Windows: Enhance Containerd tls support with Windows certificate store integration #11909
Conversation
|
Hi @apurv15. Thanks for your PR. I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Include the descriptor for the image target on image events. Signed-off-by: Derek McGowan <derek@mcg.dev>
Signed-off-by: Apurv Barve <apurvbarve@microsoft.com>
Signed-off-by: Apurv Barve <apurvbarve@microsoft.com>
Signed-off-by: Apurv Barve <apurvbarve@microsoft.com>
| @@ -202,6 +202,13 @@ func New(ctx context.Context, config *srvconfig.Config) (*Server, error) { | |||
| } | |||
|
|
|||
| tcpServerOpts = append(tcpServerOpts, grpc.Creds(credentials.NewTLS(tlsConfig))) | |||
| } else if config.GRPC.TCPTLSCName != "" { | |||
There was a problem hiding this comment.
@dmcgowan @samuelkarp any thoughts on doing this?
Windows uses certstore to load certificates which is a rather important Windows usecase which customers have been requesting for.
Add support to retrieve certificate and key from windows cert store.
On Windows, the Windows certificate store is a secure location where certificates and keys can be stored. This patch enhances containerd to take certificate subject (common name) in the config toml file. Then fetch the certificate and key from the key store and use it for TLS. This patch makes use of a library google/certtostore which implements private key crypto signer and decrypter interfaces. This is necessary as the key is not accessible from the cert store directly as a file.
Signed-off-by: Apurv Barve apurvbarve@microsoft.com
These changes address: #11905