Temporarily remove imgcrypt in CRI to fix circular dependency

Signed-off-by: Derek McGowan <[email protected]>
mbhavya · Oct 27, 2023 · 638b474 · 638b474
1 parent 1921680
commit 638b474
Show file tree

Hide file tree

Showing 171 changed files with 39 additions and 47,811 deletions.
diff --git a/go.mod b/go.mod
@@ -17,7 +17,6 @@ require (
 	github.com/containerd/fifo v1.1.0
 	github.com/containerd/go-cni v1.1.9
 	github.com/containerd/go-runc v1.1.0
-	github.com/containerd/imgcrypt v1.1.7
 	github.com/containerd/log v0.1.0
 	github.com/containerd/nri v0.5.0
 	github.com/containerd/ttrpc v1.2.2
@@ -83,8 +82,6 @@ require (
 	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/cilium/ebpf v0.9.1 // indirect
-	github.com/containerd/typeurl v1.0.2 // indirect
-	github.com/containers/ocicrypt v1.1.6 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/emicklei/go-restful/v3 v3.10.2 // indirect
 	github.com/go-logr/logr v1.2.4 // indirect
@@ -100,7 +97,6 @@ require (
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.5 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
-	github.com/miekg/pkcs11 v1.1.1 // indirect
 	github.com/moby/spdystream v0.2.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
@@ -110,15 +106,12 @@ require (
 	github.com/prometheus/common v0.44.0 // indirect
 	github.com/prometheus/procfs v0.10.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980 // indirect
 	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect
 	github.com/vishvananda/netns v0.0.4 // indirect
-	go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.14.0 // indirect
 	go.opentelemetry.io/otel/metric v0.37.0 // indirect
 	go.opentelemetry.io/proto/otlp v0.19.0 // indirect
-	golang.org/x/crypto v0.14.0 // indirect
 	golang.org/x/mod v0.12.0 // indirect
 	golang.org/x/net v0.17.0 // indirect
 	golang.org/x/oauth2 v0.10.0 // indirect
@@ -130,7 +123,6 @@ require (
 	google.golang.org/genproto v0.0.0-20230720185612-659f7aaaa771 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20230726155614-23370e0ffb3e // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/api v0.28.2 // indirect

diff --git a/go.sum b/go.sum
diff --git a/pkg/cri/server/images/image_pull.go b/pkg/cri/server/images/image_pull.go
@@ -33,8 +33,6 @@ import (
 	"sync/atomic"
 	"time"
 
-	"github.com/containerd/imgcrypt"
-	"github.com/containerd/imgcrypt/images/encryption"
 	imagedigest "github.com/opencontainers/go-digest"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1"
@@ -171,7 +169,8 @@ func (c *CRIImageService) PullImage(ctx context.Context, r *runtime.PullImageReq
 		}),
 	}
 
-	pullOpts = append(pullOpts, c.encryptedImagesPullOpts()...)
+	// Temporarily removed for v2 upgrade
+	//pullOpts = append(pullOpts, c.encryptedImagesPullOpts()...)
 	if !c.config.ContainerdConfig.DisableSnapshotAnnotations {
 		pullOpts = append(pullOpts,
 			containerd.WithImageHandlerWrapper(snpkg.AppendInfoHandlerWrapper(ref)))
@@ -545,15 +544,16 @@ func newTransport() *http.Transport {
 
 // encryptedImagesPullOpts returns the necessary list of pull options required
 // for decryption of encrypted images based on the cri decryption configuration.
-func (c *CRIImageService) encryptedImagesPullOpts() []containerd.RemoteOpt {
-	if c.config.ImageDecryption.KeyModel == criconfig.KeyModelNode {
-		ltdd := imgcrypt.Payload{}
-		decUnpackOpt := encryption.WithUnpackConfigApplyOpts(encryption.WithDecryptedUnpack(&ltdd))
-		opt := containerd.WithUnpackOpts([]containerd.UnpackOpt{decUnpackOpt})
-		return []containerd.RemoteOpt{opt}
-	}
-	return nil
-}
+// Temporarily removed for v2 upgrade
+//func (c *CRIImageService) encryptedImagesPullOpts() []containerd.RemoteOpt {
+//	if c.config.ImageDecryption.KeyModel == criconfig.KeyModelNode {
+//		ltdd := imgcrypt.Payload{}
+//		decUnpackOpt := encryption.WithUnpackConfigApplyOpts(encryption.WithDecryptedUnpack(&ltdd))
+//		opt := containerd.WithUnpackOpts([]containerd.UnpackOpt{decUnpackOpt})
+//		return []containerd.RemoteOpt{opt}
+//	}
+//	return nil
+//}
 
 const (
 	// minPullProgressReportInternal is used to prevent the reporter from

diff --git a/pkg/cri/server/images/image_pull_test.go b/pkg/cri/server/images/image_pull_test.go
@@ -348,32 +348,33 @@ func TestDefaultScheme(t *testing.T) {
 	}
 }
 
-func TestEncryptedImagePullOpts(t *testing.T) {
-	for _, test := range []struct {
-		desc         string
-		keyModel     string
-		expectedOpts int
-	}{
-		{
-			desc:         "node key model should return one unpack opt",
-			keyModel:     criconfig.KeyModelNode,
-			expectedOpts: 1,
-		},
-		{
-			desc:         "no key model selected should default to node key model",
-			keyModel:     "",
-			expectedOpts: 0,
-		},
-	} {
-		test := test
-		t.Run(test.desc, func(t *testing.T) {
-			c := newTestCRIService()
-			c.config.ImageDecryption.KeyModel = test.keyModel
-			got := len(c.encryptedImagesPullOpts())
-			assert.Equal(t, test.expectedOpts, got)
-		})
-	}
-}
+// Temporarily remove for v2 upgrade
+//func TestEncryptedImagePullOpts(t *testing.T) {
+//	for _, test := range []struct {
+//		desc         string
+//		keyModel     string
+//		expectedOpts int
+//	}{
+//		{
+//			desc:         "node key model should return one unpack opt",
+//			keyModel:     criconfig.KeyModelNode,
+//			expectedOpts: 1,
+//		},
+//		{
+//			desc:         "no key model selected should default to node key model",
+//			keyModel:     "",
+//			expectedOpts: 0,
+//		},
+//	} {
+//		test := test
+//		t.Run(test.desc, func(t *testing.T) {
+//			c := newTestCRIService()
+//			c.config.ImageDecryption.KeyModel = test.keyModel
+//			got := len(c.encryptedImagesPullOpts())
+//			assert.Equal(t, test.expectedOpts, got)
+//		})
+//	}
+//}
 
 func TestSnapshotterFromPodSandboxConfig(t *testing.T) {
 	defaultSnashotter := "native"

diff --git a/vendor/github.com/containerd/imgcrypt/.gitignore b/vendor/github.com/containerd/imgcrypt/.gitignore
diff --git a/vendor/github.com/containerd/imgcrypt/.golangci.yml b/vendor/github.com/containerd/imgcrypt/.golangci.yml
diff --git a/vendor/github.com/containerd/imgcrypt/CHANGES b/vendor/github.com/containerd/imgcrypt/CHANGES