Merge pull request #280 from depot/feat/registry-tls-server-name
feat: update local registry mTLS to do client-side server name verification
goller authored May 3, 2024
2 parents d31441a + e2d6e6b commit e72d69b
Showing 3 changed files with 16 additions and 14 deletions.
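--- a/pkg/cmd/registry/registry.go
+++ b/pkg/cmd/registry/registry.go
@@ -13,7 +13,6 @@ import (
 "log"
 "net"
 "net/http"
-"net/url"
 "os"
 "os/signal"
 "strconv"
@@ -64,6 +63,11 @@ func run() error {
 return err
 }
 
+serverName, err := base64.StdEncoding.DecodeString(os.Getenv("SERVER_NAME"))
+if err != nil {
+return err
+}
+
 rawConfig, err := base64.StdEncoding.DecodeString(os.Getenv("CONFIG"))
 if err != nil {
 return err
@@ -103,7 +107,7 @@ func run() error {
 cancel()
 }()
 
-contentClient, err := NewContentClient(ctx, caCert, certPEM, keyPEM, string(addr))
+contentClient, err := NewContentClient(ctx, caCert, certPEM, keyPEM, string(serverName), string(addr))
 if err != nil {
 return err
 }
@@ -120,18 +124,13 @@ func run() error {
 return nil
 }
 
-func NewContentClient(ctx context.Context, caCert, certPEM, keyPEM []byte, buildkitdAddress string) (contentv1.ContentClient, error) {
-uri, err := url.Parse(buildkitdAddress)
-if err != nil {
-return nil, err
-}
-
+func NewContentClient(ctx context.Context, caCert, certPEM, keyPEM []byte, serverName, buildkitdAddress string) (contentv1.ContentClient, error) {
 certPool := x509.NewCertPool()
 if ok := certPool.AppendCertsFromPEM(caCert); !ok {
 return nil, fmt.Errorf("failed to append ca certs")
 }
 
-cfg := &tls.Config{RootCAs: certPool}
+cfg := &tls.Config{RootCAs: certPool, ServerName: serverName}
 cert, err := tls.X509KeyPair(certPEM, keyPEM)
 if err != nil {
 return nil, fmt.Errorf("could not read certificate/key: %w", err)
@@ -142,7 +141,7 @@ func NewContentClient(ctx context.Context, caCert, certPEM, keyPEM []byte, build
 grpc.WithBlock(),
 grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(defaults.DefaultMaxRecvMsgSize)),
 grpc.WithDefaultCallOptions(grpc.MaxCallSendMsgSize(defaults.DefaultMaxSendMsgSize)),
-grpc.WithAuthority(uri.Host),
+grpc.WithAuthority(serverName),
 grpc.WithTransportCredentials(credentials.NewTLS(cfg)),
 grpc.WithContextDialer(func(ctx context.Context, _ string) (net.Conn, error) {
 addr := strings.TrimPrefix(buildkitdAddress, "tcp://")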
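Review bot: An unset or empty SERVER_NAME is accepted silently: the DecodeString call added in the second hunk returns an empty result without an error, so NewContentClient receives serverName == "" and both the tls.Config.ServerName and the grpc.WithAuthority value that this commit introduces for verification end up empty. What the gRPC TLS credentials substitute for an empty ServerName then depends on the dial target, which is outside the hunk, so the server-name check the change is meant to add may not be in effect at all. Reject it up front next to the other decoded environment values, `if len(serverName) == 0 { return fmt.Errorf("SERVER_NAME must be set") }`. The value originates from DriverOpts["serverName"] in pkg/load/load.go, which is likewise "" when the key is absent, so a node response without that key reaches this path unnoticed. run() and NewContentClient both continue outside the hunks.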
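--- a/pkg/load/load.go
+++ b/pkg/load/load.go
@@ -42,6 +42,7 @@ func DepotFastLoad(ctx context.Context, dockerapi docker.APIClient, resp []depot
 RawManifest: manifest,
 RawConfig: config,
 Addr: nodeRes.Node.DriverOpts["addr"],
+ServerName: nodeRes.Node.DriverOpts["serverName"],
 CACert: []byte(nodeRes.Node.DriverOpts["caCert"]),
 Key: []byte(nodeRes.Node.DriverOpts["key"]),
 Cert: []byte(nodeRes.Node.DriverOpts["cert"]),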
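--- a/pkg/load/proxy.go
+++ b/pkg/load/proxy.go
@@ -25,10 +25,11 @@ type ProxyContainer struct {
 
 type ProxyConfig struct {
 // Addr is the remote buildkit address (e.g. tcp://192.168.0.1)
-Addr string
-CACert []byte
-Key []byte
-Cert []byte
+Addr string
+ServerName string
+CACert []byte
+Key []byte
+Cert []byte
 
 // RawManifest is the raw manifest bytes for the single image to serve.
 RawManifest []byte
@@ -55,6 +56,7 @@ func RunProxyImage(ctx context.Context, dockerapi docker.APIClient, config *Prox
 fmt.Sprintf("KEY=%s", base64.StdEncoding.EncodeToString(config.Key)),
 fmt.Sprintf("CERT=%s", base64.StdEncoding.EncodeToString(config.Cert)),
 fmt.Sprintf("ADDR=%s", base64.StdEncoding.EncodeToString([]byte(config.Addr))),
+fmt.Sprintf("SERVER_NAME=%s", base64.StdEncoding.EncodeToString([]byte(config.ServerName))),
 fmt.Sprintf("MANIFEST=%s", base64.StdEncoding.EncodeToString(config.RawManifest)),
 fmt.Sprintf("CONFIG=%s", base64.StdEncoding.EncodeToString(config.RawConfig)),
 },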
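Review bot: The new ServerName field in ProxyConfig carries no doc comment while the neighbouring Addr field does, so a reader of the struct cannot tell whether it is a display label or a TLS identity. Suggest documenting it the way pkg/cmd/registry/registry.go consumes it: `// ServerName is the hostname the remote buildkit's TLS certificate must present; it is used as the TLS ServerName and gRPC authority when dialing Addr.` The second hunk only forwards the value into the proxy container's environment and needs no change.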
