github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Merge pull request #1233 from AkihiroSuda/allow-ca-without-client-certs

Browse Source 
allow non-mutual TLS
This commit is contained in:
Lantao Liu 2019-08-11 17:07:57 -07:00 committed by GitHub
commit 8021850e91
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 27 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
docs/registry.md
View File

@ -37,6 +37,14 @@ To configure the TLS settings for a specific registry, create/modify the `/etc/c
In the config example shown above, TLS mutual authentication will be used for communications with the registry endpoint located at https://my.custom.registry. In the config example shown above, TLS mutual authentication will be used for communications with the registry endpoint located at https://my.custom.registry.
`ca_file` is file name of the certificate authority (CA) certificate used to authenticate the x509 certificate/key pair specified by the files respectively pointed to by `cert_file` and `key_file`. `ca_file` is file name of the certificate authority (CA) certificate used to authenticate the x509 certificate/key pair specified by the files respectively pointed to by `cert_file` and `key_file`.
`cert_file` and `key_file` are not needed when TLS mutual authentication is unused.
```toml
# The registry host has to be an FDQN or IP.
[plugins.cri.registry.configs."my.custom.registry".tls]
ca_file = "ca.pem"
```
## Configure Registry Credentials ## Configure Registry Credentials
`cri` plugin also supports docker like registry credential config. `cri` plugin also supports docker like registry credential config.

24
pkg/server/image_pull.go
View File

@ -251,9 +251,21 @@ func (c *criService) updateImage(ctx context.Context, r string) error {
// getTLSConfig returns a TLSConfig configured with a CA/Cert/Key specified by registryTLSConfig // getTLSConfig returns a TLSConfig configured with a CA/Cert/Key specified by registryTLSConfig
func (c *criService) getTLSConfig(registryTLSConfig criconfig.TLSConfig) (*tls.Config, error) { func (c *criService) getTLSConfig(registryTLSConfig criconfig.TLSConfig) (*tls.Config, error) {
cert, err := tls.LoadX509KeyPair(registryTLSConfig.CertFile, registryTLSConfig.KeyFile) var (
if err != nil { cert tls.Certificate
return nil, errors.Wrap(err, "failed to load cert file") err error
)
if registryTLSConfig.CertFile != "" && registryTLSConfig.KeyFile != "" {
cert, err = tls.LoadX509KeyPair(registryTLSConfig.CertFile, registryTLSConfig.KeyFile)
if err != nil {
return nil, errors.Wrap(err, "failed to load cert file")
}
}
if registryTLSConfig.CertFile != "" && registryTLSConfig.KeyFile == "" {
return nil, errors.Errorf("cert file %q was specified, but no corresponding key file was specified", registryTLSConfig.CertFile)
}
if registryTLSConfig.CertFile == "" && registryTLSConfig.KeyFile != "" {
return nil, errors.Errorf("key file %q was specified, but no corresponding cert file was specified", registryTLSConfig.KeyFile)
} }
caCertPool, err := x509.SystemCertPool() caCertPool, err := x509.SystemCertPool()
@ -267,8 +279,10 @@ func (c *criService) getTLSConfig(registryTLSConfig criconfig.TLSConfig) (*tls.C
caCertPool.AppendCertsFromPEM(caCert) caCertPool.AppendCertsFromPEM(caCert)
tlsConfig := &tls.Config{ tlsConfig := &tls.Config{
Certificates: []tls.Certificate{cert}, RootCAs: caCertPool,
RootCAs: caCertPool, }
if len(cert.Certificate) != 0 {
tlsConfig.Certificates = []tls.Certificate{cert}
} }
tlsConfig.BuildNameToCertificate() tlsConfig.BuildNameToCertificate()
return tlsConfig, nil return tlsConfig, nil