chore(deps): bump ossf/scorecard-action from 1.1.1 to 2.0.4

.github/workflows/scorecards-analysis.yml

@@ -26,7 +26,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@3e15ea8318eee9b333819ec77a36aca8d39df13e
+        uses: ossf/scorecard-action@e363bfca00e752f91de7b7d2a77340e2e523cb18
         with:
           results_file: results.sarif
           results_format: sarif

pkg/buildcontext/s3.go

@@ -18,16 +18,20 @@ package buildcontext
 
 import (
 	"fmt"
+	"github.com/aws/aws-sdk-go/aws/request"
 	"os"
 	"path/filepath"
 	"strings"
+	"time"
 
 	kConfig "github.com/GoogleContainerTools/kaniko/pkg/config"
 	"github.com/GoogleContainerTools/kaniko/pkg/constants"
 	"github.com/GoogleContainerTools/kaniko/pkg/util"
 	"github.com/GoogleContainerTools/kaniko/pkg/util/bucket"
 	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/aws/aws-sdk-go/aws/session"
+	signer "github.com/aws/aws-sdk-go/aws/signer/v4"
 	"github.com/aws/aws-sdk-go/service/s3"
 	"github.com/aws/aws-sdk-go/service/s3/s3manager"
 )
@@ -56,13 +60,42 @@ func (s *S3) UnpackTarFromBuildContext() (string, error) {
 		option.Config = aws.Config{
 			Endpoint:         aws.String(endpoint),
 			S3ForcePathStyle: aws.Bool(forcePath),
+			DisableSSL:       aws.Bool(true),
+			Credentials:      credentials.NewStaticCredentials(os.Getenv(constants.S3StaticAccessKey), os.Getenv(constants.S3StaticSecret), ""),
 		}
 	}
 	sess, err := session.NewSessionWithOptions(option)
 	if err != nil {
 		return bucket, err
 	}
-	downloader := s3manager.NewDownloader(sess)
+
+	s3Client := s3.New(sess)
+	if os.Getenv(constants.S3Host) != "" {
+		sig := signer.NewSigner(credentials.NewStaticCredentials(os.Getenv(constants.S3StaticAccessKey), os.Getenv(constants.S3StaticSecret), ""))
+
+		//s3Client.Handlers.Sign.Clear()
+		s3Client.Handlers.Sign.PushBack(func(request *request.Request) {
+			originalHost := request.HTTPRequest.Host
+			originalHost2 := request.HTTPRequest.URL.Host
+			defer func() {
+				request.HTTPRequest.Host = originalHost
+				request.HTTPRequest.URL.Host = originalHost2
+			}()
+			request.HTTPRequest.Host = os.Getenv(constants.S3Host)
+			request.HTTPRequest.URL.Host = os.Getenv(constants.S3Host)
+			region := "us-east-1"
+			if os.Getenv("AWS_REGION") != "" {
+				region = os.Getenv("AWS_REGION")
+			}
+			t := time.Now()
+			_, err := sig.Sign(request.HTTPRequest, request.Body, "s3", region, t)
+			if err != nil {
+				panic(err)
+				return
+			}
+		})
+	}
+	downloader := s3manager.NewDownloaderWithClient(s3Client)
 	directory := kConfig.BuildContextDir
 	tarPath := filepath.Join(directory, constants.ContextTar)
 	if err := os.MkdirAll(directory, 0750); err != nil {

pkg/constants/constants.go

@@ -56,8 +56,11 @@ const (
 	Dockerignore = ".dockerignore"
 
 	// S3 Custom endpoint ENV name
-	S3EndpointEnv    = "S3_ENDPOINT"
-	S3ForcePathStyle = "S3_FORCE_PATH_STYLE"
+	S3EndpointEnv     = "S3_ENDPOINT"
+	S3ForcePathStyle  = "S3_FORCE_PATH_STYLE"
+	S3StaticAccessKey = "S3_STATIC_ACCESS_KEYID"
+	S3StaticSecret    = "S3_STATIC_ACCESS_SECRET"
+	S3Host            = "S3_HOST"
 )
 
 // ScratchEnvVars are the default environment variables needed for a scratch image.