From 0e393ee980562a0ca31dc22de0529a0ec6cbcd06 Mon Sep 17 00:00:00 2001
From: CrazyMax
Date: Sat, 14 Dec 2019 02:18:42 +0100
Subject: [PATCH] Fix Docker TLS config

---
 internal/config/config.go | 1 +
 internal/model/providers.go | 6 ++---
 internal/provider/docker/container.go | 2 +-
 pkg/docker/client.go | 32 +++++++++++++++++++++------
 4 files changed, 29 insertions(+), 12 deletions(-)

diff --git a/internal/config/config.go b/internal/config/config.go
index 5e6690e8..ab706c0b 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -148,6 +148,7 @@ func (cfg *Config) validateDockerProvider(key int, dock model.PrdDocker) error {
 	}
 
 	if err := mergo.Merge(&dock, model.PrdDocker{
+		TLSVerify: true,
 		SwarmMode: false,
 		WatchByDefault: false,
 		WatchStopped: false,
diff --git a/internal/model/providers.go b/internal/model/providers.go
index 384b954e..db794f18 100644
--- a/internal/model/providers.go
+++ b/internal/model/providers.go
@@ -14,10 +14,8 @@ type PrdDocker struct {
 	ID string `yaml:"id,omitempty" json:",omitempty"`
 	Endpoint string `yaml:"endpoint,omitempty" json:",omitempty"`
 	ApiVersion string `yaml:"api_version,omitempty" json:",omitempty"`
-	CAFile string `yaml:"ca_file,omitempty" json:",omitempty"`
-	CertFile string `yaml:"cert_file,omitempty" json:",omitempty"`
-	KeyFile string `yaml:"key_file,omitempty" json:",omitempty"`
-	TLSVerify string `yaml:"tls_verify,omitempty" json:",omitempty"`
+	TLSCertsPath string `yaml:"tls_certs_path,omitempty" json:",omitempty"`
+	TLSVerify bool `yaml:"tls_verify,omitempty" json:",omitempty"`
 	SwarmMode bool `yaml:"swarm_mode,omitempty" json:",omitempty"`
 	WatchByDefault bool `yaml:"watch_by_default,omitempty" json:",omitempty"`
 	WatchStopped bool `yaml:"watch_stopped,omitempty" json:",omitempty"`
diff --git a/internal/provider/docker/container.go b/internal/provider/docker/container.go
index fedd1f3a..5c5c05fb 100644
--- a/internal/provider/docker/container.go
+++ b/internal/provider/docker/container.go
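Review bot: `TLSVerify: true` as a mergo.Merge default cannot be overridden by the user, because mergo.Merge, as documented, fills only zero-valued destination fields and an explicit `tls_verify: false` is exactly the zero value, so it is replaced by `true`. That is fail-safe, but it makes the new `tls_verify` option in the providers.go hunk unable to turn verification off, and the `omitempty` tag on that bool drops an explicit `false` on marshal as well. If opting out is meant to be supported, the field needs to distinguish false from unset (a `*bool`, or an inverted `tls_insecure bool` whose zero value is the safe default); if not, add `// TLSVerify: true also overrides an explicit false, since mergo only fills zero values` at the merge so the behaviour reads as intentional rather than accidental. validateDockerProvider starts and ends outside the hunk.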
@@ -19,7 +19,7 @@ func (c *Client) listContainerImage(elt model.PrdDocker) []model.Image {
 		Str("id", elt.ID).
 		Logger()
 
-	cli, err := docker.NewClient(elt.Endpoint, elt.ApiVersion, elt.CAFile, elt.CertFile, elt.KeyFile)
+	cli, err := docker.NewClient(elt.Endpoint, elt.ApiVersion, elt.TLSCertsPath, elt.TLSVerify)
 	if err != nil {
 		sublog.Error().Err(err).Msg("Cannot create Docker client")
 		return []model.Image{}
diff --git a/pkg/docker/client.go b/pkg/docker/client.go
index ce75f2d5..dafdd2ba 100644
--- a/pkg/docker/client.go
+++ b/pkg/docker/client.go
@@ -2,18 +2,22 @@ package docker
 
 import (
 	"context"
+	"net/http"
+	"path/filepath"
 
 	"github.com/docker/docker/client"
+	"github.com/docker/go-connections/tlsconfig"
+	"github.com/pkg/errors"
 )
 
 // Client represents an active docker object
 type Client struct {
-	context context.Context
-	Api *client.Client
+	ctx context.Context
+	Api *client.Client
 }
 
 // NewClient initializes a new Docker API client with default values
-func NewClient(endpoint string, apiVersion string, caFile string, certFile string, keyFile string) (*Client, error) {
+func NewClient(endpoint, apiVersion, tlsCertsPath string, tlsVerify bool) (*Client, error) {
 	var opts []client.Opt
 	if endpoint != "" {
 		opts = append(opts, client.WithHost(endpoint))
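Review bot: The doc comment `// NewClient initializes a new Docker API client with default values` no longer describes the signature: the new `tlsCertsPath` and `tlsVerify` parameters carry user-supplied security settings and have no stated contract. I would extend it to say that `tlsCertsPath` names a directory holding `ca.pem`, `cert.pem` and `key.pem` (the names the body joins onto it in the next hunk), that an empty path leaves the client without TLS, and that `tlsVerify=false` disables daemon certificate verification. As a style point, the exported `Api` field realigned here would be `API` under Go's initialism convention, though renaming it is outside this change. NewClient's body continues in the next hunk.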
@@ -21,8 +25,22 @@ func NewClient(endpoint string, apiVersion string, caFile string, certFile strin
 	if apiVersion != "" {
 		opts = append(opts, client.WithVersion(apiVersion))
 	}
-	if caFile != "" && certFile != "" && keyFile != "" {
-		opts = append(opts, client.WithTLSClientConfig(caFile, certFile, keyFile))
+	if tlsCertsPath != "" {
+		options := tlsconfig.Options{
+			CAFile: filepath.Join(tlsCertsPath, "ca.pem"),
+			CertFile: filepath.Join(tlsCertsPath, "cert.pem"),
+			KeyFile: filepath.Join(tlsCertsPath, "key.pem"),
+			InsecureSkipVerify: !tlsVerify,
+		}
+		tlsc, err := tlsconfig.Client(options)
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to create tls config")
+		}
+		httpCli := &http.Client{
+			Transport: &http.Transport{TLSClientConfig: tlsc},
+			CheckRedirect: client.CheckRedirect,
+		}
+		opts = append(opts, client.WithHTTPClient(httpCli))
 	}
 
 	cli, err := client.NewClientWithOpts(opts...)
@@ -37,7 +55,7 @@ func NewClient(endpoint string, apiVersion string, caFile string, certFile strin
 	}
 
 	return &Client{
-		context: ctx,
-		Api: cli,
+		ctx: ctx,
+		Api: cli,
 	}, err
 }
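Review bot: The hand-built `tlsconfig.Options` omits `ExclusiveRootPools`, so the client now trusts the system root store in addition to `ca.pem`; the `client.WithTLSClientConfig` call this replaces sets `ExclusiveRootPools: true` as far as I recall, which would make this a silent widening of the trust base, and adding `ExclusiveRootPools: true,` to the options literal restores the old behaviour. `InsecureSkipVerify: !tlsVerify` also deserves a comment such as `// tlsVerify=false disables daemon certificate checks entirely; CAFile is then ignored`, since a user who ships a `ca.pem` may not expect that. Because `CertFile` and `KeyFile` are always populated once `tlsCertsPath` is set, a directory holding only `ca.pem` will presumably fail the key-pair load inside `tlsconfig.Client`, so either document that all three files are required or set the cert/key paths only when those files exist. NewClient starts in the previous hunk.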