kaniko

History

Eric 7525828ef9 Add mTLS (client cert) registry authentication (#2180 ) * Add mTLS (client cert) support Add support for Mutual TLS (mTLS) client certificate authentication. The expected format of the new --registry-client-cert flag is the same as the existing --registry-certificate flag, which will allow different client certificates for different registries: --registry-client-cert my.registry.url=/path/to/cert.crt,/path/to/key.key * tidy: Rename mTLS (Client Cert) flag to be in line with others This flag didn't describe that it was for the client certs uses with the registry. Although this should be reasonably obvious, I like the consistency with the other registry flag. * test: Added unit tests for mTLS (Client Cert) loading * test: Add 2 more tests for comma split formatting since the comma splitting is a new portion of code let's make sure that that format works well too in other cases * tidy: Fix formatting of flag help text * tidy: Made invalid cert format error consistent I was running the tests and saw the message: Failed to load client certificate/key '/path/to/client/certificate.cert' for my.registry.name, format is my.registry.name=/path/to/cert,/path/to/key I then realized that it'd be a lot nicer if this showed the user what they input, and how they should change it (rather than decomposing it: Failed to load client certificate/key 'my.registry.name=/path/to/client/certificate.cert', expected format: my.registry.name=/path/to/cert,/path/to/key * test: Fixed incorrect test argument This didn't fail the test before because it's only attempting to show that certs only get loaded and used for their associated registry but it's important to keep this correct. This case is covered by the test below, "RegistriesClientCertificates incorrect cert format" * doc: Add new flag to README.md * mod: Fail to push if there was a problem loading client certs Rather than warning that there was an issue, we should fail if the requested client certificates were not found or failed to load. This feels a lot better than waiting for the build to finish then failing later. * mod: Return an error if the certificate authority fails to load, just like client certs The MakeTransport function was changed in the previous commit to allow returning errors if there was a problem loading certificates, rather than just print warnings. This feels a lot better as you get the error immediately that there's a problem to fix, rather than getting a warning, then later an error that the server's certificate could not be verified. * tidy: fix golint issues	2023-05-18 14:20:51 -07:00
..
executor	Add mTLS (client cert) registry authentication (#2180 )	2023-05-18 14:20:51 -07:00
warmer	Add mTLS (client cert) registry authentication (#2180 )	2023-05-18 14:20:51 -07:00

Add mTLS (client cert) registry authentication (#2180 )

* Add mTLS (client cert) support

Add support for Mutual TLS (mTLS) client certificate authentication.
The expected format of the new --registry-client-cert flag is the same
as the existing --registry-certificate flag, which will allow
different client certificates for different registries:

--registry-client-cert my.registry.url=/path/to/cert.crt,/path/to/key.key

* tidy: Rename mTLS (Client Cert) flag to be in line with others

This flag didn't describe that it was for the client certs uses with
the registry. Although this should be reasonably obvious, I like the
consistency with the other registry flag.

* test: Added unit tests for mTLS (Client Cert) loading

* test: Add 2 more tests for comma split formatting

since the comma splitting is a new portion of code let's make sure
that that format works well too in other cases

* tidy: Fix formatting of flag help text

* tidy: Made invalid cert format error consistent

I was running the tests and saw the message:

Failed to load client certificate/key '/path/to/client/certificate.cert' for my.registry.name, format is my.registry.name=/path/to/cert,/path/to/key

I then realized that it'd be a lot nicer if this showed the user what
they input, and how they should change it (rather than decomposing it:

Failed to load client certificate/key 'my.registry.name=/path/to/client/certificate.cert', expected format: my.registry.name=/path/to/cert,/path/to/key

* test: Fixed incorrect test argument

This didn't fail the test before because it's only attempting to show
that certs only get loaded and used for their associated registry but
it's important to keep this correct.

This case is covered by the test below, "RegistriesClientCertificates
incorrect cert format"

* doc: Add new flag to README.md

* mod: Fail to push if there was a problem loading client certs

Rather than warning that there was an issue, we should fail if the
requested client certificates were not found or failed to load.

This feels a lot better than waiting for the build to finish then
failing later.

* mod: Return an error if the certificate authority fails to load, just like client certs

The MakeTransport function was changed in the previous commit to
allow returning errors if there was a problem loading certificates,
rather than just print warnings.

This feels a lot better as you get the error immediately that there's
a problem to fix, rather than getting a warning, then later an error
that the server's certificate could not be verified.

* tidy: fix golint issues

2023-05-18 14:20:51 -07:00

executor

Add mTLS (client cert) registry authentication (#2180 )

2023-05-18 14:20:51 -07:00

warmer

Add mTLS (client cert) registry authentication (#2180 )

2023-05-18 14:20:51 -07:00