X509 Authentication with OCI registry

[catric333]

I previously opened this issue in helm and was directed to this repo as it is upstream to helm's OCI registry features.

However, I wasn't able to find a related issue here. Would anyone be able to point me in the right direction or link me to the updates to ORAS facilitating x509 mTLS authentication?

[qweeah]

Looks like HELM 3.8.0 is still using oras-go v1. This should goes to v1 branch of oras-project/oras-go.

@shizhMSFT @Wwwsylvia Does oras-go v2 support mTLS auth?

[shizhMSFT]

oras-go v2 supports mTLS natively.

[TerryHowe]

If this is don in v2, should this ticket be closed? Sounds like helm needs to upgrade

[TerryHowe]

helm is on oras.land/oras-go v1.2.2 it appears, on their default branch

[djmcgreal-cc]

What about the CLI though? I don't see options there.

[TerryHowe]

What about the CLI though? I don't see options there.

Depending on what command you are using, there should be a --ca-file or a from/to version of that option. There is also a --insecure option. What were you looking for?

[djmcgreal-cc]

What were you looking for?

The m in mTLS is mutual. --ca-file gives the client a way of trusting a bespoke certificate on the server, but there don't seem to be any arguments where the client can provide a certificate and key for the server to authenticate the client. This is what the linked to issue in helm is also asking. It's about authentication, not trust.

Is this supported in oras-go v2 or is it limited to certificate authority trust?

[shizhMSFT]

This feature request is to let oras support client cert for mTLS.

[shizhMSFT]

Related implementation: helm/helm#11711