fix(proxy): support for system CA with mTLS certs#5074
Queued
brandtkeller wants to merge 1 commit into
Queued
Conversation
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
✅ Deploy Preview for zarf-docs canceled.
|
Codecov Report❌ Patch coverage is
🚀 New features to boost your workflow:
|
AustinAbro321
approved these changes
Jul 15, 2026
AustinAbro321
left a comment
Member
There was a problem hiding this comment.
This makes perfect sense as a fix, nice work
Any commits made after this event will not be merged.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
The use of the proxy registry mode (which notably added mTLS certs to the registry/proxy) enabled encryption of the image push logic - but when the registry is backed by an s3 storage backend and not configured to disable redirects uses the self-signed CA to perform the redirect to the S3 bucket and fails due to TLS handshake.
This adds the self signed CA to the system CA instead of solely creating a new cert pool.
Worth noting that this can be overcome by setting configuration on the registry to disable redirects and have the registry route all traffic.
Related Issue
Fixes #5075
Checklist before merging