Merge pull request operator-framework#279 from ecordell/demonless-index-cmds

fix(add): allow containertool to be specified for registry add

Author: ecordell

cmd/opm/index/add.go

@@ -7,6 +7,7 @@ import (
 	"github.com/spf13/cobra"
 	"k8s.io/kubectl/pkg/util/templates"
 
+	"github.com/operator-framework/operator-registry/pkg/containertools"
 	"github.com/operator-framework/operator-registry/pkg/lib/indexer"
 	"github.com/operator-framework/operator-registry/pkg/registry"
 )
@@ -52,6 +53,7 @@ func addIndexAddCmd(parent *cobra.Command) {
 	if err := indexCmd.MarkFlagRequired("bundles"); err != nil {
 		logrus.Panic("Failed to set required `bundles` flag for `index add`")
 	}
+	indexCmd.Flags().Bool("skip-tls", false, "skip TLS certificate verification for container image registries while pulling bundles")
 	indexCmd.Flags().StringP("binary-image", "i", "", "container image for on-image `opm` command")
 	indexCmd.Flags().StringP("container-tool", "c", "podman", "tool to interact with container images (save, build, etc.). One of: [docker, podman]")
 	indexCmd.Flags().StringP("tag", "t", "", "custom tag for container image being built")
@@ -99,6 +101,10 @@ func runIndexAddCmdFunc(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	if containerTool == "none" {
+		return fmt.Errorf("none is not a valid container-tool for index add")
+	}
+
 	tag, err := cmd.Flags().GetString("tag")
 	if err != nil {
 		return err
@@ -109,6 +115,11 @@ func runIndexAddCmdFunc(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	skipTLS, err := cmd.Flags().GetBool("skip-tls")
+	if err != nil {
+		return err
+	}
+
 	mode, err := cmd.Flags().GetString("mode")
 	if err != nil {
 		return err
@@ -123,7 +134,7 @@ func runIndexAddCmdFunc(cmd *cobra.Command, args []string) error {
 
 	logger.Info("building the index")
 
-	indexAdder := indexer.NewIndexAdder(containerTool, logger)
+	indexAdder := indexer.NewIndexAdder(containertools.NewContainerTool(containerTool, containertools.PodmanTool), logger)
 
 	request := indexer.AddToIndexRequest{
 		Generate:          generate,
@@ -134,6 +145,7 @@ func runIndexAddCmdFunc(cmd *cobra.Command, args []string) error {
 		Bundles:           bundles,
 		Permissive:        permissive,
 		Mode:              modeEnum,
+		SkipTLS:           skipTLS,
 	}
 
 	err = indexAdder.AddToIndex(request)

cmd/opm/index/delete.go

@@ -1,9 +1,11 @@
 package index
 
 import (
+	"fmt"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
+	"github.com/operator-framework/operator-registry/pkg/containertools"
 	"github.com/operator-framework/operator-registry/pkg/lib/indexer"
 )
 
@@ -35,7 +37,7 @@ func newIndexDeleteCmd() *cobra.Command {
 		logrus.Panic("Failed to set required `operators` flag for `index delete`")
 	}
 	indexCmd.Flags().StringP("binary-image", "i", "", "container image for on-image `opm` command")
-	indexCmd.Flags().StringP("container-tool", "c", "podman", "tool to interact with container images (save, build, etc.). One of: [docker, podman]")
+	indexCmd.Flags().StringP("container-tool", "c", "podman", "tool to interact with container images (save, build, etc.). One of: [none, docker, podman]")
 	indexCmd.Flags().StringP("tag", "t", "", "custom tag for container image being built")
 	indexCmd.Flags().Bool("permissive", false, "allow registry load errors")
 
@@ -78,6 +80,10 @@ func runIndexDeleteCmdFunc(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	if containerTool == "none" {
+		return fmt.Errorf("none is not a valid container-tool for index add")
+	}
+
 	tag, err := cmd.Flags().GetString("tag")
 	if err != nil {
 		return err
@@ -92,7 +98,7 @@ func runIndexDeleteCmdFunc(cmd *cobra.Command, args []string) error {
 
 	logger.Info("building the index")
 
-	indexDeleter := indexer.NewIndexDeleter(containerTool, logger)
+	indexDeleter := indexer.NewIndexDeleter(containertools.NewContainerTool(containerTool, containertools.PodmanTool), logger)
 
 	request := indexer.DeleteFromIndexRequest{
 		Generate:          generate,

cmd/opm/index/export.go

@@ -1,10 +1,12 @@
 package index
 
 import (
+	"fmt"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"k8s.io/kubectl/pkg/util/templates"
 
+	"github.com/operator-framework/operator-registry/pkg/containertools"
 	"github.com/operator-framework/operator-registry/pkg/lib/indexer"
 )
 
@@ -44,7 +46,7 @@ func newIndexExportCmd() *cobra.Command {
 		logrus.Panic("Failed to set required `package` flag for `index export`")
 	}
 	indexCmd.Flags().StringP("download-folder", "f", "downloaded", "directory where downloaded operator bundle(s) will be stored")
-	indexCmd.Flags().StringP("container-tool", "c", "podman", "tool to interact with container images (save, build, etc.). One of: [docker, podman]")
+	indexCmd.Flags().StringP("container-tool", "c", "podman", "tool to interact with container images (save, build, etc.). One of: [none, docker, podman]")
 	if err := indexCmd.Flags().MarkHidden("debug"); err != nil {
 		logrus.Panic(err.Error())
 	}
@@ -74,11 +76,15 @@ func runIndexExportCmdFunc(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	if containerTool == "none" {
+		return fmt.Errorf("none is not a valid container-tool for index add")
+	}
+
 	logger := logrus.WithFields(logrus.Fields{"index": index, "package": packageName})
 
 	logger.Info("export from the index")
 
-	indexExporter := indexer.NewIndexExporter(containerTool, logger)
+	indexExporter := indexer.NewIndexExporter(containertools.NewContainerTool(containerTool, containertools.PodmanTool), logger)
 
 	request := indexer.ExportFromIndexRequest{
 		Index:         index,

cmd/opm/registry/add.go

@@ -4,6 +4,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
+	"github.com/operator-framework/operator-registry/pkg/containertools"
 	"github.com/operator-framework/operator-registry/pkg/lib/registry"
 	reg "github.com/operator-framework/operator-registry/pkg/registry"
 )
@@ -30,11 +31,7 @@ func newRegistryAddCmd() *cobra.Command {
 	rootCmd.Flags().Bool("permissive", false, "allow registry load errors")
 	rootCmd.Flags().Bool("skip-tls", false, "skip TLS certificate verification for container image registries while pulling bundles")
 	rootCmd.Flags().StringP("mode", "", "replaces", "graph update mode that defines how channel graphs are updated. One of: [replaces, semver, semver-skippatch]")
-
-	rootCmd.Flags().StringP("container-tool", "c", "", "")
-	if err := rootCmd.Flags().MarkDeprecated("container-tool", "ignored in favor of standalone image manipulation"); err != nil {
-		logrus.Panic(err.Error())
-	}
+	rootCmd.Flags().StringP("container-tool", "c", "none", "tool to interact with container images (save, build, etc.). One of: [none, docker, podman]")
 
 	return rootCmd
 }
@@ -56,12 +53,14 @@ func addFunc(cmd *cobra.Command, args []string) error {
 	if err != nil {
 		return err
 	}
-
+	containerTool, err := cmd.Flags().GetString("container-tool")
+	if err != nil {
+		return err
+	}
 	mode, err := cmd.Flags().GetString("mode")
 	if err != nil {
 		return err
 	}
-
 	modeEnum, err := reg.GetModeFromString(mode)
 	if err != nil {
 		return err
@@ -73,6 +72,7 @@ func addFunc(cmd *cobra.Command, args []string) error {
 		InputDatabase: fromFilename,
 		Bundles:       bundleImages,
 		Mode:          modeEnum,
+		ContainerTool: containertools.NewContainerTool(containerTool, containertools.NoneTool),
 	}
 
 	logger := logrus.WithFields(logrus.Fields{"bundles": bundleImages})

pkg/containertools/command.go

@@ -8,13 +8,6 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
-const (
-	// Podman cli tool
-	Podman = "podman"
-	// Docker cli tool
-	Docker = "docker"
-)
-
 // CommandRunner defines methods to shell out to common container tools
 type CommandRunner interface {
 	GetToolName() string
@@ -28,42 +21,32 @@ type CommandRunner interface {
 // execute commands with that tooling.
 type ContainerCommandRunner struct {
 	logger        *logrus.Entry
-	containerTool string
+	containerTool ContainerTool
 }
 
 // NewCommandRunner takes the containerTool as an input string and returns a
 // CommandRunner to run commands with that cli tool
-func NewCommandRunner(containerTool string, logger *logrus.Entry) CommandRunner {
+func NewCommandRunner(containerTool ContainerTool, logger *logrus.Entry) CommandRunner {
 	r := ContainerCommandRunner{
 		logger: logger,
+		containerTool: containerTool,
 	}
-
-	switch containerTool {
-	case Podman:
-		r.containerTool = Podman
-	case Docker:
-		r.containerTool = Docker
-	default:
-		r.containerTool = Podman
-	}
-
 	return &r
 }
 
 // GetToolName returns the container tool this command runner is using
 func (r *ContainerCommandRunner) GetToolName() string {
-	return r.containerTool
+	return r.containerTool.String()
 }
 
 // Pull takes a container image path hosted on a container registry and runs the
 // pull command to download it onto the local environment
 func (r *ContainerCommandRunner) Pull(image string) error {
 	args := []string{"pull", image}
 
-	command := exec.Command(r.containerTool, args...)
+	command := exec.Command(r.containerTool.String(), args...)
 
-	r.logger.Infof("running %s pull", r.containerTool)
-	r.logger.Debugf("%s", command.Args)
+	r.logger.Infof("running %s", command.String())
 
 	out, err := command.CombinedOutput()
 	if err != nil {
@@ -84,7 +67,7 @@ func (r *ContainerCommandRunner) Build(dockerfile, tag string) error {
 
 	args = append(args, ".")
 
-	command := exec.Command(r.containerTool, args...)
+	command := exec.Command(r.containerTool.String(), args...)
 
 	r.logger.Infof("running %s build", r.containerTool)
 	r.logger.Infof("%s", command.Args)
@@ -103,7 +86,7 @@ func (r *ContainerCommandRunner) Build(dockerfile, tag string) error {
 func (r *ContainerCommandRunner) Save(image, tarFile string) error {
 	args := []string{"save", image, "-o", tarFile}
 
-	command := exec.Command(r.containerTool, args...)
+	command := exec.Command(r.containerTool.String(), args...)
 
 	r.logger.Infof("running %s save", r.containerTool)
 	r.logger.Debugf("%s", command.Args)
@@ -122,7 +105,7 @@ func (r *ContainerCommandRunner) Save(image, tarFile string) error {
 func (r *ContainerCommandRunner) Inspect(image string) ([]byte, error) {
 	args := []string{"inspect", image}
 
-	command := exec.Command(r.containerTool, args...)
+	command := exec.Command(r.containerTool.String(), args...)
 
 	r.logger.Infof("running %s inspect", r.containerTool)
 	r.logger.Debugf("%s", command.Args)

pkg/containertools/containertool.go

@@ -0,0 +1,46 @@
+package containertools
+
+type ContainerTool int
+
+const (
+	NoneTool ContainerTool = iota
+	PodmanTool
+	DockerTool
+)
+
+func (t ContainerTool) String() (s string) {
+	switch t {
+	case NoneTool:
+		s = "none"
+	case PodmanTool:
+		s = "podman"
+	case DockerTool:
+		s = "docker"
+	}
+	return
+}
+
+func NewContainerTool(s string, defaultTool ContainerTool) (t ContainerTool) {
+	switch s {
+	case "podman":
+		t = PodmanTool
+	case "docker":
+		t = DockerTool
+	case "none":
+		t = NoneTool
+	default:
+		t = defaultTool
+	}
+	return
+}
+
+// NewCommandContainerTool returns a tool that can be used in `exec` statements.
+func NewCommandContainerTool(s string) (t ContainerTool) {
+	switch s {
+	case "docker":
+		t = DockerTool
+	default:
+		t = PodmanTool
+	}
+	return
+}

pkg/containertools/dockerfilegenerator.go

@@ -24,7 +24,7 @@ type IndexDockerfileGenerator struct {
 }
 
 // NewDockerfileGenerator is a constructor that returns a DockerfileGenerator
-func NewDockerfileGenerator(containerTool string, logger *logrus.Entry) DockerfileGenerator {
+func NewDockerfileGenerator(logger *logrus.Entry) DockerfileGenerator {
 	return &IndexDockerfileGenerator{
 		Logger: logger,
 	}

pkg/containertools/imagereader.go

@@ -33,7 +33,7 @@ type ImageLayerReader struct {
 	Logger *logrus.Entry
 }
 
-func NewImageReader(containerTool string, logger *logrus.Entry) ImageReader {
+func NewImageReader(containerTool ContainerTool, logger *logrus.Entry) ImageReader {
 	cmd := NewCommandRunner(containerTool, logger)
 
 	return &ImageLayerReader{

pkg/containertools/labelreader.go

@@ -17,7 +17,7 @@ type ImageLabelReader struct {
 	Cmd    CommandRunner
 }
 
-func NewLabelReader(containerTool string, logger *logrus.Entry) LabelReader {
+func NewLabelReader(containerTool ContainerTool, logger *logrus.Entry) LabelReader {
 	cmd := NewCommandRunner(containerTool, logger)
 
 	return ImageLabelReader{

pkg/image/containerdregistry/options.go

@@ -1,6 +1,7 @@
 package containerdregistry
 
 import (
+	"crypto/x509"
 	"os"
 	"path/filepath"
 	"sync"
@@ -20,6 +21,7 @@ type RegistryConfig struct {
 	CacheDir          string
 	PreserveCache     bool
 	SkipTLS           bool
+	Roots             *x509.CertPool
 }
 
 func (r *RegistryConfig) apply(options []RegistryOption) {
@@ -52,7 +54,7 @@ func defaultConfig() *RegistryConfig {
 
 // NewRegistry returns a new containerd Registry and a function to destroy it after use.
 // The destroy function is safe to call more than once, but is a no-op after the first call.
-func NewRegistry(options ...RegistryOption) (registry *Registry, destroy func() error, err error) {
+func NewRegistry(options ...RegistryOption) (registry *Registry, err error) {
 	config := defaultConfig()
 	config.apply(options)
 	if err = config.complete(); err != nil {
@@ -71,7 +73,7 @@ func NewRegistry(options ...RegistryOption) (registry *Registry, destroy func()
 	}
 
 	var once sync.Once
-	destroy = func() (destroyErr error) {
+	destroy := func() (destroyErr error) {
 		once.Do(func() {
 			if destroyErr = bdb.Close(); destroyErr != nil {
 				return
@@ -87,14 +89,14 @@ func NewRegistry(options ...RegistryOption) (registry *Registry, destroy func()
 	}
 
 	var resolver remotes.Resolver
-	resolver, err = NewResolver(config.ResolverConfigDir, config.SkipTLS)
+	resolver, err = NewResolver(config.ResolverConfigDir, config.SkipTLS, config.Roots)
 	if err != nil {
 		return
 	}
 
 	registry = &Registry{
-		Store: newStore(metadata.NewDB(bdb, cs, nil)),
-
+		Store:    newStore(metadata.NewDB(bdb, cs, nil)),
+		destroy:  destroy,
 		log:      config.Log,
 		resolver: resolver,
 		platform: platforms.Only(platforms.DefaultSpec()),
@@ -122,6 +124,12 @@ func WithCacheDir(dir string) RegistryOption {
 	}
 }
 
+func WithRootCAs(pool *x509.CertPool) RegistryOption {
+	return func(config *RegistryConfig) {
+		config.Roots = pool
+	}
+}
+
 func PreserveCache(preserve bool) RegistryOption {
 	return func(config *RegistryConfig) {
 		config.PreserveCache = preserve

pkg/image/containerdregistry/registry.go

@@ -3,9 +3,7 @@ package containerdregistry
 import (
 	"archive/tar"
 	"context"
-	"io"
-	"os"
-
+	"fmt"
 	"github.com/containerd/containerd/archive"
 	"github.com/containerd/containerd/archive/compression"
 	"github.com/containerd/containerd/errdefs"
@@ -15,14 +13,16 @@ import (
 	"github.com/containerd/containerd/remotes"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/sirupsen/logrus"
+	"io"
+	"os"
 
 	"github.com/operator-framework/operator-registry/pkg/image"
 )
 
 // Registry enables manipulation of images via containerd modules.
 type Registry struct {
 	Store
-
+	destroy  func() error
 	log      *logrus.Entry
 	resolver remotes.Resolver
 	platform platforms.MatchComparer
@@ -37,7 +37,7 @@ func (r *Registry) Pull(ctx context.Context, ref image.Reference) error {
 
 	name, root, err := r.resolver.Resolve(ctx, ref.String())
 	if err != nil {
-		return err
+		return fmt.Errorf("error resolving name %s: %v", name, err)
 	}
 	r.log.Infof("resolved name: %s", name)
 
@@ -93,13 +93,22 @@ func (r *Registry) Unpack(ctx context.Context, ref image.Reference, dir string)
 	return nil
 }
 
+// Destroy cleans up the on-disk boltdb file and other cache files, unless preserve cache is true
+func (r *Registry) Destroy() (err error) {
+	return r.destroy()
+}
+
 func (r *Registry) fetch(ctx context.Context, fetcher remotes.Fetcher, root ocispec.Descriptor) error {
 	visitor := images.HandlerFunc(func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
 		r.log.WithField("digest", desc.Digest).Info("fetched")
 		r.log.Debug(desc)
 		return nil, nil
 	})
 
+	if root.MediaType == images.MediaTypeDockerSchema1Manifest {
+		return fmt.Errorf("specified image is a docker schema v1 manifest, which is not supported")
+	}
+
 	handler := images.Handlers(
 		visitor,
 		remotes.FetchHandler(r.Content(), fetcher),

pkg/image/containerdregistry/resolver.go

@@ -2,6 +2,7 @@ package containerdregistry
 
 import (
 	"crypto/tls"
+	"crypto/x509"
 	"net"
 	"net/http"
 	"time"
@@ -14,7 +15,7 @@ import (
 	"github.com/docker/docker/registry"
 )
 
-func NewResolver(configDir string, insecure bool) (remotes.Resolver, error) {
+func NewResolver(configDir string, insecure bool, roots *x509.CertPool) (remotes.Resolver, error) {
 	transport := &http.Transport{
 		Proxy: http.ProxyFromEnvironment,
 		DialContext: (&net.Dialer{
@@ -25,12 +26,20 @@ func NewResolver(configDir string, insecure bool) (remotes.Resolver, error) {
 		IdleConnTimeout:       30 * time.Second,
 		TLSHandshakeTimeout:   10 * time.Second,
 		ExpectContinueTimeout: 5 * time.Second,
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: false,
+			RootCAs: roots,
+		},
 	}
+
 	if insecure {
 		transport.TLSClientConfig = &tls.Config{
 			InsecureSkipVerify: insecure,
 		}
 	}
+	headers := http.Header{}
+	headers.Set("User-Agent", "opm/alpha")
+
 	client := http.DefaultClient
 	client.Transport = transport
 
@@ -39,9 +48,21 @@ func NewResolver(configDir string, insecure bool) (remotes.Resolver, error) {
 		return nil, err
 	}
 
+	regopts := []docker.RegistryOpt{
+		docker.WithAuthorizer(docker.NewDockerAuthorizer(
+			docker.WithAuthClient(client),
+			docker.WithAuthHeader(headers),
+			docker.WithAuthCreds(credential(cfg)),
+		)),
+		docker.WithClient(client),
+	}
+	if insecure {
+		regopts = append(regopts, docker.WithPlainHTTP(docker.MatchAllHosts))
+	}
+
 	opts := docker.ResolverOptions{
-		Client:      client,
-		Credentials: credential(cfg),
+		Hosts: docker.ConfigureDefaultRegistries(regopts...),
+		Headers: headers,
 	}
 
 	return docker.NewResolver(opts), nil

pkg/image/execregistry/registry.go

@@ -0,0 +1,44 @@
+package execregistry
+
+import (
+	"context"
+	"github.com/operator-framework/operator-registry/pkg/containertools"
+	"github.com/sirupsen/logrus"
+
+	"github.com/operator-framework/operator-registry/pkg/image"
+)
+
+// Registry enables manipulation of images via exec podman/docker commands.
+type Registry struct {
+	log      *logrus.Entry
+	cmd      containertools.CommandRunner
+}
+
+// Adapt the cmd interface to the registry interface
+var _ image.Registry = &Registry{}
+
+func NewRegistry(tool containertools.ContainerTool, logger *logrus.Entry) (registry *Registry, err error) {
+	return &Registry{
+		log: logger,
+		cmd: containertools.NewCommandRunner(tool, logger),
+	}, nil
+}
+
+// Pull fetches and stores an image by reference.
+func (r *Registry) Pull(ctx context.Context, ref image.Reference) error {
+	return r.cmd.Pull(ref.String())
+}
+
+// Unpack writes the unpackaged content of an image to a directory.
+// If the referenced image does not exist in the registry, an error is returned.
+func (r *Registry) Unpack(ctx context.Context, ref image.Reference, dir string) error {
+	return containertools.ImageLayerReader{
+		Cmd:    r.cmd,
+		Logger: r.log,
+	}.GetImageData(ref.String(), dir)
+}
+
+// Destroy is no-op for exec tools
+func (r *Registry) Destroy() error {
+	return nil
+}

pkg/image/registry.go

@@ -18,6 +18,9 @@ type Registry interface {
 	// If the referenced image does not exist in the registry, an error is returned.
 	Unpack(ctx context.Context, ref Reference, dir string) error
 
+	// Destroy cleans up any on-disk resources used to track images
+	Destroy() error
+
 	// Pack creates and stores an image based on the given reference and returns a reference to the new image.
 	// If the referenced image does not exist in the registry, a new image is created from scratch.
 	// If it exists, it's used as the base image.

pkg/image/registry_test.go

@@ -2,7 +2,9 @@ package image_test
 
 import (
 	"context"
+	"crypto/x509"
 	"fmt"
+	"io/ioutil"
 	"math/rand"
 	"os"
 	"testing"
@@ -16,27 +18,50 @@ import (
 	libimage "github.com/operator-framework/operator-registry/pkg/lib/image"
 )
 
+
 // cleanupFunc is a function that cleans up after some test infra.
 type cleanupFunc func()
 
 // newRegistryFunc is a function that creates and returns a new image.Registry to test its cleanupFunc.
-type newRegistryFunc func(t *testing.T) (image.Registry, cleanupFunc)
+type newRegistryFunc func(t *testing.T, cafile string) (image.Registry, cleanupFunc)
+
+func poolForCertFile(t *testing.T, file string) *x509.CertPool {
+	rootCAs := x509.NewCertPool()
+	certs, err := ioutil.ReadFile(file)
+	require.NoError(t, err)
+	require.True(t, rootCAs.AppendCertsFromPEM(certs))
+	return rootCAs
+}
 
 func TestRegistries(t *testing.T) {
-	registries := []newRegistryFunc{
-		func(t *testing.T) (image.Registry, cleanupFunc) {
-			// TODO: should this fail because the registry isn't TLS and we haven't specified skiptls?
-			r, d, err := containerdregistry.NewRegistry(
+	registries := map[string]newRegistryFunc{
+		"containerd": func(t *testing.T, cafile string) (image.Registry, cleanupFunc) {
+			r, err := containerdregistry.NewRegistry(
 				containerdregistry.WithLog(logrus.New().WithField("test", t.Name())),
 				containerdregistry.WithCacheDir(fmt.Sprintf("cache-%x", rand.Int())),
+				containerdregistry.WithRootCAs(poolForCertFile(t, cafile)),
 			)
 			require.NoError(t, err)
 			cleanup := func() {
-				require.NoError(t, d())
+				require.NoError(t, r.Destroy())
 			}
 
 			return r, cleanup
 		},
+		// TODO: enable docker tests - currently blocked on a cross-platform way to configure either insecure registries
+		// or CA certs
+		//"docker": func(t *testing.T, cafile string) (image.Registry, cleanupFunc) {
+		//	r, err := execregistry.NewRegistry(containertools.DockerTool,
+		//		logrus.New().WithField("test", t.Name()),
+		//		cafile,
+		//	)
+		//	require.NoError(t, err)
+		//	cleanup := func() {
+		//		require.NoError(t, r.Destroy())
+		//	}
+		//
+		//	return r, cleanup
+		//},
 		// TODO: Enable buildah tests
 		// func(t *testing.T) image.Registry {
 		// 	r, err := buildahregistry.NewRegistry(
@@ -49,8 +74,11 @@ func TestRegistries(t *testing.T) {
 		// },
 	}
 
-	for _, registry := range registries {
-		testPullAndUnpack(t, registry)
+	for name, registry := range registries {
+		t.Run(name, func(t *testing.T) {
+			testPullAndUnpack(t, registry)
+		})
+
 	}
 }
 
@@ -94,10 +122,10 @@ func testPullAndUnpack(t *testing.T, newRegistry newRegistryFunc) {
 			ctx, close := context.WithCancel(context.Background())
 			defer close()
 
-			host, err := libimage.RunDockerRegistry(ctx, tt.args.dockerRootDir)
+			host, cafile, err := libimage.RunDockerRegistry(ctx, tt.args.dockerRootDir)
 			require.NoError(t, err)
 
-			r, cleanup := newRegistry(t)
+			r, cleanup := newRegistry(t, cafile)
 			defer cleanup()
 
 			ref := image.SimpleReference(host + tt.args.img)

pkg/lib/bundle/exporter.go

@@ -15,14 +15,14 @@ import (
 type BundleExporter struct {
 	image         string
 	directory     string
-	containerTool string
+	containerTool containertools.ContainerTool
 }
 
 func NewSQLExporterForBundle(image, directory, containerTool string) *BundleExporter {
 	return &BundleExporter{
 		image:         image,
 		directory:     directory,
-		containerTool: containerTool,
+		containerTool: containertools.NewContainerTool(containerTool, containertools.NoneTool),
 	}
 }
 

pkg/lib/bundle/interfaces.go

@@ -23,7 +23,7 @@ type BundleImageValidator interface {
 // NewImageValidator is a constructor that returns an ImageValidator
 func NewImageValidator(containerTool string, logger *logrus.Entry) BundleImageValidator {
 	return imageValidator{
-		imageReader: containertools.NewImageReader(containerTool, logger),
+		imageReader: containertools.NewImageReader(containertools.NewContainerTool(containerTool, containertools.NoneTool), logger),
 		logger:      logger,
 	}
 }

pkg/lib/image/registry.go

@@ -1,8 +1,23 @@
 package image
 
 import (
+	"bytes"
 	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
 	"fmt"
+	"io"
+	"io/ioutil"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"math/big"
+	"net"
+	"net/http"
+	"os"
 	"time"
 
 	"github.com/docker/distribution/configuration"
@@ -15,14 +30,45 @@ import (
 // RunDockerRegistry runs a docker registry on an available port and returns its host string if successful, otherwise it returns an error.
 // If the rootDir argument isn't empty, the registry is configured to use this as the root directory for persisting image data to the filesystem.
 // If the rootDir argument is empty, the registry is configured to keep image data in memory.
-func RunDockerRegistry(ctx context.Context, rootDir string) (string, error) {
+func RunDockerRegistry(ctx context.Context, rootDir string) (string, string, error) {
 	dockerPort, err := freeport.GetFreePort()
 	if err != nil {
-		return "", err
+		return "", "", err
+	}
+	host := fmt.Sprintf("localhost:%d", dockerPort)
+	certPool := x509.NewCertPool()
+
+	cafile, err := ioutil.TempFile("", "ca")
+	if err != nil {
+		return "", "", err
+	}
+	certfile, err := ioutil.TempFile("", "cert")
+	if err != nil {
+		return "", "", err
+	}
+	keyfile, err := ioutil.TempFile("", "key")
+	if err != nil {
+		return "", "", err
+	}
+	if err := GenerateCerts(cafile, certfile, keyfile, certPool); err != nil {
+		return "", "", err
+	}
+	if err := cafile.Close(); err != nil {
+		return "", "", err
+	}
+	if err := certfile.Close(); err != nil {
+		return "", "", err
+	}
+	if err := keyfile.Close(); err != nil {
+		return "", "", err
 	}
 
 	config := &configuration.Configuration{}
-	config.HTTP.Addr = fmt.Sprintf(":%d", dockerPort)
+	config.HTTP.Addr = host
+	config.HTTP.TLS.Certificate = certfile.Name()
+	config.HTTP.TLS.Key = keyfile.Name()
+	config.Log.Level = "debug"
+
 	if rootDir != "" {
 		config.Storage = map[string]configuration.Parameters{"filesystem": map[string]interface{}{
 			"rootdirectory": rootDir,
@@ -34,15 +80,131 @@ func RunDockerRegistry(ctx context.Context, rootDir string) (string, error) {
 
 	dockerRegistry, err := registry.NewRegistry(ctx, config)
 	if err != nil {
-		return "", err
+		return "", "", err
 	}
 
 	go func() {
+		defer func() {
+			os.Remove(cafile.Name())
+			os.Remove(certfile.Name())
+			os.Remove(keyfile.Name())
+		}()
 		if err := dockerRegistry.ListenAndServe(); err != nil {
 			panic(fmt.Errorf("docker registry stopped listening: %v", err))
 		}
 	}()
 
+	err = wait.Poll(100*time.Millisecond, 10*time.Second, func() (done bool, err error) {
+		tr := &http.Transport{TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: false,
+			RootCAs:            certPool,
+		}}
+		client := &http.Client{Transport: tr}
+		r, err := client.Get("https://"+host+"/v2/")
+		if err != nil {
+			return false, nil
+		}
+		if r.StatusCode == http.StatusOK {
+			return true, nil
+		}
+		return false, nil
+	})
+	if err != nil {
+		return "", "", err
+	}
+
 	// Return the registry host string
-	return fmt.Sprintf("localhost:%d", dockerPort), nil
+	return host, cafile.Name(), nil
+}
+
+func certToPem(der []byte) ([]byte, error) {
+	out := &bytes.Buffer{}
+	if err := pem.Encode(out, &pem.Block{Type: "CERTIFICATE", Bytes: der}); err != nil {
+		return nil, err
+	}
+	return out.Bytes(), nil
+}
+
+func keyToPem(key *ecdsa.PrivateKey) ([]byte, error) {
+	b, err := x509.MarshalECPrivateKey(key)
+	if err != nil {
+		return nil, fmt.Errorf( "unable to marshal private key: %v", err)
+	}
+	out := &bytes.Buffer{}
+	if err := pem.Encode(out, &pem.Block{Type: "EC PRIVATE KEY", Bytes: b}); err != nil {
+		return nil, err
+	}
+	return out.Bytes(), nil
+}
+
+func GenerateCerts(caWriter, certWriter, keyWriter io.Writer, pool *x509.CertPool ) error {
+	priv, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
+	if err != nil {
+		return err
+	}
+	ca := x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			Organization: []string{"test ca"},
+		},
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().Add(time.Hour),
+
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		IsCA: true,
+	}
+	cert := x509.Certificate{
+		SerialNumber: big.NewInt(2),
+		Subject: pkix.Name{
+			Organization: []string{"test cert"},
+		},
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().Add(time.Hour),
+
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		IPAddresses: []net.IP{
+			net.ParseIP("127.0.0.1"),
+			net.ParseIP("::1"),
+		},
+		DNSNames: []string{"localhost"},
+	}
+
+	caBytes, err := x509.CreateCertificate(rand.Reader, &ca, &ca, &priv.PublicKey, priv)
+	if err != nil {
+		return err
+	}
+
+	caFile, err := certToPem(caBytes)
+	if err != nil {
+		return err
+	}
+	if _, err := caWriter.Write(caFile); err != nil {
+		return err
+	}
+	pool.AppendCertsFromPEM(caFile)
+
+	certBytes, err := x509.CreateCertificate(rand.Reader, &cert, &ca, &priv.PublicKey, priv)
+	if err != nil {
+		return err
+	}
+	certFile, err := certToPem(certBytes)
+	if err != nil {
+		return err
+	}
+	if _, err := certWriter.Write(certFile); err != nil {
+		return err
+	}
+
+	keyFile, err := keyToPem(priv)
+	if err != nil {
+		return err
+	}
+	if _, err := keyWriter.Write(keyFile); err != nil {
+		return err
+	}
+	return nil
 }

pkg/lib/indexer/indexer.go

@@ -37,7 +37,7 @@ type ImageIndexer struct {
 	ImageReader         containertools.ImageReader
 	RegistryAdder       registry.RegistryAdder
 	RegistryDeleter     registry.RegistryDeleter
-	ContainerTool       string
+	ContainerTool       containertools.ContainerTool
 	Logger              *logrus.Entry
 }
 
@@ -51,6 +51,7 @@ type AddToIndexRequest struct {
 	Bundles           []string
 	Tag               string
 	Mode              pregistry.Mode
+	SkipTLS           bool
 }
 
 // AddToIndex is an aggregate API used to generate a registry index image with additional bundles
@@ -74,6 +75,7 @@ func (i ImageIndexer) AddToIndex(request AddToIndexRequest) error {
 		InputDatabase: databaseFile,
 		Permissive:    request.Permissive,
 		Mode:          request.Mode,
+		SkipTLS:       request.SkipTLS,
 	}
 
 	// Add the bundles to the registry

pkg/lib/indexer/interfaces.go

@@ -4,7 +4,6 @@ package indexer
 import (
 	"github.com/operator-framework/operator-registry/pkg/containertools"
 	"github.com/operator-framework/operator-registry/pkg/lib/registry"
-
 	"github.com/sirupsen/logrus"
 )
 
@@ -16,9 +15,9 @@ type IndexAdder interface {
 }
 
 // NewIndexAdder is a constructor that returns an IndexAdder
-func NewIndexAdder(containerTool string, logger *logrus.Entry) IndexAdder {
+func NewIndexAdder(containerTool containertools.ContainerTool, logger *logrus.Entry) IndexAdder {
 	return ImageIndexer{
-		DockerfileGenerator: containertools.NewDockerfileGenerator(containerTool, logger),
+		DockerfileGenerator: containertools.NewDockerfileGenerator(logger),
 		CommandRunner:       containertools.NewCommandRunner(containerTool, logger),
 		LabelReader:         containertools.NewLabelReader(containerTool, logger),
 		RegistryAdder:       registry.NewRegistryAdder(logger),
@@ -36,9 +35,9 @@ type IndexDeleter interface {
 }
 
 // NewIndexDeleter is a constructor that returns an IndexDeleter
-func NewIndexDeleter(containerTool string, logger *logrus.Entry) IndexDeleter {
+func NewIndexDeleter(containerTool containertools.ContainerTool, logger *logrus.Entry) IndexDeleter {
 	return ImageIndexer{
-		DockerfileGenerator: containertools.NewDockerfileGenerator(containerTool, logger),
+		DockerfileGenerator: containertools.NewDockerfileGenerator(logger),
 		CommandRunner:       containertools.NewCommandRunner(containerTool, logger),
 		LabelReader:         containertools.NewLabelReader(containerTool, logger),
 		RegistryDeleter:     registry.NewRegistryDeleter(logger),
@@ -54,9 +53,9 @@ type IndexExporter interface {
 }
 
 // NewIndexExporter is a constructor that returns an IndexExporter
-func NewIndexExporter(containerTool string, logger *logrus.Entry) IndexExporter {
+func NewIndexExporter(containerTool containertools.ContainerTool, logger *logrus.Entry) IndexExporter {
 	return ImageIndexer{
-		DockerfileGenerator: containertools.NewDockerfileGenerator(containerTool, logger),
+		DockerfileGenerator: containertools.NewDockerfileGenerator(logger),
 		CommandRunner:       containertools.NewCommandRunner(containerTool, logger),
 		LabelReader:         containertools.NewLabelReader(containerTool, logger),
 		ImageReader:         containertools.NewImageReader(containerTool, logger),

pkg/lib/registry/registry.go

@@ -2,8 +2,11 @@ package registry
 
 import (
 	"context"
+	"crypto/x509"
 	"database/sql"
 	"fmt"
+	"github.com/operator-framework/operator-registry/pkg/containertools"
+	"github.com/operator-framework/operator-registry/pkg/image/execregistry"
 	"io/ioutil"
 	"os"
 
@@ -17,15 +20,17 @@ import (
 )
 
 type RegistryUpdater struct {
-	Logger *logrus.Entry
+	Logger   *logrus.Entry
 }
 
 type AddToRegistryRequest struct {
 	Permissive    bool
 	SkipTLS       bool
+	CaFile        string
 	InputDatabase string
 	Bundles       []string
 	Mode          registry.Mode
+	ContainerTool containertools.ContainerTool
 }
 
 func (r RegistryUpdater) AddToRegistry(request AddToRegistryRequest) error {
@@ -51,16 +56,36 @@ func (r RegistryUpdater) AddToRegistry(request AddToRegistryRequest) error {
 	}
 	dbQuerier := sqlite.NewSQLLiteQuerierFromDb(db)
 
-	// TODO: Dependency inject the registry if we want to swap it out.
-	reg, destroy, err := containerdregistry.NewRegistry(
-		containerdregistry.SkipTLS(request.SkipTLS),
-	)
-	if err != nil {
-		return err
+	// add custom ca certs to resolver
+	rootCAs, err := x509.SystemCertPool()
+	if err != nil || rootCAs == nil {
+		rootCAs = x509.NewCertPool()
+	}
+	if len(request.CaFile) > 0 {
+		certs, err := ioutil.ReadFile(request.CaFile)
+		if err != nil {
+			return fmt.Errorf("failed to append %q to RootCAs: %v", certs, err)
+		}
+		if ok := rootCAs.AppendCertsFromPEM(certs); !ok {
+			return fmt.Errorf("unable to add certs specified in %s", request.CaFile)
+		}
+	}
+
+	var reg image.Registry
+	var rerr error
+	switch request.ContainerTool {
+	case containertools.NoneTool:
+		reg, rerr = containerdregistry.NewRegistry(containerdregistry.SkipTLS(request.SkipTLS), containerdregistry.WithRootCAs(rootCAs))
+	case containertools.PodmanTool:
+	case containertools.DockerTool:
+		reg, rerr = execregistry.NewRegistry(request.ContainerTool, r.Logger)
+	}
+	if rerr != nil {
+		return rerr
 	}
 	defer func() {
-		if err := destroy(); err != nil {
-			r.Logger.WithError(err).Warn("error destroying internal image registry")
+		if err := reg.Destroy(); err != nil {
+			r.Logger.WithError(err).Warn("error destroying local cache")
 		}
 	}()
 

test/e2e/opm_test.go

@@ -3,6 +3,7 @@ package e2e_test
 import (
 	"context"
 	"database/sql"
+	"github.com/operator-framework/operator-registry/pkg/containertools"
 	"io/ioutil"
 	"os"
 	"os/exec"
@@ -86,7 +87,7 @@ func buildIndexWith(containerTool string) error {
 		bundleImage + ":" + bundleTag2,
 	}
 	logger := logrus.WithFields(logrus.Fields{"bundles": bundles})
-	indexAdder := indexer.NewIndexAdder(containerTool, logger)
+	indexAdder := indexer.NewIndexAdder(containertools.NewContainerTool(containerTool, containertools.NoneTool), logger)
 
 	request := indexer.AddToIndexRequest{
 		Generate:          false,
@@ -106,7 +107,7 @@ func buildFromIndexWith(containerTool string) error {
 		bundleImage + ":" + bundleTag3,
 	}
 	logger := logrus.WithFields(logrus.Fields{"bundles": bundles})
-	indexAdder := indexer.NewIndexAdder(containerTool, logger)
+	indexAdder := indexer.NewIndexAdder(containertools.NewContainerTool(containerTool, containertools.NoneTool), logger)
 
 	request := indexer.AddToIndexRequest{
 		Generate:          false,
@@ -141,7 +142,7 @@ func pushBundles(containerTool string) error {
 
 func exportWith(containerTool string) error {
 	logger := logrus.WithFields(logrus.Fields{"package": packageName})
-	indexExporter := indexer.NewIndexExporter(containerTool, logger)
+	indexExporter := indexer.NewIndexExporter(containertools.NewContainerTool(containerTool, containertools.NoneTool), logger)
 
 	request := indexer.ExportFromIndexRequest{
 		Index:         indexImage2,