diff --git a/driver/remote/driver.go b/driver/remote/driver.go
index a931e298..eaafc2ac 100644
--- a/driver/remote/driver.go
+++ b/driver/remote/driver.go
@@ -78,7 +78,10 @@ func (d *Driver) Rm(ctx context.Context, force, rmVolume, rmDaemon bool) error {
 func (d *Driver) Client(ctx context.Context) (*client.Client, error) {
 opts := []client.ClientOpt{}
 if d.tlsOpts != nil {
- opts = append(opts, client.WithCredentials(d.tlsOpts.serverName, d.tlsOpts.caCert, d.tlsOpts.cert, d.tlsOpts.key))
+ opts = append(opts, []client.ClientOpt{
+ client.WithServerConfig(d.tlsOpts.serverName, d.tlsOpts.caCert),
+ client.WithCredentials(d.tlsOpts.cert, d.tlsOpts.key),
+ }...)
 }
 
 return client.New(ctx, d.InitConfig.EndpointAddr, opts...)
diff --git a/go.mod b/go.mod
index 2a15ef9b..b02a3a08 100644
--- a/go.mod
+++ b/go.mod
@@ -20,7 +20,7 @@ require (
 github.com/google/uuid v1.3.0
 github.com/hashicorp/go-cty-funcs v0.0.0-20200930094925-2721b1e36840
 github.com/hashicorp/hcl/v2 v2.8.2
- github.com/moby/buildkit v0.11.0-rc3.0.20230330090027-8b7bcb900d3c
+ github.com/moby/buildkit v0.11.0-rc3.0.20230411142536-333ee9158128
 github.com/moby/sys/mountinfo v0.6.2
 github.com/moby/sys/signal v0.7.0
 github.com/morikuni/aec v1.0.0
@@ -119,7 +119,6 @@ require (
 github.com/json-iterator/go v1.1.12 // indirect
 github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 // indirect
 github.com/klauspost/compress v1.16.0 // indirect
- github.com/kr/pretty v0.3.0 // indirect
 github.com/mailru/easyjson v0.7.6 // indirect
 github.com/mattn/go-shellwords v1.0.12 // indirect
 github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
diff --git a/go.sum b/go.sum
index 037f00ed..8fa4bd6b 100644
--- a/go.sum
+++ b/go.sum
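Review bot: With an empty `d.tlsOpts.caCert` the new `client.WithServerConfig(d.tlsOpts.serverName, d.tlsOpts.caCert)` call no longer fails early: the vendored `loadCredentials` in this same commit only reads the CA file when `caCert != ""` and otherwise leaves `RootCAs` as an empty `x509.NewCertPool()`, so the handshake should fail with an unknown-authority error at dial time instead of the former `could not read ca certificate` from `os.ReadFile("")`. If `tlsOpts` can be constructed without a CA path (not visible here), either opt into the system roots for that case, `client.WithServerConfigSystem(d.tlsOpts.serverName)`, or reject the empty path up front with an explicit error before appending the options. A one-line comment on the `if d.tlsOpts != nil` branch, e.g. `// no tlsOpts: client.New falls back to insecure transport credentials`, would also document the plaintext default that the vendored `if creds == nil` branch applies. `Client`'s closing brace is outside the hunk.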
@@ -384,7 +384,6 @@ github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORN
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
-github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -408,8 +407,8 @@ github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7 h1:DpOJ2HYzC
 github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/moby/buildkit v0.11.0-rc3.0.20230330090027-8b7bcb900d3c h1:JZvvWzulcnA2G4c/gJiSIqKDUoBjctYw2WMuS+XJexU=
-github.com/moby/buildkit v0.11.0-rc3.0.20230330090027-8b7bcb900d3c/go.mod h1:NehrLo0nsnhS/+X+XyhU4LNucb1ndYXgPBOx/JNWVDA=
+github.com/moby/buildkit v0.11.0-rc3.0.20230411142536-333ee9158128 h1:MpK1e4TlETVYELLbzaxmbvQrftq1TWYoOftFiSNk/iE=
+github.com/moby/buildkit v0.11.0-rc3.0.20230411142536-333ee9158128/go.mod h1:GwK84qTEVfkyvAhd6aET84FRzND+lrQZC0pTesljST0=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
 github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
 github.com/moby/patternmatcher v0.5.0 h1:YCZgJOeULcxLw1Q+sVR636pmS7sPEn1Qo2iAN6M7DBo=
@@ -496,7 +495,6 @@ github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0ua
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-charset v0.0.0-20180617210344-2471d30d28b4/go.mod h1:qgYeAmZ5ZIpBWTGllZSQnw97Dj+woV0toclVaRGI8pc=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
 github.com/rogpeppe/go-internal v1.8.1 h1:geMPLpDpQOgVyCg5z5GoRwLHepNdb71NXb67XFkP+Eg=
 github.com/rogpeppe/go-internal v1.8.1/go.mod h1:JeRgkft04UBgHMgCIwADu4Pn6Mtm5d4nPKWu0nJ5d+o=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
diff --git a/vendor/github.com/moby/buildkit/client/client.go b/vendor/github.com/moby/buildkit/client/client.go
index c02162bc..8ef7cab2 100644
--- a/vendor/github.com/moby/buildkit/client/client.go
+++ b/vendor/github.com/moby/buildkit/client/client.go
@@ -45,8 +45,6 @@ func New(ctx context.Context, address string, opts ...ClientOpt) (*Client, error
 grpc.WithDefaultCallOptions(grpc.MaxCallSendMsgSize(defaults.DefaultMaxSendMsgSize)),
 }
 needDialer := true
- needWithInsecure := true
- tlsServerName := ""
 
 var unary []grpc.UnaryClientInterceptor
 var stream []grpc.StreamClientInterceptor
@@ -56,19 +54,17 @@ func New(ctx context.Context, address string, opts ...ClientOpt) (*Client, error
 var tracerDelegate TracerDelegate
 var sessionDialer func(context.Context, string, map[string][]string) (net.Conn, error)
 var customDialOptions []grpc.DialOption
+ var creds *withCredentials
 
 for _, o := range opts {
 if _, ok := o.(*withFailFast); ok {
 gopts = append(gopts, grpc.FailOnNonTempDialError(true))
 }
 if credInfo, ok := o.(*withCredentials); ok {
- opt, err := loadCredentials(credInfo)
- if err != nil {
- return nil, err
+ if creds == nil {
+ creds = &withCredentials{}
 }
- gopts = append(gopts, opt)
- needWithInsecure = false
- tlsServerName = credInfo.ServerName
+ creds = creds.merge(credInfo)
 }
 if wt, ok := o.(*withTracer); ok {
 customTracer = true
@@ -89,6 +85,16 @@ func New(ctx context.Context, address string, opts ...ClientOpt) (*Client, error
 }
 }
 
+ if creds == nil {
+ gopts = append(gopts, grpc.WithTransportCredentials(insecure.NewCredentials()))
+ } else {
+ credOpts, err := loadCredentials(creds)
+ if err != nil {
+ return nil, err
+ }
+ gopts = append(gopts, credOpts)
+ }
+
 if !customTracer {
 if span := trace.SpanFromContext(ctx); span.SpanContext().IsValid() {
 tracerProvider = span.TracerProvider()
@@ -108,9 +114,6 @@ func New(ctx context.Context, address string, opts ...ClientOpt) (*Client, error
 }
 gopts = append(gopts, grpc.WithContextDialer(dialFn))
 }
- if needWithInsecure {
- gopts = append(gopts, grpc.WithTransportCredentials(insecure.NewCredentials()))
- }
 if address == "" {
 address = appdefaults.Address
 }
@@ -122,7 +125,10 @@ func New(ctx context.Context, address string, opts ...ClientOpt) (*Client, error
 // ref: https://datatracker.ietf.org/doc/html/rfc7540#section-8.1.2.3
 // - However, when TLS specified, grpc-go requires it must match
 // with its servername specified for certificate validation.
- authority := tlsServerName
+ var authority string
+ if creds != nil && creds.serverName != "" {
+ authority = creds.serverName
+ }
 if authority == "" {
 // authority as hostname from target address
 uri, err := url.Parse(address)
@@ -201,47 +207,108 @@ func WithContextDialer(df func(context.Context, string) (net.Conn, error)) Clien } type withCredentials struct { - ServerName string - CACert string - Cert string - Key string + // server options + serverName string + caCert string + caCertSystem bool + + // client options + cert string + key string +} + +func (opts *withCredentials) merge(opts2 *withCredentials) *withCredentials { + result := *opts + if opts2 == nil { + return &result + } + + // server options + if opts2.serverName != "" { + result.serverName = opts2.serverName + } + if opts2.caCert != "" { + result.caCert = opts2.caCert + } + if opts2.caCertSystem { + result.caCertSystem = opts2.caCertSystem + } + + // client options + if opts2.cert != "" { + result.cert = opts2.cert + } + if opts2.key != "" { + result.key = opts2.key + } + + return &result } func (*withCredentials) isClientOpt() {} // WithCredentials configures the TLS parameters of the client. // Arguments: -// * serverName: specifies the name of the target server -// * ca: specifies the filepath of the CA certificate to use for verification -// * cert: specifies the filepath of the client certificate -// * key: specifies the filepath of the client key -func WithCredentials(serverName, ca, cert, key string) ClientOpt { - return &withCredentials{serverName, ca, cert, key} +// * cert: specifies the filepath of the client certificate +// * key: specifies the filepath of the client key +func WithCredentials(cert, key string) ClientOpt { + return &withCredentials{ + cert: cert, + key: key, + } +} + +// WithServerConfig configures the TLS parameters to connect to the server. 
+// Arguments: +// * serverName: specifies the server name to verify the hostname +// * caCert: specifies the filepath of the CA certificate +func WithServerConfig(serverName, caCert string) ClientOpt { + return &withCredentials{ + serverName: serverName, + caCert: caCert, + } +} + +// WithServerConfigSystem configures the TLS parameters to connect to the +// server, using the system's certificate pool. +func WithServerConfigSystem(serverName string) ClientOpt { + return &withCredentials{ + serverName: serverName, + caCertSystem: true, + } } func loadCredentials(opts *withCredentials) (grpc.DialOption, error) { - ca, err := os.ReadFile(opts.CACert) - if err != nil { - return nil, errors.Wrap(err, "could not read ca certificate") + cfg := &tls.Config{} + + if opts.caCertSystem { + cfg.RootCAs, _ = x509.SystemCertPool() + } + if cfg.RootCAs == nil { + cfg.RootCAs = x509.NewCertPool() } - certPool := x509.NewCertPool() - if ok := certPool.AppendCertsFromPEM(ca); !ok { - return nil, errors.New("failed to append ca certs") + if opts.caCert != "" { + ca, err := os.ReadFile(opts.caCert) + if err != nil { + return nil, errors.Wrap(err, "could not read ca certificate") + } + if ok := cfg.RootCAs.AppendCertsFromPEM(ca); !ok { + return nil, errors.New("failed to append ca certs") + } } - cfg := &tls.Config{ - ServerName: opts.ServerName, - RootCAs: certPool, + if opts.serverName != "" { + cfg.ServerName = opts.serverName } // we will produce an error if the user forgot about either cert or key if at least one is specified - if opts.Cert != "" || opts.Key != "" { - cert, err := tls.LoadX509KeyPair(opts.Cert, opts.Key) + if opts.cert != "" || opts.key != "" { + cert, err := tls.LoadX509KeyPair(opts.cert, opts.key) if err != nil { return nil, errors.Wrap(err, "could not read certificate/key") } - cfg.Certificates = []tls.Certificate{cert} + cfg.Certificates = append(cfg.Certificates, cert) } return grpc.WithTransportCredentials(credentials.NewTLS(cfg)), nil 
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 610a2937..671810f9 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -475,8 +475,6 @@ github.com/klauspost/compress/internal/cpuinfo
 github.com/klauspost/compress/internal/snapref
 github.com/klauspost/compress/zstd
 github.com/klauspost/compress/zstd/internal/xxhash
-# github.com/kr/pretty v0.3.0
-## explicit; go 1.12
 # github.com/mailru/easyjson v0.7.6
 ## explicit; go 1.12
 github.com/mailru/easyjson/buffer
@@ -497,7 +495,7 @@ github.com/mitchellh/go-wordwrap
 # github.com/mitchellh/mapstructure v1.5.0
 ## explicit; go 1.14
 github.com/mitchellh/mapstructure
-# github.com/moby/buildkit v0.11.0-rc3.0.20230330090027-8b7bcb900d3c
+# github.com/moby/buildkit v0.11.0-rc3.0.20230411142536-333ee9158128
 ## explicit; go 1.20
 github.com/moby/buildkit/api/services/control
 github.com/moby/buildkit/api/types