Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable configuring a certificate authority file for registry client. #217

Closed
absoludity opened this issue Feb 8, 2021 · 5 comments · Fixed by #400
Closed

Enable configuring a certificate authority file for registry client. #217

absoludity opened this issue Feb 8, 2021 · 5 comments · Fixed by #400
Milestone
v0.13.0

Comments

@absoludity
Copy link

Just as Helm allows as --kube-ca-file option to use a specific certificate authority file for the Kubernetes API Server connection, it would be great if ORAS enabled requests to the registry to be made with a specific certificate authority, so that connections to internal private registries are not susceptible to machine-in-the-middle.

Currently it appears the only option is to use the --insecure flag which I assume results in a TLS connection configured with InsecureSkipVerify. As per the docs there "This should be used only for testing or in combination with VerifyConnection or VerifyPeerCertificate".
@absoludity absoludity mentioned this issue Feb 8, 2021
Merged
@jdolitsky jdolitsky added this to the v0.11.0 milestone Feb 9, 2021
@souleb
Copy link
Contributor

souleb commented Apr 15, 2022

Hi,

I would like to work on this issue if possible.

Regards,
Soule

@sajayantony
Copy link
Contributor

Should we target using oras-go v2?

@sabre1041
Copy link
Contributor

@sajayantony I would recommend it be part of v1 and v2 since it is a capability that would be desired by consumers of each version

@scottrigby
Copy link

👍 should be fixed in v2 first, then would need a backport to v1 for Helm users to take advantage.

PS, when there is a plan for the oras-project/oras-go stable v2.0.0 release, we should coordinate to also plan the Oras dependency upgrade in Helm.

@sajayantony sajayantony mentioned this issue Apr 18, 2022
Closed
@qweeah qweeah mentioned this issue Apr 18, 2022
Merged
@scottrigby
Copy link

scottrigby commented Apr 21, 2022
edited
Loading

👍 should be fixed in v2 first, then would need a backport to v1 for Helm users to take advantage.

PS, when there is a plan for the oras-project/oras-go stable v2.0.0 release, we should coordinate to also plan the Oras dependency upgrade in Helm.

Update to this note. I was not aware that v2 has removed docker auth and implemented their own auth. Because of this v2 would have to implement things from scratch that v1 could do more easily using Docker client auth. So we may need to propose a working change for v1 to start which would then need to be ported to v2 (not backported from v2 to v1). V1 is needed for Helm at this point.

However, to keep with our agreement to ensure v1 and v2 have the opportunity to stay in sync in terms of features, we should in that same proposal give a recommendation on how the new v2 auth would want to implement the same thing. This way, we can get signoff from the v2 maintainers before approving/merging into v1. So we at least stay on the same page with features even if the code is completely different.

@sajayantony does this make sense to you?

@qweeah qweeah mentioned this issue May 11, 2022
Merged
@shizhMSFT shizhMSFT modified the milestones: v0.11.0, v0.13.0 May 16, 2022
@qweeah qweeah mentioned this issue May 23, 2022
Closed
@souleb souleb mentioned this issue Jun 8, 2022
Merged
@qweeah qweeah mentioned this issue Jun 16, 2022
Merged
@shizhMSFT shizhMSFT mentioned this issue Jul 7, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v0.13.0
7 participants
@jdolitsky @scottrigby @absoludity @sabre1041 @sajayantony @souleb @shizhMSFT