From 238834c048531dcad26627165d9e93027925cd67 Mon Sep 17 00:00:00 2001 From: Ricardo Branco Date: Wed, 9 Nov 2022 19:56:51 +0100 Subject: [PATCH] Add support for client certificates --- main.go | 11 +++++++++++ registry/registry.go | 15 +++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/main.go b/main.go index ebd5a3dfa..c58a5e505 100644 --- a/main.go +++ b/main.go @@ -28,6 +28,10 @@ var ( username string password string + tlsCACert string + tlsCert string + tlsKey string + debug bool ) @@ -73,6 +77,10 @@ func main() { p.FlagSet.StringVar(&password, "password", "", "password for the registry") p.FlagSet.StringVar(&password, "p", "", "password for the registry") + p.FlagSet.StringVar(&tlsCACert, "tlscacert", "", "Trust certs signed only by this CA") + p.FlagSet.StringVar(&tlsCert, "tlscert", "", "Path to TLS certificate file") + p.FlagSet.StringVar(&tlsKey, "tlskey", "", "Path to TLS key file") + p.FlagSet.BoolVar(&debug, "d", false, "enable debug logging") // Set the before function. @@ -122,6 +130,9 @@ func createRegistryClient(ctx context.Context, domain string) (*registry.Registr logrus.Infof("domain: %s", domain) logrus.Infof("server address: %s", auth.ServerAddress) return registry.New(ctx, auth, registry.Opt{ + CAFile: tlsCACert, + CertFile: tlsCert, + KeyFile: tlsKey, Domain: domain, Insecure: insecure, Debug: debug, diff --git a/registry/registry.go b/registry/registry.go index 9dfc8a3c8..61f5f83ae 100644 --- a/registry/registry.go +++ b/registry/registry.go @@ -14,12 +14,14 @@ import ( "github.com/docker/distribution/manifest/manifestlist" "github.com/docker/distribution/manifest/schema2" "github.com/docker/docker/api/types" + "github.com/docker/go-connections/tlsconfig" ) // Registry defines the client for retrieving information from the registry API. type Registry struct { URL string Domain string + Insecure bool Username string Password string Client *http.Client @@ -43,6 +45,9 @@ func Log(format string, args ...interface{}) { // Opt holds the options for a new registry. type Opt struct { Domain string + CAFile string + CertFile string + KeyFile string Insecure bool Debug bool SkipPing bool @@ -61,6 +66,16 @@ func New(ctx context.Context, auth types.AuthConfig, opt Opt) (*Registry, error) InsecureSkipVerify: true, }, } + } else { + tlsClientConfig, _ := tlsconfig.Client( + tlsconfig.Options{ + CAFile: opt.CAFile, + CertFile: opt.CertFile, + KeyFile: opt.KeyFile, + }) + transport = &http.Transport{ + TLSClientConfig: tlsClientConfig, + } } return newFromTransport(ctx, auth, transport, opt)