
Add registry certificate verification support #1734

Merged
wagoodman merged 8 commits into
anchore:mainfrom
5p2O5pe25ouT:main
Aug 29, 2023
Conversation

@5p2O5pe25ouT
Contributor

@5p2O5pe25ouT 5p2O5pe25ouT commented Apr 13, 2023

I want to help add support for carrying certificates when Syft scans the registry. Supported configurations are:

...MTLS for a specific registry:

```yaml
# .syft.yaml
registry:
  ca-cert: "./ca-certs/myreg.crt"     # trust a specific CA cert

  auth:
    # note: no user/pass was provided, so the keychain will be used for basic auth
    - authority: "myregistry.com"
      tls-cert: "./certs/myreg-client.crt"
      tls-key: "./certs/myreg-client.key"
```

... MTLS for multiple registries:

```yaml
# .syft.yaml
registry:
  ca-cert: "./ca-certs"     # trust all *.crt files in a dir as root CAs

  auth:

    - authority: "myregistry.com"
      tls-cert: "./certs/myreg-client.crt"
      tls-key: "./certs/myreg-client.key"

    - authority: "otherreg.com"
      tls-cert: "./certs/other-client.crt"
      tls-key: "./certs/other-client.key"
```

... configure via environment variables:

```bash
export SYFT_REGISTRY_CA_CERT="./ca-certs/"
export SYFT_REGISTRY_AUTH_TLS_CERT="./certs/myreg-client.crt"
export SYFT_REGISTRY_AUTH_TLS_KEY="./certs/myreg-client.key"
```

which will be the same as:

```yaml
registry:
  ca-cert: "./ca-certs"

  auth:

    - authority: ""
      tls-cert: "./certs/myreg-client.crt"
      tls-key: "./certs/myreg-client.key"
```

...which will offer the client cert during TLS negotiation to any registry that will accept it.

Pulls in features from anchore/stereoscope#169 and anchore/stereoscope#195
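The configuration above maps onto three steps a registry client has to perform: build a root-CA pool from `ca-cert` (a single PEM file or every `*.crt` in a directory), pick the `auth` entry whose `authority` matches the registry host (an empty authority applying to any host), and load that entry's `tls-cert`/`tls-key` pair into the `tls.Config`. The Go program below is an added example illustrating that flow; it is not Syft's or stereoscope's code. The `RegistryCredentials` struct and the function names are assumptions made for this example, and `WriteSelfSignedPEM` only generates throwaway certificates so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// RegistryCredentials mirrors one registry.auth entry; struct and field names are assumed, not Syft's.
type RegistryCredentials struct {
	Authority string // registry host; "" offers the cert to any registry (the env-var case)
	TLSCert   string // path to the PEM client certificate (tls-cert)
	TLSKey    string // path to the PEM client private key (tls-key)
}

// LoadRootCAs builds the registry.ca-cert trust pool: one PEM file, or every *.crt file in a directory.
func LoadRootCAs(path string) (*x509.CertPool, error) {
	files, _ := filepath.Glob(filepath.Join(path, "*.crt")) // matches only when path is a directory
	if len(files) == 0 {
		files = []string{path} // otherwise treat path as a single PEM file
	}
	pool, added := x509.NewCertPool(), 0
	for _, f := range files {
		pemBytes, err := os.ReadFile(f)
		if err != nil {
			return nil, err
		}
		if pool.AppendCertsFromPEM(pemBytes) { // ignores non-CERTIFICATE blocks such as keys
			added++
		}
	}
	if added == 0 { // an empty pool would trust nothing at all; fail loudly instead
		return nil, fmt.Errorf("no PEM certificates found under %s", path)
	}
	return pool, nil
}

// SelectCredentials picks the auth entry for host: an exact authority match wins over an empty one.
func SelectCredentials(host string, entries []RegistryCredentials) (RegistryCredentials, bool) {
	for _, e := range entries {
		if e.Authority == host {
			return e, true
		}
	}
	for _, e := range entries { // no exact match: fall back to an entry that applies to any registry
		if e.Authority == "" {
			return e, true
		}
	}
	return RegistryCredentials{}, false
}

// BuildTLSConfig assembles the tls.Config a registry client would use when talking to host.
func BuildTLSConfig(host, caCertPath string, entries []RegistryCredentials) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12} // RootCAs nil means "use the system trust store"
	if caCertPath != "" {
		pool, err := LoadRootCAs(caCertPath)
		if err != nil {
			return nil, err
		}
		cfg.RootCAs = pool
	}
	if e, ok := SelectCredentials(host, entries); ok && e.TLSCert != "" {
		cert, err := tls.LoadX509KeyPair(e.TLSCert, e.TLSKey) // also verifies the key matches the cert
		if err != nil {
			return nil, err
		}
		cfg.Certificates = []tls.Certificate{cert}
	}
	return cfg, nil
}

// WriteSelfSignedPEM writes a throwaway self-signed <name>.crt/<name>.key pair into dir (constructed test material).
func WriteSelfSignedPEM(dir, name string) (certPath, keyPath string, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", "", err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for a key GenerateKey just produced
	certPath, keyPath = filepath.Join(dir, name+".crt"), filepath.Join(dir, name+".key")
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	if err = os.WriteFile(certPath, certPEM, 0o600); err == nil {
		err = os.WriteFile(keyPath, keyPEM, 0o600)
	}
	return certPath, keyPath, err
}
```

Two choices worth noting: `LoadRootCAs` refuses to return an empty pool, because a `tls.Config` with an empty `RootCAs` rejects every server certificate and the resulting handshake failure is far harder to diagnose than a config error; and `BuildTLSConfig` leaves `RootCAs` nil when no `ca-cert` is set, so the system trust store still applies.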

@spiffcs spiffcs self-requested a review June 22, 2023 16:21
@wagoodman wagoodman self-assigned this Jun 22, 2023
@wagoodman wagoodman added the enhancement New feature or request label Aug 24, 2023
@wagoodman wagoodman changed the title add registry certificate verification support Add registry certificate verification support Aug 24, 2023
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@wagoodman wagoodman merged commit b03e9c6 into anchore:main Aug 29, 2023
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
* add registry certificate verification support

* replace stereoscope version

* modify go.mod

* pull in stereoscope update

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* rename registry cert options, add docs, and add test

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* update to account for changes in anchore/stereoscope#195

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix cli tests

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: lishituo <24578666@qq.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>