Add support for mirror registries behind mutual TLS #35658
+583
−9
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR introduces an enhancement by adding mutual TLS (mTLS) support for registry host mirroring, as requested in this issue.
Background: Some companies have internal policies requiring all services to be secured with mutual TLS, which complicates the use of private registries like JFrog. As a result, the approach outlined in JFrog's documentation is not feasible because Terraform currently doesn't support specifying connections with client TLS authentication. These changes address this limitation and have been successfully tested internally. Please note that this patch applies to the latest released version tag, 1.9.5, and not the main branch.
This PR is dependent on PR #72 in the terraform-svchost repository, which introduces the foundational changes necessary for implementing mTLS support in the terraform-svchost library. While the proposed changes could be implemented directly in the Terraform code (in this repository) and have been tested successfully, doing so would not be the proper approach (I suppose).
Fixes #
Issue #32110
Target Release
1.10.x
Draft CHANGELOG entry
client_cert
,client_key
,ca_cert
for credentials in configuration and environment similar to token handlingENHANCEMENTS
client_cert
,client_key
, andca_cert
in the configuration and environment variables, similar to token handling.client_cert
,client_key
,ca_cert
) in the configuration and/or environment variables. These options are not mutually exclusive withtoken
and can be used together.