Signed-off-by: Todd Whiteman <todd.whiteman@joyent.com>
| ... | ... |
@@ -3,6 +3,7 @@ package main |
| 3 | 3 |
import ( |
| 4 | 4 |
"bufio" |
| 5 | 5 |
"bytes" |
| 6 |
+ "crypto/tls" |
|
| 6 | 7 |
"encoding/json" |
| 7 | 8 |
"errors" |
| 8 | 9 |
"fmt" |
| ... | ... |
@@ -481,6 +482,26 @@ func daemonHost() string {
|
| 481 | 481 |
return daemonURLStr |
| 482 | 482 |
} |
| 483 | 483 |
|
| 484 |
+func getTLSConfig() (*tls.Config, error) {
|
|
| 485 |
+ dockerCertPath := os.Getenv("DOCKER_CERT_PATH")
|
|
| 486 |
+ |
|
| 487 |
+ if dockerCertPath == "" {
|
|
| 488 |
+ return nil, fmt.Errorf("DOCKER_TLS_VERIFY specified, but no DOCKER_CERT_PATH environment variable")
|
|
| 489 |
+ } |
|
| 490 |
+ |
|
| 491 |
+ option := &tlsconfig.Options{
|
|
| 492 |
+ CAFile: filepath.Join(dockerCertPath, "ca.pem"), |
|
| 493 |
+ CertFile: filepath.Join(dockerCertPath, "cert.pem"), |
|
| 494 |
+ KeyFile: filepath.Join(dockerCertPath, "key.pem"), |
|
| 495 |
+ } |
|
| 496 |
+ tlsConfig, err := tlsconfig.Client(*option) |
|
| 497 |
+ if err != nil {
|
|
| 498 |
+ return nil, err |
|
| 499 |
+ } |
|
| 500 |
+ |
|
| 501 |
+ return tlsConfig, nil |
|
| 502 |
+} |
|
| 503 |
+ |
|
| 484 | 504 |
func sockConn(timeout time.Duration) (net.Conn, error) {
|
| 485 | 505 |
daemon := daemonHost() |
| 486 | 506 |
daemonURL, err := url.Parse(daemon) |
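Review bot: The error from `tlsconfig.Client` is returned bare on the `return nil, err` line of getTLSConfig, so a missing or unreadable ca.pem/cert.pem/key.pem surfaces to the user with no indication of which directory was consulted; wrapping it keeps the diagnosis local: `return nil, fmt.Errorf("loading TLS client config from %s: %v", dockerCertPath, err)`. The DOCKER_CERT_PATH error message also names DOCKER_TLS_VERIFY, which is the caller's condition rather than this helper's, and the new function has no doc comment — a one-liner such as `// getTLSConfig builds a TLS client config from ca.pem, cert.pem and key.pem under $DOCKER_CERT_PATH; it fails if the variable is unset.` would state the contract without tying it to the env var that gates it. As a point of style, building `option` as a pointer only to dereference it in `tlsconfig.Client(*option)` can be collapsed to `tlsConfig, err := tlsconfig.Client(tlsconfig.Options{...})`. The import hunk shows only `crypto/tls` being added, so `tlsconfig` is presumably already imported in a part of the file not shown here.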
| ... | ... |
@@ -493,6 +514,15 @@ func sockConn(timeout time.Duration) (net.Conn, error) {
|
| 493 | 493 |
case "unix": |
| 494 | 494 |
return net.DialTimeout(daemonURL.Scheme, daemonURL.Path, timeout) |
| 495 | 495 |
case "tcp": |
| 496 |
+ if os.Getenv("DOCKER_TLS_VERIFY") != "" {
|
|
| 497 |
+ // Setup the socket TLS configuration. |
|
| 498 |
+ tlsConfig, err := getTLSConfig() |
|
| 499 |
+ if err != nil {
|
|
| 500 |
+ return nil, err |
|
| 501 |
+ } |
|
| 502 |
+ dialer := &net.Dialer{Timeout: timeout}
|
|
| 503 |
+ return tls.DialWithDialer(dialer, daemonURL.Scheme, daemonURL.Host, tlsConfig) |
|
| 504 |
+ } |
|
| 496 | 505 |
return net.DialTimeout(daemonURL.Scheme, daemonURL.Host, timeout) |
| 497 | 506 |
default: |
| 498 | 507 |
return c, fmt.Errorf("unknown scheme %v (%s)", daemonURL.Scheme, daemon)
|