feat(docker): add support for mTLS authentication when connecting to registry #4649
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
|
|
Manveer Singh seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it. |
… - added error handling
knqyf263
reviewed
Jun 20, 2023
pkg/remote/remote.go
Outdated
| return nil, err | ||
| } | ||
| tr.TLSClientConfig = &tls.Config{ | ||
| RootCAs: caCertPool, |
There was a problem hiding this comment.
If RootCAs is nil, TLS uses the host's root CA set.
https://pkg.go.dev/crypto/tls#Config
Do we need to set it manually?
pkg/remote/remote.go
Outdated
| if err != nil { | ||
| return nil, err | ||
| } | ||
| tr.TLSClientConfig = &tls.Config{ |
There was a problem hiding this comment.
If I understand correctly, it overwrites InsecureSkipVerify by mistake and leads to a bug.
pkg/remote/remote.go
Outdated
| @@ -124,6 +134,23 @@ func httpTransport(insecure bool) *http.Transport { | |||
| return tr | |||
| } | |||
|
|
|||
| func httpTransportWithMtls(insecure bool, clientCert []byte, clientKey []byte) (*http.Transport, error) { | |||
There was a problem hiding this comment.
It is better to merge this functionality into httpTransport.
tlsConfig := &tls.Config{InsecureSkipVerify: insecure}
if len(option.ClientCert) > 0 && len(option.ClientKey) > 0 {
cert, err := tls.X509KeyPair(option.ClientCert, option.ClientKey)
if err != nil {
return nil, err
}
tlsConfig.Certificates = []tls.Certificate{cert}
}
tr.TLSClientConfig = tlsConfig
- code quality improvements
knqyf263
reviewed
Jun 28, 2023
|
And need to resolve the conflict |
knqyf263
approved these changes
Jun 28, 2023
AnaisUrlichs
pushed a commit
to AnaisUrlichs/trivy
that referenced
this pull request
Aug 10, 2023
…registry (aquasecurity#4649) * feat: add support for mTLS authentication when connecting to registry * feat: add support for mTLS authentication when connecting to registry - added error handling * feat: add support for mTLS authentication when connecting to registry - code quality improvements * feat: add support for mTLS authentication when connecting to registry - code quality improvements * wrap errors --------- Co-authored-by: knqyf263 <knqyf263@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Added two new fields in registry options ClientCert and ClientKey. If both of these are not empty then https connection with client certificates will be attempted to the registry.
Related issues
Checklist