containrrr / watchtower

A process for automating Docker container base image updates.
https://containrrr.dev/watchtower/
Apache License 2.0

Enable import of certificate for private HTTPS secure registry #1282

Open sparky3387 opened 2 years ago

sparky3387 commented 2 years ago

I did a search and could not find a similar issue or request. On this line it creates the TLS variable in Go to log in to the Docker registry; are we able to pass in a custom CA certificate for this stage?

TLSConfig Variable

The lack of a CA certificate causes the following error:

2022-05-02T02:20:03Z [D] Reason: Get "https://docker-registry:443/v2/": x509: certificate signed by unknown authority
                         container: /containername
                         image: docker-registry:443/containername-image
2022-05-02T02:20:03Z [D] Pulling image
                         container: /containername
                         image: docker-registry:443/containername-image
2022-05-02T02:20:03Z [D] Error pulling image docker-registry:443/containername-image, Error response from daemon: Get "https://docker-registry:443/v2/": x509: certificate signed by unknown authority
2022-05-02T02:20:03Z [I] Unable to update container "/containername": Error response from daemon: Get "https://docker-registry:443/v2/": x509: certificate signed by unknown authority. Proceeding to next.

A link on how the TLSConfig variable can be set up to work in this configuration

github-actions[bot] commented 2 years ago

Hi there! 👋🏼 As you're new to this repo, we'd like to suggest that you read our code of conduct as well as our contribution guidelines. Thanks a bunch for opening your first issue! 🙏

piksel commented 2 years ago

Yeah, initial work on allowing custom certs for the notification service was started in https://github.com/containrrr/shoutrrr/pull/185, and the cert pool would need to be seeded from watchtower's side. Using the same pool (or another) for the Docker registry lookups shouldn't be an issue. Generally, what needs to be defined is a way to get the certificates into the container. The easiest solution is to just check if a folder exists inside the container and load all certificates from that folder on startup. That way you could just place the certs in a volume.
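
The folder-of-certificates approach sketched in the comment above, written out as an added example in Go. This is not watchtower's or shoutrrr's code: the directory path, the `loadCertPool` / `registryClient` helper names and the `/v2/` ping handler are assumptions made for the example, and httptest's built-in self-signed certificate stands in for the private registry's certificate. The example first reproduces the reporter's "x509: certificate signed by unknown authority" failure with a system-roots-only client, then shows the same request succeeding once the pool has been seeded from the mounted directory.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// loadCertPool starts from the system roots and appends every PEM certificate
// found directly in dir. A missing dir is not an error: the pool then holds the
// system roots only, which is the behaviour the issue reporter sees today.
// The second result is the number of files that contributed at least one cert.
func loadCertPool(dir string) (*x509.CertPool, int, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool()
	}
	entries, err := os.ReadDir(dir)
	if errors.Is(err, os.ErrNotExist) {
		return pool, 0, nil
	}
	if err != nil {
		return nil, 0, err
	}
	loaded := 0
	for _, e := range entries {
		if e.IsDir() {
			continue
		}
		data, err := os.ReadFile(filepath.Join(dir, e.Name()))
		if err != nil {
			return nil, 0, err
		}
		// AppendCertsFromPEM skips non-certificate blocks and garbage, so a
		// stray README in the volume does not break startup.
		if pool.AppendCertsFromPEM(data) {
			loaded++
		}
	}
	return pool, loaded, nil
}

// registryClient builds the client used for registry lookups; a nil pool
// means "system roots only", exactly what the reporter hits.
func registryClient(pool *x509.CertPool) *http.Client {
	return &http.Client{
		Timeout: 10 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
		},
	}
}

// isUnknownAuthority reports whether err is the x509 failure from the issue's
// log. errors.As handles the wrapped x509 error; the string check is a fallback.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua) ||
		(err != nil && strings.Contains(err.Error(), "unknown authority"))
}

// pingRegistry performs the GET https://host/v2/ the daemon does on pull.
func pingRegistry(c *http.Client, baseURL string) (int, error) {
	resp, err := c.Get(baseURL + "/v2/")
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// demo starts a TLS server with a self-signed cert (stand-in for the private
// registry), writes that cert into certDir as an operator would mount it, and
// compares a system-roots-only client with one seeded from certDir.
func demo(certDir string) (defaultRejected bool, seededStatus int, err error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK) // constructed stand-in for the /v2/ ping
	}))
	defer srv.Close()

	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	if err := os.MkdirAll(certDir, 0o755); err != nil {
		return false, 0, err
	}
	if err := os.WriteFile(filepath.Join(certDir, "registry-ca.crt"), pemBytes, 0o644); err != nil {
		return false, 0, err
	}

	// 1. System roots only: reproduces the error in the issue.
	_, err = pingRegistry(registryClient(nil), srv.URL)
	defaultRejected = isUnknownAuthority(err)

	// 2. Pool seeded from the mounted directory.
	pool, n, err := loadCertPool(certDir)
	if err != nil {
		return defaultRejected, 0, err
	}
	if n == 0 {
		return defaultRejected, 0, fmt.Errorf("no certificates loaded from %s", certDir)
	}
	seededStatus, err = pingRegistry(registryClient(pool), srv.URL)
	return defaultRejected, seededStatus, err
}

func main() {
	dir, err := os.MkdirTemp("", "watchtower-certs") // assumed mount point
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	rejected, status, err := demo(dir)
	fmt.Printf("default client rejected: %v, seeded client status: %d, err: %v\n", rejected, status, err)
}
```

Seeding from `x509.SystemCertPool()` rather than an empty pool matters: a pool containing only the mounted certificates would make pulls from public registries fail the moment the directory exists.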

intmainreturnzero commented 6 months ago

Hi @piksel, I wanted to understand the status of the support for adding custom CAs to watchtower. The above pull request is active, so I'm assuming such support doesn't exist yet in Watchtower?

hyeoncheolkim91 commented 2 weeks ago

Is this still not supported?