Allow user to provide registry certificate #1037
Conversation
d778e4e to b83e1c2
@antechrestos Thank you for this PR! Thanks
@tejal29 I will. I tested against an inner company registry. I will answer you asap.
```shell
# Resolve local.host to the loopback address (tee keeps the append under sudo)
$> echo "127.0.0.1 local.host" | sudo tee -a /etc/hosts
# Self-signed certificate for the registry, with a SAN matching the host name
$> mkdir /tmp/registry_certificates && cd /tmp/registry_certificates
$> openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
     -keyout local.host.key -out local.host.crt -subj /CN=local.host \
     -addext subjectAltName=DNS:local.host
$> ls -1
local.host.crt
local.host.key
```

```shell
# TLS-only registry on port 443, serving the self-signed pair
$> docker run -d \
     --restart=always \
     --name registry \
     -v /tmp/registry_certificates:/certs \
     -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
     -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/local.host.crt \
     -e REGISTRY_HTTP_TLS_KEY=/certs/local.host.key \
     -p 443:443 \
     registry:2
```

```shell
$> echo "FROM busybox:latest" > Dockerfile
$> KANIKO_PROJECT_DIR=<path to the kaniko project where you generated out/executor>
# Push without --registry-certificate
$> docker run --rm -v $(pwd):/sources -w /sources \
     -v $KANIKO_PROJECT_DIR/out/executor:/kaniko/executor \
     gcr.io/kaniko-project/executor:v0.17.1 \
     --context /sources --dockerfile "/sources/Dockerfile" \
     --destination local.host/test/certificates:master --verbosity info
```

You will get the following error:

(Note that I mount the certificates directory as a volume.)

```shell
# Same push, with the certificate directory mounted and the new option set
$> docker run --rm -v $(pwd):/sources -w /sources \
     -v $KANIKO_PROJECT_DIR/out/executor:/kaniko/executor \
     -v /tmp/registry_certificates:/certs \
     gcr.io/kaniko-project/executor:v0.17.1 \
     --context /sources --dockerfile "/sources/Dockerfile" \
     --destination local.host/test/certificates:add-registry-certificate-option --verbosity info \
     --registry-certificate local.host=/certs/local.host.crt
```

You can check it by pulling it.
b83e1c2 to bf1fe4b
@tejal29 did you have time to take a look at this?
bf1fe4b to 8637dc2
Rebase done
@antechrestos Thanks. We are busy with v0.17.0 bug fixes and an internal perf process. I will take a look next week. Thank you.
8637dc2 to 19c353a
Any update needed?
@antechrestos is there a GH issue related to this? Also, did you investigate updating the certificate chain in the docker image as an alternative to handling this via golang?
@cvgw I did not open an issue, should I? Importing the certificate in the docker image will do the job. However I wanted to be consistent with the other options (skip TLS verification for a given registry, and the other one disabling all TLS).
19c353a to 66e1f66
@cvgw I've just opened two issues that describe the feature and the fix brought by this PR
@antechrestos Thank you so much for opening the issues. I was testing your PR and I see the following error
I added a host entry in
Is there something missing?
@medyagh helped me debug this. I had to get the ip address of the registry and append that to
@tejal29 sorry I was in a car trip. I had the same in
@tejal29 I've just learned
Just launch the registry without port mapping:

```shell
$ docker run -d \
    --restart=always \
    --name registry \
    -v /tmp/registry_certificates:/certs \
    -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/local.host.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/local.host.key \
    registry:2
```

And every other kaniko run with
We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google.
28b6205 to abdbaa8
CLAs look good, thanks!
5421a5b to cda06f8
cda06f8 to b73c2c1
@tejal29 thank you
Description
Fixes #1100
Fixes #1101

Add the multi-valued option `registry-certificate` to allow the user to provide a certificate, such as `--registry-certificate my.registry.url=/path/to/the/certificate.cert`. Doing so, the user won't have to use the `--insecure-registry` option for the provided registry.

I found it hard to add some tests and was forced to encapsulate the treatment of the `x509` package. `makeTransport` was using the static object `http.DefaultTransport` without cloning it, which should lead to a bug as its configuration is modified. This change also brings a fix for this potential issue.