Add support for remote manifest

Supports http(s) urls for manifest.

It implements the following safeguards
- HTTP timeout (30s)
- File size validation (10MB)
- YAML validation
- YAML document limit (10)
- Prevent redirect loops

Signed-off-by: Pradipta Banerjee <[email protected]>

Author: bpradipt

cmd/apply.go

@@ -30,17 +30,20 @@ var applyCmd = &cobra.Command{
 	Long: `Transform a regular Kubernetes manifest to a CoCo-enabled manifest and apply it.
 
 This command will:
-  1. Load the specified manifest
+  1. Load the specified manifest (local file or URL)
   2. Add/update RuntimeClass
   3. Add initdata annotation
   4. Add first initContainer for attestation (if requested)
   5. Save a backup of the transformed manifest (*-coco.yaml)
   6. Apply the transformed manifest using kubectl
 
+Supports both local files and remote URLs (http/https).
+
 Example:
   kubectl coco apply -f app.yaml
   kubectl coco apply -f app.yaml --runtime-class kata-remote
-  kubectl coco apply -f app.yaml --init-container`,
+  kubectl coco apply -f app.yaml --init-container
+  kubectl coco apply -f https://raw.githubusercontent.com/user/repo/main/app.yaml`,
 	RunE: runApply,
 }
 
@@ -64,7 +67,7 @@ var (
 func init() {
 	rootCmd.AddCommand(applyCmd)
 
-	applyCmd.Flags().StringVarP(&manifestFile, "filename", "f", "", "Path to Kubernetes manifest file (required)")
+	applyCmd.Flags().StringVarP(&manifestFile, "filename", "f", "", "Path to Kubernetes manifest file or URL (required)")
 	applyCmd.Flags().StringVar(&runtimeClass, "runtime-class", "", "RuntimeClass to use (default from config)")
 	applyCmd.Flags().BoolVar(&addInitContainer, "init-container", false, "Add default attestation initContainer")
 	applyCmd.Flags().StringVar(&initContainerImg, "init-container-img", "", "Custom init container image (requires --init-container)")
@@ -110,9 +113,26 @@ func runApply(_ *cobra.Command, _ []string) error {
 		rc = cfg.RuntimeClass
 	}
 
+	// Handle remote files
+	actualManifestFile := manifestFile
+	var tempFile string
+	if isRemoteFile(manifestFile) {
+		fmt.Printf("Downloading remote manifest: %s\n", manifestFile)
+		var err error
+		tempFile, err = downloadRemoteFile(manifestFile)
+		if err != nil {
+			return fmt.Errorf("failed to download remote manifest: %w", err)
+		}
+		defer func() {
+			_ = os.Remove(tempFile)
+		}()
+		actualManifestFile = tempFile
+		fmt.Printf("Downloaded to: %s\n", tempFile)
+	}
+
 	// Load manifest (supports multi-document YAML)
-	fmt.Printf("Loading manifest: %s\n", manifestFile)
-	manifestSet, err := manifest.LoadMultiDocument(manifestFile)
+	fmt.Printf("Loading manifest: %s\n", actualManifestFile)
+	manifestSet, err := manifest.LoadMultiDocument(actualManifestFile)
 	if err != nil {
 		return fmt.Errorf("failed to load manifest: %w", err)
 	}

cmd/common.go

@@ -0,0 +1,211 @@
+package cmd
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"net/url"
+	"os"
+	"time"
+
+	"gopkg.in/yaml.v3"
+)
+
+const (
+	// maxYAMLDocuments is the maximum number of YAML documents allowed in a manifest file
+	// Typical K8s manifests have 1-5 documents. This limit protects against accidentally
+	// parsing non-YAML content (like HTML) which could be interpreted as many documents.
+	maxYAMLDocuments = 10
+
+	// maxManifestSize is the maximum size allowed for a remote manifest file
+	// Typical K8s manifests are a few KB. This limit (10MB) protects against excessive
+	// disk usage from malicious or misconfigured remote URLs.
+	maxManifestSize = 10 * 1024 * 1024 // 10MB
+
+	// maxRedirects is the maximum number of HTTP redirects to follow
+	// This prevents redirect loops and excessive redirect chains.
+	maxRedirects = 5
+)
+
+// isRemoteFile checks if the given path is a URL
+func isRemoteFile(path string) bool {
+	u, err := url.Parse(path)
+	if err != nil {
+		return false
+	}
+	return u.Scheme == "http" || u.Scheme == "https"
+}
+
+// isPrivateIP checks if an IP address is in a private/internal range
+func isPrivateIP(ip net.IP) bool {
+	// Check for loopback addresses (127.0.0.0/8, ::1)
+	if ip.IsLoopback() {
+		return true
+	}
+
+	// Check for link-local addresses (169.254.0.0/16, fe80::/10)
+	if ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() {
+		return true
+	}
+
+	// Check for private IPv4 ranges
+	// 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
+	privateIPv4Ranges := []string{
+		"10.0.0.0/8",
+		"172.16.0.0/12",
+		"192.168.0.0/16",
+	}
+
+	for _, cidr := range privateIPv4Ranges {
+		_, network, _ := net.ParseCIDR(cidr)
+		if network.Contains(ip) {
+			return true
+		}
+	}
+
+	// Check for private IPv6 ranges (fc00::/7 - Unique Local Addresses)
+	if len(ip) == net.IPv6len && (ip[0] == 0xfc || ip[0] == 0xfd) {
+		return true
+	}
+
+	return false
+}
+
+// downloadRemoteFile downloads a remote file and returns the path to a temporary file
+func downloadRemoteFile(remoteURL string) (string, error) {
+	// Track redirect count to prevent loops and excessive redirects
+	redirectCount := 0
+
+	// Create HTTP client with timeout and redirect validation
+	client := &http.Client{
+		Timeout: 30 * time.Second,
+		CheckRedirect: func(req *http.Request, _ []*http.Request) error {
+			// Limit number of redirects
+			redirectCount++
+			if redirectCount > maxRedirects {
+				return fmt.Errorf("too many redirects (max: %d)", maxRedirects)
+			}
+
+			// Validate redirect URL scheme
+			if req.URL.Scheme != "http" && req.URL.Scheme != "https" {
+				return fmt.Errorf("redirect to unsupported scheme: %s", req.URL.Scheme)
+			}
+
+			// Resolve hostname to IP addresses for SSRF protection
+			hostname := req.URL.Hostname()
+			ips, err := net.LookupIP(hostname)
+			if err != nil {
+				// DNS lookup failed - this could be temporary or the hostname might not exist
+				// We allow the redirect to proceed and let the actual HTTP request handle the error
+				// This avoids blocking legitimate redirects due to transient DNS issues
+				// nolint:nilerr // Intentionally returning nil when DNS lookup fails
+				return nil
+			}
+
+			// Check if any resolved IP is private/internal (SSRF protection)
+			for _, ip := range ips {
+				if isPrivateIP(ip) {
+					return fmt.Errorf("redirect to private/internal IP address blocked: %s resolves to %s", hostname, ip.String())
+				}
+			}
+
+			return nil
+		},
+	}
+
+	// Download the file
+	// #nosec G107 - URL is user-provided manifest location
+	resp, err := client.Get(remoteURL)
+	if err != nil {
+		return "", fmt.Errorf("failed to download remote file: %w", err)
+	}
+	defer func() {
+		_ = resp.Body.Close()
+	}()
+
+	if resp.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("failed to download remote file: HTTP %d", resp.StatusCode)
+	}
+
+	// Check Content-Length header if available to fail fast
+	if resp.ContentLength > 0 && resp.ContentLength > maxManifestSize {
+		return "", fmt.Errorf("remote file too large: %d bytes (max: %d bytes)", resp.ContentLength, maxManifestSize)
+	}
+
+	// Check Content-Type header (if present)
+	// Note: We don't enforce Content-Type validation because some servers
+	// (like GitHub raw.githubusercontent.com) serve YAML as text/plain
+	contentType := resp.Header.Get("Content-Type")
+
+	// Use LimitReader as safety net to enforce hard limit
+	// (in case Content-Length is not set, incorrect, or malicious)
+	// Read one extra byte to detect if limit was exceeded
+	limitedReader := io.LimitReader(resp.Body, maxManifestSize+1)
+	content, err := io.ReadAll(limitedReader)
+	if err != nil {
+		return "", fmt.Errorf("failed to read response body: %w", err)
+	}
+
+	// Check if we exceeded the size limit
+	if len(content) > maxManifestSize {
+		return "", fmt.Errorf("remote file too large: exceeds maximum size of %d bytes", maxManifestSize)
+	}
+
+	// Validate that content is valid YAML
+	if err := validateYAML(content); err != nil {
+		return "", fmt.Errorf("downloaded content is not valid YAML: %w\nURL: %s\nContent-Type: %s", err, remoteURL, contentType)
+	}
+
+	// Create temporary file
+	tmpFile, err := os.CreateTemp("", "kubectl-coco-*.yaml")
+	if err != nil {
+		return "", fmt.Errorf("failed to create temporary file: %w", err)
+	}
+	defer func() {
+		_ = tmpFile.Close()
+	}()
+
+	// Write validated content to temporary file
+	_, err = tmpFile.Write(content)
+	if err != nil {
+		_ = os.Remove(tmpFile.Name())
+		return "", fmt.Errorf("failed to write temporary file: %w", err)
+	}
+
+	return tmpFile.Name(), nil
+}
+
+// validateYAML checks if the content is valid YAML
+func validateYAML(content []byte) error {
+	// Try to parse as YAML
+	decoder := yaml.NewDecoder(bytes.NewReader(content))
+
+	// Attempt to decode all documents in the YAML
+	var docCount int
+	for {
+		var doc interface{}
+		err := decoder.Decode(&doc)
+		if errors.Is(err, io.EOF) {
+			break
+		}
+		if err != nil {
+			return fmt.Errorf("YAML parsing error: %w", err)
+		}
+		docCount++
+
+		// Sanity check: protect against accidentally parsing non-YAML content
+		if docCount > maxYAMLDocuments {
+			return fmt.Errorf("file contains too many YAML documents (>%d), might not be a valid manifest", maxYAMLDocuments)
+		}
+	}
+
+	// Check if we got at least one document
+	if docCount == 0 {
+		return fmt.Errorf("file is empty or contains no valid YAML documents")
+	}
+
+	return nil
+}

cmd/explain.go

@@ -21,10 +21,15 @@ a regular Kubernetes manifest to a CoCo-enabled manifest.
 This command is purely educational and does not require a cluster connection.
 It helps you understand what changes are made to enable Confidential Containers.
 
+Supports both local files and remote URLs (http/https).
+
 Examples:
   # Explain transformations on your manifest
   kubectl coco explain -f app.yaml
 
+  # Explain from remote URL
+  kubectl coco explain -f https://raw.githubusercontent.com/user/repo/main/app.yaml
+
   # Use a built-in example
   kubectl coco explain --example simple-pod
   kubectl coco explain --example deployment-secrets
@@ -56,7 +61,7 @@ var (
 func init() {
 	rootCmd.AddCommand(explainCmd)
 
-	explainCmd.Flags().StringVarP(&explainManifestFile, "filename", "f", "", "Path to Kubernetes manifest file")
+	explainCmd.Flags().StringVarP(&explainManifestFile, "filename", "f", "", "Path to Kubernetes manifest file or URL")
 	explainCmd.Flags().StringVar(&explainExample, "example", "", "Use built-in example (simple-pod, deployment-secrets, sidecar-service)")
 	explainCmd.Flags().StringVar(&explainFormat, "format", "text", "Output format: text, diff, markdown")
 	explainCmd.Flags().BoolVar(&explainListExamples, "list-examples", false, "List available built-in examples")
@@ -77,6 +82,7 @@ func runExplain(_ *cobra.Command, _ []string) error {
 	var manifestPath string
 	var manifestContent string
 	var isExample bool
+	var tempFile string
 
 	if explainExample != "" {
 		// Use built-in example
@@ -108,8 +114,25 @@ func runExplain(_ *cobra.Command, _ []string) error {
 		manifestContent = ex.Manifest
 		isExample = true
 	} else if explainManifestFile != "" {
-		// Use user-provided manifest
-		manifestPath = explainManifestFile
+		// Check if it's a remote URL
+		if isRemoteFile(explainManifestFile) {
+			fmt.Printf("📥 Downloading remote manifest: %s\n", explainManifestFile)
+			var err error
+			tempFile, err = downloadRemoteFile(explainManifestFile)
+			if err != nil {
+				return fmt.Errorf("failed to download remote manifest: %w", err)
+			}
+			defer func() {
+				_ = os.Remove(tempFile)
+			}()
+			manifestPath = tempFile
+			fmt.Printf("   Downloaded to: %s\n\n", tempFile)
+		} else {
+			// Use local file
+			manifestPath = explainManifestFile
+		}
+
+		// Read manifest content
 		// #nosec G304 - User-provided manifest file path is expected
 		data, err := os.ReadFile(manifestPath)
 		if err != nil {