github.com/containerd/nerdctl@v1.7.7/cmd/nerdctl/image_decrypt.go (about)

     1  /*
     2     Copyright The containerd Authors.
     3  
     4     Licensed under the Apache License, Version 2.0 (the "License");
     5     you may not use this file except in compliance with the License.
     6     You may obtain a copy of the License at
     7  
     8         http://www.apache.org/licenses/LICENSE-2.0
     9  
    10     Unless required by applicable law or agreed to in writing, software
    11     distributed under the License is distributed on an "AS IS" BASIS,
    12     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13     See the License for the specific language governing permissions and
    14     limitations under the License.
    15  */
    16  
    17  package main
    18  
    19  import (
    20  	"github.com/spf13/cobra"
    21  )
    22  
// imageDecryptHelp is the long help text shown for the "decrypt" command.
//
// Security note on the password forms listed in the text: the
// <filename>:<password> and <filename>:pass=<password> forms carry the
// passphrase in the command-line arguments, where it can typically be read by
// other local users through the process list and may be saved in shell
// history. The fd= and filename= forms keep the passphrase out of argv.
//
// NOTE(review): the encrypt example runs "openssl genrsa" without a cipher
// option, so mykey.pem is written without passphrase protection; anyone
// following the example should keep that file under restrictive permissions.
const imageDecryptHelp = `Decrypt an image locally.

Use '--key' to specify the private keys.
Private keys in PEM format may be encrypted and the password may be passed
along in any of the following formats:
- <filename>:<password>
- <filename>:pass=<password>
- <filename>:fd=<file descriptor> (not available for rootless mode)
- <filename>:filename=<password file>

Use '--platform' to define the platforms to decrypt. Defaults to the host platform.
When '--all-platforms' is given all images in a manifest list must be available.
Unspecified platforms are omitted from the output image.

Example (encrypt):
  openssl genrsa -out mykey.pem
  openssl rsa -in mykey.pem -pubout -out mypubkey.pem
  nerdctl image encrypt --recipient=jwe:mypubkey.pem --platform=linux/amd64,linux/arm64 foo example.com/foo:encrypted
  nerdctl push example.com/foo:encrypted

Example (decrypt):
  nerdctl pull --unpack=false example.com/foo:encrypted
  nerdctl image decrypt --key=mykey.pem example.com/foo:encrypted foo:decrypted
`
    47  
// newImageDecryptCommand builds the cobra command for "decrypt".
//
// The command requires at least two positional arguments (a source reference
// followed by one or more target references) and uses imageDecryptHelp as its
// long help. Cobra's own usage and error printing are silenced, so reporting
// of the error returned by RunE is left to the caller.
//
// NOTE(review): the false passed to getImgcryptAction and
// registerImgcryptFlags presumably selects decrypt (as opposed to encrypt)
// behaviour; both helpers are defined elsewhere, so confirm there. The flags
// that carry private-key material are registered by registerImgcryptFlags.
func newImageDecryptCommand() *cobra.Command {
	decryptCmd := new(cobra.Command)

	// Usage and help text.
	decryptCmd.Use = "decrypt [flags] <source_ref> <target_ref>..."
	decryptCmd.Short = "decrypt an image"
	decryptCmd.Long = imageDecryptHelp

	// Argument validation, action and shell completion.
	decryptCmd.Args = cobra.MinimumNArgs(2)
	decryptCmd.RunE = getImgcryptAction(false)
	decryptCmd.ValidArgsFunction = imgcryptShellComplete

	// Keep cobra from printing usage or the error on failure.
	decryptCmd.SilenceUsage = true
	decryptCmd.SilenceErrors = true

	registerImgcryptFlags(decryptCmd, false)
	return decryptCmd
}