Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support mTLS towards container registry #3922

Merged
merged 5 commits into from
Nov 6, 2024
Merged

Support mTLS towards container registry #3922

merged 5 commits into from
Nov 6, 2024

Conversation

zpon
Copy link
Contributor

@zpon zpon commented Nov 4, 2024
edited
Loading

Summary

Some container registries require that the client present a certificate when establishing the connection. There is currently no way of specifying this when using cosign.
This change adds four arguments that allows the users to specify the root CA, the client cert and the client key and the expected SAN name.

Release Note

  • Config changes (additions, deletions, updates)
    • None
  • API additions—new endpoint, new response fields, or newly accepted request parameters
    • None
  • Database changes (any)
    • None
  • Websocket additions or changes
    • None
  • Anything noteworthy to an administrator running private sigstore instances (err on the side of over-communicating)
    • It is now possible to specify client certificates (mTLS) for container registry connections
  • New features and improvements, including behavioural changes, UI changes and CLI changes
    • It is now possible to specify client certificates (mTLS) for container registry connections
  • Bug fixes and fixes of previous known issues
    • None
  • Deprecation warnings, breaking changes, or compatibility notes
    • None

Documentation

Documentation has been added for these new arguments added:

      --registry-cacert string                                                                   path to the X.509 CA certificate file in PEM format to be used for the connection to the registry
      --registry-client-cert string                                                              path to the X.509 certificate file in PEM format to be used for the connection to the registry
      --registry-client-key string                                                               path to the X.509 private key file in PEM format to be used, together with the 'registry-client-cert' value, for the connection to the registry
      --registry-server-name string                                                              SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the registry

All code is Copyright 2024 by Uber Technologies, Inc.

Closes #3915

@codecov Codecov
Copy link

codecov bot commented Nov 4, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 60.86957% with 18 lines in your changes missing coverage. Please review.

Project coverage is 36.35%. Comparing base (2ef6022) to head (bab0180).
Report is 236 commits behind head on main.

Files with missing lines Patch % Lines
cmd/cosign/cli/options/registry.go 60.86% 17 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3922      +/-   ##
==========================================
- Coverage   40.10%   36.35%   -3.75%     
==========================================
  Files         155      209      +54     
  Lines       10044    13379    +3335     
==========================================
+ Hits         4028     4864     +836     
- Misses       5530     7889    +2359     
- Partials      486      626     +140

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@zpon
Support for client certs towards registry server
80bb49c 
This commit refactors the registry options handling in the
`cmd/cosign/cli/options/registry.go` file. It introduces new flags for
specifying the X.509 CA certificate, client certificate, client key, and
server name for the connection to the registry.
This allows cosign to connect to registries that requires mTLS for
authentication.

Signed-off-by: Søren Juul <[email protected]>
@zpon
Update documentation
e8f3422 
Signed-off-by: Søren Juul <[email protected]>
@zpon
Add registry_test.go
b5823de 
Increase test coverage of `getTLSConfig` method.

Signed-off-by: Søren Juul <[email protected]>
haydentherapper
haydentherapper previously approved these changes Nov 5, 2024
View reviewed changes
Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for your contribution!

@zpon
Fix temp file creation
bab0180 
Signed-off-by: Søren Juul <[email protected]>
@zpon
Copy link
Contributor Author

zpon commented Nov 6, 2024

Thank you for your contribution!

@haydentherapper Thanks for the approval. I added another commit to fix unittest on Windows. Can you take another look?

@haydentherapper haydentherapper merged commit ad5bc3b into sigstore:main Nov 6, 2024
23 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@haydentherapper haydentherapper haydentherapper approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support client certificates when communicating with the registry server (mTLS)
2 participants
@zpon @haydentherapper