Support mTLS towards container registry #3922
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
##             main    #3922      +/-   ##
==========================================
- Coverage   40.10%   36.35%   -3.75%
==========================================
  Files         155      209      +54
  Lines       10044    13379    +3335
==========================================
+ Hits         4028     4864     +836
- Misses       5530     7889    +2359
- Partials      486      626     +140
View full report in Codecov by Sentry.
This commit refactors the registry options handling in the `cmd/cosign/cli/options/registry.go` file. It introduces new flags for specifying the X.509 CA certificate, client certificate, client key, and server name for the connection to the registry. This allows cosign to connect to registries that require mTLS for authentication.
Signed-off-by: Søren Juul <449942+zpon@users.noreply.github.com>
Increase test coverage of `getTLSConfig` method.
Signed-off-by: Søren Juul <449942+zpon@users.noreply.github.com>
Thank you for your contribution!
Signed-off-by: Søren Juul <449942+zpon@users.noreply.github.com>
@haydentherapper Thanks for the approval. I added another commit to fix the unit test on Windows. Can you take another look?
Summary
Some container registries require that the client present a certificate when establishing the connection. There is currently no way of specifying this when using cosign.
This change adds four arguments that allow users to specify the root CA, the client certificate, the client key, and the expected SAN name.
Release Note
Documentation
Documentation has been added for these new arguments:
All code is Copyright 2024 by Uber Technologies, Inc.
Closes #3915
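To show what a client-side configuration built from the four inputs named in the Summary (root CA, client certificate, client key, expected server name) has to carry, here is an added Go example; it is written for this page and is not cosign's `getTLSConfig` or any code from this PR. `BuildMTLSConfig` and `SelfSignedPEM` are hypothetical names, and the self-signed material is constructed only so the example runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// BuildMTLSConfig builds the client-side TLS config for a registry that requires a client certificate (hypothetical helper, not cosign's getTLSConfig).
func BuildMTLSConfig(caPEM, certPEM, keyPEM []byte, serverName string) (*tls.Config, error) {
	pool := x509.NewCertPool() // trust anchor for verifying the registry's certificate
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no CA certificate could be parsed from PEM")
	}
	clientCert, err := tls.X509KeyPair(certPEM, keyPEM) // rejects a mismatched cert/key pair
	if err != nil {
		return nil, err
	}
	return &tls.Config{
		RootCAs:      pool,
		Certificates: []tls.Certificate{clientCert}, // presented when the registry requests one
		ServerName:   serverName,                    // must match a SAN in the registry cert
		MinVersion:   tls.VersionTLS12,
	}, nil
}

// SelfSignedPEM makes throwaway self-signed test material (constructed for this example, not real registry credentials).
func SelfSignedPEM(cn string) (certPEM, keyPEM []byte, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv) // cannot fail for an ed25519 key
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), err
}
```

Passing the CA's key in place of the client key fails inside `tls.X509KeyPair`, which is the check that keeps a mismatched pair from ever reaching the handshake.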