Support for client certificates #321

New Issue

bf · 2023-08-03T00:22:53Z

bf commented

2023-08-03 00:22:53 +00:00

As act runner is supposed to run on it's own server it'd be great to also support client certificates for act runner.

Setup:

Gitea behind NGINX
NGINX requires client certificate before request is passed through to NGINX
gitea docker container registry works fine, because docker login supports client certificates
only act_runner does not support client certificates

Is this something you think makes sense for act_runner or not?

As act runner is supposed to run on it's own server it'd be great to also support *client certificates* for act runner. Setup: - Gitea behind NGINX - NGINX requires client certificate before request is passed through to NGINX - gitea docker container registry works fine, because docker login supports client certificates - only act_runner does not support client certificates Is this something you think makes sense for act_runner or not?

lunny added the

kind

proposal

label 2023-08-03 03:18:51 +00:00

ryanjbudhu commented

2023-12-08 04:48:30 +00:00

I have the same problem when trying to set up a runner for Gitea Actions... Looking at the code (with my limited Go experience) one could modify the getHTTPClient() function in http.go to something like:

Example code:

func getHTTPClient(endpoint string, insecure bool, clientcert string, clientkey string) *http.Client {
	var cfg *tls.Config
	if strings.HasPrefix(endpoint, "https://") && insecure {
		cfg.InsecureSkipVerify = true
	}

	if len(strings.TrimSpace(clientcert)) > 0 && len(strings.TrimSpace(clientkey)) > 0 {
		// Load client certificate and private key
		clientCert, err := tls.LoadX509KeyPair(clientcert, clientkey)
		if err != nil {
			log.WithError(err).
				Errorln("Error loading client certificate")
		} else {
			cfg.Certificates = []tls.Certificate{clientCert}
		}
	}

	if cfg.InsecureSkipVerify || len(cfg.Certificates) > 0 {
		return &http.Client{
			Transport: &http.Transport{
				TLSClientConfig: cfg,
			},
		}
	}

	return http.DefaultClient
}

Although this wouldn't be able to handle an encrypted key...
clientcert and clientkey could be paths set in the runner config, and are obviously valid keys for authenticating to the Gitea server.

Is there any work on this currently? I'd also be happy to take pointers/suggestions while I work on this myself.

I have the same problem when trying to set up a runner for Gitea Actions... Looking at the code (with my limited Go experience) one could modify the `getHTTPClient()` function in [http.go](src/branch/main/internal/pkg/client/http.go) to something like: <details> <summary>Example code:</summary> ```go func getHTTPClient(endpoint string, insecure bool, clientcert string, clientkey string) *http.Client { var cfg *tls.Config if strings.HasPrefix(endpoint, "https://") && insecure { cfg.InsecureSkipVerify = true } if len(strings.TrimSpace(clientcert)) > 0 && len(strings.TrimSpace(clientkey)) > 0 { // Load client certificate and private key clientCert, err := tls.LoadX509KeyPair(clientcert, clientkey) if err != nil { log.WithError(err). Errorln("Error loading client certificate") } else { cfg.Certificates = []tls.Certificate{clientCert} } } if cfg.InsecureSkipVerify || len(cfg.Certificates) > 0 { return &http.Client{ Transport: &http.Transport{ TLSClientConfig: cfg, }, } } return http.DefaultClient } ``` </details> Although this wouldn't be able to handle an encrypted key... `clientcert` and `clientkey` could be paths set in the runner config, and are obviously valid keys for authenticating to the Gitea server. Is there any work on this currently? I'd also be happy to take pointers/suggestions while I work on this myself.

ryanjbudhu referenced this issue from a commit

2023-12-10 17:21:01 +00:00

feat: add config for runner auth with client certificates (gitea/act_runner#321)

ryanjbudhu referenced this issue

2023-12-11 20:23:32 +00:00

feat: add config for runner auth with client certificates (#321) #446

Sign in to join this conversation.