Add support for mirror registries behind mutual TLS #35658
Conversation
|
|
|
Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement Learn more about why HashiCorp requires a CLA and what the CLA includes 1 out of 2 committers have signed the CLA.
Have you signed the CLA already but the status is still pending? Recheck it. |
|
Thanks for this submission. It looks like there is something wrong with this PR as it is pulling in a lot of changes from other contributors. To review this I am guessing this is going to need to be re-submitted after dealing with whatever branching problems caused this. Thanks! |
416e64726579
force-pushed
the
feature/mtls-mirror-registry
branch
from
e1dba72
to
3b6790f
Compare
|
Sorry about that! Indeed something odd happened. I just re-submitted my changes only. |
|
Much better, thank you! I'll bring this to triage (next week). |
|
Any chance we could get this change merged? |
|
Apologies, I didn't update here as I was waiting for internal feedback that I am realizing got dropped. The results from triage were that this is a fairly sensitive change with some complex logic that would need careful review. We were going to investigate the need for this with customers, which is where the process got dropped. I'll pick this up again and find out the results of that research. |
This PR introduces an enhancement by adding mutual TLS (mTLS) support for registry host mirroring, as requested in this issue.
Background: Some companies have internal policies requiring all services to be secured with mutual TLS, which complicates the use of private registries like JFrog. As a result, the approach outlined in JFrog's documentation is not feasible because Terraform currently doesn't support specifying connections with client TLS authentication. These changes address this limitation and have been successfully tested internally. Please note that this patch applies to the latest released version tag, 1.9.5, and not the main branch.
This PR is dependent on PR #72 in the terraform-svchost repository, which introduces the foundational changes necessary for implementing mTLS support in the terraform-svchost library. While the proposed changes could be implemented directly in the Terraform code (in this repository) and have been tested successfully, doing so would not be the proper approach (I suppose).
Fixes #
Issue #32110
Target Release
1.10.x
Draft CHANGELOG entry
client_cert,client_key,ca_certfor credentials in configuration and environment similar to token handlingENHANCEMENTS
client_cert,client_key, andca_certin the configuration and environment variables, similar to token handling.client_cert,client_key,ca_cert) in the configuration and/or environment variables. These options are not mutually exclusive withtokenand can be used together.