Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for mirror registries behind mutual TLS #35658

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add support for mirror registries behind mutual TLS #35658

wants to merge 1 commit into from

Conversation

416e64726579
Copy link

This PR introduces an enhancement by adding mutual TLS (mTLS) support for registry host mirroring, as requested in this issue.

Background: Some companies have internal policies requiring all services to be secured with mutual TLS, which complicates the use of private registries like JFrog. As a result, the approach outlined in JFrog's documentation is not feasible because Terraform currently doesn't support specifying connections with client TLS authentication. These changes address this limitation and have been successfully tested internally. Please note that this patch applies to the latest released version tag, 1.9.5, and not the main branch.

This PR is dependent on PR #72 in the terraform-svchost repository, which introduces the foundational changes necessary for implementing mTLS support in the terraform-svchost library. While the proposed changes could be implemented directly in the Terraform code (in this repository) and have been tested successfully, doing so would not be the proper approach (I suppose).

Fixes #

Issue #32110

Target Release

1.10.x

Draft CHANGELOG entry

  • add support client_cert, client_key, ca_cert for credentials in configuration and environment similar to token handling

ENHANCEMENTS

  • Added support for client_cert, client_key, and ca_cert in the configuration and environment variables, similar to token handling.
  • When using an mTLS-protected mirror configuration, it is now possible to specify credentials for the HTTP client (client_cert, client_key, ca_cert) in the configuration and/or environment variables. These options are not mutually exclusive with token and can be used together.

@416e64726579 416e64726579 requested review from a team as code owners August 30, 2024 14:40
@hashicorp-cla-app HashiCorp CLA App
Copy link

hashicorp-cla-app bot commented Aug 30, 2024
edited
Loading

CLA assistant check
All committers have signed the CLA.

@hashicorp-cla-app HashiCorp CLA App
Copy link

CLA assistant check

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes

1 out of 2 committers have signed the CLA.

  • jbardin
  • 416e64726579

Have you signed the CLA already but the status is still pending? Recheck it.

@crw
Copy link
Collaborator

crw commented Aug 30, 2024

Thanks for this submission. It looks like there is something wrong with this PR as it is pulling in a lot of changes from other contributors. To review this I am guessing this is going to need to be re-submitted after dealing with whatever branching problems caused this. Thanks!

@416e64726579
Copy link
Author

Sorry about that! Indeed something odd happened. I just re-submitted my changes only.

@crw
Copy link
Collaborator

crw commented Aug 30, 2024

Much better, thank you! I'll bring this to triage (next week).

@jar-b jar-b removed request for a team August 30, 2024 18:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@416e64726579 @crw