Decouple `CreateCryptoConfig()` from `github.com/urfave/cli`, so that it
can be called from other applications that do not use `github.com/urfave/cli`.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Update to the latest ocicrypt and adjust the code accordingly. Ocicrypt
now gets the user-provided configuration for pkcs11 only if a pkcs11 key
in yaml format is provided. This avoids unnecessary error messages if, for
example, an image is pulled but doesn't need pkcs11 configuration because
no keys are needed, as it doesn't need to be decrypted. Also, the helper
functions ending in 'WithOpts' do not exist anymore and so we roll back some
of the previous changes.
Also, due to the changes, the config file is searched for in this order:
- ${OCICRYPT_CONFIG}="internal": use an internal allow-all policy
- ${OCICRYPT_CONFIG}
- ${XDG_CONFIG_HOME}/ocicrypt.conf
- ${HOME}/.config/ocicrypt.conf
- /etc/ocicrypt.conf
The previously used IMGCRYPT_CONFIG variable is not used anymore.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
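The search order above, worked through as an added Go example (this is not imgcrypt's or ocicrypt's own code): resolveConfig takes the environment lookup and a file-existence probe as parameters so it can be exercised without touching the real environment or filesystem. Two choices are this example's assumptions, not documented behaviour: an explicitly set but missing ${OCICRYPT_CONFIG} is reported as not found rather than falling through to the lower-priority files, and when nothing matches the caller gets Found=false and decides what to do.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// ConfigSource is the result of the lookup.
type ConfigSource struct {
	Internal bool   // OCICRYPT_CONFIG=internal: use the built-in allow-all policy
	Path     string // the config file to load when Internal is false
	Found    bool   // whether Path exists (false when no candidate matched)
}

// resolveConfig applies the order from the commit message:
// ${OCICRYPT_CONFIG}="internal", then ${OCICRYPT_CONFIG}, then
// ${XDG_CONFIG_HOME}/ocicrypt.conf, ${HOME}/.config/ocicrypt.conf and
// finally /etc/ocicrypt.conf.
func resolveConfig(getenv func(string) string, exists func(string) bool) ConfigSource {
	if v := getenv("OCICRYPT_CONFIG"); v != "" {
		if v == "internal" {
			return ConfigSource{Internal: true}
		}
		// Assumption of this example: an explicit path is authoritative. If it is
		// missing we say so instead of silently using a lower-priority file, so a
		// typo in the variable cannot select a different policy.
		return ConfigSource{Path: v, Found: exists(v)}
	}
	var candidates []string
	if xdg := getenv("XDG_CONFIG_HOME"); xdg != "" {
		candidates = append(candidates, filepath.Join(xdg, "ocicrypt.conf"))
	}
	if home := getenv("HOME"); home != "" {
		candidates = append(candidates, filepath.Join(home, ".config", "ocicrypt.conf"))
	}
	candidates = append(candidates, "/etc/ocicrypt.conf")
	for _, c := range candidates {
		if exists(c) {
			return ConfigSource{Path: c, Found: true}
		}
	}
	// Nothing matched; the caller decides whether that means "internal default".
	return ConfigSource{}
}

// fileExists is the real probe used by main; tests inject a fake instead.
func fileExists(p string) bool {
	st, err := os.Stat(p)
	return err == nil && st.Mode().IsRegular()
}

func main() {
	src := resolveConfig(os.Getenv, fileExists)
	switch {
	case src.Internal:
		fmt.Println("using internal allow-all policy")
	case src.Found:
		fmt.Println("loading", src.Path)
	case src.Path != "":
		fmt.Println("OCICRYPT_CONFIG points at a missing file:", src.Path)
	default:
		fmt.Println("no ocicrypt.conf found")
	}
}
```

Injecting getenv and exists keeps the precedence logic testable in isolation; in production, main wires in os.Getenv and os.Stat.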
Extend the parse_helpers with pkcs11 support.
We introduce a configuration file from which pkcs11 parameters are read. A config file
may look like this:
pkcs11:
  module-directories:
    - /usr/lib64/pkcs11/
  allowed-module-paths:
    - /usr/lib64/pkcs11/libsofthsm2.so
The module-directories list enumerates directories in which to look for pkcs11 modules.
The allowed-module-paths list restricts the pkcs11 modules that can be used.
The config file is searched for in this order:
- ${IMGCRYPT_CONF}
- ${XDG_CONFIG_HOME}/imgcrypt.conf
- ${HOME}/.config/imgcrypt.conf
- /etc/imgcrypt.conf
If no config file can be found then an internal default configuration is used.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
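An added Go example (not imgcrypt's or ocicrypt's own code) of what the two lists above mean in practice: parsePkcs11Config reads the constructed sample config and resolveModule turns a module name or absolute path into the one file that may be loaded. The parser handles only the flat two-list layout shown above; that simplification is this example's, ocicrypt reads the file with a full YAML library. Refusing every module when allowed-module-paths is empty is also this example's choice, not documented ocicrypt behaviour.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Pkcs11Config holds the two lists from the pkcs11 section of the config file.
type Pkcs11Config struct {
	ModuleDirectories  []string
	AllowedModulePaths []string
}

// sampleConfig is the constructed example from the commit message.
const sampleConfig = `pkcs11:
  module-directories:
    - /usr/lib64/pkcs11/
  allowed-module-paths:
    - /usr/lib64/pkcs11/libsofthsm2.so
`

// parsePkcs11Config understands only the subset of YAML used above: a top-level
// "pkcs11:" key followed by the two lists. Anything else is rejected rather than
// silently ignored. This is the example's own mini parser, not ocicrypt's.
func parsePkcs11Config(text string) (Pkcs11Config, error) {
	var cfg Pkcs11Config
	var current *[]string // the list the next "- item" lines belong to
	for n, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		switch {
		case line == "pkcs11:":
			current = nil
		case line == "module-directories:":
			current = &cfg.ModuleDirectories
		case line == "allowed-module-paths:":
			current = &cfg.AllowedModulePaths
		case strings.HasPrefix(line, "- "):
			if current == nil {
				return cfg, fmt.Errorf("line %d: list item outside a known list", n+1)
			}
			// Clean so that "/usr/lib64/pkcs11/" and "/usr/lib64/pkcs11" compare equal.
			*current = append(*current, filepath.Clean(strings.TrimSpace(line[2:])))
		default:
			return cfg, fmt.Errorf("line %d: unsupported syntax %q", n+1, line)
		}
	}
	return cfg, nil
}

// resolveModule returns the allowed module file for a bare module name (looked up
// in module-directories) or an absolute path. Paths are cleaned before comparison
// so ".." segments cannot escape a module directory. Assumption of this example:
// an empty allow-list denies everything (fail closed).
func resolveModule(cfg Pkcs11Config, module string) (string, error) {
	allowed := make(map[string]bool, len(cfg.AllowedModulePaths))
	for _, p := range cfg.AllowedModulePaths {
		allowed[p] = true
	}
	if len(allowed) == 0 {
		return "", errors.New("no allowed-module-paths configured; refusing to load any pkcs11 module")
	}
	var candidates []string
	if filepath.IsAbs(module) {
		candidates = []string{filepath.Clean(module)}
	} else {
		for _, dir := range cfg.ModuleDirectories {
			candidates = append(candidates, filepath.Join(dir, module))
		}
	}
	for _, c := range candidates {
		if allowed[c] {
			return c, nil
		}
	}
	return "", fmt.Errorf("pkcs11 module %q is not in allowed-module-paths", module)
}

func main() {
	cfg, err := parsePkcs11Config(sampleConfig)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, m := range []string{"libsofthsm2.so", "/usr/lib64/pkcs11/libsofthsm2.so", "../../tmp/evil.so"} {
		p, err := resolveModule(cfg, m)
		fmt.Printf("%-40s -> %q %v\n", m, p, err)
	}
}
```

The comparison is lexical (filepath.Clean), so ".." segments that escape a module directory are rejected, but a symlink inside an allowed directory that points elsewhere is not; run filepath.EvalSymlinks on the candidate before the allow-list check if that matters in your deployment.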
The mediatype we used before was only experimental:
application/vnd.docker.image.rootfs.diff.tar.gzip+enc
The newer one is
application/vnd.oci.image.layer.v1.tar+gzip+enc
Update to latest containerd and adjust code to it.
We need to update the mediatypes being used by GetImageLayerDescriptors,
so we move the function into our own directory.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>