Skip to content

Commit

Permalink
feat(docker): add support for mTLS authentication when connecting to …
Browse files Browse the repository at this point in the history
…registry (#4649)

* feat: add support for mTLS authentication when connecting to registry

* feat: add support for mTLS authentication when connecting to registry - added error handling

* feat: add support for mTLS authentication when connecting to registry
- code quality improvements

* feat: add support for mTLS authentication when connecting to registry
- code quality improvements

* wrap errors

---------

Co-authored-by: knqyf263 <knqyf263@gmail.com>
  • Loading branch information
manveer94 and knqyf263 authored Jun 28, 2023
1 parent d699e8c commit 26bc911
Show file tree
Hide file tree
Showing 2 changed files with 27 additions and 6 deletions.
4 changes: 4 additions & 0 deletions pkg/fanal/types/image.go
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,10 @@ type RegistryOptions struct {
// SSL/TLS
Insecure bool

// For internal use. Needed for mTLS authentication.
ClientCert []byte
ClientKey []byte

// Architecture
Platform Platform

Expand Down
29 changes: 23 additions & 6 deletions pkg/remote/remote.go
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,10 @@ type Descriptor = remote.Descriptor
// Get is a wrapper of google/go-containerregistry/pkg/v1/remote.Get
// so that it can try multiple authentication methods.
func Get(ctx context.Context, ref name.Reference, option types.RegistryOptions) (*Descriptor, error) {
transport := httpTransport(option.Insecure)
transport, err := httpTransport(option)
if err != nil {
return nil, xerrors.Errorf("failed to create http transport: %w", err)
}

var errs error
// Try each authentication method until it succeeds
Expand Down Expand Up @@ -68,7 +71,10 @@ func Get(ctx context.Context, ref name.Reference, option types.RegistryOptions)
// Image is a wrapper of google/go-containerregistry/pkg/v1/remote.Image
// so that it can try multiple authentication methods.
func Image(ctx context.Context, ref name.Reference, option types.RegistryOptions) (v1.Image, error) {
transport := httpTransport(option.Insecure)
transport, err := httpTransport(option)
if err != nil {
return nil, xerrors.Errorf("failed to create http transport: %w", err)
}

var errs error
// Try each authentication method until it succeeds
Expand All @@ -92,7 +98,10 @@ func Image(ctx context.Context, ref name.Reference, option types.RegistryOptions
// Referrers is a wrapper of google/go-containerregistry/pkg/v1/remote.Referrers
// so that it can try multiple authentication methods.
func Referrers(ctx context.Context, d name.Digest, option types.RegistryOptions) (v1.ImageIndex, error) {
transport := httpTransport(option.Insecure)
transport, err := httpTransport(option)
if err != nil {
return nil, xerrors.Errorf("failed to create http transport: %w", err)
}

var errs error
// Try each authentication method until it succeeds
Expand All @@ -113,15 +122,23 @@ func Referrers(ctx context.Context, d name.Digest, option types.RegistryOptions)
return nil, errs
}

func httpTransport(insecure bool) *http.Transport {
func httpTransport(option types.RegistryOptions) (*http.Transport, error) {
d := &net.Dialer{
Timeout: 10 * time.Minute,
}
tr := http.DefaultTransport.(*http.Transport).Clone()
tr.DialContext = d.DialContext
tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: insecure}
tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: option.Insecure}

if len(option.ClientCert) != 0 && len(option.ClientKey) != 0 {
cert, err := tls.X509KeyPair(option.ClientCert, option.ClientKey)
if err != nil {
return nil, err
}
tr.TLSClientConfig.Certificates = []tls.Certificate{cert}
}

return tr
return tr, nil
}

func authOptions(ctx context.Context, ref name.Reference, option types.RegistryOptions) []remote.Option {
Expand Down

0 comments on commit 26bc911

Please sign in to comment.