Add: Add docker-client-tls-login action for client certificate authentication #1470
Conversation
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found. Snapshot Warnings: Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice. Scanned Files: None
Conventional Commits Report: 🚀 Conventional commits found.
docker-client-tls-login/action.yml
Outdated
| - name: Cleanup certificates (if logout enabled) | ||
| if: inputs.logout == 'true' | ||
| shell: bash | ||
| run: | | ||
| [[ -n "${CERT_DIR:-}" && -d "$CERT_DIR" ]] && rm -rf "$CERT_DIR" |
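Review bot: the cleanup step fails whenever there is nothing to clean up, because `[[ -n "${CERT_DIR:-}" && -d "$CERT_DIR" ]] && rm -rf "$CERT_DIR"` leaves the step's exit status at the test's non-zero result when the condition is false; end the line with `|| true` or write it as an `if` block. CERT_DIR is also assigned in a different step (`CERT_DIR="$HOME/.docker/certs.d/$REGISTRY_URL"`), and each `run` step starts a fresh shell, so unless the setup step writes the value to `$GITHUB_ENV` the variable is empty here and the guard silently skips the cleanup.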
If we stored the certs directly in the docker config folder, would we need this?
@pascalholthaus @easamoah7 Do we store the TLS certificates directly in the docker config folder? How do we get them into that folder?
In my humble understanding, we set up the TLS certificates like we set up an SSH key or GPG key: we pass the certificate via GitHub Secrets into the action.
Maybe we additionally add support for runner-hosted TLS certificates, but as open source, this should be as generic as possible.
If we use these as secret variables, this should reduce the bash code for this action, too.
Can we test this in https://github.com/greenbone/pipeline-experiments?
docker-client-tls-login/action.yml
Outdated
| shell: bash | ||
| run: | | ||
| # Setup certificate directory | ||
| REGISTRY_URL="${{ inputs.registry-url }}" |
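Review bot: `REGISTRY_URL="${{ inputs.registry-url }}"` expands the input into the script text before bash parses it, so a quote or shell metacharacter in the input becomes part of the script; pass the input through the step's `env:` block instead (`env: REGISTRY_URL: ${{ inputs.registry-url }}`) and read `"$REGISTRY_URL"` from the environment. Because the value is used as a bare hostname rather than a URL, the step should also reject anything containing a scheme, a path or whitespace (for example https://my-registry.com/path-to-registry) before using it, and naming the input `registry-host` would make that contract visible to callers.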
As far as I understand, just a plain hostname is required here, and this won't work with an actual URL (https://my-registry.com/path-to-registry), so I think it's better to name the variable and the workflow input parameter accordingly to avoid misunderstanding and wrong usage.
docker-client-tls-login/action.yml
Outdated
| run: | | ||
| # Setup certificate directory | ||
| REGISTRY_URL="${{ inputs.registry-url }}" | ||
| CERT_DIR="$HOME/.docker/certs.d/$REGISTRY_URL" |
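Review bot: `CERT_DIR="$HOME/.docker/certs.d/$REGISTRY_URL"` builds a filesystem path from an unvalidated input, and the cleanup step later runs `rm -rf "$CERT_DIR"` on that path, so a value containing `/` or `..` both yields a directory that is never consulted for the registry and widens what the cleanup deletes; validate the value against a hostname or hostname:port pattern before assigning CERT_DIR. Since the comment below reports that `/etc/docker/certs.d/HOSTNAME/` is the location known to work, the action should state which of the two directories it targets and document why.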
I understand this has already been tried, but on my machine and @y0urself's mac it worked well when we added these in /etc/docker/certs.d/HOSTNAME/*, so maybe we should keep working with that known good place.
If that works but we later want to have it in $HOME instead, we can try that too, but the safe way is /etc for now.
What
Add new docker-tls-login action that configures Docker with client TLS certificates for mutual authentication with Docker registries.
Why
The standard docker/login-action doesn't support client TLS certificate authentication required for external access to packages.greenbone.net.
References
Checklist