Conversation

@amisevsk
Contributor

Description

To handle cases where e.g. a registry is served with a self-signed or otherwise default-untrusted certificate, add flag --tls-cert to Kit commands that communicate over the network to supplement the existing --tls-verify=false and --plain-http flags.

Linked issues

N/A

AI-Assisted Code

  • This PR contains AI-generated code that I have reviewed and tested
  • I take full responsibility for all code in this PR, regardless of how it was created


Copilot AI left a comment


Pull request overview

This PR adds support for trusting additional TLS certificates in Kit commands to handle registries served with self-signed or default-untrusted certificates. The implementation adds a new --tls-cert flag that can be used multiple times to specify certificate paths.

Changes:

  • Added TLSTrustCertPaths field to NetworkOptions to store paths to additional trusted certificates
  • Implemented certificate loading logic that combines system certificates with user-provided certificates
  • Added new --tls-cert flag that accepts multiple certificate paths via repeated flag usage

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

  • pkg/cmd/options/network.go: Adds TLSTrustCertPaths field and --tls-cert flag to network options
  • pkg/lib/network/auth.go: Implements certificate loading logic in DefaultClient and adds getCertsTrust helper function

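As an added example (not Kit's code) of the pool construction the review summarises: system roots plus user-supplied PEM bundles, with the combination of a custom pool and disabled verification treated as an error, since a pool is never consulted once InsecureSkipVerify is set. Function names and the constructed CA are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// buildTLSConfig starts from the system roots, appends each --tls-cert PEM bundle (already read into
// memory) and derives InsecureSkipVerify from tlsVerify. Hypothetical name; rejects a pointless mix.
func buildTLSConfig(tlsVerify bool, certPEMs [][]byte) (*tls.Config, error) {
	if !tlsVerify && len(certPEMs) > 0 {
		return nil, fmt.Errorf("--tls-cert has no effect when --tls-verify=false (%d bundle(s) ignored)", len(certPEMs))
	}
	pool, err := x509.SystemCertPool()
	if err != nil {
		return nil, fmt.Errorf("loading system roots: %w", err)
	}
	for i, p := range certPEMs {
		if !pool.AppendCertsFromPEM(p) {
			return nil, fmt.Errorf("--tls-cert #%d: no parsable PEM certificate", i+1)
		}
	}
	return &tls.Config{RootCAs: pool, InsecureSkipVerify: !tlsVerify, MinVersion: tls.VersionTLS12}, nil
}

// trustedBy reports whether the DER certificate chains to cfg.RootCAs (how the pool is checked).
func trustedBy(cfg *tls.Config, certDER []byte) bool {
	cert, err := x509.ParseCertificate(certDER)
	if err == nil {
		_, err = cert.Verify(x509.VerifyOptions{Roots: cfg.RootCAs})
	}
	return err == nil
}

// selfSignedCA builds a throwaway CA (constructed data) so this runs offline; returns PEM and raw DER.
func selfSignedCA() (pemBytes, der []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-registry-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, _ = x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), der
}
```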

To handle cases where e.g. a registry is served with a self-signed or
otherwise default-untrusted certificate, add flag `--tls-cert` to Kit
commands that communicate over the network to supplement the existing
`--tls-verify=false` and `--plain-http` flags.

Signed-off-by: Angel Misevski <amisevsk@gmail.com>
transport.TLSClientConfig.InsecureSkipVerify = !opts.TLSVerify

if len(opts.TLSTrustCertPaths) > 0 {
certPool, err := getCertsTrust(opts)
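Review bot: `InsecureSkipVerify` is set from `!opts.TLSVerify` before the custom pool is built, so when `--tls-verify=false` and `--tls-cert` are both given the pool from `getCertsTrust(opts)` is loaded but never consulted; consider checking `opts.TLSVerify` here and either warning or returning an error for that combination, e.g. `if !opts.TLSVerify && len(opts.TLSTrustCertPaths) > 0 { ... }` ahead of the pool load.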
Member


Should we log a warning if --tls-verify=false is also present at the same time as CA certs?
