parameters_from_kernel.authenticated_registry_credentials_uri;
             if parameters_from_kernel.enable_signature_verification {
@@ -449,6 +462,7 @@ mod tests {
         "BOOT_IMAGE=/boot/vmlinuz-6.2.0-060200-generic root=UUID=f601123 ro vga=792 console=tty0 console=ttyS0,115200n8 agent.https_proxy=http://1.2.3.4:1234",
         KernelParameterConfigs {
             https_proxy: Some("http://1.2.3.4:1234".into()),
+            http_proxy: None,
             no_proxy: None,
             authenticated_registry_credentials_uri: None,
             image_security_policy_uri: None,
@@ -459,6 +473,7 @@ mod tests {
         BOOT_IMAGE=/boot/vmlinuz-6.2.0-060200-generic agent.no_proxy=localhost root=UUID=f601123 ro vga=792 console=tty0 console=ttyS0,115200n8 agent.https_proxy=http://1.2.3.4:1234",
         KernelParameterConfigs {
             https_proxy: Some("http://1.2.3.4:1234".into()),
+            http_proxy: None,
             no_proxy: Some("localhost".into()),
             authenticated_registry_credentials_uri: None,
             image_security_policy_uri: None,
@@ -469,6 +484,7 @@ mod tests {
         BOOT_IMAGE=/boot/vmlinuz-6.2.0-060200-generic agent.no_proxy=localhost   \n agent.image_registry_auth=kbs:///default/credentials/test root=UUID=f601123 ro vga=792 console=tty0 console=ttyS0,115200n8 agent.https_proxy=http://1.2.3.4:1234",
         KernelParameterConfigs {
             https_proxy: Some("http://1.2.3.4:1234".into()),
+            http_proxy: None,
             no_proxy: Some("localhost".into()),
             authenticated_registry_credentials_uri: Some("kbs:///default/credentials/test".into()),
             image_security_policy_uri: None,
@@ -479,6 +495,7 @@ mod tests {
         agent.no_proxy=localhost   \n agent.image_registry_auth=file:///root/.docker/config.json agent.https_proxy=http://1.2.3.4:1234",
         KernelParameterConfigs {
             https_proxy: Some("http://1.2.3.4:1234".into()),
+            http_proxy: None,
             no_proxy: Some("localhost".into()),
             authenticated_registry_credentials_uri: Some("file:///root/.docker/config.json".into()),
             image_security_policy_uri: None,
@@ -489,6 +506,7 @@ mod tests {
         BOOT_IMAGE=/boot/vmlinuz-6.2.0-060200-generic agent.no_proxy=localhost agent.image_policy_file=kbs:///default/image-policy/test  \n agent.image_registry_auth=kbs:///a/b/c root=UUID=f601123 ro vga=792 console=tty0 console=ttyS0,115200n8 agent.https_proxy=http://1.2.3.4:1234",
         KernelParameterConfigs {
             https_proxy: Some("http://1.2.3.4:1234".into()),
+            http_proxy: None,
             no_proxy: Some("localhost".into()),
             authenticated_registry_credentials_uri: Some("kbs:///a/b/c".into()),
             image_security_policy_uri: Some("kbs:///default/image-policy/test".into()),
@@ -499,6 +517,7 @@ mod tests {
         BOOT_IMAGE=/boot/vmlinuz-6.2.0-060200-generic agent.no_proxy=localhost agent.image_policy_file=file:///etc/image-policy.json  \n agent.image_registry_auth=kbs:///a/b/c root=UUID=f601123 ro vga=792 console=tty0 console=ttyS0,115200n8 agent.https_proxy=http://1.2.3.4:1234",
         KernelParameterConfigs {
             https_proxy: Some("http://1.2.3.4:1234".into()),
+            http_proxy: None,
             no_proxy: Some("localhost".into()),
             authenticated_registry_credentials_uri: Some("kbs:///a/b/c".into()),
             image_security_policy_uri: Some("file:///etc/image-policy.json".into()),
@@ -509,6 +528,18 @@ mod tests {
         agent.enable_signature_verification=true agent.no_proxy=localhost agent.image_policy_file=file:///etc/image-policy.json  \n agent.image_registry_auth=kbs:///a/b/c agent.https_proxy=http://1.2.3.4:1234",
         KernelParameterConfigs {
             https_proxy: Some("http://1.2.3.4:1234".into()),
+            http_proxy: None,
+            no_proxy: Some("localhost".into()),
+            authenticated_registry_credentials_uri: Some("kbs:///a/b/c".into()),
+            image_security_policy_uri: Some("file:///etc/image-policy.json".into()),
+            enable_signature_verification: true
+        }
+    )]
+    #[case("
+        agent.enable_signature_verification=true agent.no_proxy=localhost agent.image_policy_file=file:///etc/image-policy.json  \n agent.image_registry_auth=kbs:///a/b/c agent.https_proxy=http://1.2.3.4:1234 agent.http_proxy=http://1.2.3.4:1234",
+        KernelParameterConfigs {
+            https_proxy: Some("http://1.2.3.4:1234".into()),
+            http_proxy: Some("http://1.2.3.4:1234".into()),
             no_proxy: Some("localhost".into()),
             authenticated_registry_credentials_uri: Some("kbs:///a/b/c".into()),
             image_security_policy_uri: Some("file:///etc/image-policy.json".into()),

image-rs/src/image.rs

@@ -351,11 +351,11 @@ impl ImageClient {
             client_config.protocol = ClientProtocol::Http;
         }
 
-        if let Some(no_proxy) = &self.config.skip_proxy_ips {
+        if let Some(no_proxy) = &self.config.no_proxy {
             client_config.no_proxy = Some(no_proxy.clone())
         }
 
-        if let Some(https_proxy) = &self.config.image_pull_proxy {
+        if let Some(https_proxy) = &self.config.https_proxy {
             client_config.https_proxy = Some(https_proxy.clone());
             if task.task_type != TaskType::Origininal && !task.use_http {
                 warn!(
@@ -365,6 +365,16 @@ impl ImageClient {
             }
         }
 
+        if let Some(http_proxy) = &self.config.http_proxy {
+            client_config.http_proxy = Some(http_proxy.clone());
+            if task.task_type != TaskType::Origininal && task.use_http {
+                warn!(
+                    "The image pull try from {} will use the configured http proxy",
+                    task.image_reference
+                );
+            }
+        }
+
         let certs = self
             .config
             .extra_root_certificates

image-rs/src/signature/mod.rs

@@ -64,6 +64,7 @@ pub struct SignatureValidator {
 
     no_proxy: Option<String>,
     https_proxy: Option<String>,
+    http_proxy: Option<String>,
 
     #[cfg(feature = "signature-simple")]
     simple_signing_sigstore_config: Option<policy::SigstoreConfig>,
@@ -159,6 +160,7 @@ impl SignatureValidator {
         workdir: &Path,
         no_proxy: Option<String>,
         https_proxy: Option<String>,
+        http_proxy: Option<String>,
         certificates: Vec<String>,
         resource_provider: Arc<ResourceProvider>,
     ) -> SignatureResult<Self> {
@@ -202,6 +204,7 @@ impl SignatureValidator {
             resource_provider,
             no_proxy,
             https_proxy,
+            http_proxy,
             certificates,
             #[cfg(feature = "signature-simple")]
             simple_signing_sigstore_config,

image-rs/src/signature/policy/cosign/mod.rs

@@ -44,6 +44,7 @@ impl SignatureValidator {
                 self.certificates.iter().collect(),
                 self.no_proxy.as_ref(),
                 self.https_proxy.as_ref(),
+                self.http_proxy.as_ref(),
             )
             .await
     }
@@ -58,6 +59,7 @@ impl CosignParameters {
         certificates: Vec<&Certificate>,
         no_proxy: Option<&String>,
         https_proxy: Option<&String>,
+        http_proxy: Option<&String>,
     ) -> Result<()> {
         // Check before we access the network
         self.check_reference_rule_types()?;
@@ -72,7 +74,15 @@ impl CosignParameters {
 
         // Verification, will access the network
         let payloads = self
-            .verify_signature_and_get_payload(image, auth, key, certificates, no_proxy, https_proxy)
+            .verify_signature_and_get_payload(
+                image,
+                auth,
+                key,
+                certificates,
+                no_proxy,
+                https_proxy,
+                http_proxy,
+            )
             .await?;
 
         // check the reference rules (signed identity)
@@ -120,6 +130,7 @@ impl CosignParameters {
         certificates: Vec<&Certificate>,
         no_proxy: Option<&String>,
         https_proxy: Option<&String>,
+        http_proxy: Option<&String>,
     ) -> Result<Vec<SigPayload>> {
         let image_ref = OciReference::from_str(&image.reference.whole())?;
         let auth = match auth {
@@ -131,6 +142,7 @@ impl CosignParameters {
         let config = ClientConfig {
             no_proxy: no_proxy.cloned(),
             https_proxy: https_proxy.cloned(),
+            http_proxy: http_proxy.cloned(),
             extra_root_certificates: certificates.into_iter().cloned().collect(),
             ..Default::default()
         };
@@ -245,6 +257,7 @@ mod tests {
                 vec![],
                 None,
                 None,
+                None,
             )
             .await;
         assert!(
@@ -361,6 +374,7 @@ mod tests {
                     vec![],
                     None,
                     None,
+                    None,
                 )
                 .await;
             assert_eq!(