X509 Authentication with OCI registry #10798
Comments
I noticed this as well. We use x509 client authentication instead of passwords and I am facing the same issue. We cannot adopt the OCI features until we have a way to authenticate with the registry as a client with helm via certificates. Perhaps it makes sense to follow the following approach since other tools like podman/skopeo/docker all use it: https://docs.docker.com/engine/security/certificates/ There is a dir for each registry domain with the CA & client's cert/key used for authentication. It seems almost standard among these tools and podman does something similar, but the dirs are located here: /etc/containers/certs.d. The certs allow skopeo, podman, crio, and buildah to authenticate.
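The per-registry directory layout described in the comment above, sketched in Go as an added example (not code from Helm, ORAS or any commenter). The function name `registryTLS` and the host `registry.example.internal` are hypothetical; the file naming (`*.crt` for CAs, `*.cert` plus a matching `*.key` for the client pair) follows the linked Docker documentation.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// registryTLS (hypothetical helper) reads <base>/<host>/ in the certs.d layout:
// *.crt files are trusted CAs; each *.cert is a client cert with a sibling .key.
func registryTLS(base, host string) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	pool := x509.NewCertPool()
	dir := filepath.Join(base, host)
	entries, err := os.ReadDir(dir)
	if errors.Is(err, os.ErrNotExist) {
		return cfg, nil // no per-registry directory: system roots, no client cert
	} else if err != nil {
		return nil, err
	}
	for _, e := range entries {
		path := filepath.Join(dir, e.Name())
		switch filepath.Ext(e.Name()) {
		case ".crt":
			data, err := os.ReadFile(path)
			if err != nil || !pool.AppendCertsFromPEM(data) {
				return nil, fmt.Errorf("%s: not a readable PEM certificate (read error: %v)", path, err)
			}
			cfg.RootCAs = pool // in this sketch only the listed CAs are trusted for this registry
		case ".cert":
			key := strings.TrimSuffix(path, ".cert") + ".key"
			pair, err := tls.LoadX509KeyPair(path, key)
			if err != nil {
				return nil, fmt.Errorf("client certificate %s: %w", path, err)
			}
			cfg.Certificates = append(cfg.Certificates, pair) // presented during the mTLS handshake
		}
	}
	return cfg, nil
}

func main() {
	cfg, err := registryTLS("/etc/docker/certs.d", "registry.example.internal")
	fmt.Println("client certificates loaded:", cfg != nil && len(cfg.Certificates) > 0, "error:", err)
}
```

The returned config can be set as `TLSClientConfig` on an `http.Transport` used for registry requests. A client certificate without its key, or an unparsable CA file, fails closed with an error instead of silently falling back to an unauthenticated connection.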
@bacongobbler
@catric96 there is work currently in flight in the upstream ORAS to add this feature. As soon as it is in the dependency library, it can then be integrated into helm.
This issue has been marked as stale because it has been open for 90 days with no activity. This thread will be automatically closed in 30 days if no further activity occurs.
Has this since been merged into helm? I wasn't sure which ORAS issue this was linked to after looking through
Looks like ORAS v2 now supports mTLS.
Hi, there currently does not seem to be a way to authenticate with X509 certs with a registry.
The registry does not have password authentication (which seems to be currently supported with the registry config.json that can be passed in via --registry-config flag).
Would it be possible to add a way to specify X509 certs or point to a file path where they are located to authenticate?
Output of helm version: 3.8.0
Output of kubectl version: v1.2.4 (with K3S)
Cloud Provider/Platform (AKS, GKE, Minikube etc.): K3S