
Add in registry mutual tls

Open btrieger opened this issue 2 years ago • 3 comments

Some Docker registries have mutual TLS on them, meaning that you need to pass a client certificate and key in addition to the registry CA. I have added this functionality with 3 CLI flags: --registry-mutual-tls (bool, default false), --registry-client-cert-path, and --registry-client-cert-key.

btrieger, Mar 23 '22 19:03

I had a conversation with @joaopapereira on this and I have tested this on my local with nginx in front of a docker registry and am able to push images with mutual tls set to true and client and key provided. If I set it to false I get a 403 error which is what I receive if the client cert and key are not set. Let me know how else I can test this.

btrieger, Mar 23 '22 19:03

Expected Failure with mutual-tls false:

./imgpkg copy --tar /Users/brieger/Documents/nginx.tar --to-repo 127.0.0.1:5043/nginx --registry-mutual-tls=false --registry-client-cert-path /Users/brieger/.docker/certs.d/127.0.0.1\:5043/client.cert --registry-client-key-path /Users/brieger/.docker/certs.d/127.0.0.1\:5043/client.key --registry-ca-cert-path /Users/brieger/.docker/certs.d/127.0.0.1\:5043/ca.crt --registry-username testuser --registry-password testpassword
copy | importing 1 images...

copy |
copy | done uploading images

imgpkg: Error: Error while preparing a transport to talk with the registry:
  Unable to create round tripper:
    GET https://127.0.0.1:5043/v2/: unexpected status code 400 Bad Request: <html>
<head><title>400 No required SSL certificate was sent</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>nginx/1.21.6</center>
</body>
</html>

Expected Success with mutual tls true:

brieger-a01:carvel-imgpkg brieger$ ./imgpkg copy --tar /Users/brieger/Documents/nginx.tar --to-repo 127.0.0.1:5043/nginx --registry-mutual-tls=true --registry-client-cert-path /Users/brieger/.docker/certs.d/127.0.0.1\:5043/client.cert --registry-client-key-path /Users/brieger/.docker/certs.d/127.0.0.1\:5043/client.key --registry-ca-cert-path /Users/brieger/.docker/certs.d/127.0.0.1\:5043/ca.crt --registry-username testuser --registry-password testpassword
copy | importing 1 images...

426.03 MiB / 426.03 MiB [----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 1.53 GiB p/s
copy |
copy | done uploading images
426.03 MiB / 426.03 MiB [----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 1.53 GiB p/s

Succeeded

btrieger, Mar 23 '22 20:03

My team is happy to use your patch @btrieger, so thank you for your work. I've submitted a merge request to make this work with v0.35.0.

❯ git log v0.35.0..HEAD
commit 3c1dc508e2b7488bb66ee1d3cdd63e5debe19a91 (HEAD -> mutual-tls, mine/mutual-tls)
Author: Simon Pettersson <[email protected]>
Date:   Tue Feb 7 13:36:29 2023 +0100

    add mutual tls to options struct clone

commit d6df503753d81b31ecabf9d245430442e42d1ca9
Author: Brian Rieger <[email protected]>
Date:   Wed Mar 23 13:29:01 2022 -0500

    Add in registry mutual tls

simonvpe, Feb 07 '23 12:02