
Adds https mode to credentialConfig #397

Merged: BigVan merged 2 commits into containerd:main from juliusl:pr/add-https-auth-mode on Apr 12, 2026

Conversation

@juliusl (Contributor) commented Mar 24, 2026

What this PR does / why we need it:
Similar to the current http credentialConfig mode, this PR adds a https mode with additional options for enabling full mTLS with a local auth server.

This enables hardening localhost connections in environments that may allow merged network namespaces w/ running containers.

Tested integration manually w/ private build of AKS/ACR artifact streaming.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Please check the following list:

  • Does the affected code have corresponding tests, e.g. unit test, E2E test?
  • Does this change require a documentation update?
  • Does this introduce breaking changes that would require an announcement or bumping the major version?
  • Do all new files have an appropriate license header?
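As an added illustration (not code from this PR or from the overlaybd snapshotter) of what the mTLS option is meant to guarantee, the following Go program stands up a local credential server that only answers peers presenting a client certificate signed by the shared CA, so a process that merely reaches the localhost port (the merged-network-namespace case above) is refused. All certificate names and the `/auth` path are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// newCert issues a throw-away Ed25519 certificate for cn; a nil parent means self-signed (the CA).
func newCert(cn string, ca bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (tls.Certificate, *x509.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), DNSNames: []string{"localhost"},
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil { parent, parentKey = tmpl, key } // self-sign the CA
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert
}

// FetchCredential starts a localhost credential server that demands a client certificate signed by the shared
// CA (the mTLS "https" mode) and returns the HTTP status the client gets. withClientCert=false models a process
// that can reach the port but holds no client key, e.g. a container sharing the network namespace (constructed names).
func FetchCredential(withClientCert bool) (int, error) {
	caTLS, caCert := newCert("overlaybd-test-ca", true, nil, nil)
	srvTLS, _ := newCert("credential-server", false, caCert, caTLS.PrivateKey.(ed25519.PrivateKey))
	cliTLS, _ := newCert("overlaybd-snapshotter", false, caCert, caTLS.PrivateKey.(ed25519.PrivateKey))
	pool := x509.NewCertPool() // plays the role of ca.crt on both sides
	pool.AddCert(caCert)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte(`{"username":"constructed","password":"constructed"}`)) }))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{srvTLS}, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert}
	srv.StartTLS()
	defer srv.Close()
	cfg := &tls.Config{RootCAs: pool, ServerName: "localhost", MinVersion: tls.VersionTLS12} // client verifies the server against the CA
	if withClientCert { cfg.Certificates = []tls.Certificate{cliTLS} } // client.crt + client.key
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL + "/auth")
	if err != nil { return 0, err } // the server refuses the handshake, or aborts the first read, for an unauthenticated peer
	resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	fmt.Println(FetchCredential(true))  // 200 <nil>
	fmt.Println(FetchCredential(false)) // 0 plus a non-nil TLS error: rejected
}
```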

juliusl added 2 commits March 24, 2026 15:17
Signed-off-by: Julius <juliusl@microsoft.com>
Signed-off-by: Julius <juliusl@microsoft.com>
@liulanzheng liulanzheng requested a review from BigVan March 26, 2026 06:18
@BigVan (Member) commented Apr 8, 2026

Maybe we can add a 'certs.d' dir like containerd to support multiple registries and credential servers,
such as:
' /etc/overlaybd/certs.d//client.key'
' /etc/overlaybd/certs.d//client.crt'
' /etc/overlaybd/certs.d//ca.crt'

@juliusl (Contributor, Author) commented Apr 8, 2026

That containerd feature still requires the cert paths to be configured in a hosts.toml file; it doesn't automatically pick certs from the folder.

Also it works by routing by host matching directories, while the current feature centralizes credential fetching from a single source. It would be a new design altogether since this change is about securing the connection used by the current design.

@BigVan (Member) commented Apr 12, 2026

> That containerd feature still requires the cert paths to be configured in a hosts.toml file, it doesn't automatically pick certs from the folder.
>
> Also it works by routing by host matching directories, while the current feature centralizes credential fetching from a single source. It would be a new design altogether since this change is about securing the connection used by the current design.

Fine...
What you said does make sense. Actually, Databricks mentioned to me the customized certification for their self-registries a few days ago 😂
However, creating a new PR is also possible.

@BigVan BigVan merged commit d3fab24 into containerd:main Apr 12, 2026
2 checks passed