cnabio / duffle

CNAB installer
https://duffle.sh
MIT License

Add certificate verification flags for relocate subcommand #881

Closed st3v closed 4 years ago

st3v commented 4 years ago

This PR fixes #874 by adding:

I believe we should add the same flags to duffle export. I'll create a separate issue for that.

As part of this PR, I added a bunch of unit tests. Since I didn't see any end-to-end tests in this repo, I manually verified that relocation actually works as expected using the script in this gist. If you would like to run the same e2e tests, simply build duffle, put it in your path, and then run sudo ./tls-test.sh setup followed by sudo ./tls-test.sh duffle.

Just for the record, the following is the output from running my e2e test script.

try to relocate to private registry without specifying CA cert path, should fail
writing cnab/helloworld:latest to my-registry-1:5000/cnab-helloworld-cf2fb20a6a55f18c0144591952a7013a:latest
Error: failed to write image docker.io/cnab/helloworld:latest to my-registry-1:5000/cnab-helloworld-cf2fb20a6a55f18c0144591952a7013a:latest: failed to write image my-registry-1:5000/cnab-helloworld-cf2fb20a6a55f18c0144591952a7013a:latest: Get https://my-registry-1:5000/v2/: x509: certificate signed by unknown authority
PASSED

try to relocate to private registry with specifying correct CA cert path, should succeed
writing cnab/helloworld:latest to my-registry-1:5000/cnab-helloworld-cf2fb20a6a55f18c0144591952a7013a:latest
PASSED

try to relocate to private registry with specifying incorrect CA cert path, should fail
writing cnab/helloworld:latest to my-registry-1:5000/cnab-helloworld-cf2fb20a6a55f18c0144591952a7013a:latest
Error: failed to write image docker.io/cnab/helloworld:latest to my-registry-1:5000/cnab-helloworld-cf2fb20a6a55f18c0144591952a7013a:latest: failed to write image my-registry-1:5000/cnab-helloworld-cf2fb20a6a55f18c0144591952a7013a:latest: Get https://my-registry-1:5000/v2/: x509: certificate signed by unknown authority
PASSED

try to relocate to private registry without cert verification, should succeed
writing cnab/helloworld:latest to my-registry-1:5000/cnab-helloworld-cf2fb20a6a55f18c0144591952a7013a:latest
PASSED

try to relocate from/to private registry without specifying CA cert path for source, should fail
writing my-registry-1:5000/cnab-helloworld-cf2fb20a6a55f18c0144591952a7013a:latest to my-registry-2:5001/cnab-helloworld-cf2fb20a6a55f18c0144591952a7013a-02f8e960a10901897e7305066b3c40c0:latest
Error: failed to read image my-registry-1:5000/cnab-helloworld-cf2fb20a6a55f18c0144591952a7013a:latest: Get https://my-registry-1:5000/v2/: x509: certificate signed by unknown authority
PASSED

try to relocate from/to private registry without specifying CA cert path for destination, should fail
writing my-registry-1:5000/cnab-helloworld-cf2fb20a6a55f18c0144591952a7013a:latest to my-registry-2:5001/cnab-helloworld-cf2fb20a6a55f18c0144591952a7013a-02f8e960a10901897e7305066b3c40c0:latest
Error: failed to write image my-registry-1:5000/cnab-helloworld-cf2fb20a6a55f18c0144591952a7013a:latest to my-registry-2:5001/cnab-helloworld-cf2fb20a6a55f18c0144591952a7013a-02f8e960a10901897e7305066b3c40c0:latest: failed to write image my-registry-2:5001/cnab-helloworld-cf2fb20a6a55f18c0144591952a7013a-02f8e960a10901897e7305066b3c40c0:latest: Get https://my-registry-2:5001/v2/: x509: certificate signed by unknown authority
PASSED

try to relocate from/to private registry with specifying CA cert paths for both source and destination, should succeed
writing my-registry-1:5000/cnab-helloworld-cf2fb20a6a55f18c0144591952a7013a:latest to my-registry-2:5001/cnab-helloworld-cf2fb20a6a55f18c0144591952a7013a-02f8e960a10901897e7305066b3c40c0:latest
PASSED

try to relocate from/to private registry with specifying CA cert paths for both source and destination, should succeed
writing my-registry-1:5000/cnab-helloworld-cf2fb20a6a55f18c0144591952a7013a:latest to my-registry-2:5001/cnab-helloworld-cf2fb20a6a55f18c0144591952a7013a-02f8e960a10901897e7305066b3c40c0:latest
PASSED

try to relocate from/to private registry without cert verifictation, should succeed
writing my-registry-1:5000/cnab-helloworld-cf2fb20a6a55f18c0144591952a7013a:latest to my-registry-2:5001/cnab-helloworld-cf2fb20a6a55f18c0144591952a7013a-02f8e960a10901897e7305066b3c40c0:latest
PASSED

try to relocate images from thick bundle to private registry without specifying CA cert, should fail
writing cnab/helloworld:latest to my-registry-1:5000/cnab-helloworld-cf2fb20a6a55f18c0144591952a7013a:latest
Error: failed to write image sha256:55f83710272990efab4e076f9281453e136980becfd879640b06552ead751284 to my-registry-1:5000/cnab-helloworld-cf2fb20a6a55f18c0144591952a7013a:latest: failed to write image my-registry-1:5000/cnab-helloworld-cf2fb20a6a55f18c0144591952a7013a:latest: Get https://my-registry-1:5000/v2/: x509: certificate signed by unknown authority
PASSED

try to relocate images from thick bundle to private registry with specifying CA cert, should succeed
writing cnab/helloworld:latest to my-registry-1:5000/cnab-helloworld-cf2fb20a6a55f18c0144591952a7013a:latest
PASSED

try to relocate images from thick bundle to private registry without cert verification, should succeed
writing cnab/helloworld:latest to my-registry-1:5000/cnab-helloworld-cf2fb20a6a55f18c0144591952a7013a:latest
PASSED
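
The four single-registry cases in the output above (no CA, correct CA, incorrect CA, verification skipped) can be reproduced offline with Go's standard library. This is an added example, not code from this PR or from duffle: the helper names are hypothetical, a local `httptest` TLS server stands in for the private registry, and an empty certificate pool stands in for a system trust store that lacks the private CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// unrelatedRoot returns a throwaway self-signed cert (constructed) that never signed the server cert.
func unrelatedRoot() *x509.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	cert, _ := x509.ParseCertificate(der) // a nil cert would panic in AddCert below
	return cert
}

// probe sends GET <base>/v2/ (the request that fails in the output above) and returns any error.
func probe(base string, ca *x509.Certificate, skipVerify bool) error {
	cfg := &tls.Config{RootCAs: x509.NewCertPool(), InsecureSkipVerify: skipVerify}
	if ca != nil {
		cfg.RootCAs.AddCert(ca)
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(base + "/v2/")
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// runCases replays the four cases against one local TLS server and maps each case to its error.
func runCases() map[string]error {
	srv := httptest.NewTLSServer(http.NotFoundHandler())
	defer srv.Close()
	return map[string]error{
		"no CA":       probe(srv.URL, nil, false), // empty pool: trust store without the private CA
		"correct CA":  probe(srv.URL, srv.Certificate(), false),
		"wrong CA":    probe(srv.URL, unrelatedRoot(), false),
		"skip verify": probe(srv.URL, nil, true),
	}
}

func main() { fmt.Println(runCases()) }
```

The "skip verify" case succeeds against any certificate at all, which is why supplying the CA certificate is the option that preserves server authentication.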